Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This communication is in response to the application filed on 09/23/2020. Claims 1-20 are currently pending.
Suggestions on how to overcome any objection(s) and rejection(s) raised in this office action are found at the end of such sections. 
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 06/15/2021 was filed before the mailing date of the office action on 08/24/2022.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Claim Objections
Claims 14-15, and 16-17 are objected to because of the following informalities:  
Claim 14 reads computer readable medium of claim 14. A claim cannot depend on itself. For the purpose of examination, the examiner interprets claim 14 as depending on claim 13, i.e., the computer readable medium of claim 13. Appropriate correction is required.
Claim 15 recites the computer readable medium of claim 14. However, claim 15 contains an attribute of claim 13 and not of claim 14. For the purpose of examination of the application, the examiner interprets claim 15 as depending on claim 13. Appropriate correction is required.
Claim 16 also reads computer readable medium of claim 16. As with claim 14, for the purpose of examination, the examiner interprets claim 16 as depending on claim 15, i.e., the computer readable medium of claim 15.
Claim 17 recites “The computer readable medium of claim 17”. A claim cannot depend on itself. For the purpose of examination, the examiner assumes that claim 17 depends on claim 16.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 3-7, 9-13, 15-19 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub. No. 20180103052 to Choudhury et al. (hereinafter Choudhury) in view of NPL “Deep Learning for Unsupervised Insider Threat Detection in Structured Cybersecurity Data Streams” to Aaron Tuor et al. (hereinafter Aaron).



Regarding claim 1, Choudhury discloses a method comprising: 
collecting network activity data (“An information technology infrastructure collects multiple types of data such as network traffic (also referred to as netflow), and event logs”, ¶0007); 
generating a graph representing network activity based on at least the network activity data (“We describe a set of methods to transform these multiple data sources into a single, unified representation referred to hereafter as a cyber knowledge graph or a knowledge graph….”, ¶0007), and (“We extract a multi-scale graph model from the original cyber knowledge graph to represent such hierarchical structure for aggregation of information, from high-resolution, narrower context to coarser-resolution, broader context”, ¶0013); 
and training a graph neural network based on the graph representing network activity (“We build a multi-scale graph model from the original property graph, and then train Long-Short Term Memory (LSTM) Neural Network to process information at each scale and emit a decision”, ¶0011).  
However, although Choudhury discloses training a graph neural network based on the graph representing network activity, it does not explicitly disclose training a graph mixture density neural network as disclosed by Aaron.

Aaron discloses detecting anomalous network activity from system logs in real time by unsupervised deep learning using mixture density networks (page 1, Right col. Lines 2-7, “Because insider threat behavior is widely varying, we do not attempt to explicitly model threat behavior. Instead, novel variants of Deep Neural Networks (DNNs) and Recurrent Neural Networks (RNNs) are trained to recognize activity that is characteristic of each user on a network and concurrently assess whether user behavior is normal or anomalous, all in real time”.) and (page 4, Left col. Line 37-38, “…This portion of the model can be seen as a simplified Mixture Density Network (Bishop 1994)”). 
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Choudhury to include the teaching of mixture density network in training deep neural network (DNN) in the determination of anomaly in the network activity as disclosed by Aaron and be motivated in doing so in order to overcome the widely varying behavior of insider threat when analyzing network activity-Aaron page 1 right col. Lines 1-3. 

Regarding claim 3, Choudhury in view of Aaron discloses the method of claim 1. 
Choudhury further discloses the method further comprising: evaluating additional network activity using the neural network (“…defenders must revisit the problem with a new perspective”, ¶0003, wherein revisiting is to evaluate the newer activities of the attackers in the network); 
and generating detection results based on at least the evaluation of the additional network activity using the neural network (“it is important to be proactive in detecting and reasoning about emerging threats in an enterprise network…” ¶0003), and (“Our primary contribution is a neural network based method that detects anomalies by analyzing the changes in the Cyber Knowledge Graph at multiple scales”, ¶0011). 
However, although Choudhury discloses using a neural network based on the graph representing network activity to detect anomalies, it does not explicitly disclose using a mixture density neural network as disclosed by Aaron.

Aaron discloses detecting anomalous network activity from system logs in real time by unsupervised deep learning using mixture density networks (page 1, Right col. Lines 2-7, “Because insider threat behavior is widely varying, we do not attempt to explicitly model threat behavior. Instead, novel variants of Deep Neural Networks (DNNs) and Recurrent Neural Networks (RNNs) are trained to recognize activity that is characteristic of each user on a network and concurrently assess whether user behavior is normal or anomalous, all in real time”.) and (page 4, Left col. Line 37-38, “…This portion of the model can be seen as a simplified Mixture Density Network (Bishop 1994)”). 

Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Choudhury and Aaron to include the teaching of using a mixture density neural network in the evaluation and determination of anomaly in the network activity as disclosed by Aaron and be motivated in doing so in order to overcome the widely varying behavior of insider threat when analyzing network activity-Aaron page 1 right col. Lines 1-3. 

Regarding claim 4, Choudhury in view of Aaron discloses the method of claim 3. Choudhury further discloses
 wherein the detection results indicate that a host inside a network is identified as a staging point for collection of data prior to possible exfiltration to another host (“As an example of the resulting capability provided by the implementation of these methods an organization will be able to a) detect when a user (who is a potential insider threat) connects to multiple network services that are inconsistent with his profile, b) evaluate risk and explain why detected activity should be investigated by a human expert and, c) recommend altering network security configurations such as restricting user's access to specific resources or applications to minimize the risk to the larger infrastructure”, ¶0009, wherein detecting the activity of a user is a staging point for collection of data on that user activity, and restricting the user’s access to specific resources or applications prevents exfiltration/spreading the threat to other hosts on the network).
	See also (“Against this model then activities from this user can then be compared and deviations from the model identified and analyzed and as necessary actions can be taken with regard to the particular user on account of their out of model behavior so as to prevent lateral movement within the system and to protect mission components”, ¶0069, wherein preventing lateral movement within the system is understood to mean prior to possible exfiltration/spread to another host). 

Regarding claim 5, Choudhury in view of Aaron discloses the method of claim 4. 
Choudhury further discloses wherein the other host is external of the network (“It is possible that no direct traffic between two devices is discovered, but both may be controlled by an attacker from outside of the enterprise”, ¶0048).  

Regarding claim 6, Choudhury in view of Aaron discloses the method of claim 3. 
Choudhury further discloses wherein a host is identified as a staging point based on analysis of network activity against a plurality of distributions generated by the graph neural network (“… a profile can be established and modeled mathematically as a distribution of such a combination of such factors by segmentation on a user-host access graph…”, ¶0069) and 
Aaron discloses mixture density network (page 4, Left col. Line 37-38, “…This portion of the model can be seen as a simplified Mixture Density Network (Bishop 1994)”). 

Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Choudhury and Aaron by combining the distributions generated by graph neural network of Choudhury with the mixture density network of Aaron in order to have distributions generated by the graph mixture density neural network and be motivated in doing so because detections are made as rapidly as new data is fed into the Deep Neural Networks (DNN) and Recurrent Neural Networks (RNN) models- Aaron page 1 right col. Lines 12-13.  
	
Regarding claim 7, Choudhury in view of Aaron discloses the method of claim 3.
Choudhury further discloses wherein a detection result is associated with a confidence level (“the criticality of the event is typically determined by looking for a high-probability sequence of potential future events that can lead to compromise of critical resources in the infrastructure”, ¶0017).  
	 
Regarding claim 9, Choudhury in view of Aaron discloses the method of claim 1. 
Choudhury further discloses wherein the graph representing the network activity is maintained using at least one of a source identifier (“The host unique ID”, ¶0051), a destination identifier, an adjacency matrix, or a network traffic table representing characteristics of communications between a source and a destination.  

Regarding claim 10, Choudhury in view of Aaron discloses the method of claim 9. Choudhury further discloses wherein the graph neural network is trained by:
 executing a graph convolution process on the graph representing network activity (“…We build a multi-scale graph model from the original property graph”, ¶0011);
 and processing embeddings using a neural network (“we specifically used a variant of Recurrent Neural Network such as Long-Short Term Memory Network (LSTM) to learn the vector space embeddings for each node in the graph”, ¶0059).  
However, although Choudhury discloses training a graph neural network based on the graph representing network activity, it does not explicitly disclose training a graph mixture density neural network as disclosed by Aaron.
Aaron discloses detecting anomalous network activity from system logs in real time by unsupervised deep learning using mixture density networks (page 1, Right col. Lines 2-7, “Because insider threat behavior is widely varying, we do not attempt to explicitly model threat behavior. Instead, novel variants of Deep Neural Networks (DNNs) and Recurrent Neural Networks (RNNs) are trained to recognize activity that is characteristic of each user on a network and concurrently assess whether user behavior is normal or anomalous, all in real time”.) and (page 4, Left col. Line 37-38, “…This portion of the model can be seen as a simplified Mixture Density Network (Bishop 1994)”). 
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Choudhury and Aaron to include training the mixture density network disclosed by Aaron with a graph convolution process of Choudhury in the determination of anomaly in the network activity and be motivated in doing so in order to model a wider range of distributions with fewer underlying assumptions-Aaron page 2, Left col. Lines 18-19.


Regarding claim 11, Choudhury in view of Aaron discloses the method of claim 9.
Choudhury further discloses wherein the respective source identifier (“unique ID”, ¶0051) corresponds to a uniquely named resource (“resource type”, ¶0051), 
and the respective destination corresponds to a different uniquely named resource (“… the number of unique applications in communications where the given node is the source IP…”, ¶0054).  

Regarding claim 12, Choudhury in view of Aaron discloses the method of claim 1. Choudhury further discloses
 	wherein the network activity data comprises unique host identifiers (“unique ID”, ¶0051), sources of communications (“the number of unique applications in communications where the given node is the source IP”, ¶0054) , destinations of communications, an amount of data sent, an amount of data received (“the total numbers of packets and bytes exchanged in communications involving the given node”, ¶0054, wherein the total number of packets includes the packet sent and the packets received), a port(s) used for a communication, a requested service, a corresponding protocol (“the number of protocols used in interactions involving the given node, ¶0054), whether a communication is a request or a response, or a time of a communication (“the total duration of all interactions a node participated in over the course of a day”, ¶0054) .  


Regarding claim 13, Choudhury discloses a non-transitory computer readable medium having stored thereon a sequence of instructions, the sequence of instructions, when executed, causing a set of acts comprising: 
collecting network activity data (“An information technology infrastructure collects multiple types of data such as network traffic (also referred to as netflow), and event logs”, ¶0007);  25Atty. Dkt. No.: VN-028-US 
generating a graph representing network activity based on at least the network activity data (“We describe a set of methods to transform these multiple data sources into a single, unified representation referred to hereafter as a cyber knowledge graph or a knowledge graph….”, ¶0007), and (“We extract a multi-scale graph model from the original cyber knowledge graph to represent such hierarchical structure for aggregation of information, from high-resolution, narrower context to coarser-resolution, broader context”, ¶0013); 
and training a graph neural network based on the graph representing network activity (“We build a multi-scale graph model from the original property graph, and then train Long-Short Term Memory (LSTM) Neural Network to process information at each scale and emit a decision”, ¶0011).  
However, although Choudhury discloses training a graph neural network based on the graph representing network activity, it does not explicitly disclose training a graph mixture density neural network as disclosed by Aaron.
Aaron discloses detecting anomalous network activity from system logs in real time by unsupervised deep learning using mixture density networks (page 1, Right col. Lines 2-7, “Because insider threat behavior is widely varying, we do not attempt to explicitly model threat behavior. Instead, novel variants of Deep Neural Networks (DNNs) and Recurrent Neural Networks (RNNs) are trained to recognize activity that is characteristic of each user on a network and concurrently assess whether user behavior is normal or anomalous, all in real time”.) and (page 4, Left col. Line 37-38, “…This portion of the model can be seen as a simplified Mixture Density Network (Bishop 1994)”). 
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Choudhury to include the teaching of mixture density network in training deep neural network (DNN) in the determination of anomaly in the network activity as disclosed by Aaron and be motivated in doing so in order to overcome the widely varying behavior of insider threat when analyzing network activity-Aaron page 1 right col. Lines 1-3. 

Regarding claim 15, Choudhury in view of Aaron discloses the computer readable medium of claim 14, wherein the set of acts further comprise: 
evaluating additional network activity using the graph neural network (“…defenders must revisit the problem with a new perspective”, ¶0003, wherein revisiting is to evaluate the newer activities of the attackers in the network); 
and generating detection results based on at least the evaluation of the additional network activity using the graph neural network (“it is important to be proactive in detecting and reasoning about emerging threats in an enterprise network…” ¶0003), and (“Our primary contribution is a neural network based method that detects anomalies by analyzing the changes in the Cyber Knowledge Graph at multiple scales”, ¶0011). 
However, although Choudhury discloses using a neural network based on the graph representing network activity to detect anomalies, it does not explicitly disclose using a mixture density neural network as disclosed by Aaron.
Aaron discloses detecting anomalous network activity from system logs in real time by unsupervised deep learning using mixture density networks (page 1, Right col. Lines 2-7, “Because insider threat behavior is widely varying, we do not attempt to explicitly model threat behavior. Instead, novel variants of Deep Neural Networks (DNNs) and Recurrent Neural Networks (RNNs) are trained to recognize activity that is characteristic of each user on a network and concurrently assess whether user behavior is normal or anomalous, all in real time”.) and (page 4, Left col. Line 37-38, “…This portion of the model can be seen as a simplified Mixture Density Network (Bishop 1994)”). 
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Choudhury and Aaron to include the teaching of using a mixture density neural network in the evaluation and determination of anomaly in the network activity as disclosed by Aaron and be motivated in doing so in order to overcome the widely varying behavior of insider threat when analyzing network activity-Aaron page 1 right col. Lines 1-3. 
 

Regarding claim 16, Choudhury in view of Aaron discloses the computer readable medium of claim 16. Choudhury further discloses 
wherein the detection results indicate that a host inside a network is identified as a staging point for collection of data prior to possible exfiltration to another host (“As an example of the resulting capability provided by the implementation of these methods an organization will be able to a) detect when a user (who is a potential insider threat) connects to multiple network services that are inconsistent with his profile, b) evaluate risk and explain why detected activity should be investigated by a human expert and, c) recommend altering network security configurations such as restricting user's access to specific resources or applications to minimize the risk to the larger infrastructure”, ¶0009, wherein detecting the activity of a user is a staging point for collection of data on that user activity, and restricting the user’s access to specific resources or applications prevents exfiltration/spreading the threat to other hosts on the network).
	See also (“Against this model then activities from this user can then be compared and deviations from the model identified and analyzed and as necessary actions can be taken with regard to the particular user on account of their out of model behavior so as to prevent lateral movement within the system and to protect mission components”, ¶0069, wherein preventing lateral movement within the system is understood to mean prior to possible exfiltration/spread to another host). 

 
Regarding claim 17, Choudhury in view of Aaron discloses the computer readable medium of claim 17. Choudhury further discloses wherein the other host is external of the network (“It is possible that no direct traffic between two devices is discovered, but both may be controlled by an attacker from outside of the enterprise”, ¶0048).   

Regarding claim 18, Choudhury in view of Aaron discloses the computer readable medium of claim 16.
Choudhury further discloses wherein a host is identified as a staging point based on analysis of network activity against a plurality of distributions generated by the graph neural network (“… a profile can be established and modeled mathematically as a distribution of such a combination of such factors by segmentation on a user-host access graph…”, ¶0069) and 
Aaron discloses mixture density network (page 4, Left col. Line 37-38, “…This portion of the model can be seen as a simplified Mixture Density Network (Bishop 1994)”). 

Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Choudhury and Aaron by combining the distributions generated by graph neural network of Choudhury with the mixture density network of Aaron in order to have distributions generated by the graph mixture density neural network and be motivated in doing so because detections are made as rapidly as new data is fed into the Deep Neural Networks (DNN) and Recurrent Neural Networks (RNN) models- Aaron page 1 right col. Lines 12-13.  
	
Regarding claim 19, Choudhury discloses a system comprising: 
a memory storing a set of instructions; 
and a processor to execute the set of instructions to perform a set of acts comprising: collecting network activity data (“An information technology infrastructure collects multiple types of data such as network traffic (also referred to as netflow), and event logs”, ¶0007);  
generating a graph representing network activity based on at least the network activity data (“We describe a set of methods to transform these multiple data sources into a single, unified representation referred to hereafter as a cyber knowledge graph or a knowledge graph….”, ¶0007), and (“We extract a multi-scale graph model from the original cyber knowledge graph to represent such hierarchical structure for aggregation of information, from high-resolution, narrower context to coarser-resolution, broader context”, ¶0013); 
and training a graph neural network based on the graph representing network activity (“We build a multi-scale graph model from the original property graph, and then train Long-Short Term Memory (LSTM) Neural Network to process information at each scale and emit a decision”, ¶0011).  
However, although Choudhury discloses training a graph neural network based on the graph representing network activity, it does not explicitly disclose training a graph mixture density neural network as disclosed by Aaron.
Aaron discloses detecting anomalous network activity from system logs in real time by unsupervised deep learning using mixture density networks (page 1, Right col. Lines 2-7, “Because insider threat behavior is widely varying, we do not attempt to explicitly model threat behavior. Instead, novel variants of Deep Neural Networks (DNNs) and Recurrent Neural Networks (RNNs) are trained to recognize activity that is characteristic of each user on a network and concurrently assess whether user behavior is normal or anomalous, all in real time”.) and (page 4, Left col. Line 37-38, “…This portion of the model can be seen as a simplified Mixture Density Network (Bishop 1994)”). 
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Choudhury to include the teaching of mixture density network in training deep neural network (DNN) in the determination of anomaly in the network activity as disclosed by Aaron and be motivated in doing so in order to overcome the widely varying behavior of insider threat when analyzing network activity-Aaron page 1 right col. Lines 1-3. 

Claims 2, 14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub. No. 20180103052 to Choudhury et al. (hereinafter Choudhury) in view of NPL “Deep Learning for Unsupervised Insider Threat Detection in Structured Cybersecurity Data Streams” to Aaron Tuor et al. (hereinafter Aaron) and further in view of NPL “Development and Verification of an Online Artificial Intelligence System for Detection of Bursts and Other Abnormal Flows” to MOUNCE et al. (hereinafter MOUNCE).



Regarding claim 2, Choudhury in view of Aaron discloses the method of claim 1.
However, Choudhury in view of Aaron does not explicitly disclose the following limitation taught by MOUNCE: 
wherein the graph mixture density neural network generates multiple gaussian distributions,
and a gaussian distribution comprises at least a respective mixing coefficient. 
MOUNCE discloses a general normal distributions mixture model from which a confidence interval for the predicted value is computed (Page 3, Right col. Lines 48-53, “An 85% confidence interval for the predicted value is computed from the mixture model, which is a linear combination of component densities (general normal distributions) and this is used in conjunction with the observed data to form a residual that is analyzed by a FIS classification module”, wherein Gaussian distributions are also known as normal distributions) and
Various parameters of the mixture model including mixing coefficients that are governed by the output of the neural network (Page 3, right col. Lines 18-20 “…Various parameters of the mixture models (mixing coefficients, means, and variances) are governed by the outputs of the neural network which takes xt as its input”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Choudhury and Aaron to include the concept of mixing coefficient in Gaussian distributions as disclosed by MOUNCE and be motivated in doing so in order to accurately estimate abnormal flow magnitude which will aid ranking of the alerts in the system-MOUNCE abstract in part.

Regarding claim 14, Choudhury in view of Aaron discloses the computer readable medium of claim 13. 
However, Choudhury in view of Aaron does not explicitly disclose the following limitation taught by MOUNCE: 
wherein the graph mixture density neural network generates multiple gaussian distributions, 
and a gaussian distribution comprises at least a respective mixing coefficient.  
MOUNCE discloses a general normal distributions mixture model from which a confidence interval for the predicted value is computed (Page 3, Right col. Lines 48-53, “An 85% confidence interval for the predicted value is computed from the mixture model, which is a linear combination of component densities (general normal distributions) and this is used in conjunction with the observed data to form a residual that is analyzed by a FIS classification module”, wherein Gaussian distributions are also known as normal distributions), and
Various parameters of the mixture model including mixing coefficients that are governed by the output of the neural network (Page 3, right col. Lines 18-20 “…Various parameters of the mixture models (mixing coefficients, means, and variances) are governed by the outputs of the neural network which takes xt as its input”).
 Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Choudhury and Aaron to include the concept of mixing coefficient in Gaussian distributions as disclosed by MOUNCE and be motivated in doing so in order to accurately estimate abnormal flow magnitude which will aid ranking of the alerts in the system-MOUNCE abstract in part. 

  

Regarding claim 20, Choudhury in view of Aaron discloses the system of claim 19.
However, Choudhury in view of Aaron does not explicitly disclose the following limitation taught by MOUNCE: 
wherein the graph mixture density neural network generates multiple gaussian distributions,
 each with a respective mixing coefficient.
MOUNCE discloses a general normal distributions mixture model from which a confidence interval for the predicted value is computed (Page 3, Right col. Lines 48-53, “An 85% confidence interval for the predicted value is computed from the mixture model, which is a linear combination of component densities (general normal distributions) and this is used in conjunction with the observed data to form a residual that is analyzed by a FIS classification module”, wherein Gaussian distributions are also known as normal distributions) and
Various parameters of the mixture model including mixing coefficients that are governed by the output of the neural network (Page 3, right col. Lines 18-20 “…Various parameters of the mixture models (mixing coefficients, means, and variances) are governed by the outputs of the neural network which takes xt as its input”).
 Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Choudhury and Aaron to include the concept of mixing coefficient in Gaussian distributions as disclosed by MOUNCE and be motivated in doing so in order to accurately estimate abnormal flow magnitude which will aid ranking of the alerts in the system-MOUNCE abstract in part. 

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub. No. 20180103052 to Choudhury et al. (hereinafter Choudhury) in view of NPL “Deep Learning for Unsupervised Insider Threat Detection in Structured Cybersecurity Data Streams” to Aaron Tuor et al. (hereinafter Aaron) and further in view of U.S. PGPub. No. 20200089953 to Newcombe et al. (hereinafter Newcombe).

Regarding claim 8, Choudhury in view of Aaron discloses the method of claim 1. Choudhury further discloses further comprising: 
capturing additional network activity data (“we may first aggregate information such as all machine-to-machine communication for a given IP address, and then aggregate activities (discovered from the communication sequence) across multiple workstations or devices to infer behavioral signatures for a single user account”, ¶0013, wherein aggregating activities across multiple devices or work stations is an additional network activity that is being captured.); 
updating the graph representing network activity to include a capture the additional network activity data.  
	However, Choudhury in view of Aaron does not explicitly disclose the following limitation taught by Newcombe: 
updating the graph representing the network activity to include a captured additional network activity data.
Newcombe discloses an updating module of a system that can update both baseline map data and event graph (“updating module 212 of system 200 and/or server 306 may update baseline map data 256 based on the mapping deltas, and may update event graph 260 based on the object deltas”, ¶0066)
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of Choudhury and Aaron to include updating of event graph as disclosed by Newcombe and be motivated in doing so in order to provide an immersive experience for far end users without completely replacing the user’s view of their real-world environment-Newcombe ¶0001. 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure, US 20080109730 A1.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUDASIRU K OLAEGBE whose telephone number is (571)272-2082. The examiner can normally be reached MON-FRI. 7.30AM-5.30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 5712723739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MUDASIRU K OLAEGBE/Examiner, Art Unit 2495

/MAUNG T LWIN/Primary Examiner, Art Unit 2495