DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This communication is in response to the application filed on 01/07/2021. Claims 1-20 are currently pending.
Suggestions on how to overcome any objection(s) and rejection(s) raised in this office action are found at the end of such sections. 

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 04/07/2021 was filed before the mailing date of the office action on 09/10/2022.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-2, 4, 7-9, 11, 14-15, 17, and 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by U.S. PGPub. No. 20180367548 to STOKES et al. (hereinafter STOKES).

Regarding claim 1, STOKES discloses a system for detecting and remediating computing system breaches using computing network traffic monitoring (abstract “tracking malicious lateral movement across a computer network”), the system comprising: 
a memory device with computer-readable program code stored thereon (“the form of program code (i.e., instructions) embodied in tangible media, such as floppy diskettes, CD-ROMs, hard drives”, ¶0087); 
a communication device (“the computing device”, ¶0008); 
and a processing device operatively coupled to the memory device and the communication device, wherein the processing device is configured to execute the computer-readable program code to (“Computer-executable instructions, such as program modules, being executed by a computer may be used…”, ¶0081): 
detect a topology of one or more computing systems in a network (“One technique to access files on a remote computer is to first map the file's drive or directory on the remote computer”, ¶0018, wherein mapping is equated to topology of the computing system), the one or more computing systems comprising an origin computing system and a destination computing system (“if there is an edge e from node v to node v′, v is referred to as the source node and v′ is referred to as the destination node”, ¶0027); 
retrieve one or more historical network traffic logs from the one or more computing systems in the network (“Large-scale event logs collected from operational networks may be analyzed as described further herein”, ¶0020); 
based on the one or more historical network traffic logs, detect one or more data transfers between the origin computing system and the destination computing system (“assign a weight to each directed edge, w(v,v′), calculated as the rate of connection from v to v′ over an X-day history of data…”, ¶0044); 
generate a ranked list of likelihood scores for each of the one or more data transfers, wherein the likelihood scores reflect a likelihood of lateral movement of a vector from the origin computing system to the destination computing system through the one or more data transfers (“…The highest ranked paths, with the lowest score, are the most rare and are more likely to correspond to malicious lateral movement”, ¶0047); 
and based on the ranked list of likelihood scores, automatically implement one or more remediation steps associated with the vector (“…based on the path-rate score 176, using inbound and/or outbound paths, to identify malicious computers and/or user accounts. At 270, the identified malicious computers and/or user accounts may be shut down (i.e., disabled)”, ¶0061, FIG.2).  

Regarding claim 2, STOKES discloses the system according to claim 1, wherein the one or more historical network traffic logs comprises an origin network traffic log stored on the origin computing system and a destination network traffic log stored on the destination computing system (“Periodically, (e.g., hourly, daily, etc.), the source and destination computers and user accounts are collected from the Kerberos Service Ticket Request event logs. Each Kerberos record represents an edge in the graph, with a source node, a destination node, and a timestamp indicating when this connection occurred”, ¶0038, wherein the traffic logs stored in the source and destination computers are recorded Kerberos records), 
wherein detecting the one or more data transfers between the origin computing system and the destination computing system comprises: 
identifying, from the origin network traffic log, one or more outgoing data transfers from the origin computing system to the destination computing system (“…In addition, e is the outbound edge for v and is the inbound edge for v′. A path is a sequence of edges which connects a sequence of nodes, e.g., v1, e1, v2, e2 , . . . eK, vK+1”, ¶0027, wherein  the outbound represent the outgoing data transfers from the source computer to destination computer); 
and matching, using the destination network traffic log, the one or more outgoing data transfers with one or more incoming data transfers from the origin computing system to the destination computing system (“and then construct the overall malicious graph by joining these subpaths together based on a match of the source node, destination node, and timestamp”, ¶0039), and (“ranking is performed based on the path-rate score 176, using inbound and/or outbound paths, to identify malicious computers and/or user accounts”, ¶0061, wherein the outbound paths represent data leaving the source and the inbound paths represent the data going to the destination).  
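The matching step relied on for claim 2 (outgoing transfers taken from the origin's own log, then confirmed against the destination's log on source node, destination node and timestamp) is illustrated by the following added example. It is not code from the application under examination or from STOKES; the key=value log format, both logs and the 30-second clock-skew tolerance are constructed assumptions of this example.

```python
"""Added example (not code from the application under examination or from STOKES):
match an origin host's outgoing connection records against a destination host's
inbound records on (source, destination, timestamp), as the claim 2 matching step
recites. The 'key=value' log format, both logs and the 30-second clock-skew
tolerance are constructed assumptions of this example."""
from datetime import datetime, timedelta

# Constructed origin log (kept on WS05) and destination log (kept on WS03).
ORIGIN_LOG_LINES = [
    "ts=2021-01-07T13:00:02 src=WS05 dst=WS03 user=u_ws05",
    "ts=2021-01-07T13:05:40 src=WS05 dst=FS01 user=u_ws05",
    "ts=2021-01-07T13:20:11 src=WS05 dst=WS03 user=u_ws05",
]
DESTINATION_LOG_LINES = [
    "ts=2021-01-07T12:58:00 src=WS02 dst=WS03 user=u_ws02",
    "ts=2021-01-07T13:00:09 src=WS05 dst=WS03 user=u_ws05",  # 7 s of clock skew vs. origin
    # no inbound record exists for the 13:20:11 transfer the origin log claims
]


def parse_log(lines):
    """Parse 'ts=<ISO-8601> src=<host> dst=<host> user=<account>' records."""
    records = []
    for line in lines:
        fields = dict(token.split("=", 1) for token in line.split())
        records.append({"ts": datetime.fromisoformat(fields["ts"]),
                        "src": fields["src"], "dst": fields["dst"], "user": fields["user"]})
    return records


def outgoing_transfers(origin_log, origin, destination):
    """Step 1: outgoing transfers origin -> destination, taken from the origin's own log."""
    return [r for r in origin_log if r["src"] == origin and r["dst"] == destination]


def match_transfers(outgoing, destination_log, skew=timedelta(seconds=30)):
    """Step 2: pair each outgoing record with the nearest unused inbound record on the
    destination log for the same (src, dst) within the skew tolerance.
    Returns (matched pairs, outgoing records the destination never logged)."""
    unused = list(destination_log)
    matched, unmatched = [], []
    for out in sorted(outgoing, key=lambda r: r["ts"]):
        best = None
        for inc in unused:
            same_edge = inc["src"] == out["src"] and inc["dst"] == out["dst"]
            if same_edge and abs(inc["ts"] - out["ts"]) <= skew:
                if best is None or abs(inc["ts"] - out["ts"]) < abs(best["ts"] - out["ts"]):
                    best = inc
        if best is None:
            unmatched.append(out)
        else:
            unused.remove(best)
            matched.append((out, best))
    return matched, unmatched


def detect_transfers(origin_lines, destination_lines, origin, destination):
    """Claim 2 as a whole: the confirmed transfers plus the one-sided ones, which deserve
    their own alert (spoofed source, cleared destination log, or a dropped event)."""
    outgoing = outgoing_transfers(parse_log(origin_lines), origin, destination)
    matched, unmatched = match_transfers(outgoing, parse_log(destination_lines))
    return {"confirmed": [(o["ts"].isoformat(), i["ts"].isoformat()) for o, i in matched],
            "unconfirmed": [o["ts"].isoformat() for o in unmatched]}


if __name__ == "__main__":
    print(detect_transfers(ORIGIN_LOG_LINES, DESTINATION_LOG_LINES, "WS05", "WS03"))
```

The skew tolerance is the practical caveat: hosts are never perfectly synchronised, so an exact timestamp join silently drops real transfers, while an unbounded join lets an attacker's forged outbound record pair with any older inbound one. An outgoing record with no counterpart on the destination is itself a finding, not noise.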

Regarding claim 4, STOKES discloses the system according to claim 1, wherein the computer-readable program code, when executed by the processing device, further causes the processing device to (¶0087),
generate a graph database based on the topology of the one or more computing systems in the network (“In an implementation, each of the Kerberos Service Ticket Request events indicates a computer-to-computer connection or a user account-to-computer connection. These connections can be used to generate a graph 173 that shows the connections between the various nodes (e.g., the accounts and computers and their connections and relationships)”, ¶0037, wherein the connections represent the topology of the network), 
wherein the graph database comprises a first node representing the origin computing system (“the source node”, ¶0027) and a second node representing the destination computing system (“the destination node”, ¶0027), wherein the first node is linked to the second node by a relationship comprising the one or more data transfers between the origin computing system and the destination computing system (“e is the outbound edge for v and is the inbound edge for v′. A path is a sequence of edges which connects a sequence of nodes, e.g., v1, e1, v2, e2 , . . . eK, vK+1”, ¶0027) and (“Distributed computing environments may be used where tasks are performed by remote processing devices that are linked through a communications network or other data transmission medium”, ¶0081).  


Regarding claim 7, STOKES discloses the system according to claim 1, wherein the one or more remediation steps comprises at least one of applying software updates, implementing a network segmentation scheme, and performing a system wipe (“At 270, the identified malicious computers and/or user accounts may be shut down (i.e., disabled)”, ¶0061, FIG.2, step 270, wherein the shutting down of the identified malicious computers is a form of network segmentation).  

Regarding claim 8, STOKES discloses a computer program product for detecting and remediating computing system breaches using computing network traffic monitoring, the computer program product comprising at least one non-transitory computer readable medium having computer-readable program code portions embodied therein, the computer-readable program code portions comprising executable code portions for (¶0087): 
detecting a topology of one or more computing systems in a network (“One technique to access files on a remote computer is to first map the file's drive or directory on the remote computer”, ¶0018, wherein mapping is equated to topology of the computing system), the one or more computing systems comprising an origin computing system and a destination computing system (“if there is an edge e from node v to node v′, v is referred to as the source node and v′ is referred to as the destination node”, ¶0027);  
retrieving one or more historical network traffic logs from the one or more computing systems in the network (“Large-scale event logs collected from operational networks may be analyzed as described further herein”, ¶0020); 
based on the one or more historical network traffic logs, detecting one or more data transfers between the origin computing system and the destination computing system (“assign a weight to each directed edge, w(v,v′), calculated as the rate of connection from v to v′ over an X-day history of data…”, ¶0044); 
generating a ranked list of likelihood scores for each of the one or more data transfers, wherein the likelihood scores reflect a likelihood of lateral movement of a vector from the origin computing system to the destination computing system through the one or more data transfers (“…The highest ranked paths, with the lowest score, are the most rare and are more likely to correspond to malicious lateral movement”, ¶0047); and 
based on the ranked list of likelihood scores, automatically implementing one or more remediation steps associated with the vector (“…based on the path-rate score 176, using inbound and/or outbound paths, to identify malicious computers and/or user accounts. At 270, the identified malicious computers and/or user accounts may be shut down (i.e., disabled)”, ¶0061, FIG.2).  


Regarding claim 9, STOKES discloses the computer program product according to claim 8, wherein the one or more historical network traffic logs comprises an origin network traffic log stored on the origin computing system and a destination network traffic log stored on the destination computing system (“Periodically, (e.g., hourly, daily, etc.), the source and destination computers and user accounts are collected from the Kerberos Service Ticket Request event logs. Each Kerberos record represents an edge in the graph, with a source node, a destination node, and a timestamp indicating when this connection occurred”, ¶0038, wherein the traffic logs stored in the source and destination computers are recorded Kerberos records), 
wherein detecting the one or more data transfers between the origin computing system and the destination computing system comprises: 
	identifying, from the origin network traffic log, one or more outgoing data transfers from the origin computing system to the destination computing system (“…In addition, e is the outbound edge for v and is the inbound edge for v′. A path is a sequence of edges which connects a sequence of nodes, e.g., v1, e1, v2, e2 , . . . eK, vK+1”, ¶0027, wherein  the outbound represent the outgoing data transfers from the source computer to destination computer); 
and matching, using the destination network traffic log, the one or more outgoing data transfers with one or more incoming data transfers from the origin computing system to the destination computing system (“and then construct the overall malicious graph by joining these subpaths together based on a match of the source node, destination node, and timestamp”, ¶0039), and (“ranking is performed based on the path-rate score 176, using inbound and/or outbound paths, to identify malicious computers and/or user accounts”, ¶0061, wherein the outbound paths represent data leaving the source and the inbound paths represent the data going to the destination).  

Regarding claim 11, STOKES discloses the computer program product according to claim 8, wherein the computer-readable program code portions further comprise executable code portions (¶0087), 
for generating a graph database based on the topology of the one or more computing systems in the network (“In an implementation, each of the Kerberos Service Ticket Request events indicates a computer-to-computer connection or a user account-to-computer connection. These connections can be used to generate a graph 173 that shows the connections between the various nodes (e.g., the accounts and computers and their connections and relationships)”, ¶0037, wherein the connections represent the topology of the network),
 wherein the graph database comprises a first node representing the origin computing system (“the source node”, ¶0027) and a second node representing the destination computing system (“the destination node”, ¶0027), wherein the first node is linked to the second node by a relationship comprising the one or more data transfers between the origin computing system and the destination computing system (“e is the outbound edge for v and is the inbound edge for v′. A path is a sequence of edges which connects a sequence of nodes, e.g., v1, e1, v2, e2 , . . . eK, vK+1”, ¶0027) and (“Distributed computing environments may be used where tasks are performed by remote processing devices that are linked through a communications network or other data transmission medium”, ¶0081).   

Regarding claim 14, STOKES discloses a computer-implemented method for detecting and remediating computing system breaches using computing network traffic monitoring, wherein the computer-implemented method comprises (FIG. 7 shows an exemplary computing environment in which example embodiments and aspects may be implemented, ¶0017, FIG.7): 
detecting a topology of one or more computing systems in a network (“One technique to access files on a remote computer is to first map the file's drive or directory on the remote computer”, ¶0018, wherein mapping is equated to topology of the computing system), the one or more computing systems comprising an origin computing system and a destination computing system (“if there is an edge e from node v to node v′, v is referred to as the source node and v′ is referred to as the destination node”, ¶0027); 
retrieving one or more historical network traffic logs from the one or more computing systems in the network (“Large-scale event logs collected from operational networks may be analyzed as described further herein”, ¶0020);  
based on the one or more historical network traffic logs, detecting one or more data transfers between the origin computing system and the destination computing system (“assign a weight to each directed edge, w(v,v′), calculated as the rate of connection from v to v′ over an X-day history of data…”, ¶0044); 
 
generating a ranked list of likelihood scores for each of the one or more data transfers, wherein the likelihood scores reflect a likelihood of lateral movement of a vector from the origin computing system to the destination computing system through the one or more data transfers (“…The highest ranked paths, with the lowest score, are the most rare and are more likely to correspond to malicious lateral movement”, ¶0047); and 
based on the ranked list of likelihood scores, automatically implementing one or more remediation steps associated with the vector (“…based on the path-rate score 176, using inbound and/or outbound paths, to identify malicious computers and/or user accounts. At 270, the identified malicious computers and/or user accounts may be shut down (i.e., disabled)”, ¶0061, FIG.2).  
 
Regarding claim 15, STOKES discloses the computer-implemented method according to claim 14, wherein the one or more historical network traffic logs comprises an origin network traffic log stored on the origin computing system and a destination network traffic log stored on the destination computing system (“Periodically, (e.g., hourly, daily, etc.), the source and destination computers and user accounts are collected from the Kerberos Service Ticket Request event logs. Each Kerberos record represents an edge in the graph, with a source node, a destination node, and a timestamp indicating when this connection occurred”, ¶0038, wherein the traffic logs stored in the source and destination computers are recorded Kerberos records), 
wherein detecting the one or more data transfers between the origin computing system and the destination computing system comprises:
 	identifying, from the origin network traffic log, one or more outgoing data transfers from the origin computing system to the destination computing system (“…In addition, e is the outbound edge for v and is the inbound edge for v′. A path is a sequence of edges which connects a sequence of nodes, e.g., v1, e1, v2, e2 , . . . eK, vK+1”, ¶0027, wherein  the outbound represent the outgoing data transfers from the source computer to destination computer);  
and matching, using the destination network traffic log, the one or more outgoing data transfers with one or more incoming data transfers from the origin computing system to the destination computing system (“and then construct the overall malicious graph by joining these subpaths together based on a match of the source node, destination node, and timestamp”, ¶0039), and (“ranking is performed based on the path-rate score 176, using inbound and/or outbound paths, to identify malicious computers and/or user accounts”, ¶0061, wherein the outbound paths represent data leaving the source and the inbound paths represent the data going to the destination).  

Regarding claim 17, STOKES discloses the computer-implemented method according to claim 14, wherein the computer-implemented method further comprises (¶0087),
 generating a graph database based on the topology of the one or more computing systems in the network (“In an implementation, each of the Kerberos Service Ticket Request events indicates a computer-to-computer connection or a user account-to-computer connection. These connections can be used to generate a graph 173 that shows the connections between the various nodes (e.g., the accounts and computers and their connections and relationships)”, ¶0037, wherein the connections represent the topology of the network),
wherein the graph database comprises a first node representing the origin computing system (“the source node”, ¶0027) and a second node representing the destination computing system (“the destination node”, ¶0027), wherein the first node is linked to the second node by a relationship comprising the one or more data transfers between the origin computing system and the destination computing system (“e is the outbound edge for v and is the inbound edge for v′. A path is a sequence of edges which connects a sequence of nodes, e.g., v1, e1, v2, e2 , . . . eK, vK+1”, ¶0027) and (“Distributed computing environments may be used where tasks are performed by remote processing devices that are linked through a communications network or other data transmission medium”, ¶0081).     

Regarding claim 20, STOKES discloses the computer-implemented method according to claim 14, wherein the one or more remediation steps comprises at least one of applying software updates, implementing a network segmentation scheme, and performing a system wipe (“At 270, the identified malicious computers and/or user accounts may be shut down (i.e., disabled)”, ¶0061, FIG.2, step 270, wherein the shutting down of the identified malicious computers is a form of network segmentation).  

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 5-6, 12-13, and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub. No. 20180367548 to STOKES et al. (hereinafter STOKES) in view of U.S. PGPub. No. 20220159033 to Mizrahi et al. (hereinafter Mizrahi).

Regarding claim 5, STOKES discloses the system according to claim 1, wherein generating the ranked list of likelihood scores comprises (“ranking is performed based on the path-rate score 176, using inbound and/or outbound paths, to identify malicious computers and/or user accounts”, ¶0061): 
identifying one or more parameters associated with the one or more data transfers between the origin computing system and the destination computing system (“Input parameters may include: K (the number of hops in suspicious paths); X (the number of days which are analyzed to generate the path-rate score); T (the time constraint for filtering improbable lateral movement connections); F (the node indegree and outdegree threshold used to filter out computers with a large number of connections); and D (the path-rate score threshold for automatic disabling)”, ¶0040).
However, STOKES does not explicitly disclose the following limitation:
and computing increases or decreases to the likelihood scores based on the one or more parameters.  
	Mizrahi discloses allocating a coefficient that increases or decreases the relative weight of an attack chain in calculating the rank of the attack vector, i.e., increasing or decreasing the likelihood score (“one or more particular Attack Chains, may be allocated by the system a particular coefficient that increases (or decreases) their relative weight in the calculation of the Rank of the Attack Vector, due to one or more pre-defined conditions that hold true or due to one or more other triggering events, or due to an ad hoc request or command from a security team to allocated an increased (or decreased) weight to an Attack Chain that includes (or that excludes) a particular vulnerability or characteristic”, ¶0063).
	Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the system of STOKES in claim 1 to include increasing or decreasing the likelihood score of an attack vector in the network as disclosed by Mizrahi, and would have been motivated to do so in order to prioritize the dynamically-verified attack vectors and the threat mitigation resources (Mizrahi, abstract).
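The path-rate ranking relied on for claim 1 (STOKES ¶0044-¶0047: per-edge connection rates over an X-day history, the rarest paths ranked first, automatic disabling) and the parameter-driven adjustment relied on here for claim 5 (the STOKES ¶0040 parameters K, X, T, F and D, plus the Mizrahi ¶0063 coefficient that raises or lowers a path's weight) are illustrated together by the following added example. It is not code from STOKES, Mizrahi or the application under examination. The formula used for the path-rate score (the product of the per-edge rates along a path), the Kerberos-style sample records and the coefficient values are assumptions of the example; STOKES names the score but this page does not give its formula.

```python
"""Added example, not code from STOKES, Mizrahi or the application under examination.
Ranks K-hop connection paths by rarity over constructed Kerberos-style service-ticket
records using the STOKES parameters K, X, T, F and D, then applies a per-node
coefficient that raises or lowers a path's score (the Mizrahi-style adjustment).
Assumptions: the path-rate score is the product of per-edge connection rates; the
sample records and coefficient values are illustrative."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed seven-day history: (source computer, destination computer, user account, timestamp).
BASE = datetime(2021, 1, 1)
RECORDS = []
for day in range(7):
    for ws in ("WS01", "WS02", "WS03", "WS04", "WS05"):
        RECORDS.append((ws, "FS01", "u_" + ws.lower(), BASE + timedelta(days=day, hours=9)))
    RECORDS.append(("WS02", "WS03", "u_ws02", BASE + timedelta(days=day, hours=10)))
# Day 6 only: a never-before-seen two-hop chain WS05 -> WS03 -> ADMIN01, 20 minutes apart.
RECORDS.append(("WS05", "WS03", "u_ws05", BASE + timedelta(days=6, hours=13)))
RECORDS.append(("WS03", "ADMIN01", "u_ws05", BASE + timedelta(days=6, hours=13, minutes=20)))


def edge_rates(records, x_days):
    """w(v, v') = number of v -> v' connections in the X-day history, divided by X."""
    counts = defaultdict(int)
    for src, dst, _, _ in records:
        counts[(src, dst)] += 1
    return {edge: n / x_days for edge, n in counts.items()}


def hub_nodes(rates, f):
    """Nodes whose in-degree or out-degree exceeds F (file servers, DCs): filtered out (parameter F)."""
    indeg, outdeg = defaultdict(int), defaultdict(int)
    for src, dst in rates:
        outdeg[src] += 1
        indeg[dst] += 1
    return {n for n in set(indeg) | set(outdeg) if indeg[n] > f or outdeg[n] > f}


def candidate_paths(records, k, t_hours, hubs, window_start):
    """All K-hop paths in the analysis window whose hops are time-ordered and at most T apart."""
    recent = [r for r in records
              if r[3] >= window_start and r[0] not in hubs and r[1] not in hubs]
    by_src = defaultdict(list)
    for r in recent:
        by_src[r[0]].append(r)
    paths = []

    def extend(path):
        if len(path) == k:
            paths.append(tuple(path))
            return
        last = path[-1]
        visited = {hop[0] for hop in path}
        for nxt in by_src[last[1]]:
            gap = nxt[3] - last[3]
            if timedelta(0) <= gap <= timedelta(hours=t_hours) and nxt[1] not in visited:
                extend(path + [nxt])

    for r in recent:
        extend([r])
    return paths


def path_rate_score(path, rates):
    """Assumed score: product of per-edge rates; a rarer path scores lower."""
    score = 1.0
    for src, dst, _, _ in path:
        score *= rates[(src, dst)]
    return score


def rank_paths(records, k=2, x_days=7, t_hours=4, f=4, window_start=None):
    """Return [(score, path)] sorted ascending: the lowest score is the rarest path."""
    rates = edge_rates(records, x_days)
    hubs = hub_nodes(rates, f)
    if window_start is None:
        window_start = max(r[3] for r in records) - timedelta(days=1)
    scored = [(path_rate_score(p, rates), p)
              for p in candidate_paths(records, k, t_hours, hubs, window_start)]
    return sorted(scored, key=lambda s: s[0])


def apply_coefficients(ranked, node_coeff):
    """Mizrahi-style adjustment: scale a path's score by the coefficient of every node on it.
    A coefficient below 1 pushes the path up the ranking; above 1 pushes it down."""
    adjusted = []
    for score, path in ranked:
        for node in {n for hop in path for n in hop[:2]}:
            score *= node_coeff.get(node, 1.0)
        adjusted.append((score, path))
    return sorted(adjusted, key=lambda s: s[0])


def remediate(ranked, d):
    """Computers and accounts on any path scoring below D: the set that would be disabled."""
    computers, accounts = set(), set()
    for score, path in ranked:
        if score < d:
            for src, dst, user, _ in path:
                computers.update((src, dst))
                accounts.add(user)
    return computers, accounts


if __name__ == "__main__":
    ranked = rank_paths(RECORDS)
    for score, path in ranked:
        print(f"{score:.4f}  " + " -> ".join([path[0][0]] + [hop[1] for hop in path]))
    print("disable:", remediate(ranked, d=0.05))
    print("top path after weighting WS02 x0.1:", apply_coefficients(ranked, {"WS02": 0.1})[0][1][0][0])
```

With these constructed records the hub filter removes the file server every workstation touches daily, two time-ordered two-hop paths survive in the last day's window, and only the WS05 -> WS03 -> ADMIN01 chain (two edges never seen in the history) falls under the disabling threshold D. The coefficient step shows the effect of the claim 5 limitation: weighting WS02 by 0.1 (say, on threat-intelligence data about that host) moves the routine WS02 -> WS03 -> ADMIN01 path above the rarer chain, so the parameter changes the ranking rather than only the raw rate. The automatic-disable threshold D is the setting a practitioner should tune most carefully; a value too high disables machines on merely uncommon but legitimate paths.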


Regarding claim 6, STOKES in view of Mizrahi discloses the system according to claim 5.
Mizrahi further discloses wherein the one or more parameters comprises at least one of vector intelligence data, data transfer type, and operating system version (“for example, data indicating that the laptop computer of the first user is of a particular make and model, and runs a particular type and version and build of Operating System”, ¶0015).  

Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the system of STOKES and Mizrahi in claim 5 to include the version of the operating system as disclosed by Mizrahi, and would have been motivated to do so in order to determine whether the network or its devices are exposed to a “pass the Hash” attack technique (Mizrahi ¶0079, in part).

	Regarding claim 12, STOKES discloses the computer program product according to claim 8, wherein generating the ranked list of likelihood scores comprises (“ranking is performed based on the path-rate score 176, using inbound and/or outbound paths, to identify malicious computers and/or user accounts”, ¶0061): 
identifying one or more parameters associated with the one or more data transfers between the origin computing system and the destination computing system (“Input parameters may include: K (the number of hops in suspicious paths); X (the number of days which are analyzed to generate the path-rate score); T (the time constraint for filtering improbable lateral movement connections); F (the node indegree and outdegree threshold used to filter out computers with a large number of connections); and D (the path-rate score threshold for automatic disabling)”, ¶0040).
However, STOKES does not explicitly disclose the following limitation:
and computing increases or decreases to the likelihood scores based on the one or more parameters.  
	Mizrahi discloses allocating a coefficient that increases or decreases the relative weight of an attack chain in calculating the rank of the attack vector, i.e., increasing or decreasing the likelihood score (“one or more particular Attack Chains, may be allocated by the system a particular coefficient that increases (or decreases) their relative weight in the calculation of the Rank of the Attack Vector, due to one or more pre-defined conditions that hold true or due to one or more other triggering events, or due to an ad hoc request or command from a security team to allocated an increased (or decreased) weight to an Attack Chain that includes (or that excludes) a particular vulnerability or characteristic”, ¶0063).
	Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the system of STOKES in claim 8 to include increasing or decreasing the likelihood score of an attack vector in the network as disclosed by Mizrahi, and would have been motivated to do so in order to prioritize the dynamically-verified attack vectors and the threat mitigation resources (Mizrahi, abstract).
 
Regarding claim 13, STOKES in view of Mizrahi discloses the computer program product according to claim 12.
Mizrahi further discloses wherein the one or more parameters comprises at least one of vector intelligence data, data transfer type, and operating system version (“for example, data indicating that the laptop computer of the first user is of a particular make and model, and runs a particular type and version and build of Operating System”, ¶0015).  

Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the system of STOKES and Mizrahi in claim 12 to include the version of the operating system as disclosed by Mizrahi, and would have been motivated to do so in order to determine whether the network or its devices are exposed to a “pass the Hash” attack technique (Mizrahi ¶0079, in part).

Regarding claim 18, STOKES discloses the computer-implemented method according to claim 14, wherein generating the ranked list of likelihood scores comprises (“ranking is performed based on the path-rate score 176, using inbound and/or outbound paths, to identify malicious computers and/or user accounts”, ¶0061): 
identifying one or more parameters associated with the one or more data transfers between the origin computing system and the destination computing system (“Input parameters may include: K (the number of hops in suspicious paths); X (the number of days which are analyzed to generate the path-rate score); T (the time constraint for filtering improbable lateral movement connections); F (the node indegree and outdegree threshold used to filter out computers with a large number of connections); and D (the path-rate score threshold for automatic disabling)”, ¶0040).
However, STOKES does not explicitly disclose the following limitation:
and computing increases or decreases to the likelihood scores based on the one or more parameters.  
	Mizrahi discloses allocating a coefficient that increases or decreases the relative weight of an attack chain in calculating the rank of the attack vector, i.e., increasing or decreasing the likelihood score (“one or more particular Attack Chains, may be allocated by the system a particular coefficient that increases (or decreases) their relative weight in the calculation of the Rank of the Attack Vector, due to one or more pre-defined conditions that hold true or due to one or more other triggering events, or due to an ad hoc request or command from a security team to allocated an increased (or decreased) weight to an Attack Chain that includes (or that excludes) a particular vulnerability or characteristic”, ¶0063).
	Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of STOKES in claim 14 to include increasing or decreasing the likelihood score of an attack vector in the network as disclosed by Mizrahi, and would have been motivated to do so in order to prioritize the dynamically-verified attack vectors and the threat mitigation resources (Mizrahi, abstract).
 

Regarding claim 19, STOKES in view of Mizrahi discloses the computer-implemented method according to claim 18.
Mizrahi further discloses wherein the one or more parameters comprises at least one of vector intelligence data, data transfer type, and operating system version (“for example, data indicating that the laptop computer of the first user is of a particular make and model, and runs a particular type and version and build of Operating System”, ¶0015).  

Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of STOKES and Mizrahi in claim 18 to include the version of the operating system as disclosed by Mizrahi, and would have been motivated to do so in order to determine whether the network or its devices are exposed to a “pass the Hash” attack technique (Mizrahi ¶0079, in part).

Claims 3, 10, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub. No. 20180367548 to STOKES et al. (hereinafter STOKES) in view of U.S. Pat. No. 10375101 to Berger et al. (hereinafter Berger).

Regarding claim 3, STOKES discloses the system according to claim 2.
	However, STOKES does not explicitly disclose the following limitation:
wherein detecting the one or more data transfers between the origin computing system and the destination computing system further comprises: 
generating a computed hash of the origin network traffic log using a hash algorithm; 
retrieving a validation hash associated with the origin network traffic log from an integrity validation data store hosted on a distributed server network; 
and executing a validation check of the origin network traffic log by comparing the computed hash of the origin network traffic log with the validation hash associated with the origin network traffic log.  
Berger discloses calculating hashes of the files found in RPM packages and storing them in a database (“The Measurement Collector 307 (a version of the measurement collector 207) retrieves the RPM packages and calculates measurements (e.g., hashes) of the files the collector finds in those packages. It stores information about the packages, such as version information, the processor platform for which the package contains software, along with the file measurements in the Global Software Measurement Database 316 (a version of the Global SW management database 216)”, ¶0039; the examiner equates this to generating a computed hash of the origin network traffic log).
Berger discloses comparing the received values of the hashes with the values of hashes in one or more databases (“receiving one or more values for hashes from one or more of the target computer systems. Correlating further comprises: comparing the received one or more values of the hashes with values of hashes in one or more databases”, ¶0111; the validation hash). 
Berger discloses deducing malicious activity if the received hashes do not correspond to the hashes in the database (“deducing a malicious activity has occurred in response to the received one or more values of the hashes not corresponding to values of hashes in the one or more databases”, ¶0111; executing a validation check).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the system of STOKES to include generating hashes of the origin network traffic log and executing a validation check by comparing the computed hashes with the hashes stored in the database, as disclosed by Berger, and would have been motivated to do so in order to analyze the behavior of the system independently and compare it against a baseline pattern (Berger ¶0013).

Regarding claim 10, STOKES discloses the computer program product according to claim 9. 
However, STOKES does not explicitly disclose the following limitation:
wherein detecting the one or more data transfers between the origin computing system and the destination computing system further comprises: 
generating a computed hash of the origin network traffic log using a hash algorithm; 
retrieving a validation hash associated with the origin network traffic log from an integrity validation data store hosted on a distributed server network; 
and executing a validation check of the origin network traffic log by comparing the computed hash of the origin network traffic log with the validation hash associated with the origin network traffic log.  
Berger discloses calculating hashes of files found in RPM packages and storing them in a database (“The Measurement Collector 307 (a version of the measurement collector 207) retrieves the RPM packages and calculates measurements (e.g., hashes) of the files the collector finds in those packages. It stores information about the packages, such as version information, the processor platform for which the package contains software, along with the file measurements in the Global Software Measurement Database 316 (a version of the Global SW management database 216)”, ¶0039; the examiner equates this to generating a computed hash of the origin network traffic log).
Berger discloses comparing the received one or more values of the hashes with the values of hashes in one or more databases (“receiving one or more values for hashes from one or more of the target computer systems. Correlating further comprises: comparing the received one or more values of the hashes with values of hashes in one or more databases”, ¶0111; validation).
Berger discloses deducing malicious activity if the received hashes do not correlate to the hashes in the database (“deducing a malicious activity has occurred in response to the received one or more values of the hashes not corresponding to values of hashes in the one or more databases”, ¶0111; executing a validation check).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the system of STOKES to include generating hashes of a streaming file and executing a validation check on the hashes by comparing the received hashes to the hashes stored in the database, as disclosed by Berger, and would have been motivated to do so in order to analyze the behavior of the system independently and compare it against the baseline pattern - Berger ¶001

Regarding claim 16, STOKES discloses the computer-implemented method according to claim 15. 
However, STOKES does not explicitly disclose the following limitation:
wherein detecting the one or more data transfers between the origin computing system and the destination computing system further comprises: 
generating a computed hash of the origin network traffic log using a hash algorithm; 
retrieving a validation hash associated with the origin network traffic log from an integrity validation data store hosted on a distributed server network; 
and executing a validation check of the origin network traffic log by comparing the computed hash of the origin network traffic log with the validation hash associated with the origin network traffic log.  
Berger discloses calculating hashes of files found in RPM packages and storing them in a database (“The Measurement Collector 307 (a version of the measurement collector 207) retrieves the RPM packages and calculates measurements (e.g., hashes) of the files the collector finds in those packages. It stores information about the packages, such as version information, the processor platform for which the package contains software, along with the file measurements in the Global Software Measurement Database 316 (a version of the Global SW management database 216)”, ¶0039; the examiner equates this to generating a computed hash of the origin network traffic log).
Berger discloses comparing the received one or more values of the hashes with the values of hashes in one or more databases (“receiving one or more values for hashes from one or more of the target computer systems. Correlating further comprises: comparing the received one or more values of the hashes with values of hashes in one or more databases”, ¶0111; validation).
Berger discloses deducing malicious activity if the received hashes do not correlate to the hashes in the database (“deducing a malicious activity has occurred in response to the received one or more values of the hashes not corresponding to values of hashes in the one or more databases”, ¶0111; executing a validation check).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the system of STOKES to include generating hashes of a streaming file and executing a validation check on the hashes by comparing the received hashes to the hashes stored in the database, as disclosed by Berger, and would have been motivated to do so in order to analyze the behavior of the system independently and compare it against the baseline pattern (Berger ¶0013).
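The limitation recited for claims 3, 10 and 16 (compute a hash of the origin network traffic log, retrieve the matching validation hash from an integrity validation data store, and compare the two) is illustrated below as runnable code. This is an added example, not code from the application, STOKES or Berger; the log lines, the log identifiers and the in-memory stand-in for the distributed integrity store are constructed assumptions. It also shows the failure modes a practitioner cares about: a log altered after its hash was recorded, a truncated log, and a log with no recorded baseline.

```python
"""Log-integrity validation check: hash the origin traffic log, fetch its
validation hash from an integrity store, and compare (example only)."""
import hashlib
import hmac
from typing import Dict, Optional

# Constructed sample log: the kind of lines an origin host's traffic monitor
# might emit (assumed format, not from the application or the cited art).
ORIGIN_LOG = (
    "2021-01-07T10:00:01Z src=10.0.0.5 dst=10.0.0.9 proto=tcp dport=445 bytes=2048\n"
    "2021-01-07T10:00:04Z src=10.0.0.5 dst=10.0.0.9 proto=tcp dport=445 bytes=81920\n"
    "2021-01-07T10:00:09Z src=10.0.0.5 dst=10.0.0.12 proto=tcp dport=3389 bytes=512\n"
)


def compute_log_hash(log_text: str, algorithm: str = "sha256") -> str:
    """'Generating a computed hash of the origin network traffic log using a hash
    algorithm': digest the raw log bytes with the named hashlib algorithm."""
    h = hashlib.new(algorithm)
    h.update(log_text.encode("utf-8"))
    return h.hexdigest()


class IntegrityValidationStore:
    """Stand-in for the 'integrity validation data store hosted on a distributed
    server network'. A deployment would replicate this across servers so that a
    host cannot rewrite its own baseline; here it is an in-memory dict so the
    example runs offline (constructed assumption)."""

    def __init__(self) -> None:
        self._hashes: Dict[str, str] = {}

    def record(self, log_id: str, validation_hash: str) -> None:
        # Written once, at collection time, by the monitoring system.
        self._hashes[log_id] = validation_hash

    def retrieve(self, log_id: str) -> Optional[str]:
        # 'Retrieving a validation hash associated with the origin network traffic log'.
        return self._hashes.get(log_id)


def validate_log(log_id: str, log_text: str, store: IntegrityValidationStore,
                 algorithm: str = "sha256") -> bool:
    """'Executing a validation check': True only when the freshly computed hash
    equals the stored validation hash. A log with no recorded baseline cannot be
    trusted, so it fails the check rather than passing by default."""
    computed = compute_log_hash(log_text, algorithm)
    expected = store.retrieve(log_id)
    if expected is None:
        return False
    # Constant-time comparison avoids leaking how many leading hex digits match.
    return hmac.compare_digest(computed, expected)


def demo():
    """Record the baseline for the constructed log, then validate three variants.
    Returns (intact_ok, altered_ok, truncated_ok, missing_ok)."""
    store = IntegrityValidationStore()
    log_id = "host-a/2021-01-07"          # constructed identifier
    store.record(log_id, compute_log_hash(ORIGIN_LOG))

    intact_ok = validate_log(log_id, ORIGIN_LOG, store)

    # A single field changed after collection (byte count of the RDP transfer).
    altered = ORIGIN_LOG.replace("dport=3389 bytes=512", "dport=3389 bytes=0")
    altered_ok = validate_log(log_id, altered, store)

    # Last line dropped: deletion of a record is detected the same way.
    truncated = "".join(ORIGIN_LOG.splitlines(keepends=True)[:-1])
    truncated_ok = validate_log(log_id, truncated, store)

    # A log the store has never seen has no baseline to compare against.
    missing_ok = validate_log("host-b/2021-01-07", ORIGIN_LOG, store)

    return intact_ok, altered_ok, truncated_ok, missing_ok


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False, False)
```

The check detects any byte-level change to the log but says nothing about who changed it; the store's write path, not the comparison, is what keeps an attacker who controls the origin host from rewriting the baseline as well, which is why the claim places the store on a separate distributed server network.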

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: US Pat. No. 10855700.
 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUDASIRU K OLAEGBE whose telephone number is (571)272-2082. The examiner can normally be reached MON-FRI. 7.30AM-5.30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 5712723739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MUDASIRU K OLAEGBE/Examiner, Art Unit 2495

/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495