Detailed Office Action
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This office action is in response to the communication filed 9/3/2021.
claims 1-20 are pending.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 11146472. Although the claims at issue are not identical, they are not patentably distinct from each other . For example, claims 1-20 of the instant application is compared with the claims 1-20 of U.S .Patent No. 11146472 (see the table below). The comparison  reveal the claims instant application and Patented claims define essentially the same invention in different language. Thus, one of ordinary skill in the art would conclude that the invention defined in the claim at issue is an obvious variation of the invention defined in the claims in the Patented claims. Thus, examiner asserts the difference describe a subset of all possible conditions being monitored in the Patented claims . These differences are not sufficient to render the claim patentably distinct and therefore a terminal disclaimer is required.



     Instant Application 17/466-997 
 
1. A system comprising: a computing device communicatively coupled to a network, wherein the computing device sends communications via the network and receives communications from the network; a local host computing device comprising: a processor; and memory storing instructions that, when executed by the processor, cause the local host computing device to: 

monitor, in real time by a lateral movement identification tool, network communications associated with the local host computing device;



 identify, by the lateral movement identification tool, a communication between the local host computing device and the computing device, wherein the communication corresponds to a user associated with a user group; determine, by an artificial intelligence engine and based on an indication of the user group, a risk score corresponding to a probability that the communication corresponds to an unauthorized lateral movement event on the network; and trigger, based on the risk score, an alert identifying the probability that the communication between the local host computing device and the computing device corresponds to the unauthorized lateral movement event on the network.2. The system of claim 1, wherein the instructions, when executed, cause the local host computing device to: aggregate information from a plurality of network communication services and data logs, wherein the information corresponds to a plurality of network communication connections to and from the local host computing device.3. The system of claim 2, wherein the instructions, when executed cause the local host computing device to: correlate messages, in real time, with the aggregated information to actively detect an indication of lateral movement on the network.4. The system of claim 1, wherein the instructions, when executed cause triggering the alert by initiating a message being sent via a telecommunications network including an indication of the alert to a remote user computing device.5. The system of claim 1, wherein the communication between the local host computing device and the computing device comprises a file transfer.6. The system of claim 1, wherein an indication of the unauthorized lateral movement event on the network comprises a risk score corresponding to a weighted combination of risk factors and wherein the risk factors comprise one or more of a time associated with the communication between the local host computing device and the computing device and a user group corresponding to a user associated with the communication.7. A method comprising: monitoring, in real time by a lateral movement identification tool, network communications received via a network by a first host device and sent via the network by the first host device, wherein the lateral movement tool is distributed over a plurality of computing devices; identifying, by the lateral movement identification tool, a communication between the first host device and a second host device, wherein the communication corresponds to a user associated with a user group; determining, by an artificial intelligence engine and based on an indication of the user group, a probability that the communication corresponds to an unauthorized lateral movement event on the network; and triggering, based on the indication, an alert identifying the probability that the communication between the first host device and the second host device corresponds to the unauthorized lateral movement event on the network.8. The method of claim 7, wherein a portion of lateral movement identification tool is installed on the first host device.9. The method of claim 7, comprising: aggregating information from a plurality of network communication services and data logs, wherein the information corresponds to a plurality of network communication connections to and from the first host device.10. The method of claim 9 comprising, correlating messages, in real time, with the aggregated information to actively detect an indication of lateral movement on the network.11. The method of claim 8, wherein triggering the alert comprises providing an indication of the alert on a user interface device at a central location on the network.12. The method of claim 8, wherein the communication between the first host device and the second host device comprises a file transfer.13. The method of claim 8, wherein the indication that the communication between the first host device and the second host device corresponds to the unauthorized lateral movement event on the network comprises a risk score corresponding to a weighted combination of risk factors.14. One or more non-transitory computer-readable media storing instructions that, when executed by a host computing device comprising a processor, memory, and a communication interface, cause the host computing device to: monitor, in real time by a lateral movement identification tool, network communications associated with the host computing device; identify, by the lateral movement identification tool, a communication between the host computing device and a second computing device, wherein the communication corresponds to a user associated with a user group; determine, by an artificial intelligence engine and based on an indication of the user group, a risk score corresponding to a weighted combination of risk factors and wherein the risk factors comprise one or more of a time associated with the communication between the host computing device and the second host computing device and a user group corresponding to a user associated with the communication; and trigger, based on the risk score, an alert identifying a probability that the communication between the host computing device and the second host computing device corresponds to unauthorized lateral movement event on the network.15. The one or more non-transitory computer-readable media of claim 14, wherein the instructions, when executed by the processor, cause the host computing device to: aggregate information from a plurality of network communication services and data logs, wherein the information corresponds to a plurality of network communication connections to and from the host computing device.16. The one or more non-transitory computer-readable media of claim 15, wherein the instructions, when executed by the processor, cause the host computing device to: correlate messages, in real time, with the aggregated information to actively detect an indication of lateral movement on the network based on activity patterns associated with one or more user groups.17. The one or more non-transitory computer-readable media of claim 14, wherein the instructions, when executed cause triggering the alert by initiating a message being sent via a telecommunications network including an indication of the alert to a remote user computing device.18. The one or more non-transitory computer-readable media of claim 14, wherein the communication between the host computing device and the second computing device comprises a file transfer.19. The one or more non-transitory computer-readable media of claim 14, wherein a portion of lateral movement identification tool is installed on the host computing device.
U. S. Patent No. 11146472
1. A method comprising: 











monitoring, in real time by a lateral movement identification tool, network communications received via a network by a first host device and sent via the network by the first host device, wherein the lateral movement identification tool is installed on the first host device; identifying, by the lateral movement identification tool, a communication between the first host device and a second host device, wherein the communication corresponds to a user associated with a user group; determining, by an artificial intelligence engine and based on an indication of the user group, a probability that the communication corresponds to an unauthorized lateral movement event on the network; and triggering, based on the indication, an alert identifying the probability that the communication between the first host device and the second host device corresponds to the unauthorized lateral movement event on the network.


2. The method of claim 1, comprising: aggregating information from a plurality of network communication services and data logs, wherein the information corresponds to a plurality of network communication connections to and from the first host device.

3. The method of claim 2 comprising, correlating messages, in real time, with the aggregated information to actively detect an indication of lateral movement on the network.

4. The method of claim 1, wherein triggering the alert comprises providing an indication of the alert on a user interface device at a central location on the network.

5. The method of claim 1, wherein the communication between the first host device and the second host device comprises a file transfer.

6. The method of claim 1, wherein the indication that the communication between the first host device and the second host device corresponds to the unauthorized lateral movement event on the network comprises a risk score corresponding to a weighted combination of risk factors.

7. A local host computing device, comprising: a processor; and memory storing instructions that, when executed by the processor, cause the local host computing device to: monitor, in real time by a lateral movement identification tool, network communications associated with the local host computing device; identify, by the lateral movement identification tool, a communication between the local host computing device and a second host computing device, wherein the communication corresponds to a user associated with a user group; determine, by an artificial intelligence engine and based on an indication of the user group, a risk score corresponding to a probability that the communication corresponds to an unauthorized lateral movement event on the network; and trigger, based on the risk score, an alert identifying the probability that the communication between the local host computing device and the second host computing device corresponds to the unauthorized lateral movement event on the network.

8. The local host computing device of claim 7, wherein the instructions, when executed, cause the local host computing device to: aggregate information from a plurality of network communication services and data logs, wherein the information corresponds to a plurality of network communication connections to and from the local host computing device.

9. The local host computing device of claim 8, wherein the instructions, when executed cause the local host computing device to: correlate messages, in real time, with the aggregated information to actively detect an indication of lateral movement on the network.

10. The local host computing device of claim 7, wherein the instructions, when executed cause triggering the alert by initiating a message being sent via a telecommunications network including an indication of the alert to a remote user computing device.

11. The local host computing device of claim 7, wherein the communication between the local host computing device and the second host computing device comprises a file transfer.

12. The local host computing device of claim 7, wherein an indication of the unauthorized lateral movement event on the network comprises a risk score corresponding to a weighted combination of risk factors and wherein the risk factors comprise one or more of a time associated with the communication between the local host computing device and the second host computing device and a user group corresponding to a user associated with the communication.

13. One or more non-transitory computer-readable media storing instructions that, when executed by a host computing device comprising a processor, memory, and a communication interface, cause the host computing device to: monitor, in real time by a lateral movement identification tool, network communications associated with the host computing device; identify, by the lateral movement identification tool, a communication between the host computing device and a second host computing device, wherein the communication corresponds to a user associated with a user group; determine, by an artificial intelligence engine and based on an indication of the user group, a risk score associated with a probability that the communication corresponds to an unauthorized lateral movement event on the network; and trigger, based on the risk score, an alert identifying the probability that the communication between the host computing device and the second host computing device corresponds to the unauthorized lateral movement event on the network.

14. The one or more non-transitory computer-readable media of claim 13, wherein the instructions, when executed by the processor, cause the host computing device to: aggregate information from a plurality of network communication services and data logs, wherein the information corresponds to a plurality of network communication connections to and from the host computing device.

15. The one or more non-transitory computer-readable media of claim 14, wherein the instructions, when executed by the processor, cause the host computing device to: correlate messages, in real time, with the aggregated information to actively detect an indication of lateral movement on the network based on activity patterns associated with one or more user groups.

16. The one or more non-transitory computer-readable media of claim 13, wherein the instructions, when executed cause triggering the alert by initiating a message being sent via a telecommunications network including an indication of the alert to a remote user computing device.

17. The one or more non-transitory computer-readable media of claim 13, wherein the communication between the host computing device and the second host computing device comprises a file transfer.

18. The one or more non-transitory computer-readable media of claim 13, wherein an indication of the unauthorized lateral movement event on the network comprises a risk score corresponding to a weighted combination of risk factors.



 Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABDULLAHI ELMI SALAD whose telephone number is (571)272-4009. The examiner can normally be reached 9:30AM-6:PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen can be reached on 571-272-6967. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ABDULLAHI E SALAD/Primary Examiner, Art Unit 2452