Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


DETAILED ACTION
2.	This action is in response to the amendment filed September 14, 2022.

3.	Claims 1, 8, and 15 have been amended and claims 1-20 remain pending with this action.


Response to Arguments
4.	Applicant’s arguments with respect to claim(s) 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.


Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

5.	Claim(s) 1, 5, 6, 8, 12, 13, 15, 19, and 20 is/are rejected under 35 U.S.C. 102(a)(1) and 102(a)(2) as being anticipated by Bisht et al. (US Pat. No. 11,457,031).
INDEPENDENT:
As per claim 1, Bisht teaches a method comprising: 
generating an event frequent pattern using operational records (see Bisht, col.15, lines 1-13: “These techniques ensure that a variety of traffic patterns, sources, protocols and methods are categorized appropriately to ensure behavioral patterns (even when dynamic) are captured in the traffic flow… Each of these processes are configured in a module, such as an intelligent machine learning engine, among others”; and col.17, lines 16-18: “the system has a user-interface or dashboard to display the flow of traffic through network of devices in real time and display any off-normal patterns or behaviors”); 
integrating topology-based event frequent patterns into a word embedding model (see Bisht, col.12, lines 33-39: “Dependencies between elements in the model need to reflect the reality of dependence between devices. So, if a thermostat is being modeled, its location is a function of where the thermostat is measuring temperature needs to be made available. The model therefore needs to be carefully built based on the elements of the catalog. And the catalog in turn, needs to be a collection of objects which are linked in the model”; col.15, lines 1-13: “These techniques ensure that a variety of traffic patterns, sources, protocols and methods are categorized appropriately to ensure behavioral patterns (even when dynamic) are captured in the traffic flow. Predictive and Descriptive methods require model building; Statistical methods such as Trend Analysis and Time Series analysis are model-free and describe the attributes associated with a time varying traffic and determine anomalous conditions in real-time”; and col.26, lines 9-33: “Next, feature generation module generates features for each system identified by its IP address in the NetFlow capture, based on preselected NetFlow variables. The features are based on both the topological position of the system in the complete graph structure mapping of the NetFlow capture and system behavior across set time-slots…  Each cluster is identified by its position on the KSOM map and its representative feature vector which is a representation of the data points (IP addresses) that belong to the cluster. Post clustering, the representative feature vector for each cluster are saved as a model file”); 
automatically mapping the operational records with an embedding engine (see Bisht, col.11, lines 48-52: “In an example, the system has an Autonomous Decision Engine (ADE), which is an important part of the technical infrastructure for automated response for its artificial and machine learning based engine for automated persistent threat diagnosis and response, as shown”; and col.26, lines 9-12: “The features are based on both the topological position of the system in the complete graph structure mapping of the NetFlow capture and system behavior across set time-slots”); 
predicting incident events (see Bisht, col.16, lines 32-49: “processed through a behavior analytics engine thereby feeding information into the autonomous decision engine taking into account information selected form an a status of an internal state, a response associated with the internal state and a received input, and a model associated with the device from a catalog stored in a database for remediation to reason over achieving a future state using remediation to predict a future state and use the AI processes to ensure migration to the future state”); and 
receiving labeled patterns to the embedding engine for an active learning cycle (see Bisht, col.20, lines 52-55: “the engine then produces a label for each netflow as normal or anomaly and sends such label to a datastore and the IMLE. Of course, there can be other variations, modifications, and alternatives”; and col.21, lines 17-25: “After fixed number of cycles of training iterations, models are updated based on improvement in scores. After training iterations get finished, algorithm only does prediction on incoming packet as normal or anomaly and sends result to IMLE and datastore. In an example, the fifth processing engine produces a label for each packet as normal or anomaly and sends the label to datastore and IMLE. Of course, there can be other variations, modifications, and alternatives”).

As per claim 8, Bisht teaches a computer system comprising: 
one or more processors (see Bisht, col.3, lines 9-13: “the computer system including a processor and a computer readable media”), 
one or more computer-readable memories (see Bisht, col.3, lines 9-13: “the computer system including a processor and a computer readable media”), 
one or more computer-readable tangible storage media, and program instructions stored on at least one of the one or more computer-readable tangible storage media for execution by at least one of the one or more processors via at least one of the one or more computer-readable memories, 
wherein the computer system is capable of performing a method comprising: 
generating an event frequent pattern using operational records (see Bisht, col.15, lines 1-13: “These techniques ensure that a variety of traffic patterns, sources, protocols and methods are categorized appropriately to ensure behavioral patterns (even when dynamic) are captured in the traffic flow… Each of these processes are configured in a module, such as an intelligent machine learning engine, among others”; and col.17, lines 16-18: “the system has a user-interface or dashboard to display the flow of traffic through network of devices in real time and display any off-normal patterns or behaviors”); 
integrating topology-based event frequent patterns into a word embedding model (see Bisht, col.12, lines 33-39: “Dependencies between elements in the model need to reflect the reality of dependence between devices. So, if a thermostat is being modeled, its location is a function of where the thermostat is measuring temperature needs to be made available. The model therefore needs to be carefully built based on the elements of the catalog. And the catalog in turn, needs to be a collection of objects which are linked in the model”; col.15, lines 1-13: “These techniques ensure that a variety of traffic patterns, sources, protocols and methods are categorized appropriately to ensure behavioral patterns (even when dynamic) are captured in the traffic flow. Predictive and Descriptive methods require model building; Statistical methods such as Trend Analysis and Time Series analysis are model-free and describe the attributes associated with a time varying traffic and determine anomalous conditions in real-time”; and col.26, lines 9-33: “Next, feature generation module generates features for each system identified by its IP address in the NetFlow capture, based on preselected NetFlow variables. The features are based on both the topological position of the system in the complete graph structure mapping of the NetFlow capture and system behavior across set time-slots…  Each cluster is identified by its position on the KSOM map and its representative feature vector which is a representation of the data points (IP addresses) that belong to the cluster. Post clustering, the representative feature vector for each cluster are saved as a model file”); 
automatically mapping the operational records with an embedding engine (see Bisht, col.11, lines 48-52: “In an example, the system has an Autonomous Decision Engine (ADE), which is an important part of the technical infrastructure for automated response for its artificial and machine learning based engine for automated persistent threat diagnosis and response, as shown”; and col.26, lines 9-12: “The features are based on both the topological position of the system in the complete graph structure mapping of the NetFlow capture and system behavior across set time-slots”); 
predicting incident events (see Bisht, col.16, lines 32-49: “processed through a behavior analytics engine thereby feeding information into the autonomous decision engine taking into account information selected form an a status of an internal state, a response associated with the internal state and a received input, and a model associated with the device from a catalog stored in a database for remediation to reason over achieving a future state using remediation to predict a future state and use the AI processes to ensure migration to the future state”); and 
receiving labeled patterns to the embedding engine for an active learning cycle (see Bisht, col.20, lines 52-55: “the engine then produces a label for each netflow as normal or anomaly and sends such label to a datastore and the IMLE. Of course, there can be other variations, modifications, and alternatives”; and col.21, lines 17-25: “After fixed number of cycles of training iterations, models are updated based on improvement in scores. After training iterations get finished, algorithm only does prediction on incoming packet as normal or anomaly and sends result to IMLE and datastore. In an example, the fifth processing engine produces a label for each packet as normal or anomaly and sends the label to datastore and IMLE. Of course, there can be other variations, modifications, and alternatives”).

As per claim 15, Bisht teaches a computer program product comprising: 
one or more computer-readable tangible storage media and program instructions stored on at least one of the one or more computer-readable tangible storage media, the program instructions executable by a processor to cause the processor to perform a method (see Bisht, col.3, lines 9-13: “the computer system including a processor and a computer readable media”) comprising: 
generating an event frequent pattern using operational records (see Bisht, col.15, lines 1-13: “These techniques ensure that a variety of traffic patterns, sources, protocols and methods are categorized appropriately to ensure behavioral patterns (even when dynamic) are captured in the traffic flow… Each of these processes are configured in a module, such as an intelligent machine learning engine, among others”; and col.17, lines 16-18: “the system has a user-interface or dashboard to display the flow of traffic through network of devices in real time and display any off-normal patterns or behaviors”); 
integrating topology-based event frequent patterns into a word embedding model (see Bisht, col.12, lines 33-39: “Dependencies between elements in the model need to reflect the reality of dependence between devices. So, if a thermostat is being modeled, its location is a function of where the thermostat is measuring temperature needs to be made available. The model therefore needs to be carefully built based on the elements of the catalog. And the catalog in turn, needs to be a collection of objects which are linked in the model”; col.15, lines 1-13: “These techniques ensure that a variety of traffic patterns, sources, protocols and methods are categorized appropriately to ensure behavioral patterns (even when dynamic) are captured in the traffic flow. Predictive and Descriptive methods require model building; Statistical methods such as Trend Analysis and Time Series analysis are model-free and describe the attributes associated with a time varying traffic and determine anomalous conditions in real-time”; and col.26, lines 9-33: “Next, feature generation module generates features for each system identified by its IP address in the NetFlow capture, based on preselected NetFlow variables. The features are based on both the topological position of the system in the complete graph structure mapping of the NetFlow capture and system behavior across set time-slots…  Each cluster is identified by its position on the KSOM map and its representative feature vector which is a representation of the data points (IP addresses) that belong to the cluster. Post clustering, the representative feature vector for each cluster are saved as a model file”); 
automatically mapping the operational records with an embedding engine (see Bisht, col.11, lines 48-52: “In an example, the system has an Autonomous Decision Engine (ADE), which is an important part of the technical infrastructure for automated response for its artificial and machine learning based engine for automated persistent threat diagnosis and response, as shown”; and col.26, lines 9-12: “The features are based on both the topological position of the system in the complete graph structure mapping of the NetFlow capture and system behavior across set time-slots”); 
predicting incident events (see Bisht, col.16, lines 32-49: “processed through a behavior analytics engine thereby feeding information into the autonomous decision engine taking into account information selected form an a status of an internal state, a response associated with the internal state and a received input, and a model associated with the device from a catalog stored in a database for remediation to reason over achieving a future state using remediation to predict a future state and use the AI processes to ensure migration to the future state”); and 
receiving labeled patterns to the embedding engine for an active learning cycle (see Bisht, col.20, lines 52-55: “the engine then produces a label for each netflow as normal or anomaly and sends such label to a datastore and the IMLE. Of course, there can be other variations, modifications, and alternatives”; and col.21, lines 17-25: “After fixed number of cycles of training iterations, models are updated based on improvement in scores. After training iterations get finished, algorithm only does prediction on incoming packet as normal or anomaly and sends result to IMLE and datastore. In an example, the fifth processing engine produces a label for each packet as normal or anomaly and sends the label to datastore and IMLE. Of course, there can be other variations, modifications, and alternatives”).

DEPENDENT:
As per claims 5, 12, and 19, which respectively depend on claims 1, 8, and 15, Bisht further teaches wherein the operational records do not contain configuration information (see Bisht, FIGURE 8; and col.3, lines 20-25: “The computer readable media also includes software code that directs the processor to use the Authentication Type Server directory services to provide each of the network of trusted network servers with the security feature configuration data and validate the authenticity of the IoT devices”).
As per claims 6, 13, and 20, which respectively depend on claims 1, 8, and 15, Bisht further teaches wherein the embedding engine uses a topology-based association embedding engine to map the event frequent patterns from an event embedding and a node embedding to train a model (see Independent Claim rejections above; and see Bisht, col.3, lines 51-63: “Each of the objects includes a node list, a mac address, and a plurality of graph features; and using the node list, the mac address, and the plurality of graph features to retrain the graph based models including the plurality of objects. In an example, the graph based learning processing engine has a clustering engine coupled to the graph engine, the clustering engine being configured using a clustering process to self-organize the plurality of objects including the node list, the mac address, and the plurality of graph features into a plurality of clusters and a bot detection engine coupled to the clustering engine, the bot detection engine being configured to identify a malicious bot from the plurality of clusters”).


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

6.	Claim(s) 2, 9, and 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bisht et al. (US Pat. No. 11,457,031) in view of Lecerf (US 2009/0252404).
As per claims 2, 9, and 16, which respectively depend on claims 1, 8, and 15, Bisht teaches further comprising: transmitting unrecognized patterns from the predicted incident events to a subject matter expert.
Lecerf teaches transmitting unrecognized patterns from the predicted incident events to a subject matter expert (see Lecerf, [0002]: “The goal of active learning is to identify patterns based on a limited amount of data. The technique is currently used in machine learning tasks, such as classification”; and [0043]: “The annotator 16 generally has sufficient background knowledge to correctly annotate unlabelled elements 20, although in some cases, the annotator may communicate with a human domain expert for assistance when the annotator has difficulty labeling an element”).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the system of Bisht in view of Lecerf by implementing transmitting unrecognized patterns from the predicted incident events to a subject matter expert.  One would be motivated to do so because Lecerf teaches such an implementation remediates “when the annotator has difficulty labeling an element”.

7.	Claim(s) 3, 4, 10, 11, 17, and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bisht et al. (US Pat. No. 11,457,031) in view of Sadaghiani et al. (US Pat No. 10,181,032).
As per claims 3, 10, and 17, which respectively depend on claims 1, 8, and 15, although Bisht further teaches wherein the event frequent patterns are generated from a same node (see Bisht, col.1, lines 16-25: “More specifically, the present invention relates to configuring, authenticating, and managing of network internet of things devices security at single administration points using a purpose-built security appliance in form of a software module as virtual machine, a software container or a hardware appliance or security software services provided as software as a service from public or private cloud-based data centers”; and col.21, lines 19-21: “After training iterations get finished, algorithm only does prediction on incoming packet as normal or anomaly and sends result to IMLE and datastore”), Bisht does not explicitly teach using an Apriori algorithm.
Sadaghiani teaches an Apriori algorithm (see Sadaghiani, col.5, lines 61-64: “an associated rule learning algorithm (e.g., an Apriori algorithm, an Eclat algorithm, etc.)”).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the system of Bisht in view of Sadaghiani by implementing an Apriori algorithm.  One would be motivated to do so because Bisht teaches of a “graph based learning processor engine”.
As per claims 4, 11, and 18, which respectively depend on claims 1, 8, and 15, although Bisht further teaches wherein the event frequent patterns are generated from cross nodes using a subgraph frequent pattern mining algorithm (see Bisht, col.19, lines 43-47: “The ABE has a machine learning engine with various sub-engines numbered from A1, A2, A3 . . . to An, where n is an integer greater than 10, each of which may be working in parallel and/or a serial configuration with each other in processing information”), Bisht does not explicitly teach that the subgraph is Apriori-based.
Sadaghiani teaches an Apriori algorithm (see Sadaghiani, col.5, lines 61-64: “an associated rule learning algorithm (e.g., an Apriori algorithm, an Eclat algorithm, etc.)”).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the system of Bisht in view of Sadaghiani by implementing an Apriori algorithm.  One would be motivated to do so because Bisht teaches of a “graph based learning processor engine”.

8.	Claim(s) 7 and 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bisht et al. (US Pat. No. 11,457,031) in view of Gupta et al. (US 2016/0088006).
As per claims 7 and 14, which respectively depend on claims 1 and 8, although Bisht further teaches timeseries chart (see Bisht, FIGURE 5), Bisht does not explicitly teach wherein the unrecognized patterns include an unlabeled timeseries chart.
Gupta teaches wherein the unrecognized patterns include an unlabeled timeseries chart (see Gupta, Page 10, claim 1: “a real-time testing module comprising: a data collection and preprocessing module configured to collect data from the open time-series database and to leave the data as unlabeled”).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the system of Bisht in view of Gupta by implementing wherein the unrecognized patterns include an unlabeled timeseries chart.  One would be motivated to do so because Bisht teaches timeseries chart (see Bisht, FIGURE 5).


Conclusion
9.	For the reasons above, claims 1-20 have been rejected and remain pending.

10.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

11.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL Y WON whose telephone number is (571)272-3993.  The examiner can normally be reached on Wk.1: M-F: 8-5 PST & Wk.2: M-Th: 8-7 PST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas R Taylor can be reached on 571-272-3889.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Michael Won/Primary Examiner, Art Unit 2443