DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the communication filed on 06/29/2022, claims 6, 13, and 20 were cancelled and claims 21-23 were newly added. Claims 1-5, 7-12, 14-19, and 21-23 are pending.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. This examination is in response to US Patent Application No. 16/817,831.

Examiner Note
Examiner has corrected the typographical errors noted by Applicant's representative on pages 9-10 of the Remarks filed on 06/29/2022, for claim 1 in the first set of rejections and for claims 2, 9, and 16 in the second set of rejections. Per Applicant's request, Examiner is issuing a second non-final Office action below.
Terminal Disclaimer
The terminal disclaimer filed on 06/29/2022 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of U.S. Patent application No. 16817997 has been reviewed and is accepted.  The terminal disclaimer has been recorded.

Claim Comment on 35 USC § 101
There is no need for a rejection of Claims 8-14 under 35 U.S.C. 101. Although Claims 8-14 are drawn towards a "computer program product comprising a computer readable storage medium," which could include a non-statutory digital signal, the specification clearly states in paragraph 35 [The computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer readable storage medium includes the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, a mechanically encoded device such as punch-cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing. A computer readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire].

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

The claimed invention is not directed to patent eligible subject matter. Based upon consideration of all of the relevant factors with respect to the claim as a whole, claims 1-5, 7-12, 14-19, and 21-23 are determined to be directed to an abstract idea.
Claims 1-5, 7-12, 14-19, and 21-23 are rejected under 35 USC 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.
Under the 2019 Revised Patent Subject Matter Eligibility Guidance ("2019 PEG"), effective January 7, 2019, independent claims 1, 8 and 15 are directed to an abstract idea without being significantly more and without being integrated into a practical application. The claims are directed to a mechanism, in a data processing system, for displaying cyber threat data in a narrative format. The mechanism receives a cyber threat information file that comprises cyber threat data in a serialized format. The mechanism generates a user interface presenting the cyber threat data in a narrative format. The user interface presents objects in the cyber threat data in a hierarchical format indicative of relationships between parent objects and child objects and presents context information for each object. The mechanism presents the user interface to an analyst.

For instance, independent claim 1 recites "A method, in a data processing system, for displaying cyber threat data in a narrative format, the method comprising: receiving a cyber threat information file, wherein the cyber threat information file comprises cyber threat data in a serialized format; generating a user interface presenting the cyber threat data in a narrative format, wherein the user interface presents objects in the cyber threat data in a hierarchical format indicative of relationships between parent objects and child objects and presents context information for each object; and presenting the user interface to an analyst." As drafted, this is a method that, under its broadest reasonable interpretation, covers performance of the limitations in the mind and is broad enough to encompass performance by a human using pen and paper. For example, one of ordinary skill in the art, in the context of the claims, could manually (i.e., by using pen and paper and/or in the human mind) receive a cyber threat information file comprising cyber threat data in a serialized format; generate a presentation of the cyber threat data in a narrative format in which objects in the cyber threat data are arranged in a hierarchical format indicative of relationships between parent objects and child objects, with context information for each object; and present that narrative to an analyst. Therefore, the claim, as drafted, is a method that, under its broadest reasonable interpretation, covers performance of the limitations in the mind and/or includes some additional physical steps such as to encompass performance by a human using pen and paper, but for the recitation of generic computer components such as a processor (data processing system).
If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind and/or includes some additional physical steps such as to encompass performance by a human using pen and paper but for the recitation of generic computer components (e.g., a data processing system), then it falls within the "Mental Processes" grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
This judicial exception is not integrated into a practical application because the claim recites only additional elements such as a processor (data processing system). These elements are recited at a high level of generality such that they amount to no more than mere instructions to apply the exception using a generic computer, which may include a component such as a processor. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of a computer to perform the "receiving a cyber threat information file, wherein the cyber threat information file comprises cyber threat data in a serialized format; generating a user interface presenting the cyber threat data in a narrative format, wherein the user interface presents objects in the cyber threat data in a hierarchical format indicative of relationships between parent objects and child objects and presents context information for each object; and presenting the user interface to an analyst" steps amounts to no more than mere instructions to apply the exception using a generic computer, which may include a component such as a processor. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. Thus, the claim is not patent eligible.
Therefore, independent claims 8 and 15 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reasons addressed above for independent claim 1.
Thus, claims 1-5, 7-12, 14-19, and 21-23 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter, as the claims do not contain any element or combination of elements that is sufficient to ensure that the patent in practice amounts to significantly more than a patent upon the ineligible concept itself. See Alice, 134 S. Ct. at 2360. Under Alice, that is not sufficient "to transform an abstract idea into a patent-eligible invention." See Electric Power Group, CyberSource, and Classen (Fed. Cir. 2011).


Response to Arguments
Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).  

Applicant's arguments filed 06/29/2022 have been fully considered but they are not persuasive:
Applicant submits on page 18 of remarks filed on 06/29/2022 that neither Beck nor Muddu teach or suggest at least the feature of generating a user interface presenting the cyber threat data in a narrative format, wherein the user interface presents objects in the cyber threat data in a hierarchical format indicative of relationships between parent objects and child objects and presents context information for each object. Moreover, there is no motivation to attempt to combine teachings of Beck and Muddu. That is, there is no problem in Beck for which Muddu provides a solution and there is no problem in Muddu for which Beck would provide a solution. There is no reason why one of ordinary skill in the art would seek to combine the teachings of Beck and Muddu to address any specific issues.

Examiner respectfully disagrees with Applicant's argument on page 18 of the Remarks filed on 06/29/2022 regarding independent claims 1, 8, and 15.
Generating a user interface presenting the cyber threat data in a narrative format: Beck discloses this limitation as [¶140, the threat-tracking graphical user interface may have a topology map displaying a two-dimensional or three-dimensional representation of the network, the topology map can have one or more network nodes acting as a visual data container for a network entity on the network, the topology map can illustrate each connection between a network node and any other network node in contact with that network node, a network node can be marked to indicate an issue with the represented network entity, the user analyst can select a network node with the cursor to reveal more information about the represented network entity].
Examiner Note: Muddu also discloses this limitation as: [Figs. 42, 45A, 46A, 46C, 46F, 48A, 49A, providing user interface presenting the analysis regarding security threat data with narrative information], and [¶147, event data refers to machine data related to activity on a network with respect to an entity of focus, such as one or more users, one or more network nodes, one or more network segments, one or more applications, etc.], and [¶163, event data related to traffic on a node, a link, a set of nodes, or a set of links], and [¶175, a security graph is generally a representation of the relationships between entities in the network and any anomalies identified. For example, a security graph may map out the interactions between users, including information regarding which devices are involved, who or what is talking to whom/what, when and how interactions occur, which nodes or entities may be anomalous, and the like, the nodes of the security graph may be annotated with additional data (i.e., cyber threat data in a narrative format)], and [¶179, the anomalies can be stored in a graph database in the form of anomaly nodes in a graph or graphs, specifically, after an event is determined to be anomalous, an event-specific relationship graph associated with that event can be updated to include an additional node that represents the anomaly].
Beck discloses wherein the user interface presents objects in the cyber threat data in a hierarchical format indicative of relationships between parent objects and child objects and presents context information for each object [¶99, cyber threat detection system recognize the relationships among its different entities], and [¶127, a topology of the network under scrutiny is projected automatically as a graph based on device communication relationships via an interactive user interface], and [¶140, the threat-tracking graphical user interface may have a topology map displaying a two-dimensional or three-dimensional representation of the network, the topology map can have one or more network nodes acting as a visual data container for a network entity on the network, the topology map can illustrate each connection between a network node and any other network node in contact with that network node, a network node can be marked to indicate an issue with the represented network entity, the user analyst can select a network node with the cursor to reveal more information about the represented network entity].
Examiner Note: Muddu also discloses this limitation as: [¶175, a security graph is generally a representation of the relationships between entities in the network and any anomalies identified. For example, a security graph may map out the interactions between users, including information regarding which devices are involved, who or what is talking to whom/what, when and how interactions occur, which nodes or entities may be anomalous, and the like, the nodes of the security graph may be annotated with additional data (i.e., cyber threat data in a narrative format)], and [¶179, the anomalies can be stored in a graph database in the form of anomaly nodes in a graph or graphs, specifically, after an event is determined to be anomalous, an event-specific relationship graph associated with that event can be updated to include an additional node that represents the anomaly].
Beck and Muddu are analogous arts because they are in the same field of endeavor, visualizing cybersecurity threat information. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Beck using the teachings of Muddu to clearly include providing a user interface presenting security threat data in a narrative format. It would provide Beck's method with the enhanced capability of allowing a user to view and manage security threat data via a GUI [Muddu, Abstract, ¶51].

Examiner Note: Examiner maintains his rejection.

Regarding the argument for claims 2, 9, and 16 on pages 20-23, Examiner respectfully disagrees with Applicant's argument and states that Muddu discloses wherein the user interface presents a given process with context information including a name and a process identifier of the given process [¶207, for a particular data source, the configuration file can identify, in the received data representing an event, which field represents a token that may correspond to a timestamp, an entity, an action, an IP address, and event identifier, a process ID, a type of the event, a type of machine that generates the event, and so forth].

Regarding the argument for claims 3, 10, and 17 on pages 20-23, Examiner respectfully disagrees with Applicant's argument and states that Muddu discloses wherein the user interface presents a first file as a child of the given process, presents an indicator of a relationship between the given process and the first file, and presents context information including a name of the first file, wherein the relationship between the given process and the first file indicates that the given process ran the file [¶207, for a particular data source, the configuration file can identify, in the received data representing an event, which field represents a token that may correspond to a timestamp, an entity, an action, an IP address, and event identifier, a process ID, a type of the event, a type of machine that generates the event, and so forth; Fig. 30, the parent object represents "Global Rarity Model," and the child object represents "Local Rarity Model"].
Regarding the argument for claims 4, 11, and 18 on pages 20-23, Examiner respectfully disagrees with Applicant's argument and states that Muddu discloses wherein the user interface presents a child process of the given process, presents an indicator of a relationship between the given process and the child process, and presents context information including a name and a process identifier of the child process and a date the child process was created, wherein the relationship between the given process and the child process indicates that the given process created the child process [¶207, for a particular data source, the configuration file can identify, in the received data representing an event, which field represents a token that may correspond to a timestamp, an entity, an action, an IP address, and event identifier, a process ID, a type of the event, a type of machine that generates the event, and so forth; Fig. 46D, illustrates an "Anomalous Activity Sequence" box in the Anomaly Details view].
Regarding the argument for claims 5, 12, and 19 on pages 20-23, Examiner respectfully disagrees with Applicant's argument and states that Muddu discloses wherein the user interface presents a connection, presents a relationship between the given process and the connection that indicates the given process opened the connection [¶207, for a particular data source, the configuration file can identify, in the received data representing an event, which field represents a token that may correspond to a timestamp, an entity, an action, an IP address, and event identifier, a process ID, a type of the event, a type of machine that generates the event, and so forth; Fig. 30, the parent object represents "Global Rarity Model," and the child object represents "Local Rarity Model"; Fig. 46D, illustrates an "Anomalous Activity Sequence" box in the Anomaly Details view].
Regarding the argument for claim 7 on pages 20-23, Examiner respectfully disagrees with Applicant's argument and states that Muddu discloses wherein the hierarchical format comprises presenting a child object beneath and indented from its parent object [see Fig. 30, the parent object represents "Global Rarity Model," and the child object represents "Local Rarity Model"].
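The dependent claims discussed above describe the narrative the claimed user interface is meant to produce: a process shown with its name and process identifier; a file the process ran shown as a child with the relationship indicated; a child process shown with its name, identifier and creation date; a connection the process opened; and each child object beneath and indented from its parent. The following Python script is added here as an illustration of that rendering and is not code from the application or from the cited Beck, Muddu or Apostolopoulos references. It assumes the serialized cyber threat information file is a JSON bundle shaped like STIX 2.1 cyber-observable objects (process, file, network-traffic, ipv4-addr) and uses a hypothetical custom property `x_ran_file_refs` for the "ran the file" relationship; both sample bundles are constructed. It also handles two defects such files have in practice, dangling references and reference cycles, the second of which would otherwise send a naive recursive renderer into an infinite loop.

```python
"""Render serialized cyber threat data (a STIX 2.1-style bundle) as an indented
narrative: each child object sits beneath and indented from its parent, and
every line carries the object's context (name, pid, creation time, peer, port).
"""
import json

INDENT = "  "

# Constructed sample input in the shape of a STIX 2.1 bundle of cyber-observable
# objects. This format is an assumption made for the example; it is not taken
# from the application or from the cited references. `x_ran_file_refs` is a
# hypothetical custom property (STIX reserves the `x_` prefix for such fields).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "file", "id": "file--winword", "name": "winword.exe"},
        {"type": "file", "id": "file--pwsh", "name": "powershell.exe"},
        {"type": "file", "id": "file--doc", "name": "invoice.docm"},
        {"type": "ipv4-addr", "id": "ipv4-addr--c2", "value": "203.0.113.10"},
        {"type": "network-traffic", "id": "network-traffic--c2",
         "dst_ref": "ipv4-addr--c2", "dst_port": 443, "protocols": ["tcp"]},
        {"type": "process", "id": "process--word", "pid": 3120,
         "created_time": "2022-06-29T14:02:11Z", "image_ref": "file--winword",
         "x_ran_file_refs": ["file--doc"], "child_refs": ["process--pwsh"]},
        {"type": "process", "id": "process--pwsh", "pid": 4412,
         "created_time": "2022-06-29T14:02:19Z", "image_ref": "file--pwsh",
         "parent_ref": "process--word",
         "opened_connection_refs": ["network-traffic--c2"]},
    ],
})

# Constructed malformed input: two processes that each list the other as a
# child. A naive recursive renderer would never terminate on this.
CYCLIC_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000002",
    "objects": [
        {"type": "process", "id": "process--a", "pid": 1,
         "created_time": "2022-06-29T00:00:00Z", "child_refs": ["process--b"]},
        {"type": "process", "id": "process--b", "pid": 2,
         "child_refs": ["process--a"]},
    ],
})


def load_objects(serialized: str) -> dict:
    """Index every object in the bundle by id so that *_ref fields can be resolved."""
    bundle = json.loads(serialized)
    return {obj["id"]: obj for obj in bundle.get("objects", [])}


def describe_process(proc: dict, objects: dict) -> str:
    """Context line for a process: name (taken from its image file), pid, creation time."""
    image = objects.get(proc.get("image_ref"), {})
    name = image.get("name", "<unknown image>")
    return f"process {name} (pid {proc.get('pid', '?')}), created {proc.get('created_time', 'unknown time')}"


def describe_connection(conn: dict, objects: dict) -> str:
    """Context line for a connection: destination host, port and protocol stack."""
    dst = objects.get(conn.get("dst_ref"), {}).get("value", "<unknown host>")
    protocols = "/".join(conn.get("protocols", [])) or "unknown protocol"
    return f"opened connection to {dst}:{conn.get('dst_port', '?')} over {protocols}"


def children_of(proc_id: str, objects: dict) -> list:
    """Child processes, whether linked by the parent's child_refs or the child's parent_ref."""
    ids = list(objects[proc_id].get("child_refs", []))
    for obj in objects.values():
        if obj.get("type") == "process" and obj.get("parent_ref") == proc_id and obj["id"] not in ids:
            ids.append(obj["id"])
    return ids


def root_processes(objects: dict) -> list:
    """Processes nobody claims as a child; if the data is cyclic, fall back to all processes."""
    claimed = {c for o in objects.values() for c in o.get("child_refs", [])}
    procs = [o["id"] for o in objects.values() if o.get("type") == "process"]
    roots = [p for p in procs if "parent_ref" not in objects[p] and p not in claimed]
    return roots or procs


def render_narrative(serialized: str) -> str:
    """Walk the process tree depth-first and emit one indented narrative line per object."""
    objects = load_objects(serialized)
    lines = []
    shown = set()  # guards against reference cycles in malformed input

    def walk(proc_id, depth, edge):
        pad = INDENT * depth
        if proc_id in shown:
            lines.append(f"{pad}(reference cycle: {proc_id} already shown)")
            return
        proc = objects.get(proc_id)
        if proc is None or proc.get("type") != "process":
            lines.append(f"{pad}(unresolved process reference {proc_id})")
            return
        shown.add(proc_id)
        lines.append(pad + edge + describe_process(proc, objects))
        child_pad = INDENT * (depth + 1)
        for fid in proc.get("x_ran_file_refs", []):  # files the process ran
            fname = objects.get(fid, {}).get("name", f"<unresolved {fid}>")
            lines.append(f"{child_pad}ran file {fname}")
        for cid in proc.get("opened_connection_refs", []):  # connections it opened
            conn = objects.get(cid)
            if conn is None or conn.get("type") != "network-traffic":
                lines.append(f"{child_pad}(unresolved connection reference {cid})")
            else:
                lines.append(child_pad + describe_connection(conn, objects))
        for child_id in children_of(proc_id, objects):  # processes it created
            walk(child_id, depth + 1, "created ")

    for root in root_processes(objects):
        if root not in shown:
            walk(root, 0, "")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_narrative(SAMPLE_BUNDLE))
```

Running the script prints the sample bundle as a four-line narrative: the winword.exe process on the first line, the file it ran and the powershell.exe child it created indented beneath it, and the outbound connection indented a level further under the child. Feeding it CYCLIC_BUNDLE yields three lines ending in a "reference cycle" marker instead of hanging, which is the behaviour an analyst-facing renderer needs when the threat file comes from an untrusted or buggy producer.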


Applicant submits on page 28 of remarks filed on 06/29/2022 that the combination of Apostolopoulos and Beck would not teach or suggest generating a user interface presenting the cyber threat data in a narrative format, wherein the user interface presents objects in the cyber threat data in a hierarchical format indicative of relationships between parent objects and child objects and presents context information for each object.

Examiner respectfully disagrees with Applicant's argument on page 28 of the Remarks filed on 06/29/2022 regarding independent claims 1, 8, and 15.

Apostolopoulos discloses the limitation as: generating a user interface presenting the cyber threat data in a narrative format [¶135, a graph in the context of this description includes a number of nodes and edges, each node in the relationship graph represents one of the entities involved in the event, and each edge represents a relationship between two of the entities], and [¶171, the anomaly data is stored in a data structure in the form of an anomaly graph, the anomaly graph includes a plurality of vertices representing entities associate with the computer network and a plurality of edges, each of the plurality of edges representing an anomaly linking two of the plurality of vertices];
wherein the user interface presents objects in the cyber threat data in a hierarchical format indicative of relationships between parent objects and child objects and presents context information for each object [¶135, a graph in the context of this description includes a number of nodes and edges, each node in the relationship graph represents one of the entities involved in the event, and each edge represents a relationship between two of the entities], and [¶171, the anomaly data is stored in a data structure in the form of an anomaly graph, the anomaly graph includes a plurality of vertices representing entities associate with the computer network and a plurality of edges, each of the plurality of edges representing an anomaly linking two of the plurality of vertices], and [¶189, assigns combined network activities into different projections of the composite relationship graph, depending on the type of activity, each projection represents a subset of the composite relationship graph that relates to a certain type or types of user action or other category], and [¶199, for each edge (relationship) in the composite relationship graph, the graph library component examines the edge's type to determine the projection to which the edge belongs], and [¶206, the process identifies one or more computer network activities of a particular type based on the event-specific relationship graph].

Examiner Note: Examiner maintains his rejection.


Regarding the argument for claims 2, 9, and 16 on pages 29-32, Examiner respectfully disagrees with Applicant's argument and states that Apostolopoulos discloses wherein the user interface presents a given process with context information including a name and a process identifier of the given process [¶207, for a particular data source, the configuration file can identify, in the received data representing an event, which field represents a token that may correspond to a timestamp, an entity, an action, an IP address, and event identifier, a process ID, a type of the event, a type of machine that generates the event, and so forth].

Regarding the argument for claims 3, 10, and 17 on pages 29-32, Examiner respectfully disagrees with Applicant's argument and states that Apostolopoulos discloses wherein the user interface presents a first file as a child of the given process, presents an indicator of a relationship between the given process and the first file, and presents context information including a name of the first file, wherein the relationship between the given process and the first file indicates that the given process ran the file [¶135, a graph in the context of this description includes a number of nodes and edges, each node in the relationship graph represents one of the entities involved in the event, and each edge represents a relationship between two of the entities], and [¶171, the anomaly data is stored in a data structure in the form of an anomaly graph, the anomaly graph includes a plurality of vertices representing entities associate with the computer network and a plurality of edges, each of the plurality of edges representing an anomaly linking two of the plurality of vertices], and [¶189, assigns combined network activities into different projections of the composite relationship graph, depending on the type of activity, each projection represents a subset of the composite relationship graph that relates to a certain type or types of user action or other category], and [¶199, for each edge (relationship) in the composite relationship graph, the graph library component examines the edge's type to determine the projection to which the edge belongs], and [¶206, the process identifies one or more computer network activities of a particular type based on the event-specific relationship graph], and [¶136, identifiable relationship may be customizable and provides the flexibility to the administrator to tailor the system to his data sources, possible relationships can include, for example, "connects to," "uses," "runs on," "visits," "uploads," "successfully logs onto," "restarts," "shuts down," "unsuccessfully attempts to log onto," "attacks," and "infects"].

Regarding the argument for claims 4, 11, and 18 on pages 29-32, Examiner respectfully disagrees with Applicant's argument and states that Apostolopoulos discloses wherein the user interface presents a child process of the given process, presents an indicator of a relationship between the given process and the child process, and presents context information including a name and a process identifier of the child process and a date the child process was created, wherein the relationship between the given process and the child process indicates that the given process created the child process [¶135, a graph in the context of this description includes a number of nodes and edges, each node in the relationship graph represents one of the entities involved in the event, and each edge represents a relationship between two of the entities], and [¶171, the anomaly data is stored in a data structure in the form of an anomaly graph, the anomaly graph includes a plurality of vertices representing entities associate with the computer network and a plurality of edges, each of the plurality of edges representing an anomaly linking two of the plurality of vertices], and [¶189, assigns combined network activities into different projections of the composite relationship graph, depending on the type of activity, each projection represents a subset of the composite relationship graph that relates to a certain type or types of user action or other category], and [¶199, for each edge (relationship) in the composite relationship graph, the graph library component examines the edge's type to determine the projection to which the edge belongs], and [¶206, the process identifies one or more computer network activities of a particular type based on the event-specific relationship graph], and [¶136, identifiable relationship may be customizable and provides the flexibility to the administrator to tailor the system to his data sources, possible relationships can include, for example, "connects to," "uses," "runs on," "visits," "uploads," "successfully logs onto," "restarts," "shuts down," "unsuccessfully attempts to log onto," "attacks," and "infects"].
Regarding the argument for claims 5, 12, and 19 on pages 29-32, Examiner respectfully disagrees with Applicant's argument and states that Apostolopoulos discloses wherein the user interface presents a connection, presents a relationship between the given process and the connection that indicates the given process opened the connection [¶135, a graph in the context of this description includes a number of nodes and edges, each node in the relationship graph represents one of the entities involved in the event, and each edge represents a relationship between two of the entities], and [¶171, the anomaly data is stored in a data structure in the form of an anomaly graph, the anomaly graph includes a plurality of vertices representing entities associate with the computer network and a plurality of edges, each of the plurality of edges representing an anomaly linking two of the plurality of vertices], and [¶189, assigns combined network activities into different projections of the composite relationship graph, depending on the type of activity, each projection represents a subset of the composite relationship graph that relates to a certain type or types of user action or other category], and [¶199, for each edge (relationship) in the composite relationship graph, the graph library component examines the edge's type to determine the projection to which the edge belongs], and [¶206, the process identifies one or more computer network activities of a particular type based on the event-specific relationship graph], and [¶136, identifiable relationship may be customizable and provides the flexibility to the administrator to tailor the system to his data sources, possible relationships can include, for example, "connects to," "uses," "runs on," "visits," "uploads," "successfully logs onto," "restarts," "shuts down," "unsuccessfully attempts to log onto," "attacks," and "infects"].
Regarding the argument for claim 7 on pages 29-32, Examiner respectfully disagrees with Applicant's argument and states that Apostolopoulos discloses wherein the hierarchical format comprises presenting a child object beneath and indented from its parent object [¶234, the connected components may be formed by performing computation on the graph using known algorithms (e.g., by either breadth-first search or depth-first search, which can compute the connected components of a graph in linear time (in terms of the numbers of the vertices and edges of the graph))].



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
First Set of Rejections:
Claims 1-5, 7-12, 14-19, and 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over Michael Beck et al. (US Publication 20190260804 A1, hereinafter Beck) (filed in IDS 05/24/2022) in view of Michael Muddu et al. (US Publication 2019/0342311 A1, hereinafter Muddu) (filed in IDS 03/13/2020).
Regarding claims 1, 8, and 15, Beck discloses a method, in a data processing system, for displaying cyber threat data in a narrative format, the method comprising [Abstract, an expert interface component can automatically connect a system user with a system support expert. A user interface module can present a threat-tracking graphical user interface and a query interface component integrated into the threat-tracking graphical user interface to a system user belonging to a client team to review a potential cyber threat and receive a query for assistance. The query interface component can allow the system user to digitally grab a visual data container displaying information and containing a data object. The query interface component can collect the visual data container from the threat-tracking graphical user interface into a collection window of the query interface component. A communication module provides an incident ticket containing the query and the visual data container to a system support expert at a remote platform], and [¶140, the threat-tracking graphical user interface may have a topology map displaying a two-dimensional or three-dimensional representation of the network, the topology map can have one or more network nodes acting as a visual data container for a network entity on the network, the topology map can illustrate each connection between a network node and any other network node in contact with that network node, a network node can be marked to indicate an issue with the represented network entity, the user analyst can select a network node with the cursor to reveal more information about the represented network entity].
Examiner Note: Muddu also discloses this limitation as: [Figs. 42, 45A, 46A, 46C, 46F, 48A, 49A, providing user interface presenting the analysis regarding security threat data with narrative information].
receiving a cyber threat information file
[¶42, assess whether the anomalous network activity has previously appeared in lists of malicious files], and [¶110, the cyber threat defense system initially ingests data from multiple sources, the raw data sources include machine generated log files]; and
wherein the cyber threat information file comprises cyber threat data in a serialized format [¶62, determine periodicity in multiple time series data and identify changes across single and multiple time series data for the purpose of anomalous behavior detection, a large number of metrics can be derived, each producing time series data for the given metric]; and
presenting the user interface to an analyst [¶140, the threat-tracking graphical user interface may have a topology map displaying a two-dimensional or three-dimensional representation of the network, the topology map can have one or more network nodes acting as a visual data container for a network entity on the network, the topology map can illustrate each connection between a network node and any other network node in contact with that network node, a network node can be marked to indicate an issue with the represented network entity, the user analyst can select a network node with the cursor to reveal more information about the represented network entity]; and
generating a user interface presenting the cyber threat data in a narrative format [¶140, the threat-tracking graphical user interface may have a topology map displaying a two-dimensional or three-dimensional representation of the network, the topology map can have one or more network nodes acting as a visual data container for a network entity on the network, the topology map can illustrate each connection between a network node and any other network node in contact with that network node, a network node can be marked to indicate an issue with the represented network entity, the user analyst can select a network node with the cursor to reveal more information about the represented network entity].
Examiner Note: Muddu also discloses this limitation as: [Figs. 42, 45A, 46A, 46C, 46F, 48A, 49A, providing user interface presenting the analysis regarding security threat data with narrative information], and [¶147, event data refers to machine data related to activity on a network with respect to an entity of focus, such as one or more users, one or more network nodes, one or more network segments, one or more applications, etc.], and [¶163, event data related to traffic on a node, a link, a set of nodes, or a set of links], and [¶175, a security graph is generally a representation of the relationships between entities in the network and any anomalies identified. For example, a security graph may map out the interactions between users, including information regarding which devices are involved, who or what is talking to whom/what, when and how interactions occur, which nodes or entities may be anomalous, and the like, the nodes of the security graph may be annotated with additional data (i.e., cyber threat data in a narrative format)], and [¶179, the anomalies can be stored in a graph database in the form of anomaly nodes in a graph or graphs, specifically, after an event is determined to be anomalous, an event-specific relationship graph associated with that event can be updated to include an additional node that represents the anomaly].
Beck discloses wherein the user interface presents objects in the cyber threat data in a hierarchical format indicative of relationships between parent objects and child objects and presents context information for each object [¶99, cyber threat detection system recognize the relationships among its different entities], and [¶127, a topology of the network under scrutiny is projected automatically as a graph based on device communication relationships via an interactive user interface], and [¶140, the threat-tracking graphical user interface may have a topology map displaying a two-dimensional or three-dimensional representation of the network, the topology map can have one or more network nodes acting as a visual data container for a network entity on the network, the topology map can illustrate each connection between a network node and any other network node in contact with that network node, a network node can be marked to indicate an issue with the represented network entity, the user analyst can select a network node with the cursor to reveal more information about the represented network entity].
Examiner Note: Muddu also discloses this limitation as: [¶175, a security graph is generally a representation of the relationships between entities in the network and any anomalies identified. For example, a security graph may map out the interactions between users, including information regarding which devices are involved, who or what is talking to whom/what, when and how interactions occur, which nodes or entities may be anomalous, and the like, the nodes of the security graph may be annotated with additional data (i.e., cyber threat data in a narrative format)], and [¶179, the anomalies can be stored in a graph database in the form of anomaly nodes in a graph or graphs, specifically, after an event is determined to be anomalous, an event-specific relationship graph associated with that event can be updated to include an additional node that represents the anomaly].
Beck and Muddu are analogous arts because they are in the same field of endeavor, visualizing cybersecurity threat information. Therefore, it would have been obvious to one with ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Beck using the teachings of Muddu to clearly include providing a user interface presenting security threat data in narrative format. It would provide Beck's method with the enhanced capability of allowing a user to view/manage security threat data via GUI [Muddu, Abstract, ¶51].
Regarding claims 2, 9, and 16, Beck does not explicitly disclose, however, Muddu discloses wherein the user interface presents a given process with context information including a name and a process identifier of the given process [¶207, for a particular data source, the configuration file can identify, in the received data representing an event, which field represents a token that may correspond to a timestamp, an entity, an action, an IP address, and event identifier, a process ID, a type of the event, a type of machine that generates the event, and so forth].
Beck and Muddu are analogous arts because they are in the same field of endeavor, visualizing cybersecurity threat information. Therefore, it would have been obvious to one with ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Beck using the teachings of Muddu to clearly include providing a user interface presenting security threat data in narrative format. It would provide Beck's method with the enhanced capability of allowing a user to view/manage security threat data via GUI [Muddu, Abstract, ¶51].
Regarding claims 3, 10, and 17, Beck does not explicitly disclose, however, Muddu discloses wherein the user interface presents a first file as a child of the given process, presents an indicator of a relationship between the given process and the first file, and presents context information including a name of the first file, wherein the relationship between the given process and the first file indicates that the given process ran the file [¶207, for a particular data source, the configuration file can identify, in the received data representing an event, which field represents a token that may correspond to a timestamp, an entity, an action, an IP address, and event identifier, a process ID, a type of the event, a type of machine that generates the event, and so forth; Fig. 30, the parent object represents “Global Rarity Model,” and the child object represents “Local Rarity Model”].
Regarding claims 4, 11, and 18, Beck does not explicitly disclose, however, Muddu discloses wherein the user interface presents a child process of the given process, presents an indicator of a relationship between the given process and the child process, and presents context information including a name and a process identifier of the child process and a date the child process was created, wherein the relationship between the given process and the child process indicates that the given process created the child process [¶207, for a particular data source, the configuration file can identify, in the received data representing an event, which field represents a token that may correspond to a timestamp, an entity, an action, an IP address, and event identifier, a process ID, a type of the event, a type of machine that generates the event, and so forth; Fig. 46D, illustrates an "Anomalous Activity Sequence" box in the Anomaly Details view].
Regarding claims 5, 12, and 19, Beck does not explicitly disclose, however, Muddu discloses wherein the user interface presents a connection, presents a relationship between the given process and the connection that indicates the given process opened the connection [¶207, for a particular data source, the configuration file can identify, in the received data representing an event, which field represents a token that may correspond to a timestamp, an entity, an action, an IP address, and event identifier, a process ID, a type of the event, a type of machine that generates the event, and so forth; Fig. 30, the parent object represents "Global Rarity Model," and the child object represents "Local Rarity Model"; Fig. 46D, illustrates an "Anomalous Activity Sequence" box in the Anomaly Details view].
Regarding claim 7, Beck does not explicitly disclose, however, Muddu discloses wherein the hierarchical format comprises presenting a child object beneath and indented from its parent object [see Fig. 30, the parent object represents "Global Rarity Model," and the child object represents "Local Rarity Model"].
Regarding claims 21-23, wherein generating a user interface presenting the cyber threat data in a narrative format further comprises:
Beck discloses [Abstract, an expert interface component can automatically connect a system user with a system support expert. A user interface module can present a threat-tracking graphical user interface and a query interface component integrated into the threat-tracking graphical user interface to a system user belonging to a client team to review a potential cyber threat and receive a query for assistance. The query interface component can allow the system user to digitally grab a visual data container displaying information and containing a data object. The query interface component can collect the visual data container from the threat-tracking graphical user interface into a collection window of the query interface component. A communication module provides an incident ticket containing the query and the visual data container to a system support expert at a remote platform], and [¶140, the threat-tracking graphical user interface may have a topology map displaying a two-dimensional or three-dimensional representation of the network, the topology map can have one or more network nodes acting as a visual data container for a network entity on the network, the topology map can illustrate each connection between a network node and any other network node in contact with that network node, a network node can be marked to indicate an issue with the represented network entity, the user analyst can select a network node with the cursor to reveal more information about the represented network entity].
Examiner Note: Muddu also discloses this limitation as: [Figs. 42, 45A, 46A, 46C, 46F, 48A, 49A, providing user interface presenting the analysis regarding security threat data with narrative information], and [¶147, event data refers to machine data related to activity on a network with respect to an entity of focus, such as one or more users, one or more network nodes, one or more network segments, one or more applications, etc.], and [¶163, event data related to traffic on a node, a link, a set of nodes, or a set of links], and [¶175, a security graph is generally a representation of the relationships between entities in the network and any anomalies identified. For example, a security graph may map out the interactions between users, including information regarding which devices are involved, who or what is talking to whom/what, when and how interactions occur, which nodes or entities may be anomalous, and the like, the nodes of the security graph may be annotated with additional data (i.e., cyber threat data in a narrative format)], and [¶179, the anomalies can be stored in a graph database in the form of anomaly nodes in a graph or graphs, specifically, after an event is determined to be anomalous, an event-specific relationship graph associated with that event can be updated to include an additional node that represents the anomaly].
Beck does not explicitly disclose, however, Muddu discloses generating a tree data structure based on the objects in the cyber threat data, wherein each node of the tree data structure represents an object in the cyber threat data and each edge in the tree data structure represents a relationship type between a parent object and a child object in the objects of the cyber threat data [see Fig. 30, the parent object represents "Global Rarity Model," and the child object represents "Local Rarity Model"], and [see Figs. 9A-B, ¶214, a graph in the context of this description includes a number of nodes and edges. Each node in the relationship graph represents one of the entities involved in the event, and each edge represents a relationship between two of the entities. In general, any event involves at least two entities with some relationship between them (e.g., a device and a user who accesses the device) and therefore can be represented as an event-specific relationship graph], and [see Fig. 8, ¶21, graph generator], and [¶352]; and
performing a depth-first search of relationships between objects in the tree data structure and extracting context information pertinent to the relationships between the objects, wherein the hierarchical format indicates the relationships between parent objects and child objects graphically as links between the parent objects and child objects, based on the tree data structure [see Fig. 30, the parent object represents "Global Rarity Model," and the child object represents "Local Rarity Model"], and [¶¶ 214, 352]; and
presents indicators, in association with corresponding links between parent objects and child objects, wherein the indicators specify a relationship type between the parent object and the child object of the corresponding link [see Fig. 30, the parent object represents "Global Rarity Model," and the child object represents "Local Rarity Model"], and [see Figs. 9A-B, ¶214, a graph in the context of this description includes a number of nodes and edges. Each node in the relationship graph represents one of the entities involved in the event, and each edge represents a relationship between two of the entities. In general, any event involves at least two entities with some relationship between them (e.g., a device and a user who accesses the device) and therefore can be represented as an event-specific relationship graph], and [see Fig. 8, ¶21, graph generator], and [¶352].
Beck and Muddu are analogous arts because they are in the same field of endeavor, visualizing cybersecurity threat information. Therefore, it would have been obvious to one with ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Beck using the teachings of Muddu to clearly include providing a user interface presenting security threat data in narrative format. It would provide Beck's method with the enhanced capability of allowing a user to view/manage security threat data via GUI [Muddu, Abstract, ¶51].

Second Set of Rejection:
Claims 1, 3-5, 7-8, 10-12, 14-15, 17-19, and 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over Georgios Apostolopoulos (US Publication 20180219888 A1, hereinafter Apostolopoulos) (filed in IDS 08/11/2021), and in view of Michael Beck et al (US Publication 20190260804 A1, hereinafter Beck) (filed in IDS 05/24/2022).
Regarding claims 1, 8, and 15, Apostolopoulos discloses receiving a cyber threat information file [Abstract, a graph-based network security analytic framework to combine multiple sources of information and security knowledge in order to detect risky behaviors and potential threats], [¶94, the data generated by such data sources can include server log files, activity log files], and [¶128, cybersecurity data]; and
 wherein the cyber threat information file comprises cyber threat data in a serialized format [¶44, events may be derived from time series data, where the time series data comprises a sequence of data points that are associated with successive points in time, in general, each event can be associated with a timestamp that is derived from the raw data in the event]; and
generating a user interface presenting the cyber threat data in a narrative format [¶135, the relationship graph generator is operable to identify a number of relationships between the entities, and to explicitly record these relationships between the entities, some implementations incorporate the generated relationship graph into the event data that represents the event, in the form of a data structure representing the relationship graph, a graph in the context of this description includes a number of nodes and edges], and [¶140, that the components introduced here (e.g., the graph generator 710) may be tailored or customized to the environment in which the platform is deployed. As described above, if the network administrator wishes to receive data in a new data format, he can edit the configuration file to create rules (e.g., in the form of functions or macros) for the particular data format including, for example, identifying how to tokenize the data, identifying which data are the entities in the particular format, and/or identifying the logic on how to establish a relationship. The data input and preparation stage then can automatically adjust to understand the new data format, identify identities and relationships in event data in the new format, and create event relationship graphs therefrom.], and [¶92, using one or more web-based interfaces. Thus, the techniques and systems described herein for providing user interfaces that enable a user to configure source type definitions are applicable to both on-premises and cloud-based service contexts, or some combination thereof (e.g., a hybrid system where both an on-premises environment such as SPLUNK® ENTERPRISE and a cloud-based environment such as SPLUNK CLOUD™ are centrally visible)]; and
wherein the user interface presents objects in the cyber threat data in a hierarchical format indicative of relationships between parent objects and child objects and presents context information for each object [¶135, a graph in the context of this description includes a number of nodes and edges, each node in the relationship graph represents one of the entities involved in the event, and each edge represents a relationship between two of the entities], and [¶171, the anomaly data is stored in a data structure in the form of an anomaly graph, the anomaly graph includes a plurality of vertices representing entities associate with the computer network and a plurality of edges, each of the plurality of edges representing an anomaly linking two of the plurality of vertices], and [¶189, assigns combined network activities into different projections of the composite relationship graph, depending on the type of activity, each projection represents a subset of the composite relationship graph that relates to a certain type or types of user action or other category], and [¶199, for each edge (relationship) in the composite relationship graph, the graph library component examines the edge's type to determine the projection to which the edge belongs], and [¶206, the process identifies one or more computer network activities of a particular type based on the event-specific relationship graph]; and
presenting the user interface to an analyst.
Even though Apostolopoulos discloses this limitation as: [¶35, by presenting analytical results scored with risk ratings and supporting evidence, the security platform can enable network security administrators or analysts to respond to a detected anomaly or threat, and to act promptly],
and even though Apostolopoulos discloses a method, in a data processing system, for displaying cyber threat data in a narrative format as: [¶135, the relationship graph generator is operable to identify a number of relationships between the entities, and to explicitly record these relationships between the entities, some implementations incorporate the generated relationship graph into the event data that represents the event, in the form of a data structure representing the relationship graph, a graph in the context of this description includes a number of nodes and edges], and [¶140, that the components introduced here (e.g., the graph generator 710) may be tailored or customized to the environment in which the platform is deployed. As described above, if the network administrator wishes to receive data in a new data format, he can edit the configuration file to create rules (e.g., in the form of functions or macros) for the particular data format including, for example, identifying how to tokenize the data, identifying which data are the entities in the particular format, and/or identifying the logic on how to establish a relationship. The data input and preparation stage then can automatically adjust to understand the new data format, identify identities and relationships in event data in the new format, and create event relationship graphs therefrom.], and [¶92, using one or more web-based interfaces. Thus, the techniques and systems described herein for providing user interfaces that enable a user to configure source type definitions are applicable to both on-premises and cloud-based service contexts, or some combination thereof (e.g., a hybrid system where both an on-premises environment such as SPLUNK® ENTERPRISE and a cloud-based environment such as SPLUNK CLOUD™ are centrally visible)],
Apostolopoulos does not explicitly disclose this limitation. However, Beck discloses [Abstract, an expert interface component can automatically connect a system user with a system support expert. A user interface module can present a threat-tracking graphical user interface and a query interface component integrated into the threat-tracking graphical user interface to a system user belonging to a client team to review a potential cyber threat and receive a query for assistance. The query interface component can allow the system user to digitally grab a visual data container displaying information and containing a data object. The query interface component can collect the visual data container from the threat-tracking graphical user interface into a collection window of the query interface component. A communication module provides an incident ticket containing the query and the visual data container to a system support expert at a remote platform], and [¶140, the threat-tracking graphical user interface may have a topology map displaying a two-dimensional or three-dimensional representation of the network, the topology map can have one or more network nodes acting as a visual data container for a network entity on the network, the topology map can illustrate each connection between a network node and any other network node in contact with that network node, a network node can be marked to indicate an issue with the represented network entity, the user analyst can select a network node with the cursor to reveal more information about the represented network entity].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Apostolopoulos with the teaching of Beck in order to implement an expert interface component which can automatically connect a system user with a system support expert. A user interface module can present a threat-tracking graphical user interface and a query interface component integrated into the threat-tracking graphical user interface [Beck, Abstract].
Regarding claims 3, 10, and 17, Apostolopoulos discloses wherein the user interface presents a first file as a child of the given process, presents an indicator of a relationship between the given process and the first file, and presents context information including a name of the first file, wherein the relationship between the given process and the first file indicates that the given process ran the file [¶135, a graph in the context of this description includes a number of nodes and edges, each node in the relationship graph represents one of the entities involved in the event, and each edge represents a relationship between two of the entities], and [¶171, the anomaly data is stored in a data structure in the form of an anomaly graph, the anomaly graph includes a plurality of vertices representing entities associate with the computer network and a plurality of edges, each of the plurality of edges representing an anomaly linking two of the plurality of vertices], and [¶189, assigns combined network activities into different projections of the composite relationship graph, depending on the type of activity, each projection represents a subset of the composite relationship graph that relates to a certain type or types of user action or other category], and [¶199, for each edge (relationship) in the composite relationship graph, the graph library component examines the edge's type to determine the projection to which the edge belongs], and [¶206, the process identifies one or more computer network activities of a particular type based on the event-specific relationship graph], and [¶136, identifiable relationship may be customizable and provides the flexibility to the administrator to tailor the system to his data sources, possible relationships can include, for example, "connects to," "uses," "runs on," "visits," "uploads," "successfully logs onto," "restarts," "shuts down," "unsuccessfully attempts to log onto," "attacks," and "infects"].
Regarding claims 4, 11, and 18, Apostolopoulos discloses wherein the user interface presents a child process of the given process, presents an indicator of a relationship between the given process and the child process, and presents context information including a name and a process identifier of the child process and a date the child process was created, wherein the relationship between the given process and the child process indicates that the given process created the child process [¶135, a graph in the context of this description includes a number of nodes and edges, each node in the relationship graph represents one of the entities involved in the event, and each edge represents a relationship between two of the entities], and [¶171, the anomaly data is stored in a data structure in the form of an anomaly graph, the anomaly graph includes a plurality of vertices representing entities associate with the computer network and a plurality of edges, each of the plurality of edges representing an anomaly linking two of the plurality of vertices], and [¶189, assigns combined network activities into different projections of the composite relationship graph, depending on the type of activity, each projection represents a subset of the composite relationship graph that relates to a certain type or types of user action or other category], and [¶199, for each edge (relationship) in the composite relationship graph, the graph library component examines the edge's type to determine the projection to which the edge belongs], and [¶206, the process identifies one or more computer network activities of a particular type based on the event-specific relationship graph], and [¶136, identifiable relationship may be customizable and provides the flexibility to the administrator to tailor the system to his data sources, possible relationships can include, for example, "connects to," "uses," "runs on," "visits," "uploads," "successfully logs onto," "restarts," "shuts down," "unsuccessfully attempts to log onto," "attacks," and "infects"].
Regarding claims 5, 12, and 19, Apostolopoulos discloses wherein the user interface presents a connection, presents a relationship between the given process and the connection that indicates the given process opened the connection [¶135, a graph in the context of this description includes a number of nodes and edges, each node in the relationship graph represents one of the entities involved in the event, and each edge represents a relationship between two of the entities], and [¶171, the anomaly data is stored in a data structure in the form of an anomaly graph, the anomaly graph includes a plurality of vertices representing entities associate with the computer network and a plurality of edges, each of the plurality of edges representing an anomaly linking two of the plurality of vertices], and [¶189, assigns combined network activities into different projections of the composite relationship graph, depending on the type of activity, each projection represents a subset of the composite relationship graph that relates to a certain type or types of user action or other category], and [¶199, for each edge (relationship) in the composite relationship graph, the graph library component examines the edge's type to determine the projection to which the edge belongs], and [¶206, the process identifies one or more computer network activities of a particular type based on the event-specific relationship graph], and [¶136, identifiable relationship may be customizable and provides the flexibility to the administrator to tailor the system to his data sources, possible relationships can include, for example, "connects to," "uses," "runs on," "visits," "uploads," "successfully logs onto," "restarts," "shuts down," "unsuccessfully attempts to log onto," "attacks," and "infects"].

Regarding claims 7, and 14, Apostolopoulos discloses wherein the hierarchical format comprises presenting a child object beneath and indented from its parent object [¶234, The connected components may be formed by performing computation on the graph using known algorithms (e.g., by either breadth-first search or depth-first search, which can compute the connected components of a graph in linear time (in terms of the numbers of the vertices and edges of the graph))].
Regarding claims 21-23, wherein generating a user interface presenting the cyber threat data in a narrative format further comprises
Apostolopoulos discloses [¶135, the relationship graph generator is operable to identify a number of relationships between the entities, and to explicitly record these relationships between the entities, some implementations incorporate the generated relationship graph into the event data that represents the event, in the form of a data structure representing the relationship graph, a graph in the context of this description includes a number of nodes and edges], and [¶140,  that the components introduced here (e.g., the graph generator 710) may be tailored or customized to the environment in which the platform is deployed. As described above, if the network administrator wishes to receive data in a new data format, he can edit the configuration file to create rules (e.g., in the form of functions or macros) for the particular data format including, for example, identifying how to tokenize the data, identifying which data are the entities in the particular format, and/or identifying the logic on how to establish a relationship. The data input and preparation stage then can automatically adjust to understand the new data format, identify identities and relationships in event data in the new format, and create event relationship graphs therefrom.], and [¶92, using one or more web-based interfaces. Thus, the techniques and systems described herein for providing user interfaces that enable a user to configure source type definitions are applicable to both on-premises and cloud-based service contexts, or some combination thereof (e.g., a hybrid system where both an on-premises environment such as SPLUNK® ENTERPRISE and a cloud-based environment such as SPLUNK CLOUD™ are centrally visible)]. 
Beck discloses [Abstract, an expert interface component can automatically connect a system user with a system support expert. A user interface module can present a threat-tracking graphical user interface and a query interface component integrated into the threat-tracking graphical user interface to a system user belonging to a client team to review a potential cyber threat and receive a query for assistance. The query interface component can allow the system user to digitally grab a visual data container displaying information and containing a data object. The query interface component can collect the visual data container from the threat-tracking graphical user interface into a collection window of the query interface component. A communication module provides an incident ticket containing the query and the visual data container to a system support expert at a remote platform], and [¶140, the threat-tracking graphical user interface may have a topology map displaying a two-dimensional or three-dimensional representation of the network, the topology map can have one or more network nodes acting as a visual data container for a network entity on the network, the topology map can illustrate each connection between a network node and any other network node in contact with that network node, a network node can be marked to indicate an issue with the represented network entity, the user analyst can select a network node with the cursor to reveal more information about the represented network entity].
Examiner Note: Muddu also discloses this limitation as: [Figs. 42, 45A, 46A, 46C, 46F, 48A, 49A, providing user interface presenting the analysis regarding security threat data with narrative information], and [¶147, event data refers to machine data related to activity on a network with respect to an entity of focus, such as one or more users, one or more network nodes, one or more network segments, one or more applications, etc.], and [¶163, event data related to traffic on a node, a link, a set of nodes, or a set of links], and [¶175, a security graph is generally a representation of the relationships between entities in the network and any anomalies identified. For example, a security graph may map out the interactions between users, including information regarding which devices are involved, who or what is talking to whom/what, when and how interactions occur, which nodes or entities may be anomalous, and the like, the nodes of the security graph may be annotated with additional data (i.e., cyber threat data in a narrative format)], and [¶179, the anomalies can be stored in a graph database in the form of anomaly nodes in a graph or graphs, specifically, after an event is determined to be anomalous, an event-specific relationship graph associated with that event can be updated to include an additional node that represents the anomaly].
Examiner Note: Beck discloses [Abstract, an expert interface component can automatically connect a system user with a system support expert. A user interface module can present a threat-tracking graphical user interface and a query interface component integrated into the threat-tracking graphical user interface to a system user belonging to a client team to review a potential cyber threat and receive a query for assistance. The query interface component can allow the system user to digitally grab a visual data container displaying information and containing a data object. The query interface component can collect the visual data container from the threat-tracking graphical user interface into a collection window of the query interface component. A communication module provides an incident ticket containing the query and the visual data container to a system support expert at a remote platform], and [¶140, the threat-tracking graphical user interface may have a topology map displaying a two-dimensional or three-dimensional representation of the network, the topology map can have one or more network nodes acting as a visual data container for a network entity on the network, the topology map can illustrate each connection between a network node and any other network node in contact with that network node, a network node can be marked to indicate an issue with the represented network entity, the user analyst can select a network node with the cursor to reveal more information about the represented network entity]; and
generating a tree data structure based on the objects in the cyber threat data, wherein each node of the tree data structure represents an object in the cyber threat data and each edge in the tree data structure represents a relationship type between a parent object and a child object in the objects of the cyber threat data [¶135, a graph in the context of this description includes a number of nodes and edges, each node in the relationship graph represents one of the entities involved in the event, and each edge represents a relationship between two of the entities], and [¶171, the anomaly data is stored in a data structure in the form of an anomaly graph, the anomaly graph includes a plurality of vertices representing entities associated with the computer network and a plurality of edges, each of the plurality of edges representing an anomaly linking two of the plurality of vertices], and [¶189, assigns combined network activities into different projections of the composite relationship graph, depending on the type of activity, each projection represents a subset of the composite relationship graph that relates to a certain type or types of user action or other category], and [¶199, for each edge (relationship) in the composite relationship graph, the graph library component examines the edge's type to determine the projection to which the edge belongs], and [¶206, the process identifies one or more computer network activities of a particular type based on the event-specific relationship graph], and [¶136, identifiable relationship may be customizable and provides the flexibility to the administrator to tailor the system to his data sources, possible relationships can include, for example, "connects to," "uses," "runs on," "visits," "uploads," "successfully logs onto," "restarts," "shuts down," "unsuccessfully attempts to log onto," "attacks," and "infects"]; and
performing a depth-first search of relationships between objects in the tree data structure and extracting context information pertinent to the relationships between the objects, wherein the hierarchical format indicates the relationships between parent objects and child objects graphically as links between the parent objects and child objects, based on the tree data structure [¶234, The connected components may be formed by performing computation on the graph using known algorithms (e.g., by either breadth-first search or depth-first search, which can compute the connected components of a graph in linear time (in terms of the numbers of the vertices and edges of the graph))]; and
presents indicators, in association with corresponding links between parent objects and child objects, wherein the indicators specify a relationship type between the parent object and the child object of the corresponding link [see FIG. 8, ¶139, Using the aforementioned techniques (e.g., the parsers 706, and the field mapper 708), the graph generator 710 can readily identify that the event represented in the FIG. 8A involves a number of entities, such as the user "psibbal," the source IP "10.33.240.240," the destination IP "74.125.239.107," and an URL "sample.site.com." The graph generator 710 also identifies that an action "GET" is involved in the event. Accordingly, the graph generator 710 can compare the action to the table of identifiable actions, identify one or more relationships between the entities, and create an event-specific relationship graph 802 based on the event. As shown in FIG. 8B, the relationship graph 802 includes the entities that are involved in the events. Each entity is represented by a different node. The relationship graph 802 also includes edges that link the nodes representing entities. The identified relationships between the entities are the edges in the graph 802. The relationship graph 802 can be stored in known data structures (e.g., an array) suitable for representing graphs that have nodes and edges], and [¶171, the anomaly data 1004 is stored in a data structure in the form of an anomaly graph. In such embodiments, the anomaly graph includes a plurality of vertices (nodes) representing entities associated with the computer network and a plurality of edges, each of the plurality of edges representing an anomaly linking two of the plurality of vertices (nodes)], and [¶173, the threat indicator graph may include a plurality of vertices (nodes) representing entities associated with the computer network and a plurality of edges, each of the plurality of edges representing a threat indicator linking two of the plurality of vertices (nodes)], and [¶174].

Claims 2, 9, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Georgios Apostolopoulos (US Publication 20180219888 A1, hereinafter Apostolopoulos) (filed in IDS 08/11/2021) and in view of Michael Beck et al (US Publication 20190260804 A1, hereinafter Beck) (filed in IDS 05/24/2022) and further in view of Michael Muddu et al (US Publication 2019/0342311 A1, hereinafter Muddu) (filed in IDS 03/13/2020).
Regarding claims 2, 9, and 16, Apostolopoulos and Beck do not explicitly disclose, however, Muddu discloses wherein the user interface presents a given process with context information including a name and a process identifier of the given process [¶207, for a particular data source, the configuration file can identify, in the received data representing an event, which field represents a token that may correspond to a timestamp, an entity, an action, an IP address, an event identifier, a process ID, a type of the event, a type of machine that generates the event, and so forth].
Apostolopoulos, Beck and Muddu are analogous arts because they are in the same field of endeavor, visualizing cybersecurity threat information. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Apostolopoulos and Beck using the teachings of Muddu to clearly include providing a user interface presenting security threat data in narrative format. It would provide Muddu's method with the enhanced capability of allowing a user to view/manage security threat data via a GUI [Muddu, Abstract, ¶51].
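As an added illustration (not code from this office action, the application, or any of the cited patents), the limitations quoted above for claims 21-23, together with the process name and process identifier context of claims 2, 9, and 16, can be read as the following Python: a tree of threat objects whose edges carry a relationship type, a depth-first walk over it, and an indented hierarchical rendering with a relationship indicator on each link. The entities reuse the FIG. 8A event cited above; the process name "browser.exe", its PID, and the relationship label "runs" are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass
class ThreatObject:
    """One node of the tree: an object (entity) in the cyber threat data."""
    kind: str                      # e.g. "user", "ip", "url", "process"
    name: str
    context: Dict[str, str] = field(default_factory=dict)   # context information
    # Each edge carries the relationship type between parent and child object.
    children: List[Tuple[str, "ThreatObject"]] = field(default_factory=list)

    def add(self, relationship: str, child: "ThreatObject") -> "ThreatObject":
        self.children.append((relationship, child))
        return child


def walk_dfs(root: ThreatObject) -> Iterator[Tuple[int, Optional[str], ThreatObject]]:
    """Depth-first traversal yielding (depth, relationship from parent, object)."""
    stack: List[Tuple[int, Optional[str], ThreatObject]] = [(0, None, root)]
    while stack:
        depth, relationship, obj = stack.pop()
        yield depth, relationship, obj
        # Push children in reverse so the first child is visited first.
        for rel, child in reversed(obj.children):
            stack.append((depth + 1, rel, child))


def render_hierarchy(root: ThreatObject, indent: str = "    ") -> str:
    """Hierarchical format: each child beneath and indented from its parent,
    with an indicator on the link naming the relationship type."""
    lines = []
    for depth, relationship, obj in walk_dfs(root):
        ctx = ", ".join(f"{k}={v}" for k, v in obj.context.items())
        label = f"{obj.kind} {obj.name}" + (f" ({ctx})" if ctx else "")
        link = f"|-- [{relationship}] " if relationship else ""
        lines.append(f"{indent * depth}{link}{label}")
    return "\n".join(lines)


def build_sample_tree() -> ThreatObject:
    """Constructed sample: FIG. 8A entities plus a hypothetical process (made-up PID)."""
    user = ThreatObject("user", "psibbal")
    proc = user.add("runs", ThreatObject("process", "browser.exe", {"pid": "4242"}))
    src = proc.add("uses", ThreatObject("ip", "10.33.240.240"))
    src.add("connects to", ThreatObject("ip", "74.125.239.107"))
    user.add("visits", ThreatObject("url", "sample.site.com", {"action": "GET"}))
    return user
```

Calling `render_hierarchy(build_sample_tree())` yields five lines, one per object, with the "visits" branch returning to depth one after the deeper "runs" branch is exhausted.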


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Falk (US2018/0046801) [MALWARE DATA ITEM ANALYSIS].
Lewis (US2016/0359898) [COMPUTER NETWORK ATTRIBUTE BILATERAL INHERITANCE].
Cummings (US7496594) [User Interface for Displaying A Hierarchical Structure of a Computer System].
CA2844845A1 [HIERARCHICAL NAVIGATION WITH RELATED OBJECTS].
Choudhury (US2018/0329958) [PERFORMANCE AND USABILITY ENHANCEMENTS FOR CONTINUOUS SUBGRAPH MATCHING QUERIES ON GRAPH-STRUCTURED DATA].
Chen (US2016/0330226) [Graph-based Intrusion Detection Using Process Traces].
Philip (US2015/0073858) [METADATA-DRIVEN AUDIT REPORTING SYSTEM WITH HIERARCHICAL RELATIONSHIPS].
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAHRIAR ZARRINEH whose telephone number is (571)272-1207. The examiner can normally be reached Monday-Friday, 8:30am-5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado can be reached on 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHAHRIAR ZARRINEH/Examiner, Art Unit 2496