DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to Application 17219484 filed on 03/31/2021. Claims 1, 11 and 15 are independent claims. Claims 1-20 have been examined and are pending in this application. This Office Action is made Non-Final.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 03/31/2021 and 08/12/2022 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Specification
The disclosure is objected to because of the following informality: the Specification is missing a Summary section. Appropriate correction is required. See MPEP § 608.01(a).

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 15-20 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter. The claims do not fall within at least one of the four categories of patent-eligible subject matter for the following reasons.
Regarding claim 15; the claim calls for an apparatus; however, there is no hardware element found within the claimed system. As recited in the body of the claim, the claimed system contains “a processor” and “a computer-readable medium.” One of ordinary skill in the art would understand that a ‘processor’ could be a software processor (See “The Authoritative Dictionary of IEEE Standards Terms,” Seventh Edition, published in 2000), and under a recent precedential opinion, the scope of the recited ‘machine readable medium’ encompasses transitory media such as signals or carrier waves, where, as here, the Specification does not limit the computer-readable storage medium to non-transitory forms. See Ex parte Mewherter, 107 USPQ2d 1857, 1862 (PTAB 2013) (precedential) (holding a recited machine-readable storage medium ineligible under 35 U.S.C. § 101 since it encompassed transitory media). As the body of the claim does not positively recite any hardware embodiment, the claim is directed to non-statutory subject matter. The nominal recitation of the machine/device in the preamble, with an absence of a hardware element in the body of the claim, fails to make the claim statutory under 35 U.S.C. 101. See Am. Med. Sys., Inc. v. Biolitec, Inc., 618 F.3d 1354, 1358 (Fed. Cir. 2010). See also Ex parte Cohen et al. (Appeal No. 2009-011366) for details. The Examiner respectfully suggests that the claim be further amended to positively recite at least one hardware element within the body of the claim to make the claim statutory subject matter under 35 U.S.C. 101.
Regarding claims 16-20; claims 16-20 are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reasons.

Claims 1-20 are rejected under 35 U.S.C. 101 as being directed to an abstract idea without being integrated into a practical application or amounting to significantly more.
Regarding claims 1, 11 and 15, the claim is directed to an abstract idea as reciting the limitations “determining... and generating a causality tree” recited in claim 1; “determining... and adding a plurality of nodes to a tree” recited in claim 11; ” recited in claim 15. The aforementioned steps are a “mental process”: as broadly interpreted, said steps could be performed in the human mind and/or by a human using pencil and paper. Therefore, the claim recites an abstract idea.
Said abstract idea and/or judicial exception is not integrated into a practical application, as the claim does not recite any other active steps that utilize the determination result in a practical application. It’s noted that the claims recite additional elements (i.e., processor/memory, processing system). However, said additional elements are recited at a high level of generality (i.e., as a generic processor performing a generic computer function of detecting or determining, etc.) such that they amount to no more than mere instructions to apply the exception or abstract idea using a generic computer component. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements, when considered both individually and as an ordered combination, do not amount to significantly more than the abstract idea. As mentioned above, although the claims recite additional elements, said elements, taken individually or as a combination, do not result in the claim amounting to significantly more than the abstract idea because the additional elements perform generic computer content-distributing functions routinely used in the information technology field. See US Application 20200059481, US Application 20210263830. As discussed above, the additional elements are recited at a high level of generality such that they amount to no more than mere instructions to apply the exception using a generic computer component. Therefore, the claim is directed to non-statutory subject matter.
Regarding dependent claims 2-10, 12-14 and 16-20; claims 2-10, 12-14 and 16-20 are rejected under 35 U.S.C. 101 as being directed to an abstract idea without being integrated into a practical application or significantly more for the same reasons discussed above. It’s noted that claims 2-10, 12-14 and 16-20 recite additional steps, such as “determining … adding a plurality of nodes; determining … adding a node to the causality tree; determining … adding a node which corresponds to the child process; etc.” However, said steps are not sufficient to be considered as integrating an abstract idea into a practical application. As a result, claims 2-10, 12-14 and 16-20 are also rejected under 35 U.S.C. 101 as being directed to an abstract idea without being integrated into a practical application or significantly more.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 and 5-10 are rejected under 35 U.S.C. 103 as being unpatentable over Sekar et al. (“Sekar,” US 20200059481, published on 02/20/2022) in view of Kruglov et al. (“Kruglov,” US 20210263830, published on 08/26/2021).

Regarding Claim 1;
Sekar discloses a method comprising: 
parsing a report generated based on a security analysis of a detected software sample (par 0030; receiving an audit data stream associated with cyber events [] identifying trustworthiness values in a portion of data associated with the cyber events; par 0065; detection and reconstruction of cyber events extracted from audit data in order to generate a compact scenario representation; par 0066; detection of attacks and respective event data, including attack reconstruction from COTS audit logs),
the report comprising identifiers of a plurality of entities associated with a sequence of events that occurred during the security analysis (par 0065; detection and reconstruction of cyber events extracted from audit data in order to generate a compact scenario representation; par 0066; detection of attacks and respective event data, including attack reconstruction from COTS audit logs; par 0280; various implementations of different audit data sets that are processed by the disclosed system [] the events are labeled in sequence number beginning with 1-45, and represent the sequence of flow/steps; par 0301; the initial entry point for the attack is Firefox (near sequence 1), which is compromised on visiting the web server 129.55.12.167; par 0304; next exfiltrated to IP Address 129.55.12.51:9418 using git at sequence 27);
determining from the report a plurality of actions and a plurality of behaviors recorded during the security analysis (par 0098; fig. 1A: events as reported in the audit log being captured as labeled edges between such subjects and objects; par 0105; the tag and attack detection component is used to summarize the determination and/or assessment of the trust-worthiness and sensitivity of objects and subjects; par 0110; a Benign authentic tag is assigned by the system to data/code received from sources trusted to be benign, and whose authenticity can be verified; par 0116; reveal vulnerabilities in the system, but does not provide a direct way for an attacker to gain access to the system is assigned a sensitive confidentiality tag);
based on determining a hierarchical structure among the plurality of entities, generating a causality tree comprising a plurality of nodes (par 0078; fig. 6; determining the causality among system entities; par 0098; the graph represents subject and objects with events as reported in the audit log; par 0097; the system develops a graph that represents two types of entities: subjects, which represent processes, and objects, which represent entities such as files, pipes, and network connections [] events reported in the audit log are captured using labeled edges between nodes); 
wherein each of the plurality of nodes corresponds to a respective one of the plurality of entities (par 0078; fig. 6; graphs are used to trace back to the root causes of intrusions. These graphs are built by correlating events collected by a logging system and by determining the causality among system entities, to help in forensic analysis after an attack is detected; par 0097; the system develops a graph that represents two types of entities [] events reported in the audit log are captured using labeled edges between nodes); 
for each node of one or more of the plurality of nodes, associating indications of corresponding ones of the plurality of actions and indications of the plurality of behaviors with the node (par 0097; the system develops a graph that represents two types of entities [] events reported in the audit log are captured using labeled edges between nodes; par 0105; the tag and attack detection component is used to summarize the determination and/or assessment of the trust-worthiness and sensitivity of objects and subjects; par 0116; reveal vulnerabilities in the system, but does not provide a direct way for an attacker to gain access to the system is assigned a sensitive confidentiality tag; par 0137; setting of unknown t-tag at suspect nodes preserves the dependency structure between the graph vertices that cause alarms; par 0182; each alarm is related to one or more entities, which are marked as suspect nodes in the graph);
displaying a visualization of the causality tree on a graphical user interface (GUI) (par 0376; fig. 6; display provides a mechanism to display information to a user; par 0386; a real-time attack scenario reconstruction application, module and/or engine detect a gesture interacting with a displayed visualization).
Sekar discloses the report as recited above, but does not explicitly disclose a verdict that the detected software sample is malicious.
However, in an analogous art, Kruglov discloses a software-impact analysis system/method that includes:
a verdict that the detected software sample is malicious (Kruglov: par 0084; during the analysis of the event log, the software selector makes a decision that the sample of the malicious software is suitable for subsequent testing).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Kruglov with the method/system of Sekar to include a verdict that the detected software sample is malicious. One would have been motivated to select samples of software to be analyzed for capability to cause harm to the IACS, for each particular configuration of the IACS being tested, performing analysis to identify effects of the selected samples (Kruglov: abstract).

Regarding Claim 5; 
The combination of Sekar and Kruglov discloses the method of claim 1;
Sekar discloses determining one or more nodes of the plurality of nodes that correspond to a reason for the verdict based, at least in part, on a field in the report with values corresponding to reasons for the verdict (par 0066; detection of attacks and respective event data, including attack reconstruction from COTS audit logs; par 0097; events reported in the audit log are captured using labeled edges between nodes; par 0108; tags provide important context for attack detection. Each audited event is interpreted in the context of these tags to determine its likelihood of contributing to an attack; par 0112; an unknown tag is assigned by the system to data/code from sources about which there is no information on trustworthiness. Such data/code can sometimes be even malicious; par 0137; setting of unknown t-tag at suspect nodes preserves the dependency structure between the graph vertices that cause alarms), wherein displaying the visualization of the causality tree comprises visually distinguishing graphical elements that represent the determined one or more nodes as corresponding to a reason for the verdict (par 0108; tags provide important context for attack detection. Each audited event is interpreted in the context of these tags to determine its likelihood of contributing to an attack; par 0112; an unknown tag is assigned by the system to data/code from sources about which there is no information on trustworthiness. Such data/code can sometimes be even malicious; par 0137; setting of unknown t-tag at suspect nodes preserves the dependency structure between the graph vertices that cause alarms; par 0376; display provides a mechanism to display information to a user; par 0386; a real-time attack scenario reconstruction application, module and/or engine detect a gesture interacting with a displayed visualization).
Kruglov further discloses a reason for the verdict that the detected software sample is malicious based, at least in part, on a field in the report with values corresponding to reasons for the verdict (par 0041-0045; making an analysis of a malicious software in a simulated environment of a sandbox type, followed by an identification of a suitable malicious software for testing a particular configuration of the IACS, especially an ICS, performing of a controlled testing of samples of the malicious software in the simulated environment of a particular configuration of the IACS, especially an ICS, identification and measurement of the impact of each sample of the malicious software for a particular configuration of the IACS, especially an ICS, making an analysis of all identified causes (events) resulting in disruption of the operations of a particular configuration of the IACS, and pronouncing verdicts as to the danger of a particular sample of the malicious software in a particular configuration of the IACS; par 0084; during the analysis of the event log, the software selector makes a decision that the sample of the malicious software is suitable for subsequent testing).
One would have been motivated to select samples of software to be analyzed for capability to cause harm to the IACS, for each particular configuration of the IACS being tested, performing analysis to identify effects of the selected samples (Kruglov: abstract).

Regarding Claim 6;
The combination of Sekar and Kruglov discloses the method of claim 1;
Sekar discloses determining a plurality of objects associated with the plurality of actions based, at least in part, on fields in the report which indicate inputs to and outputs of each of the plurality of actions, wherein each of the plurality of objects is an input to or an output of a corresponding one of the plurality of actions (par 0386; a real-time attack scenario data and/or audit data analytics engine of the application determine the respective tags and/or policies for respective attack detection and/or creation of a final compact scenario graph representation that is based on root-cause and impact analysis using assigned tags to all relevant audited events; par 0085; the graph represents two types of entities: subjects, which represent processes, and objects, which represent entities such as files, pipes, and network connections. Subject attributes include process id, command line, owner, and tags for code and data. Objects attributes include name, type, owner, and tags. Events reported in the audit log are captured using labeled edges between subjects and objects or between two subjects; par 0108; tags provide important context for attack detection. Each audited event is interpreted in the context of these tags to determine its likelihood of contributing to an attack; par 0110; a benign authentic tag is assigned by the system to data/code received from sources trusted to be benign, and whose authenticity can be verified; par 0112; an unknown tag is assigned by the system to data/code from sources about which there is no information on trustworthiness. Such data/code can sometimes be even malicious; par 0137; setting of unknown t-tag at suspect nodes preserves the dependency structure between the graph vertices that cause alarms; par 0115; highly sensitive information, such as login credentials and private keys are assigned a secret confidentiality tag); and for each node of the one or more of the plurality of nodes, associating indications of corresponding ones of the plurality of objects with the node (par 0085; events reported in the audit log are captured using labeled edges between subjects and objects or between two subjects; par 0108; tags provide important context for attack detection. Each audited event is interpreted in the context of these tags to determine its likelihood of contributing to an attack; par 0110; a benign authentic tag is assigned by the system to data/code received from sources trusted to be benign, and whose authenticity can be verified; par 0112; an unknown tag is assigned by the system to data/code from sources about which there is no information on trustworthiness. Such data/code can sometimes be even malicious; par 0115; highly sensitive information, such as login credentials and private keys are assigned a secret confidentiality tag).
 
Regarding Claim 7;
The combination of Sekar and Kruglov discloses the method of claim 1,
Sekar discloses wherein each node of the plurality of nodes comprises fields for a name of an entity corresponding to the node, a type of the entity, a command executed via a command line, and a process identifier actions (par 0097; events reported in the audit log are captured using labeled edges between nodes; par 0085; the graph represents two types of entities: subjects, which represent processes, and objects, which represent entities such as files, pipes, and network connections. Subject attributes include process id, command line, owner, and tags for code and data. Objects attributes include name, type, owner, and tags).   

Regarding Claim 8;
The combination of Sekar and Kruglov discloses the method of claim 1;
Sekar discloses for each node of the one or more of the plurality of nodes, determining counts of each of the corresponding ones of the plurality of behaviors and plurality of actions and associating the counts with the node (par 0075; fig. 2B; tag and policy-based attack detection component can be implemented and accomplished [] novel algorithms are implemented that leverage tags for root-cause identification and impact analysis; par 0097; events reported in the audit log are captured using labeled edges between nodes; par 0108; tags provide important context for attack detection. Each audited event is interpreted in the context of these tags to determine its likelihood of contributing to an attack; par 0187; analyzes and assigns a level of trustworthiness by incrementing the n.sup.th audited event counter in determination of whether the n.sup.th audited event has likelihood of contributing to the attack. The system will advance the counter for each audited event n+1 and repeat the steps until all audited events are analyzed and respective tags are assigned to all objects and subjects), wherein displaying the visualization of the causality tree on the GUI comprises displaying the counts for each of the one or more nodes (par 0187; analyzes and assigns a level of trustworthiness by incrementing the n.sup.th audited event counter in determination of whether the n.sup.th audited event has likelihood of contributing to the attack. The system will advance the counter for each audited event n+1 and repeat the steps until all audited events are analyzed and respective tags are assigned to all objects and subjects; par 0376; display provides a mechanism to display information to a user; par 0386; a real-time attack scenario reconstruction application, module and/or engine detect a gesture interacting with a displayed visualization).

Regarding Claim 9;
The combination of Sekar and Kruglov discloses the method of claim 1;
Sekar discloses in response to selection of a graphical element that represents a first node of the causality tree, displaying an indicator of a type of entity corresponding to the first node and descriptions of corresponding ones of the plurality of actions and the plurality of behaviors associated with the first node (Sekar: par 0231; fig. 6; the system selects the unvisited node that is marked with the smallest tentative distance, sets it as the new “current node”; par 0085; the graph represents two types of entities: subjects, which represent processes, and objects, which represent entities such as files, pipes, and network connections. Subject attributes include process id, command line, owner, and tags for code and data. Objects attributes include name, type; par 0108; tags provide important context for attack detection. Each audited event is interpreted in the context of these tags to determine its likelihood of contributing to an attack; par 0110; a benign authentic tag is assigned by the system to data/code received from sources trusted to be benign, and whose authenticity can be verified; par 0112; an unknown tag is assigned by the system to data/code from sources about which there is no information on trustworthiness. Such data/code can sometimes be even malicious; par 0137; setting of unknown t-tag at suspect nodes preserves the dependency structure between the graph vertices that cause alarms; par 0115; highly sensitive information, such as login credentials and private keys are assigned a secret confidentiality tag).

Regarding Claim 10;
The combination of Sekar and Kruglov discloses the method of claim 1,
Sekar discloses wherein each of the plurality of entities comprises a process, a file, or a malware instance (par 0097; the main memory dependency graph is a per-host data structure that can reference entities on other hosts but is optimized for the common case of intra-host reference. The system develops a graph that represents two types of entities: subjects, which represent processes, and objects, which represent entities such as files, pipes, and network connections. Subject attributes include process id, command line, owner, and tags for code and data. Objects attributes include name, type, owner, and tags; par 0112; data/code can sometimes be even malicious).

Claims 2-4 and 11-14 are rejected under 35 U.S.C. 103 as being unpatentable over Sekar et al. (US 20200059481) in view of Kruglov et al. (US 20210263830) and further in view of Park et al. (“Park,” US 20180159876, published on 06/07/2018).

Regarding Claim 2;
The combination of Sekar and Kruglov discloses the method of claim 1, wherein generating the causality tree based on determining the hierarchical structure among the plurality of entities comprises (Sekar: par 0078; fig. 6; determining the causality among system entities; par 0098; the graph represents subject and objects with events as reported in the audit log; par 0097; the system develops a graph that represents two types of entities: subjects, which represent processes, and objects, which represent entities such as files, pipes, and network connections [] events reported in the audit log are captured using labeled edges between nodes); for each entity in the pairs of entities, adding a node to the causality tree which corresponds to the entity (Sekar: par 0097; events reported in the audit log are captured using labeled edges between nodes; par 0238; each step of this algorithm adds a node to the shortest path tree); determining if a process tree is associated with the entity in the report (Sekar: par 0078; fig. 6; determining the causality among system entities; par 0065; creation of compact visual graphs that enables an analyst in the expedient identification of the most pertinent attack steps and the source in a targeted cyber-security attack; par 0095; analysis of audit data by navigation from objects to subject, creation/maintaining of object-event records and a relative index; par 0097; events reported in the audit log are captured using labeled edges between nodes).
The combination of Sekar and Kruglov discloses all the limitations as recited above, but does not explicitly disclose determining one or more relationships between pairs of entities, wherein each of the one or more relationships indicates a source entity and a target entity; and based on determining that a process tree is associated with the entity, adding a plurality of nodes to the causality tree as children of the node which corresponds to the entity based, at least in part, on a hierarchical structure of processes in the process tree.
However, in an analogous art, Park discloses a security system/method built on structured and unstructured data sources that includes:
determining one or more relationships between pairs of entities, wherein each of the one or more relationships indicates a source entity and a target entity (Park: par 0044; a digital impression reconstructs network relationships to help the investigator identify an attacking entity and other entities that it communicates with. A security intelligence platform includes a forensics incident module that is operative to correlate tagged identifiers that interacted with each other to produce a digital impression. The collection relationships in a digital impression report represent a continuously-collected electronic presence that is associated with an attacker, or a network-related entity; par 0047; analyzing them in a correlative context to determine their contribution to profiled higher-order security events); and based on determining that a process tree is associated with the entity, adding a plurality of nodes to the causality tree as children of the node which corresponds to the entity based, at least in part, on a hierarchical structure of processes in the process tree (Park: par 0044; fig. 6; the collection relationships in a digital impression report represent a continuously-collected electronic presence that is associated with an attacker, or a network-related entity; par 0050; merging the initial offense context graph, the one or more sub-graphs derived from the knowledge graph exploration; par 0051; by incorporating one or more subgraphs derived from the knowledge graph as well as additional observables mined from examining the subgraph hypotheses, provides for a refined graph that reveals potential causal relationships more readily, or otherwise provides information that reveals which parts of the graph might best be prioritized for further analysis; par 0058; the knowledge graph is informed by combining multiple structured and unstructured data sources. The offense context graph is centered around a root node that has child nodes within the “offense”. The “offense context” includes still other nodes of relevance. There may also be a set of device activities that include relevant device nodes).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Park with the method/system of Sekar and Kruglov to include determining one or more relationships between pairs of entities, wherein each of the one or more relationships indicates a source entity and a target entity; and based on determining that a process tree is associated with the entity, adding a plurality of nodes to the causality tree as children of the node which corresponds to the entity based, at least in part, on a hierarchical structure of processes in the process tree. One would have been motivated to do so because, using entities identified in the initial version, additional security information is then received; the additional information is extracted from one or more unstructured data sources and includes text in which the entities appear, and the text is processed to extract relationships involving the entities, generating entities and relationships extracted from the unstructured data sources (Park: abstract).
Regarding Claim 3;
The combination of Sekar, Kruglov and Park disclose the method of claim 2, 
Sekar disclose wherein adding the node to the causality tree which corresponds to the entity comprises, based on determining that the entity is identified as a source entity in a first of the one or more relationships and is not identified as target entity in any of the one or more relationships, creating a root node of the causality tree (Sekar: par 0222; each step of this algorithm adds a node to the shortest path tree, which consists of the shortest paths computed thus far. This enables the search to stop as soon as an entry point node is added to the tree; par 0112; an unknown tag is assigned by the system to data/code from sources about which there is no information on trustworthiness).
Park further discloses creating a root node of the causality tree (Park: par 0051; by incorporating one or more subgraphs derived from the knowledge graph as well as additional observables mined from examining the subgraph hypotheses, provides for a refined graph that reveals potential causal relationships more readily, or otherwise provides information that reveals which parts of the graph might best be prioritized for further analysis; par 0078; the extracted and normalized entities and relationships are then added back into the KG. This addition is carried out and results in a composite knowledge graph; par 0063; context graph is built depending on offense types, such that the main offense source becomes the root of an offense context graph and offense details are linked together around the root node); and based on determining that the entity is identified as a target entity in a first of the one or more relationships, adding a node to the causality tree as a child of a node which corresponds to its respective source entity (Park: par 0044; fig. 6; the collection relationships in a digital impression report represent a continuously-collected electronic presence that is associated with an attacker, or a network-related entity; par 0050; merging the initial offense context graph, the one or more sub-graphs derived from the knowledge graph exploration; par 0051; by incorporating one or more subgraphs derived from the knowledge graph as well as additional observables mined from examining the subgraph hypotheses, provides for a refined graph that reveals potential causal relationships more readily, or otherwise provides information that reveals which parts of the graph might best be prioritized for further analysis; par 0058; the knowledge graph is informed by combining multiple structured and unstructured data sources. The offense context graph is centered around a root node that has child nodes within the “offense”. The “offense context” includes still other nodes of relevance. There may also be a set of device activities that include relevant device nodes).
One would have been motivated to do so because, using entities identified in the initial version, additional security information is then received; the additional information is extracted from one or more unstructured data sources and includes text in which the entities appear, and the text is processed to extract relationships involving the entities, generating entities and relationships extracted from the unstructured data sources (Park: abstract).

Regarding Claim 4;
The combination of Sekar, Kruglov and Park discloses the method of claim 2.
Park discloses wherein adding the plurality of nodes to the causality tree comprises, based on determining a parent process of the process tree, adding a first node which corresponds to the parent process to the causality tree as a child of the node which corresponds to the entity (Park: par 0044; fig. 6; the collection relationships in a digital impression report represent a continuously-collected electronic presence that is associated with an attacker, or a network-related entity; par 0050; merging the initial offense context graph, the one or more sub-graphs derived from the knowledge graph exploration; par 0051; by incorporating one or more subgraphs derived from the knowledge graph as well as additional observables mined from examining the subgraph hypotheses, provides for a refined graph that reveals potential causal relationships more readily, or otherwise provides information that reveals which parts of the graph might best be prioritized for further analysis; par 0053; the process then builds an offense context graph, preferably with the offending entity as the center node and contextual information gradually connected to the center node and its children; par 0058; the knowledge graph is informed by combining multiple structured and unstructured data sources. The offense context graph is centered around a root node that has child nodes within the “offense”. The “offense context” includes still other nodes of relevance. There may also be a set of device activities that include relevant device nodes); and for each child process remaining in the process tree, adding a node which corresponds to the child process to the causality tree as a child of the first node; and adding additional child nodes for children of the child process indicated in the process tree (Park: par 0050; merging the initial offense context graph, the one or more sub-graphs derived from the knowledge graph exploration; par 0051; by incorporating one or more subgraphs derived from the knowledge graph as well as additional observables mined from examining the subgraph hypotheses, provides for a refined graph that reveals potential causal relationships more readily, or otherwise provides information that reveals which parts of the graph might best be prioritized for further analysis; par 0078; the extracted and normalized entities and relationships are then added back into the KG. This addition is carried out and results in a composite knowledge graph; par 0053; the process then builds an offense context graph, preferably with the offending entity as the center node and contextual information gradually connected to the center node and its children; par 0058; the offense context graph is centered around a root node that has child nodes within the offense. The offense context includes still other nodes of relevance. There may also be a set of device activities that include relevant device nodes).
One would have been motivated to do so because, using entities identified in the initial version, additional security information is then received; the additional information is extracted from one or more unstructured data sources and includes text in which the entities appear, and the text is processed to extract relationships involving the entities, generating entities and relationships extracted from the unstructured data sources (Park: abstract).



Regarding Claim 11; 
Sekar discloses one or more non-transitory machine-readable media comprising program code to:
parse a report generated from performing threat analysis based on detection of a potential threat (par 0030; receiving an audit data stream associated with cyber events [] identifying trustworthiness values in a portion of data associated with the cyber events; par 0065; detection and reconstruction of cyber events extracted from audit data in order to generate a compact scenario representation; par 0066; detection of attacks and respective event data, including attack reconstruction from COTS audit logs),
the report indicating that the potential threat is malicious (par 0079; if an attack deliberately writes into a well-known log file, Backtracker's search heuristics may remove the log file from the final graph, whereas the current system implements tag-based analysis that will prevent that node from being pruned away; par 0112; an unknown tag is assigned by the system to data/code from sources about which there is no information on trustworthiness. Such data/code can sometimes be even malicious; par 0137; setting of unknown t-tag at suspect nodes preserves the dependency structure between the graph vertices that cause alarms);  
determine a plurality of actions, a plurality of behaviors, and a plurality of objects associated with the plurality of actions recorded from the threat analysis that are indicated in the parsed report (par 0098; fig. 1A: events as reported in the audit log being captured as labeled edges between such subjects and objects; par 0105; the tag and attack detection component is used to summarize the determination and/or assessment of the trust-worthiness and sensitivity of objects and subjects; par 0110; a Benign authentic tag is assigned by the system to data/code received from sources trusted to be benign, and whose authenticity can be verified; par 0116; reveal vulnerabilities in the system, but does not provide a direct way for an attacker to gain access to the system is assigned a sensitive confidentiality tag);
based on initialization of a causality tree, determine a hierarchical structure of malware instances, processes, and files indicated in the parsed report (par 0078; fig. 6; determining the causality among system entities; par 0065; creation of compact visual graphs that enables an analyst in the expedient identification of the most pertinent attack steps and the source in a targeted cyber-security attack; par 0085; the graph represents two types of entities: subjects, which represent processes, and objects, which represent entities such as files, pipes, and network connections. Subject attributes include process id, command line, owner, and tags for code and data. Objects attributes include name, type, owner, and tags. Events reported in the audit log are captured using labeled edges between subjects and objects or between two subjects; par 0137; setting of unknown t-tag at suspect nodes preserves the dependency structure between the graph vertices that cause alarms; par 0238; each step of this algorithm adds a node to the shortest path tree); 
for each node of one or more of the plurality of nodes, associate with the node indications of corresponding ones of the plurality of actions, plurality of behaviors, and plurality of observable objects (par 0097; the system develops a graph that represents two types of entities [] events reported in the audit log are captured using labeled edges between nodes; par 0105; the tag and attack detection component is used to summarize the determination and/or assessment of the trust-worthiness and sensitivity of objects and subjects; par 0116; reveal vulnerabilities in the system, but does not provide a direct way for an attacker to gain access to the system is assigned a sensitive confidentiality tag; par 0137; setting of unknown t-tag at suspect nodes preserves the dependency structure between the graph vertices that cause alarms; par 0182; each alarm is related to one or more entities, which are marked as suspect nodes in the graph).
Sekar discloses all the limitations as recited above, but does not explicitly disclose adding a plurality of nodes which identify corresponding ones of the malware instances, processes, and files to the causality tree, wherein each of the plurality of nodes is added to the causality tree based on the hierarchical structure of malware instances, processes, and files.
However, in an analogous art, Park discloses a structured and unstructured security intelligence system/method that includes:
add a plurality of nodes which identify corresponding ones of the malware instances, processes, and files to the causality tree (Park: par 0044; fig. 7; a digital impression reconstructs network relationships to help the investigator identify an attacking entity and other entities that it communicates with. A security intelligence platform includes a forensics incident module that is operative to correlate tagged identifiers that interacted with each other to produce a digital impression; par 0051; by incorporating one or more subgraphs derived from the knowledge graph as well as additional observables mined from examining the subgraph hypotheses, provides for a refined graph that reveals potential causal relationships; par 0078; the extracted and normalized entities and relationships are then added. This addition is carried out and results in a composite knowledge graph; par 0059; extracted from a SIEM system [] an offense may be a malware category offense that indicates that malicious software is detected on a machine);
wherein each of the plurality of nodes is added to the causality tree based on the hierarchical structure of malware instances, processes, and files (Park: par 0050; merging the initial offense context graph, the one or more sub-graphs derived from the knowledge graph exploration; par 0051; by incorporating one or more subgraphs derived from the knowledge graph as well as additional observables mined from examining the subgraph hypotheses, provides for a refined graph that reveals potential causal relationships more readily, or otherwise provides information that reveals which parts of the graph might best be prioritized for further analysis; par 0053; the process then build an offense context graph, preferably with the offending entity as the center node and contextual information gradually connected to the center node and its children; par 0058; the knowledge graph is informed by combining multiple structured and unstructured data sources. the offense context graph is centered around a root node that has child nodes within the “offense”. The “offense context” includes still other nodes of relevance. There may also be a set of device activities that include relevant device nodes; par 0078; the extracted and normalized entities and relationships are then added; par 0059; extracted from a SIEM system [] an offense may be a malware category offense that indicates that malicious software is detected on a machine; par 0060; offense context related to an identified offense is then extracted and enriched depending on various factors, such as time, an offense type, and a direction. For example, if an offense type is a source IP, system [] and this information then provides a basis for investigation of provenance and consequences of an offense).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Park with the method/system of Sekar to include adding a plurality of nodes which identify corresponding ones of the malware instances, processes, and files to the causality tree, wherein each of the plurality of nodes is added to the causality tree based on the hierarchical structure of malware instances, processes, and files. One would have been motivated to do so because, using entities identified in the initial version, additional security information is then received; the additional information is extracted from one or more unstructured data sources and includes text in which the entities appear, and the text is processed to extract relationships involving the entities, generating entities and relationships extracted from the unstructured data sources (Park: abstract).
The combination of Sekar and Park discloses the report as recited above, but does not explicitly disclose a verdict that the potential threat is malicious.
However, in an analogous art, Kruglov discloses a software impact analysis system/method that includes:
verdict that the potential threat is malicious (Kruglov: par 0084; during the analysis of the event log, the software selector makes a decision that the sample of the malicious software is suitable for subsequent testing).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Kruglov with the method/system of Sekar and Park to include a verdict that the potential threat is malicious. One would have been motivated to do so in order to select samples of software to be analyzed for the capability to cause harm to the IACS and, for each particular configuration of the IACS being tested, to perform analysis to identify the effects of the selected samples (Kruglov: abstract).

Regarding Claim 12; 
The combination of Sekar, Park and Kruglov discloses the non-transitory machine-readable media of claim 11.
Sekar discloses, for each node of the plurality of nodes, determining a count of indications of the corresponding ones of the plurality of actions associated with the node and a count of indications of the corresponding ones of the plurality of behaviors associated with the node, and associating the determined counts with each node of the plurality of nodes (Sekar: par 0075; fig. 2B; tag and policy-based attack detection component can be implemented and accomplished [] novel algorithms are implemented that leverage tags for root-cause identification and impact analysis; par 0097; events reported in the audit log are captured using labeled edges between nodes; par 0108; tags provide important context for attack detection. Each audited event is interpreted in the context of these tags to determine its likelihood of contributing to an attack; par 0187; analyzes and assigns a level of trustworthiness by incrementing the n.sup.th audited event counter in determination of whether the n.sup.th audited event has likelihood of contributing to the attack. The system will advance the counter for each audited event n+1 and repeat the steps until all audited events are analyzed and respective tags are assigned to all objects and subjects).

Regarding Claim 13;
The combination of Sekar, Park and Kruglov discloses the non-transitory machine-readable media of claim 11.
Sekar discloses program code to determine at least one of a first action, a first behavior, and a first malware instance that contributed to the verdict that the potential threat is malicious based, at least in part, on a field in the report which indicates one or more reasons for the verdict; and to mark a corresponding one of the plurality of nodes as corresponding to a reason for the verdict (Sekar: par 0067; real-time attack scenario reconstructions from COTS audit data by implementation of efficient, tag-based techniques for attack detection and reconstruction thereof, including source identification and impact analysis; par 0078; determining the causality among system entities, to help in forensic analysis after an attack is detected; par 0079; if an attack deliberately writes into a well-known log file, Backtracker's search heuristics may remove the log file from the final graph, whereas the current system implements tag-based analysis that will prevent that node from being pruned away; par 0097; events reported in the audit log are captured using labeled edges between nodes; par 0112; an unknown tag is assigned by the system to data/code from sources about which there is no information on trustworthiness. Such data/code can sometimes be even malicious; par 0137; setting of unknown t-tag at suspect nodes preserves the dependency structure between the graph vertices that cause alarms). 
Kruglov further discloses a reason for the verdict (Kruglov: par 0041-0045; making an analysis of a malicious software in a simulated environment of a sandbox type, followed by an identification of a suitable malicious software for testing a particular configuration of the IACS, especially an ICS, performing of a controlled testing of samples of the malicious software in the simulated environment of a particular configuration of the IACS, especially an ICS, identification and measurement of the impact of each sample of the malicious software for a particular configuration of the IACS, especially an ICS, making an analysis of all identified causes (events) resulting in disruption of the operations of a particular configuration of the IACS, and pronouncing verdicts as to the danger of a particular sample of the malicious software in a particular configuration of the IACS; par 0084; during the analysis of the event log, the software selector makes a decision that the sample of the malicious software is suitable for subsequent testing).
One would have been motivated to do so in order to select samples of software to be analyzed for the capability to cause harm to the IACS and, for each particular configuration of the IACS being tested, to perform analysis to identify the effects of the selected samples (Kruglov: abstract).

Regarding Claim 14;
The combination of Sekar, Park and Kruglov discloses the non-transitory machine-readable media of claim 11.
Park discloses wherein the program code to determine the hierarchical structure comprises program code to determine a first malware instance identified from the threat analysis and determine a plurality of processes associated with the first malware instance in the report (Park: par 0046; the system is configured to collect event and flow data, and generate reports. As noted, a user can investigate offenses to determine the root cause of a network issue; par 0047; analyzing them in a correlative context to determine their contribution to profiled higher-order security events; par 0059; an offense are extracted from a SIEM system [] an offense may be a malware category offense that indicates that malicious software is detected on a machine; par 0060; offense context related to an identified offense is then extracted and enriched depending on various factors, such as time, an offense type, and a direction. For example, if an offense type is a source IP, system and network activities of the same source may then be collected. This collected context depicts potential causal relationships among events, and this information then provides a basis for investigation of provenance and consequences of an offense).
One would have been motivated to do so because, using entities identified in the initial version, additional security information is then received; the additional information is extracted from one or more unstructured data sources and includes text in which the entities appear, and the text is processed to extract relationships involving the entities, generating entities and relationships extracted from the unstructured data sources (Park: abstract).

Claims 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over Sekar et al. (US 20200059481)  in view of Park et al. (“Park,” US 20180159876, published on 06/07/2018)  	

Regarding Claim 15; 
Sekar discloses an apparatus comprising: 
a processor; and a computer-readable medium having instructions stored thereon that are executable by the processor to cause the apparatus to, parse a report generated from a threat analysis of a software sample which indicates a primary malware instance detected from the threat analysis (par 0356; memory within the processor during execution thereof by the computing system; par 0030; receiving an audit data stream associated with cyber events [] identifying trustworthiness values in a portion of data associated with the cyber events; par 0065; detection and reconstruction of cyber events extracted from audit data in order to generate a compact scenario representation; par 0066; detection of attacks and respective event data, including attack reconstruction from COTS audit logs; par 0095; analysis of audit data by navigation from objects to subject, creation/maintaining of object-event records and a relative index; par 0097; events reported in the audit log are captured using labeled edges between nodes; par 0112; an unknown tag is assigned by the system to data/code from sources about which there is no information on trustworthiness. Such data/code can sometimes be even malicious); 
for each node in the causality tree, determine if at least one of one or more actions and one or more behaviors are associated with an entity corresponding to the node in the report (par 0098; fig. 1A: events as reported in the audit log being captured as labeled edges between such subjects and objects; par 0105; the tag and attack detection component is used to summarize the determination and/or assessment of the trust-worthiness and sensitivity of objects and subjects; par 0110; a Benign authentic tag is assigned by the system to data/code received from sources trusted to be benign, and whose authenticity can be verified; par 0116; reveal vulnerabilities in the system, but does not provide a direct way for an attacker to gain access to the system is assigned a sensitive confidentiality tag); and 
based on a determination that at least one of one or more actions and one or more behaviors are associated with the entity, associate indications of the at least one of the one or more actions and the one or more behaviors with the node (par 0069; fig. 6; audit data from these Operating System(s) is processed into a platform-neutral graph representation, where vertices and/or nodes represent subjects and objects and edges denote audit events. The scenario graph serves as the basis for attack detection as well as causality analysis and scenario reconstruction. The system initially processes the streams and initially generates a tagged dependence graph using dependence graph construction module Customizable policies may be implemented; par 0078; determining the causality among system entities; par 0098; the graph represents subject and objects with events as reported in the audit log;  par 0386; a real-time attack scenario data and/or audit data analytics engine of the application determine the respective tags and/or policies for respective attack detection and/or creation of a final compact scenario graph representation that is based on root-cause and impact analysis using assigned tags to all relevant audited events; par 0137; setting of unknown t-tag at suspect nodes preserves the dependency structure between the graph vertices that cause alarms).
Sekar discloses all the limitations as recited above, but does not explicitly disclose creating a root node of a causality tree based, at least in part, on a relationship indicated in the report which identifies the primary malware instance; and, based on a determination that the report indicates a process tree that corresponds to the primary malware instance, for each process in the process tree, adding a node which identifies the process to the causality tree as a child node.
However, in an analogous art, Park discloses a structured and unstructured security intelligence system/method that includes:
create a root node of a causality tree based, at least in part, on a relationship indicated in the report which identifies the primary malware instance (Park: par 0051; by incorporating one or more subgraphs derived from the knowledge graph as well as additional observables mined from examining the subgraph hypotheses, provides for a refined graph that reveals potential causal relationships more readily, or otherwise provides information that reveals which parts of the graph might best be prioritized for further analysis; par 0078; the extracted and normalized entities and relationships are then added. This addition is carried out and results in a composite knowledge graph; par 0059; extracted from a SIEM system [] an offense may be a malware category offense that indicates that malicious software is detected on a machine; par 0063; context graph is built depending on offense types, such that the main offense source becomes the root of an offense context graph and offense details are linked together around the root node);
based on a determination that the report indicates a process tree that corresponds to the primary malware instance, for each process in the process tree, add a node which identifies the process to the causality tree as a child node (Park: par 0047; collection of events regarding monitored accesses and unexpected occurrences across the data network, and analyzing them in a correlative context to determine their contribution to profiled higher-order security events; par 0050; merging the initial offense context graph, the one or more sub-graphs derived from the knowledge graph exploration; par 0051; by incorporating one or more subgraphs derived from the knowledge graph as well as additional observables mined from examining the subgraph hypotheses, provides for a refined graph that reveals potential causal relationships more readily, or otherwise provides information that reveals which parts of the graph might best be prioritized for further analysis; par 0078; the extracted and normalized entities and relationships are then added. This addition is carried out and results in a composite knowledge graph; par 0059; extracted from a SIEM system [] an offense may be a malware category offense that indicates that malicious software is detected on a machine; par 0053; the process then builds an offense context graph, preferably with the offending entity as the center node and contextual information gradually connected to the center node and its children).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Park with the method/system of Sekar to include creating a root node of a causality tree based, at least in part, on a relationship indicated in the report which identifies the primary malware instance and, based on a determination that the report indicates a process tree that corresponds to the primary malware instance, for each process in the process tree, adding a node which identifies the process to the causality tree as a child node. One would have been motivated to do so because, using entities identified in the initial version, additional security information is then received; the additional information is extracted from one or more unstructured data sources and includes text in which the entities appear, and the text is processed to extract relationships involving the entities, generating entities and relationships extracted from the unstructured data sources (Park: abstract).
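The following Python is an added illustration of the causality-tree construction recited in claims 11 through 15 above; it is not code from the application, the examiner, or any of the cited references (Sekar, Park, Kruglov). From a constructed report it: selects as root the entity that is a source in some relationship and a target in none, and rejects a primary malware instance that fails that test (claims 3, 15 and 16); adds each relationship target as a child of its source (claim 3); adds the process tree's parent process as a child of the entity it belongs to, with descendant processes beneath it (claims 4 and 15); attaches actions, their input/output objects, and behaviors to the matching nodes and counts them per node (claims 11, 12, 17 and 18); and marks nodes carrying a behavior or action the report names as a reason for the verdict (claim 13). The report layout, the field names, and every file, process and address in the sample are assumptions made for this example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterator

# Constructed sample report. Its layout and field names are assumptions for this
# example, not the format of any real sandbox or of the cited references.
SAMPLE_REPORT = {
    "verdict": "malicious",
    "primary_malware": "dropper.exe",
    "verdict_reasons": [{"kind": "behavior", "name": "persistence"}],
    "relationships": [
        {"source": "dropper.exe", "target": "payload.dll", "type": "drops"},
        {"source": "payload.dll", "target": "svc_host.exe", "type": "injects"},
    ],
    "process_trees": {  # keyed by the entity the process tree belongs to
        "dropper.exe": {"pid": 100, "image": "dropper.exe", "children": [
            {"pid": 101, "image": "cmd.exe", "children": [
                {"pid": 102, "image": "reg.exe", "children": []}]},
            {"pid": 103, "image": "svc_host.exe", "children": []}]},
    },
    "actions": [  # "entity" names the node (file name, or image:pid for a process)
        {"entity": "cmd.exe:101", "name": "process_create", "objects": ["reg.exe:102"]},
        {"entity": "reg.exe:102", "name": "registry_write",
         "objects": ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"]},
        {"entity": "svc_host.exe:103", "name": "network_connect", "objects": ["203.0.113.5:443"]},
    ],
    "behaviors": [
        {"entity": "reg.exe:102", "name": "persistence"},
        {"entity": "svc_host.exe:103", "name": "c2_beacon"},
    ],
}


@dataclass
class Node:
    name: str
    kind: str                                             # "malware", "entity" or "process"
    children: list["Node"] = field(default_factory=list)
    actions: list[dict] = field(default_factory=list)     # each action keeps its objects
    behaviors: list[str] = field(default_factory=list)
    verdict_reason: bool = False

    def add_child(self, child: "Node") -> "Node":
        self.children.append(child)
        return child

    def walk(self) -> Iterator["Node"]:                   # pre-order traversal
        yield self
        for child in self.children:
            yield from child.walk()


def root_candidates(relationships: list[dict]) -> set[str]:
    """Entities that are a source in some relationship and a target in none."""
    return {r["source"] for r in relationships} - {r["target"] for r in relationships}


def _add_process_subtree(parent: Node, proc: dict, index: dict[str, Node]) -> None:
    """Add a process under `parent`, then its children under it, recursively."""
    node = parent.add_child(Node(f"{proc['image']}:{proc['pid']}", "process"))
    index[node.name] = node
    for child in proc.get("children", []):
        _add_process_subtree(node, child, index)


def build_causality_tree(report: dict) -> Node:
    rels = report["relationships"]
    primary = report["primary_malware"]
    if primary not in root_candidates(rels):
        raise ValueError(f"{primary!r} is a target in some relationship; it cannot be the root")
    root = Node(primary, "malware")
    index: dict[str, Node] = {primary: root}

    # Each relationship target hangs under its source. The worklist copes with a
    # relationship listed before the one that introduces its source; if a pass
    # makes no progress, the remaining relationships never connect to the root.
    pending = list(rels)
    while pending:
        remaining = [r for r in pending if r["source"] not in index]
        for r in pending:
            if r["source"] in index and r["target"] not in index:
                index[r["target"]] = index[r["source"]].add_child(Node(r["target"], "entity"))
        if len(remaining) == len(pending):
            raise ValueError("relationships reference a source unreachable from the root")
        pending = remaining

    # The process tree's parent process becomes a child of its entity's node.
    for entity, proc_root in report.get("process_trees", {}).items():
        _add_process_subtree(index[entity], proc_root, index)

    # Attach actions (with objects) and behaviors; an entity absent from the tree
    # is left unattached rather than guessed onto some node.
    for action in report.get("actions", []):
        if action["entity"] in index:
            index[action["entity"]].actions.append(action)
    for behavior in report.get("behaviors", []):
        if behavior["entity"] in index:
            index[behavior["entity"]].behaviors.append(behavior["name"])

    # Mark nodes whose behavior or action the report lists as a reason for the verdict.
    reasons = {(r["kind"], r["name"]) for r in report.get("verdict_reasons", [])}
    for node in root.walk():
        own = {("behavior", b) for b in node.behaviors} | {("action", a["name"]) for a in node.actions}
        node.verdict_reason = bool(own & reasons)
    return root


def node_counts(root: Node) -> dict[str, tuple[int, int]]:
    """Per node: (action count, behavior count), the figures a GUI would show beside it."""
    return {n.name: (len(n.actions), len(n.behaviors)) for n in root.walk()}


def reason_nodes(root: Node) -> list[str]:
    return [n.name for n in root.walk() if n.verdict_reason]
```

On the sample report the root is dropper.exe with payload.dll (from the relationship) and the dropper.exe:100 process beneath it; reg.exe:102 carries one action and one behavior and is the only node marked as a verdict reason. Naming a primary malware instance that is itself a relationship target raises ValueError, which is the check claim 16's source/target determination implies.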
  
Regarding Claim 16; 
The combination of Sekar and Park discloses the apparatus of claim 15.
Park discloses wherein the instructions executable by the processor to cause the apparatus to create the root node comprise instructions executable by the processor to cause the apparatus to determine that the primary malware instance is identified as corresponding to a source entity or a target entity in the relationship, wherein the root node that is created identifies the source entity (Park: par 0051; by incorporating one or more subgraphs derived from the knowledge graph as well as additional observables mined from examining the subgraph hypotheses, provides for a refined graph that reveals potential causal relationships more readily, or otherwise provides information that reveals which parts of the graph might best be prioritized for further analysis; par 0078; the extracted and normalized entities and relationships are then added. This addition is carried out and results in a composite knowledge graph; par 0058; the knowledge graph is informed by combining multiple structured and unstructured data sources; par 0059; extracted from a SIEM system [] an offense may be a malware category offense that indicates that malicious software is detected on a machine; par 0063; context graph is built depending on offense types, such that the main offense source becomes the root of an offense context graph and offense details are linked together around the root node).
One would have been motivated to do so because, using entities identified in the initial version, additional security information is then received; the additional information is extracted from one or more unstructured data sources and includes text in which the entities appear, and the text is processed to extract relationships involving the entities, generating entities and relationships extracted from the unstructured data sources (Park: abstract).

Regarding Claim 17; 
The combination of Sekar and Park discloses the apparatus of claim 15.
Sekar discloses instructions executable by the processor to, based on a determination that one or more actions are associated with the entity corresponding to the node, determine one or more computing objects indicated as inputs to or outputs of a corresponding action of the one or more actions in the report, wherein the instructions executable by the processor to cause the apparatus to associate indications of the one or more actions with the node comprise instructions executable by the processor to cause the apparatus to associate indications of the one or more computing objects with the corresponding action of the one or more actions (Sekar: par 0386; a real-time attack scenario data and/or audit data analytics engine of the application determine the respective tags and/or policies for respective attack detection and/or creation of a final compact scenario graph representation that is based on root-cause and impact analysis using assigned tags to all relevant audited events; par 0085; the graph represents two types of entities: subjects, which represent processes, and objects, which represent entities such as files, pipes, and network connections. Subject attributes include process id, command line, owner, and tags for code and data. Objects attributes include name, type, owner, and tags. Events reported in the audit log are captured using labeled edges between subjects and objects or between two subjects; par 0108; tags provide important context for attack detection. Each audited event is interpreted in the context of these tags to determine its likelihood of contributing to an attack; par 0110; a benign authentic tag is assigned by the system to data/code received from sources trusted to be benign, and whose authenticity can be verified; par 0112; an unknown tag is assigned by the system to data/code from sources about which there is no information on trustworthiness. Such data/code can sometimes be even malicious; par 0137; setting of unknown t-tag at suspect nodes preserves the dependency structure between the graph vertices that cause alarms; par 0115; highly sensitive information, such as login credentials and private keys are assigned a secret confidentiality tag).

Regarding Claim 18; 
The combination of Sekar and Park discloses the apparatus of claim 15.
Sekar discloses wherein the instructions executable by the processor to cause the apparatus to determine if one or more actions are associated with an entity corresponding to the node in the report comprise instructions executable by the processor to, for each process in the process tree, determine if one or more actions were initiated in the process, wherein the instructions executable by the processor to cause the apparatus to associate indications of the one or more actions with the node comprise instructions executable by the processor to cause the apparatus to, based on a determination that one or more actions were initiated in the process, associate indications of the one or more actions with the node corresponding to the process (Sekar: par 0386; a real-time attack scenario data and/or audit data analytics engine of the application determine the respective tags and/or policies for respective attack detection and/or creation of a final compact scenario graph representation that is based on root-cause and impact analysis using assigned tags to all relevant audited events; par 0085; the graph represents two types of entities: subjects, which represent processes, and objects, which represent entities such as files, pipes, and network connections. Subject attributes include process id, command line, owner, and tags for code and data. Objects attributes include name, type, owner, and tags. Events reported in the audit log are captured using labeled edges between subjects and objects or between two subjects; par 0108; tags provide important context for attack detection. Each audited event is interpreted in the context of these tags to determine its likelihood of contributing to an attack; par 0110; a benign authentic tag is assigned by the system to data/code received from sources trusted to be benign, and whose authenticity can be verified; par 0112; an unknown tag is assigned by the system to data/code from sources about which there is no information on trustworthiness. Such data/code can sometimes be even malicious; par 0137; setting of unknown t-tag at suspect nodes preserves the dependency structure between the graph vertices that cause alarms; par 0115; highly sensitive information, such as login credentials and private keys are assigned a secret confidentiality tag).
  
Regarding Claim 19;
The combination of Sekar and Park discloses the apparatus of claim 15.
Sekar discloses instructions executable by the processor to cause the apparatus to display a depiction of the causality tree on a graphical user interface (GUI), wherein the depiction of the causality tree comprises a plurality of GUI elements representing nodes of the causality tree and, for each GUI element of the plurality of GUI elements and corresponding node of the causality tree, at least one of a count of the indications of the one or more behaviors associated with the node and a count of the indications of the one or more actions associated with the node (Sekar: par 0187; fig. 6; analyzes and assigns a level of trustworthiness by incrementing the nth audited event counter in determining whether the nth audited event has a likelihood of contributing to the attack. The system will advance the counter for each audited event n+1 and repeat the steps until all audited events are analyzed and respective tags are assigned to all objects and subjects; par 0376; display provides a mechanism to display information to a user; par 0386; a real-time attack scenario reconstruction application, module and/or engine detects a gesture interacting with a displayed visualization).

Regarding Claim 20;
The combination of Sekar and Park discloses the apparatus of claim 15.
Sekar discloses wherein the instructions executable by the processor to cause the apparatus to associate indications of the at least one of the one or more actions and one or more behaviors with the node comprise instructions executable by the processor to cause the apparatus to associate with the node, for each of the at least one of the one or more actions and one or more behaviors, at least one of an identifier, name, description (Sekar: par 0069; fig. 6; audit data from these Operating System(s) is processed into a platform-neutral graph representation, where vertices and/or nodes represent subjects and objects and edges denote audit events; par 0085; the graph represents two types of entities: subjects, which represent processes, and objects, which represent entities such as files, pipes, and network connections. Subject attributes include process id, command line, owner, and tags for code and data. Object attributes include name, type, owner, and tags. Events reported in the audit log are captured using labeled edges between subjects and objects or between two subjects; par 0108; tags provide important context for attack detection. Each audited event is interpreted in the context of these tags to determine its likelihood of contributing to an attack; par 0110; a benign authentic tag is assigned by the system to data/code received from sources trusted to be benign, and whose authenticity can be verified; par 0112; an unknown tag is assigned by the system to data/code from sources about which there is no information on trustworthiness. Such data/code can sometimes even be malicious; par 0137; setting of an unknown t-tag at suspect nodes preserves the dependency structure between the graph vertices that cause alarms; par 0115; highly sensitive information, such as login credentials and private keys, is assigned a secret confidentiality tag).
Park further discloses an associated application programming interface (API) call indicated in the report (Park: par 0041; the packet capture appliances are operative to capture packets off the network application programming interfaces (APIs) or other known techniques, and to provide such data (e.g., real-time log event and network flow) to the distributed database, where the data is stored and available for analysis by the forensics module and the security intelligence console).
One would have been motivated to use the entities identified in the initial version, since additional security information is then received. The additional information is extracted from one or more unstructured data sources and includes text in which the entities appear. The text is processed to extract relationships involving the entities, so as to generate entities and relationships extracted from the unstructured data sources (Park: abstract).
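The claim elements mapped above to Sekar (subjects and objects carrying trust and confidentiality tags, audited events as labeled edges interpreted in the context of those tags, and a causality tree whose nodes carry counts of actions and behaviors) can be illustrated with the following added example. It is not code from Sekar, Park, or the applicant; it is a deliberately simplified model written for this discussion. The tag values, node names, addresses, file paths, and the audit trail are all constructed, and the propagation and alarm rules are an assumption made for illustration rather than the cited reference's own policies.

```python
"""Added illustration (not Sekar's, Park's or the applicant's code) of a tag-annotated
provenance graph: processes (subjects) and files/sockets (objects) carry trust and
confidentiality tags, each audited event is a labeled edge interpreted in the context
of the current tags, and per-node counts of actions and alarms feed a causality-tree
display. All names, values and propagation rules below are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Optional

# Trust tags: lower value = less trusted. Confidentiality tags: higher = more sensitive.
UNKNOWN, BENIGN_AUTHENTIC = 0, 1
PUBLIC, SECRET = 0, 1


@dataclass
class Node:
    name: str
    kind: str                        # "process", "file" or "socket"
    ctag: int = BENIGN_AUTHENTIC     # trust of the code a process runs
    dtag: int = BENIGN_AUTHENTIC     # trust of the data a node holds or has consumed
    conf: int = PUBLIC               # confidentiality of data the node has touched
    parent: Optional[str] = None     # process that forked this process
    actions: list = field(default_factory=list)    # events this node initiated
    behaviors: list = field(default_factory=list)  # alarms raised on this node


@dataclass
class Event:
    subject: str
    op: str          # "read", "write", "fork" or "exec"
    target: str


class ProvenanceGraph:
    def __init__(self) -> None:
        self.nodes: dict[str, Node] = {}
        self.events: list[Event] = []

    def add(self, node: Node) -> None:
        self.nodes[node.name] = node

    def audit(self, ev: Event) -> None:
        """Interpret one audited event in the context of the tags and propagate them."""
        s, t = self.nodes[ev.subject], self.nodes[ev.target]
        self.events.append(ev)
        s.actions.append(f"{ev.op} {ev.target}")
        if ev.op == "read":        # data flows target -> subject
            s.dtag = min(s.dtag, t.dtag)
            s.conf = max(s.conf, t.conf)
        elif ev.op == "write":     # data flows subject -> target
            t.dtag = min(t.dtag, s.dtag)
            t.conf = max(t.conf, s.conf)
            if t.kind == "socket" and s.conf == SECRET and s.ctag == UNKNOWN:
                s.behaviors.append("secret data sent to network by untrusted code")
        elif ev.op == "fork":      # a child inherits the parent's tags
            t.parent, t.ctag, t.dtag, t.conf = s.name, s.ctag, s.dtag, s.conf
        elif ev.op == "exec":      # the file's data trust becomes the process's code trust
            s.ctag = min(s.ctag, t.dtag)
            if s.ctag == UNKNOWN:
                s.behaviors.append("execution of code from an untrusted source")

    def causality_tree(self, leaf: str) -> list[tuple[str, int, int]]:
        """Follow fork parents from `leaf` to the root process and return, root first,
        (name, count of actions, count of behaviors) for each node, as a GUI would show."""
        chain = []
        cur: Optional[str] = leaf
        while cur is not None:
            n = self.nodes[cur]
            chain.append((n.name, len(n.actions), len(n.behaviors)))
            cur = n.parent
        return list(reversed(chain))


def build_scenario() -> ProvenanceGraph:
    """Constructed sample audit trail: a trusted browser downloads and launches a file."""
    g = ProvenanceGraph()
    g.add(Node("browser", "process"))
    g.add(Node("sock:203.0.113.5:443", "socket", dtag=UNKNOWN))   # no trust information
    g.add(Node("/tmp/update.bin", "file"))
    g.add(Node("update", "process"))
    g.add(Node("/home/u/.ssh/id_rsa", "file", conf=SECRET))      # secret confidentiality tag
    g.add(Node("sock:198.51.100.7:8080", "socket", dtag=UNKNOWN))
    for ev in [Event("browser", "read", "sock:203.0.113.5:443"),
               Event("browser", "write", "/tmp/update.bin"),
               Event("browser", "fork", "update"),
               Event("update", "exec", "/tmp/update.bin"),
               Event("update", "read", "/home/u/.ssh/id_rsa"),
               Event("update", "write", "sock:198.51.100.7:8080")]:
        g.audit(ev)
    return g


if __name__ == "__main__":
    for name, n_actions, n_behaviors in build_scenario().causality_tree("update"):
        print(f"{name}: {n_actions} actions, {n_behaviors} behaviors")
```

Running the constructed scenario yields two process nodes on the causality tree: the browser with three initiated actions and no alarms, and the child process with three actions and two alarms (untrusted code execution, then secret data written to a network socket). The per-node counts are exactly what a depiction of the tree would place beside each GUI element; the file and socket objects keep their tags so the dependency structure between the alarming vertices survives for later review.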



Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHAO WANG whose telephone number is (313)446-6644.  The examiner can normally be reached on Monday-Friday 7:30-4:30PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/C.W./Examiner, Art Unit 2439

/KARI L SCHMIDT/ Primary Examiner, Art Unit 2439