DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. This office action is in response to the application filed on 11/14/2022. Claims 1-23 are pending.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Specification
The incorporation of essential material in the specification by reference to an unpublished U.S. application, foreign application or patent, or to a publication is improper. Applicant is required to amend the disclosure to include the material incorporated by reference, if the material is relied upon to overcome any objection, rejection, or other requirement imposed by the Office. The amendment must be accompanied by a statement executed by the applicant, or a practitioner representing the applicant, stating that the material being inserted is the material previously incorporated by reference and that the amendment contains no new matter. 37 CFR 1.57(g).
Examiner refers the applicant to MPEP (1.57 incorporation by reference) section: (d) "Essential material" may be incorporated by reference, but only by way of an incorporation by reference to a U.S. patent or U.S. patent application publication, which patent or patent application publication does not itself incorporate such essential material by reference.

The disclosure is objected to because of the following informalities:
In paragraph [0060], the description indicates that “a directed edge from a first dependency node 252 (ha) to a second dependency node 254 (hb)…”; however, in reviewing Fig. 2B, it is noted that the second dependency node reached from 252 is not 254 and appears that it should have been 253. Node 254 is denoted as (ht), not (hb).
Appropriate correction is required.
Claim Rejections - 35 USC § 101 

35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1, 15, and 23 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.
Under the 2019 Revised Patent Subject Matter Eligibility Guidance (“2019 PEG”), effective January 7, 2019, independent claims 1, 15 and 23 are directed to an abstract idea without reciting significantly more and without being integrated into a practical application. The claims are directed towards constructing a multi-layer graph for a system with a plurality of components, wherein the multi-layer graph comprises a configuration subgraph, a vulnerability subgraph, and a dependency subgraph.
For instance, independent claim 1 recites the steps of “constructing a multi-layer graph for a system with a plurality of components, wherein the multi-layer graph comprises a configuration subgraph, a vulnerability subgraph, and a dependency subgraph, and wherein constructing the multi-layer graph comprises: generating nodes in the configuration subgraph, including: nodes in a first class which encode information associated with a configuration parameter for a respective component, wherein the encoded information includes a name, a default value, a range of values, and a data type; and nodes in a second class which encode value assignments for configuration parameters and relationships between configuration parameters; and generating nodes in the vulnerability subgraph based on known vulnerabilities associated with a component, bad security practices, and best security practices”. Each limitation identified above, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitations in the mind and is broad enough to encompass performance by a human using pen and paper, but for the recitation of generic computer components, for example the “computer implemented” language in the preamble and the further recitation of “for a system with a plurality of components”; these additional element(s) do no more than generally link the use of the judicial exception to a particular technological environment or field of use.
This judicial exception is not integrated into a practical application. The additional elements beyond the abstract idea, taken both individually and as a combination, do not integrate the judicial exception into a practical application. The further recitation of a computer implemented method and of “for a system with a plurality of components” does no more than generally link the use of the judicial exception to a particular technological environment or field of use. These steps are recited at a high level of generality (i.e., in the context of this claim, as a general way of obtaining information for use in the steps of generating the graphs) and amount to mere data gathering, which is a form of insignificant extra-solution activity. See MPEP 2106.05(g). Insignificant extra-solution activity and mere instructions to apply an exception using a generic computer component cannot provide an inventive concept.
Accordingly, claim 1 is directed to an abstract idea.
Therefore, independent claims 15 and 23 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reasons addressed above for independent claim 1.
Thus, claims 1-23 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter, as the claims do not contain any element or combination of elements that is sufficient to ensure that the patent in practice amounts to significantly more than a patent upon the ineligible concept itself. See Alice, 134 S. Ct. at 2360. Under Alice, that is not sufficient "to transform an abstract idea into a patent-eligible invention." See Electric Power Group, CyberSource, and Classen (Fed. Cir. 2011).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-23 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. (US2018/003017) issued to Gopalakrishnan in view of US Patent No. (US2019/0141058) issued to Hassanzadeh.
Regarding claims 1, 15, and 23, Gopalakrishnan discloses constructing a multi-layer graph for a system with a plurality of components, wherein the multi-layer graph comprises a configuration subgraph, and a dependency subgraph [see Fig. 2, for dependency graph generator (222) and cognitive dependency graph (234) and corresponding text for more details, see Figs 5a-5b, 6 and corresponding text for more detail, ¶49-51, Based on the knowledge graph configured from the knowledge database 232 for the product and one or more entities extracted during the learning process, the CDGG module 222 may derive a cognitive dependency graph 234 for the product. The process of deriving the knowledge graph is explained in detail with respect to FIG. 5a and FIG. 5b and using this the construction of the cognitive dependency graph using the knowledge graph is explained in detail with respect to FIG. 6… In an aspect, the cognitive dependency graph 234 may be used to provide the technical support for the product of the customer at the remote end based on a technical problem statement received from the remote end….The cognitive dependency graph 234 may include a plurality of cognitive nodes having a root node and edges connecting the nodes in the cognitive dependency graph 234. The CDGG module 222 may use the CSCG module 224, which may generate a transitive sequence code for each cognitive node and the generated transitive sequence code may be encoded with each cognitive node], and
wherein constructing the multi-layer graph comprises: generating nodes in the configuration subgraph, including: nodes in a first class which encode information associated with a configuration parameter for a respective component, wherein the encoded information includes a name, a default value, a range of values, and a data type;
[see Fig. 2, for dependency graph generator (222) and cognitive dependency graph (234) and corresponding text for more details, see Figs 5a-5b, 6 and corresponding text for more detail, ¶49-51, Based on the knowledge graph configured from the knowledge database 232 for the product and one or more entities extracted during the learning process, the CDGG module 222 may derive a cognitive dependency graph 234 for the product. The process of deriving the knowledge graph is explained in detail with respect to FIG. 5a and FIG. 5b and using this the construction of the cognitive dependency graph using the knowledge graph is explained in detail with respect to FIG. 6… In an aspect, the cognitive dependency graph 234 may be used to provide the technical support for the product of the customer at the remote end based on a technical problem statement received from the remote end….The cognitive dependency graph 234 may include a plurality of cognitive nodes having a root node and edges connecting the nodes in the cognitive dependency graph 234. The CDGG module 222 may use the CSCG module 224, which may generate a transitive sequence code for each cognitive node and the generated transitive sequence code may be encoded with each cognitive node]; and
nodes in a second class which encode value assignments for configuration parameters and relationships between configuration parameters;
[see FIGs 5a-5b, 6 and corresponding text for more detail, ¶51, the cognitive dependency graph 234 may include a plurality of cognitive nodes having a root node and edges connecting the nodes in the cognitive dependency graph 234.].
Gopalakrishnan does not explicitly disclose, but Hassanzadeh discloses, a vulnerability subgraph, and generating nodes in the vulnerability subgraph based on known vulnerabilities associated with a component, bad security practices, and best security practices [¶49, In some implementations, global enrichment engine 506 may access threat intelligence data from one or more threat knowledge databases 518 to enhance the raw alert data 550. Knowledge database 518 may include a threat intelligence database (e.g., a global threat database), and/or other global data (e.g., threat intelligence sources, vulnerability and incident repositories, or other sources of security information not owned by the local network) related to the particular ICS network that is under attack. Threat intelligence databases may include, for example, iDefense, Common Attack Pattern Enumeration and Classification (CAPEC), Common Vulnerabilities and Exposures (CVE), and/or National Vulnerabilities Database (NVD). For example, the global enrichment engine 506 may access an application program interface (e.g., iDefense by Accenture) to gather information related to the raw/meta alert 550], and [¶58, The alert dependency engine 512 identifies one or more dependencies for the classified alert 554. For example, for a classified alert 554, enrichment information from a threat intelligence data (e.g., from knowledge database 518) added by the global enrichment engine 506 and potential attack paths defined by an attack graph generated for the IIOT network from the attack graph database 520 can be used to identify all potential consequences (e.g., a list of exploits or other potential adversarial actions). The one or more attack paths in the attack path database 520 describes how one vulnerability may relate to another.
In some implementations, an alert can be associated with a specific vulnerability and the attack graph can be used to establish the dependency between alerts], and [¶59, In some implementations, a dependency is established between a pair of classified alerts 554, where the dependency is a relationship (e.g., Alert A is a prerequisite alert to Alert B, or Alert A is a consequence of Alert B) between the pair of classified alerts 554], and [¶64, Correlation graph generator 514 aggregates classified alerts each with respective identified dependencies and generates an adversary prediction model (e.g., correlation graph 556), described below in more detail with reference to FIG. 6. The correlation graph generator 514 can model each classified alert 554 including at least one dependency (e.g., a prerequisite alert and/or a consequence alert for the alert), where each classified alert is a node in the correlation graph 556, and each edge in the correlation graph 556 is a dependency (e.g., a prerequisite dependency or a consequence dependency) of the alert to either a prerequisite alert or a consequence alert. In some implementations, the correlation graph generator 514 uses fuzzy-matching or other techniques including probabilistic correlation, attack graph matching, formal methods, state machine, and logic-based models to analyze the classified alert data 554 and build the correlation graph 556], and [see FIGs 6 and 7 and corresponding text for more details, ¶69, In some implementations, correlation graph analytics database 712 for a generated correlation graph 720 (e.g., similar to correlation graph 600 in FIG. 6) can be provided by the correlation graph modeling engine 704 to the pattern recognition and extraction module 706. The correlation graph analytics database 712 can include patterns of previously seen/detected/identified complex ICS threats, for example, Stuxnet, Night Dragon, CrashOverride, and the like.
A particular alert 702 received by the multi-step, multi-domain attack detection system 700 would then trigger a prediction one or more subsequent (e.g., consequence) steps that an adversary will take in the IT CKC/ICS CKC process. For example, the multi-step, multi-domain attack detection system 700 may receive an alert 702 (e.g., alert 602c classified as an “install/modify” alert for correlation graph 600), which has been mapped to two consequence alerts in the correlation graph 720 (e.g., 602d and 602e in the “command/control” step of the IT CKC/ICS CKC in the correlation graph 600). Adversary prediction engine 708 may determine one or more likely outcomes for the alert 702 and recommend one or more courses of action 722 for the IT/OT network under attack. The multi-step, multi-domain attack detection system 700 may then implement one or more courses of action 722 to block the subsequent step in anticipation of the attack. Examples of counter-attack strategies include blocking, patching and updating, access control updates, white listing, physical security, or a combination thereof], and [¶70, In some implementations, the risk management engine 710 may provide information to a user (e.g., a network administrator) to assist in installing new software or software patches within a system, based on identified risks provided by the pattern recognition and extraction engine 706.], and [Abstract].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Gopalakrishnan with the teaching of Hassanzadeh in order to detect and identify advanced persistent threats (APTs) in networks, classify each alert of the multiple alerts with respect to a cyber kill chain, and generate a graphical visualization of the dependency of the multiple alerts which includes multiple nodes and edges between the nodes, each node corresponding to the cyber kill chain and representing at least one alert, and each edge representing a dependency between alerts [Hassanzadeh, Abstract].
Regarding claims 2 and 16, Gopalakrishnan discloses wherein a component includes one or more of: a software component; a hardware component; a middleware component; and a networking component [¶68 The graph 500 shown in the FIG. 5a and the FIG. 5b include different type of nodes such as a component node, an operation node (ON), a dependency node (DN), a check node (CN) and an action node (AN). As will be appreciated by one skilled in the relevant art, different types of nodes are indicated in the graph 500 are for illustration purpose only and is not intended to be limiting any way].
Regarding claim 3, Gopalakrishnan does not explicitly disclose, but Hassanzadeh discloses, wherein generating the nodes for the vulnerability subgraph further comprises: identifying and encoding a negation of the known vulnerabilities associated with a component as a first set of known vulnerabilities, wherein the first set of known vulnerabilities are obtained from a public or a proprietary database; identifying the bad security practices and encoding the bad security practices as a second set of known vulnerabilities; and identifying the best security practices and encoding a negation of the best security practices as a third set of known vulnerabilities [¶¶49, 58-59, 64, 69-70, see FIGs 6 and 7 and corresponding text for more details].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Gopalakrishnan with the teaching of Hassanzadeh in order to detect and identify advanced persistent threats (APTs) in networks, classify each alert of the multiple alerts with respect to a cyber kill chain, and generate a graphical visualization of the dependency of the multiple alerts which includes multiple nodes and edges between the nodes, each node corresponding to the cyber kill chain and representing at least one alert, and each edge representing a dependency between alerts [Hassanzadeh, Abstract].
Regarding claim 4, Gopalakrishnan does not explicitly disclose, but Hassanzadeh discloses, wherein generating the nodes for the vulnerability subgraph is further based on combining information from network scanners and vulnerability databases [¶3, In some implementations, classification of the alert includes surveying one or more devices in a local network included in the first network domain and the second network domain and/or include obtaining threat intelligence data from one or more global threat databases. Classification of the alert can include labeling the alert by one or more machine-learning algorithms trained using training data including multiple labeled alerts (e.g., labeled by human experts). In some implementations, classification of the alert includes applying one or more labels to the alert by an expert], and [¶11, Alert enrichment utilizing local (e.g., local area network surveys) and/or global information (e.g., threat intelligence databases) can assist in more effectively characterizing an alert and labeling the alert as a step in the IT CKC and/or ICS CKC], and [¶49, In some implementations, global enrichment engine 506 may access threat intelligence data from one or more threat knowledge databases 518 to enhance the raw alert data 550. Knowledge database 518 may include a threat intelligence database (e.g., a global threat database), and/or other global data (e.g., threat intelligence sources, vulnerability and incident repositories, or other sources of security information not owned by the local network) related to the particular ICS network that is under attack. Threat intelligence databases may include, for example, iDefense, Common Attack Pattern Enumeration and Classification (CAPEC), Common Vulnerabilities and Exposures (CVE), and/or National Vulnerabilities Database (NVD). For example, the global enrichment engine 506 may access an application program interface (e.g., iDefense by Accenture) to gather information related to the raw/meta alert 550].
Regarding claim 5, Gopalakrishnan does not explicitly disclose, but Hassanzadeh discloses, wherein the vulnerability subgraph includes directed edges between pairs of vulnerability subgraph nodes, wherein a vulnerability subgraph node represents a known vulnerability or a security condition, wherein a directed edge from a first vulnerability subgraph node to a second vulnerability subgraph node indicates that exploiting the first vulnerability subgraph node creates preconditions for exploiting the second vulnerability subgraph node, and wherein a respective directed edge is associated with a probability value [¶¶49, 58-59, 64, 69-70, see FIGs 6 and 7 and corresponding text for more details].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Gopalakrishnan with the teaching of Hassanzadeh in order to detect and identify advanced persistent threats (APTs) in networks, classify each alert of the multiple alerts with respect to a cyber kill chain, and generate a graphical visualization of the dependency of the multiple alerts which includes multiple nodes and edges between the nodes, each node corresponding to the cyber kill chain and representing at least one alert, and each edge representing a dependency between alerts [Hassanzadeh, Abstract].
Regarding claim 6, Gopalakrishnan does not explicitly disclose, but Hassanzadeh discloses, wherein the probability value indicates a likelihood that the respective directed edge will be traversed in an attack or by an attacker, and wherein determining the probability value is based on one or more of: a skill level of the attacker relative to a complexity of security condition associated with the second vulnerability subgraph node; resources and time available to the attacker; and metrics based on the Common Vulnerability Scoring System (CVSS) [¶¶49, 58-59, 64, 69-70, see FIGs 6 and 7 and corresponding text for more details].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Gopalakrishnan with the teaching of Hassanzadeh in order to detect and identify advanced persistent threats (APTs) in networks, classify each alert of the multiple alerts with respect to a cyber kill chain, and generate a graphical visualization of the dependency of the multiple alerts which includes multiple nodes and edges between the nodes, each node corresponding to the cyber kill chain and representing at least one alert, and each edge representing a dependency between alerts [Hassanzadeh, Abstract].
Regarding claim 7, Gopalakrishnan discloses generating nodes in the dependency subgraph, wherein the dependency subgraph includes directed edges between pairs of dependency subgraph nodes, wherein a dependency subgraph node represents a respective component of the system and is labeled with a dependency type and a number representing a value associated with the respective component, and wherein a directed edge from a first dependency subgraph node to a second dependency subgraph node indicates that the first dependency subgraph node depends upon the second dependency subgraph node [see Fig. 2, for dependency graph generator (222) and cognitive dependency graph (234) and corresponding text for more details, see Figs 5a-5b, 6 and corresponding text for more detail, ¶49-51, Based on the knowledge graph configured from the knowledge database 232 for the product and one or more entities extracted during the learning process, the CDGG module 222 may derive a cognitive dependency graph 234 for the product. The process of deriving the knowledge graph is explained in detail with respect to FIG. 5a and FIG. 5b and using this the construction of the cognitive dependency graph using the knowledge graph is explained in detail with respect to FIG. 6… In an aspect, the cognitive dependency graph 234 may be used to provide the technical support for the product of the customer at the remote end based on a technical problem statement received from the remote end….The cognitive dependency graph 234 may include a plurality of cognitive nodes having a root node and edges connecting the nodes in the cognitive dependency graph 234. The CDGG module 222 may use the CSCG module 224, which may generate a transitive sequence code for each cognitive node and the generated transitive sequence code may be encoded with each cognitive node].
Examiner Note: Hassanzadeh also describes a dependency graph and subgraph [see Figs 5-7 and corresponding text for more details].
Regarding claim 8, Gopalakrishnan discloses wherein the value associated with the respective component indicates an importance to the system of the respective component or the dependency subgraph node, wherein the dependency type labeled on the dependency subgraph node indicates a category of dependency relationships and includes one or more of: a redundancy type, wherein the respective component depends on a redundant pool of resources; a strict dependence type, wherein the respective component strictly depends on a first pool of other components, and wherein if a single component of the first pool of other components fails, the respective component fails to deliver any value; and a graceful degradation type, wherein the respective component depends on a second pool of other components, and wherein if a single component of the second pool of other components fails, the system continues to operate with a degraded performance [¶76, To derive the cognitive dependency graph 234 from the knowledge graph 500, the CDGG module 222 may perform a depth first search on the knowledge graph 500, starting from a root node. In an aspect, the root node of the knowledge graph 500 may be retained as a root node for the cognitive dependency graph 234. When a dependency node (DN) arrives during the traversal, a check node (CN) after the dependency node (DN) may result in two edges in the cognitive dependency graph 234. One edge is for check pass and other edge is for check fail. The check fail edge may arrive at one cognitive node in the dependency graph 234 and the check pass edge may reach to another cognitive node in the dependency graph 234. Further, after traversing to another cognitive node through the check fail edge, there may be an action node between the cognitive node and another cognitive node].
Regarding claim 9, Gopalakrishnan discloses wherein a directed edge from a dependency subgraph node to a configuration subgraph node in the first class indicates a list of configuration parameters associated with a component associated with the dependency subgraph node [see Fig. 2, for dependency graph generator (222) and cognitive dependency graph (234) and corresponding text for more details, see Figs 5a-5b, 6 and corresponding text for more detail, ¶49-51, Based on the knowledge graph configured from the knowledge database 232 for the product and one or more entities extracted during the learning process, the CDGG module 222 may derive a cognitive dependency graph 234 for the product. The process of deriving the knowledge graph is explained in detail with respect to FIG. 5a and FIG. 5b and using this the construction of the cognitive dependency graph using the knowledge graph is explained in detail with respect to FIG. 6… In an aspect, the cognitive dependency graph 234 may be used to provide the technical support for the product of the customer at the remote end based on a technical problem statement received from the remote end….The cognitive dependency graph 234 may include a plurality of cognitive nodes having a root node and edges connecting the nodes in the cognitive dependency graph 234. The CDGG module 222 may use the CSCG module 224, which may generate a transitive sequence code for each cognitive node and the generated transitive sequence code may be encoded with each cognitive node].
Regarding claim 10, Gopalakrishnan does not explicitly disclose, but Hassanzadeh discloses, wherein a directed edge from a configuration subgraph node in the second class to a vulnerability subgraph node indicates a constraint in the second-class configuration subgraph node which creates a precondition to exploit a vulnerability indicated by the vulnerability subgraph node [¶¶49, 58-59, 64, 69-70, Abstract, see FIGs 6 and 7 and corresponding text for more details].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Gopalakrishnan with the teaching of Hassanzadeh in order to detect and identify advanced persistent threats (APTs) in networks, classify each alert of the multiple alerts with respect to a cyber kill chain, and generate a graphical visualization of the dependency of the multiple alerts which includes multiple nodes and edges between the nodes, each node corresponding to the cyber kill chain and representing at least one alert, and each edge representing a dependency between alerts [Hassanzadeh, Abstract].
Regarding claim 11, Gopalakrishnan does not explicitly disclose, but Hassanzadeh discloses, wherein a directed edge from a vulnerability subgraph node to a dependency subgraph node indicates an exposure factor of a respective component to an exploitation of a vulnerability indicated by the vulnerability subgraph node [¶50 …to gain access to the controller device, the attacker may launch an attack against a computer device in an information technology (IT) network, and may exploit the computer device in order to step to a human-machine interface (HMI) device in the operational technology network, and then may further exploit the human-machine interface device in order to step to the controller device. The attack path database 520 can include multiple known attack paths or attack trees, where each attack path represents the potential paths an adversary can take to get into different targets (e.g., assets in the IT network domain 102 and/or assets in the OT network domain 104) in the IIOT network], and [¶58, The alert dependency engine 512 identifies one or more dependencies for the classified alert 554. For example, for a classified alert 554, enrichment information from a threat intelligence data (e.g., from knowledge database 518) added by the global enrichment engine 506 and potential attack paths defined by an attack graph generated for the IIOT network from the attack graph database 520 can be used to identify all potential consequences (e.g., a list of exploits or other potential adversarial actions). The one or more attack paths in the attack path database 520 describes how one vulnerability may relate to another. In some implementations, an alert can be associated with a specific vulnerability and the attack graph can be used to establish the dependency between alerts.], and [¶61, In some implementations, one or more of the dependencies for the classified alert 554 may be determined based in part on one or more of the following: the step of the CKC process of the classified alert 554, the local enrichment data for the alert, and/or the global enrichment data for the alert. The one or more dependencies for the classified alert 554 can also be determined by analyzing the impact of an attack (e.g., in a post-mortem analysis) where the impact may include potential gains for an adversary who conducted the attack (e.g., what additional vulnerabilities in the IT/OT networks may have been exposed through the attack). For example, an IIS buffer overflow attack exposes a further buffer overflow vulnerability which can be used to gain certain administrative privileges].
Regarding claims 12 and 20, Gopalakrishnan does not explicitly disclose, however Hassanzadeh discloses, further comprising calculating an impact of a multiple-step attack of the system, which comprises: defining an impact function for a single attack step based on a relative residual utility of a respective component before and after exploitation of a first vulnerability and further based on an original utility of the respective component, wherein the impact of the exploitation of the first vulnerability is based on other vulnerabilities exploited in prior attack steps and corresponding impact on the system, and wherein, in the multiple-step attack, a utility of each component of the system decreases after each attack step [¶36…. , a network-based intrusion detection system may not have specific information about an attacker or about a target, but may generate an alert based on the contents of a communications packet—that is, the alert may be generated if the packet includes an exploit directed to a known vulnerability. However, the generated alert in the present example may or may not indicate a successful attack on the target. For example, if an attack relies on certain system attributes (e.g., a type of operating system), but the system has different attributes (e.g., a different operating system) that are not affected by an attempted attack, the attack is rendered unsuccessful], and [¶58, The alert dependency engine 512 identifies one or more dependencies for the classified alert 554. For example, for a classified alert 554, enrichment information from a threat intelligence data (e.g., from knowledge database 518) added by the global enrichment engine 506 and potential attack paths defined by an attack graph generated for the IIOT network from the attack graph database 520 can be used to identify all potential consequences (e.g., a list of exploits or other potential adversarial actions). 
The one or more attack paths in the attack path database 520 describes how one vulnerability may relate to another. In some implementations, an alert can be associated with a specific vulnerability and the attack graph can be used to establish the dependency between alerts ], and [¶61,  In some implementations, one or more of the dependencies for the classified alert 554 may be determined based in part on one or more of the following: the step of the CKC process of the classified alert 554, the local enrichment data for the alert, and/or the global enrichment data for the alert. The one or more dependencies for the classified alert 554 can also be determined by analyzing the impact of an attack (e.g., in a post-mortem analysis) where the impact may include potential gains for an adversary who conducted the attack (e.g., what additional vulnerabilities in the IT/OT networks may have been exposed through the attack). For example, an IIS buffer overflow attack exposes a further buffer overflow vulnerability which can be used to gain certain administrative privileges], and [¶60].
Regarding claims 13 and 21, Gopalakrishnan does not explicitly disclose, however Hassanzadeh discloses, wherein calculating the impact of the multiple-step attack of the system further comprises one or more of: defining a first attack surface metric based on a likelihood and a potential impact of each of a plurality of attack paths, wherein a respective attack path can be traversed in a step of the multiple-step attack of the system, and wherein the respective attack path comprises at least: a first node in the vulnerability subgraph; a directed edge from the first node in the vulnerability subgraph to a second node in the dependency subgraph; and the second node in the dependency subgraph; analyzing one or more attack paths based on probability values associated with directed edges between nodes which comprise a respective attack path; and defining a second attack surface metric based on assessing an impact of multiple steps of a multiple-step attack executed concurrently, wherein, at each step, all vulnerabilities for which preconditions are satisfied are exploited with a probability of one [¶¶49, 58-59, 64, 69-70, see FIGs 6 and 7 and corresponding text for more details].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Gopalakrishnan with the teaching of Hassanzadeh in order to detect and identify advanced persistent threats (APTs) in networks, classify each alert of the multiple alerts with respect to a cyber kill chain, and generate a graphical visualization of the dependencies among the multiple alerts which includes multiple nodes and edges between the nodes, each node corresponding to a step of the cyber kill chain and representing at least one alert, and each edge representing a dependency between alerts [Hassanzadeh, Abstract].
Regarding claims 14 and 22, the claims recite: displaying, on a screen of a user device, one or more interactive elements which allow the user to: view the constructed multi-layer graph comprising at least: the configuration subgraph and the generated configuration subgraph nodes; the vulnerability subgraph and the generated vulnerability subgraph nodes; the dependency subgraph and generated dependency subgraph nodes; and directed edges between nodes in a same subgraph or between nodes in different subgraphs; select one or more attack paths; and view an impact of the one or more attack paths executed sequentially or executed concurrently.
Gopalakrishnan discloses this limitation as: [¶23, In an embodiment, the method further includes providing the technical support for the product using the cognitive dependency graph. The method comprises sending one or more of the set of questions associated with a cognitive node in the look up table, through a communication interface, to a customer at the remote end in response to a service request from the remote end. The service request may include a statement of a technical problem with the product. Further, the method comprises obtaining a response at the technical support end, through the communication interface, for each question that is sent from the remote end. Next, the method includes automated processing of the response to provide the technical support], and [see FIGs 2, Interface (204), user interaction module (214), [0037] The interface(s) 204 may include a variety of machine-readable instructions-based interfaces and hardware interfaces that allow the TAC 115 to interact with different entities], and [see FIGs 5a, 5b and 6 and corresponding text for more detail].
 Furthermore, Hassanzadeh discloses this limitation as: [¶¶78-79, a graphical visualization (e.g., correlation graph 600) is generated for the multiple alerts (e.g., alerts 602) (810). The graphical visualization may arrange the multiple classified alerts according to the sequence of steps of the cyber kill chain, where each alert is a node and each dependency between the alerts is an edge. Embodiments of the subject matter described in this specification can be implemented in a computing system that includes a back end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front end component (e.g., a client computer) having a graphical user interface or a Web browser through which a user can interact with an implementation of the subject matter described in this specification], and [Abstract].
Regarding claim 17, Gopalakrishnan does not explicitly disclose, however Hassanzadeh discloses, wherein generating the nodes for the vulnerability subgraph further comprises: identifying and encoding a negation of the known vulnerabilities associated with a component as a first set of known vulnerabilities, wherein the first set of known vulnerabilities are obtained from a public or a proprietary database; identifying the bad security practices and encoding the bad security practices as a second set of known vulnerabilities; and identifying the best security practices and encoding a negation of the best security practices as a third set of known vulnerabilities, wherein the vulnerability subgraph includes directed edges between pairs of vulnerability subgraph nodes, wherein a vulnerability subgraph node represents a known vulnerability or a security condition, wherein a directed edge from a first vulnerability subgraph node to a second vulnerability subgraph node indicates that exploiting the first vulnerability subgraph node creates preconditions for exploiting the second vulnerability subgraph node, and wherein a respective directed edge is associated with a probability value which indicates a likelihood that the respective directed edge will be traversed in an attack or by an attacker [¶¶49, 58-59, 64, 69-70, see FIGs 6 and 7 and corresponding text for more details].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Gopalakrishnan with the teaching of Hassanzadeh in order to detect and identify advanced persistent threats (APTs) in networks, classify each alert of the multiple alerts with respect to a cyber kill chain, and generate a graphical visualization of the dependencies among the multiple alerts which includes multiple nodes and edges between the nodes, each node corresponding to a step of the cyber kill chain and representing at least one alert, and each edge representing a dependency between alerts [Hassanzadeh, Abstract].
Regarding claim 18, Gopalakrishnan discloses generating nodes in the dependency subgraph, wherein the dependency subgraph includes directed edges between pairs of dependency subgraph nodes, wherein a dependency subgraph node represents a respective component of the system and is labeled with a dependency type and a number representing a value associated with the respective component, wherein the value associated with the respective component indicates an importance to the system of the respective component or the dependency subgraph node, and wherein the dependency type labeled on the dependency subgraph node indicates a category of dependency relationships and includes one or more of: a redundancy type, wherein the respective component depends on a redundant pool of resources; a strict dependence type, wherein the respective component strictly depends on a first pool of other components, and wherein if a single component of the first pool of other components fails, the respective component fails to deliver any value; and a graceful degradation type, wherein the respective component depends on a second pool of other components, and wherein if a single component of the second pool of other components fails, the system continues to operate with a degraded performance, and wherein a directed edge from a first dependency subgraph node to a second dependency subgraph node indicates that the first dependency subgraph node depends upon the second dependency subgraph node [¶76, To derive the cognitive dependency graph 234 from the knowledge graph 500, the CDGG module 222 may perform a depth first search on the knowledge graph 500, starting from a root node. In an aspect, the root node of the knowledge graph 500 may be retained as a root node for the cognitive dependency graph 234. When a dependency node (DN) arrives during the traversal, a check node (CN) after the dependency node (DN) may result in two edges in the cognitive dependency graph 234. 
One edge is for check pass and other edge is for check fail. The check fail edge may arrive at one cognitive node in the dependency graph 234 and the check pass edge may reach to another cognitive node in the dependency graph 234. Further, after traversing to another cognitive node through the check fail edge, there may be an action node between the cognitive node and another cognitive node].
Regarding claim 19, the claim recites: wherein a directed edge from a dependency subgraph node to a configuration subgraph node in the first class indicates a list of configuration parameters associated with a component associated with the dependency subgraph node, wherein a directed edge from a configuration subgraph node in the second class to a vulnerability subgraph node indicates a constraint in the second class configuration subgraph node which creates a precondition to exploit a vulnerability indicated by the vulnerability subgraph node, and wherein a directed edge from a vulnerability subgraph node to a dependency subgraph node indicates an exposure factor of a respective component to an exploitation of a vulnerability indicated by the vulnerability subgraph node.
The combination of Gopalakrishnan and Hassanzadeh discloses:
Gopalakrishnan discloses: [see Fig. 2, dependency graph generator (222) and cognitive dependency graph (234) and corresponding text for more details; see Figs 5a-5b, 6 and corresponding text for more detail; ¶¶49-51, Based on the knowledge graph configured from the knowledge database 232 for the product and one or more entities extracted during the learning process, the CDGG module 222 may derive a cognitive dependency graph 234 for the product. The process of deriving the knowledge graph is explained in detail with respect to FIG. 5a and FIG. 5b and using this the construction of the cognitive dependency graph using the knowledge graph is explained in detail with respect to FIG. 6… In an aspect, the cognitive dependency graph 234 may be used to provide the technical support for the product of the customer at the remote end based on a technical problem statement received from the remote end….The cognitive dependency graph 234 may include a plurality of cognitive nodes having a root node and edges connecting the nodes in the cognitive dependency graph 234. The CDGG module 222 may use the CSCG module 224, which may generate a transitive sequence code for each cognitive node and the generated transitive sequence code may be encoded with each cognitive node].
Furthermore, Hassanzadeh discloses: [¶¶49, 58-59, 64, 69-70, Abstract, see FIGs 6 and 7 and corresponding text for more details], and [¶50 …to gain access to the controller device, the attacker may launch an attack against a computer device in an information technology (IT) network, and may exploit the computer device in order to step to a human-machine interface (HMI) device in the operational technology network, and then may further exploit the human-machine interface device in order to step to the controller device. The attack path database 520 can include multiple known attack paths or attack trees, where each attack path represents the potential paths an adversary can take to get into different targets (e.g., assets in the IT network domain 102 and/or assets in the OT network domain 104) in the IIOT network], and [¶58, The alert dependency engine 512 identifies one or more dependencies for the classified alert 554. For example, for a classified alert 554, enrichment information from a threat intelligence data (e.g., from knowledge database 518) added by the global enrichment engine 506 and potential attack paths defined by an attack graph generated for the IIOT network from the attack graph database 520 can be used to identify all potential consequences (e.g., a list of exploits or other potential adversarial actions). The one or more attack paths in the attack path database 520 describes how one vulnerability may relate to another. In some implementations, an alert can be associated with a specific vulnerability and the attack graph can be used to establish the dependency between alerts.], and [¶61, In some implementations, one or more of the dependencies for the classified alert 554 may be determined based in part on one or more of the following: the step of the CKC process of the classified alert 554, the local enrichment data for the alert, and/or the global enrichment data for the alert. 
The one or more dependencies for the classified alert 554 can also be determined by analyzing the impact of an attack (e.g., in a post-mortem analysis) where the impact may include potential gains for an adversary who conducted the attack (e.g., what additional vulnerabilities in the IT/OT networks may have been exposed through the attack). For example, an IIS buffer overflow attack exposes a further buffer overflow vulnerability which can be used to gain certain administrative privileges].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Gopalakrishnan with the teaching of Hassanzadeh in order to detect and identify advanced persistent threats (APTs) in networks, classify each alert of the multiple alerts with respect to a cyber kill chain, and generate a graphical visualization of the dependencies among the multiple alerts which includes multiple nodes and edges between the nodes, each node corresponding to a step of the cyber kill chain and representing at least one alert, and each edge representing a dependency between alerts [Hassanzadeh, Abstract].
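As an added illustration of the claim structure discussed for claims 12, 13, 18 and 19 above, the following Python models a toy multi-layer graph: dependency subgraph nodes carrying a value and a dependency type (redundancy, strict, graceful degradation), vulnerability subgraph nodes connected by probability-weighted directed edges, exposure-factor edges from vulnerabilities into components, a per-step impact function based on original utility and the residual utility before and after exploitation, and the two attack surface metrics (likelihood-weighted sequential paths, and concurrent exploitation with probability one at each step). This is example code written here, not code from the application, from Gopalakrishnan or from Hassanzadeh. The propagation rules (strict takes the minimum of its dependencies' residual fraction, redundancy the maximum, graceful the mean), the treatment of any one incoming vulnerability edge as a sufficient precondition, the requirement that the dependency subgraph be acyclic, and the sample system itself are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Component:
    """Dependency-subgraph node: importance value, dependency type, out-edges."""
    name: str
    value: float                       # importance of the component to the system
    dep_type: str = "strict"           # "redundancy" | "strict" | "graceful"
    depends_on: List[str] = field(default_factory=list)


@dataclass
class Vulnerability:
    """Vulnerability-subgraph node; `exposure` holds its edges into the dependency subgraph."""
    vid: str
    exposure: Dict[str, float]         # component -> exposure factor in [0, 1]


class MultiLayerGraph:
    def __init__(self, comps, vulns, vedges: Dict[Tuple[str, str], float], entry):
        self.comps = {c.name: c for c in comps}
        self.vulns = {v.vid: v for v in vulns}
        self.vedges = vedges           # (v_from, v_to) -> probability the edge is traversed
        self.entry = set(entry)        # vulnerabilities that need no precondition
        self.orig = {c.name: c.value for c in comps}

    def enabled(self, exploited: Set[str]) -> Set[str]:
        """Unexploited vulnerabilities whose preconditions hold (assumed: any one incoming edge suffices)."""
        return {v for v in self.vulns if v not in exploited and
                (v in self.entry or any(a in exploited for (a, b) in self.vedges if b == v))}

    def propagate(self, own: Dict[str, float]) -> Dict[str, float]:
        """Residual-utility fraction per component from its own fraction and its dependencies' (acyclic graph assumed)."""
        frac: Dict[str, float] = {}

        def f(name: str) -> float:
            if name not in frac:
                c = self.comps[name]
                deps = [f(d) for d in c.depends_on]
                if not deps:
                    r = own[name]
                elif c.dep_type == "strict":      # one failed dependency -> no value delivered
                    r = own[name] * min(deps)
                elif c.dep_type == "redundancy":  # pool keeps delivering while any member does
                    r = own[name] * max(deps)
                else:                             # graceful degradation: proportional loss
                    r = own[name] * sum(deps) / len(deps)
                frac[name] = r
            return frac[name]

        for n in self.comps:
            f(n)
        return frac

    def step(self, own: Dict[str, float], vid: str):
        """One attack step: apply the exposure factors of `vid`, return (new state, impact).
        Impact = sum over components of original utility x (residual fraction before - after)."""
        before = self.propagate(own)
        new_own = dict(own)
        for comp, e in self.vulns[vid].exposure.items():
            new_own[comp] = own[comp] * (1.0 - e)
        after = self.propagate(new_own)
        return new_own, sum(self.orig[c] * (before[c] - after[c]) for c in self.comps)

    def path_impact(self, path: List[str]) -> Tuple[float, float]:
        """Sequential multi-step attack along a vulnerability path -> (likelihood, total impact)."""
        own = {c: 1.0 for c in self.comps}
        likelihood, total = 1.0, 0.0
        for i, vid in enumerate(path):
            if i:
                likelihood *= self.vedges[(path[i - 1], vid)]
            own, imp = self.step(own, vid)     # later steps see the utility already lost
            total += imp
        return likelihood, total

    def attack_surface_sequential(self, paths: List[List[str]]) -> float:
        """First metric: likelihood-weighted impact summed over candidate attack paths."""
        return sum(lik * imp for lik, imp in map(self.path_impact, paths))

    def attack_surface_concurrent(self) -> float:
        """Second metric: at each step every enabled vulnerability is exploited with probability one."""
        own = {c: 1.0 for c in self.comps}
        exploited, total = set(), 0.0
        while batch := self.enabled(exploited):
            for vid in sorted(batch):
                own, imp = self.step(own, vid)
                total += imp
            exploited |= batch
        return total


def build_example() -> MultiLayerGraph:
    """Constructed sample system for the illustration (not from the application or the references)."""
    comps = [
        Component("db1", 2.0), Component("db2", 2.0),
        Component("app", 5.0, "redundancy", ["db1", "db2"]),   # either database keeps app alive
        Component("web", 3.0, "strict", ["app"]),              # web is worthless without app
        Component("dash", 1.0, "graceful", ["db1", "db2"]),    # dashboard degrades per lost db
    ]
    vulns = [Vulnerability("V1", {"web": 0.5}), Vulnerability("V2", {"db1": 1.0}),
             Vulnerability("V3", {"app": 0.4})]
    vedges = {("V1", "V2"): 0.6, ("V1", "V3"): 0.3, ("V2", "V3"): 0.5}
    return MultiLayerGraph(comps, vulns, vedges, entry={"V1"})
```

Running `build_example().path_impact(["V1", "V2", "V3"])` gives a likelihood of 0.3 and a total impact of 6.6: V1 costs 1.5 (half of web), V2 costs 2.5 (all of db1 plus half of the dashboard, while app survives through db2), and V3 costs 2.6 because the loss in app propagates through the strict edge into what remained of web.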
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 

(WO 2019186722 A1) teaches a security evaluation system provided with: a first graph generation unit that generates a first evaluation graph indicating a connection relationship between resources subjected to security evaluation; a second graph generation unit that generates a second evaluation graph indicating a connection relationship between areas to which the resources are allocated; and a display unit that displays the first evaluation graph and the second evaluation graph in association with each other.

Adogla (US9215158) teaches embodiments of the present disclosure are directed to, among other things, determining whether some or all portions of an application stack implemented on a distributed system are vulnerable to availability issues. In some examples, a web service may utilize or otherwise control a client instance to control, access, or otherwise manage resources of a distributed system. Based at least in part on comparing one or more customer graphs with one or more model, curated, or best practice graphs of a distributed system, availability risks and/or deployment recommendations may be provided. Additionally, in some examples, one or more remediation and/or migration operations may be performed automatically or provided as recommendations.
Crabtree (US20220263860) teaches a system for cyber threat hunting employing an advanced cyber decision platform comprising a time series data store, a directed computational graph module, an automated planning service module, and observation and state estimation module, wherein the state of a network is monitored and used to predict network resources that may be vulnerable to a future cyber threat and to produce a cyber-physical graph representing the vulnerable network resources, a human operator is provided with the cyber-physical graph to analyze the data contained therein to initiate an investigation of network resources, and the results of the threat investigation and their effects are analyzed to produce security recommendations.
Abaya (US2017/0177740) teaches the method involves forming a graph interface for a set of components by forming an interface element of a graph interface and configuring properties of the interface element such that a port of a component is consistent with the properties of the interface element. Implementation of the graph interface including the set of components is formed by forming a correspondence between the interface element and the port of the component of the set of components. The implementation of the graph interface is stored in a data storage system.
Muddu (US10904270) teaches the composite graph enables the security platform to perform analytics on entity behaviors, which can be a sequence of activities, a certain volume of activities, or can be custom defined by the administrator (e.g., through a machine learning model). By having an explicit recordation of relationships among the events, the relationship graph generator 810 can enable the analytics engines introduced here (e.g., the complex processing engine) to employ various machine learning models, which may focus on different portions or aspects of the discovered relationships between all the events in the environment, in order to detect anomalies or threats.

Noel (US10313382) teaches a system and method for implementing a graph database to analyze and monitor a status of an enterprise computer network is provided. In one example, a plurality of sensors can be inputted into sensor interface in which all of the data associated with the sensors is converted into a common data format. The data can be parsed into a data model that contains nodes and edges in order to generate a graph database model that can allow a network analyst to analyze the real-time status of a computer network. The graph database model can include multiple layers including an infrastructure layer, a cyber threats layer, a cyber posture layer, and a mission readiness layer. The graph database model can also be queried by a user using a domain-specific query language, so as to provide a user-friendly syntax in generating queries.
Bakalli (US2020/0175174) teaches data is received that characterizes source code requiring a security vulnerability assessment. Using this received data, an input node of a vulnerability context graph is generated. Subsequently, at least one node is resolved from the input node using at least one of a plurality of resolvers that collectively access each of a knowledge base, a source code commit database, and at least one online resource. Additionally, nodes are later iteratively resolved at different depth levels until a pre-defined threshold is met. The vulnerability context graph is then caused to be displayed in a graphical user interface such that each node has a corresponding graphical user interface element which, when activated, causes complementary information for such node to be displayed.
Leviseur (US11265292) teaches the set of nodes and edges associated with the graph may be used to derive configurations for the virtualized infrastructure components from the associated values, settings, annotations, or other metadata in the graph. In one example, a network control point at an individual virtual network interface or a firewall, may be configured using a configuration derived from the graph with the values, settings, annotations, or other metadata in the graph of a node corresponding to the network control point and one or more application dataflows that involve the corresponding node. In another example, a security group with a firewall rule may be established using a configuration derived from the graph. In yet another example, a network access control list (NACL) may be established using a configuration derived from the graph. In further examples, a configuration may be derived from the graph to set a media access control (MAC) address, an Internet Protocol (IP) address, a source or destination check flag, and the like.

Chari (US2017/0286690) teaches generating an attack graph is provided. A set of sensitive data corresponding to a regulated service is identified. A set of components corresponding to the regulated service that are authorized to perform activities associated with sensitive data is scanned for. Vulnerability and risk metrics corresponding to each component in the set of components of the regulated service is identified. The attack graph that includes nodes representing components in the set of components of the regulated service and edges between nodes representing relationships between related components in the set of components is generated based on the vulnerability and risk metrics corresponding to each component in the set of components.
Olson (US2015/0244734) teaches the registering consumer may also provide information associated with digital signatures. Countermeasure rule engine 518 may obtain the rules by iterating through each vulnerability node of an intelligence graph and determining, for each vulnerability node, whether documents such as intelligence reports mention it by examining the edges joined to the vulnerability node for the presence of "mentions" or "mentioned by" edges. If so, the iteration may parse the documents to extract any existing rules, including both sub-graph templates for matching to threats, and countermeasure templates. The extracted information may then be stored in countermeasure rules engine 518.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAHRIAR ZARRINEH whose telephone number is (571)272-1207. The examiner can normally be reached Monday-Friday, 8:30am-5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado can be reached on 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHAHRIAR ZARRINEH/Examiner, Art Unit 2496