DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

The following is a Non-Final Office Action in response to applicant's filing on September 28, 2020.
Claims 1-20 are pending.

Specification
The use of the terms MITRE ATT&CK and Microsoft, which are trade names or marks used in commerce, has been noted in this application. Each term should be accompanied by the generic terminology; furthermore, the term should be capitalized wherever it appears or, where appropriate, include a proper symbol indicating use in commerce such as ™, SM, or ® following the term.
Although the use of trade names and marks used in commerce (i.e., trademarks, service marks, certification marks, and collective marks) is permissible in patent applications, the proprietary nature of the marks should be respected and every effort made to prevent their use in any manner which might adversely affect their validity as commercial marks.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-3, 5, 7, 8, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al. (US 2020/0021607 A1), hereinafter Muddu, in view of Badawy et al. (US 10,938,828 B1), hereinafter Badawy.

In regards to claim 1, Muddu discloses a method, comprising: 
creating a graph of processes performed by a computer system using edges of the processes and metadata comprising properties or artifacts of the edges or processes (Muddu, Para. 0214, some implementations of the relationship graph generator 810 generate a single relationship graph for each event), the edges identify a connection between a parent process and a child process (Muddu, Para. 0214, each node in the relationship graph represents one of the entities involved in the event, and each edge represents a relationship between two of the entities); and detecting anomalous parent-child process chains of the processes by (Muddu, Para. 0523, a profiling window of successive prediction can be used to build the baseline prediction profile (e.g., for a specific entity, to learn that how many unusual events per window for the specific entity is consider normal)):
 assigning edge weights to the edges of the processes using a supervised learning process that has been trained to identify malicious edges and benign edges to create a weighted graph (Muddu, Para. 0588, for each node, the machine learning model 6300 keeps 15% of the weight value at the node and then equally distributes the remainder of the weight values along the edges to other nodes), the edge weights comprising predicted class probabilities that are indicative of the processes being malicious (Muddu, Para. 0579, The machine learning model calculates the anomaly score as, e.g., 0.355, by summing the similarity score difference of 0.255 and an extra weight of 0.1 in recognition that the network device 6424 is a server of high importance); and
Muddu fails to disclose performing community detection on the weighted graph using an unsupervised learning technique to identify the anomalous parent-child process chains.
However, Badawy teaches performing community detection on the weighted graph using an unsupervised learning technique to identify the anomalous parent-child process chains (Badawy, Col. 24, lines 44-59, the community-detection or other clustering algorithm utilized in an embodiment may fall under the umbrella of what are usually termed unsupervised machine-learning and Col. 3, lines 40-59).  
Muddu and Badawy are both considered to be analogous to the claimed invention because they are in the same field of creating a relationship graph and detecting malicious edges and benign edges. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Muddu to incorporate the teachings of Badawy to include performing community detection on the weighted graph using an unsupervised learning technique to identify the anomalous parent-child process chains (Badawy, Col. 24, lines 44-59). Doing so would aid in reducing the computational burden and memory requirements of systems implementing these embodiments through the improved data structures and the graph processing and analysis implemented by such embodiments (Badawy, Col. 14, lines 37-42).

In regards to claim 2, the combination of Muddu and Badawy teaches the method according to claim 1, further comprising extracting information from each of the processes, the information including a process name of a process, an edge that is indicative of an action of the process, and metadata comprising properties or artifacts that are associated with the process name and/or the edge (Muddu, Fig. 36, and Para. 411, In the graph database 3560, the nodes (also referred to as vertices), edges and associated metadata of the composite relationship graph are stored in one or more data files. The nodes and edges of the composite relationship can be partitioned based on the timestamps (from the event data) of the corresponding network activities).  

In regards to claim 3, the combination of Muddu and Badawy teaches the method according to claim 1, further comprising analyzing any combination of a filepath, username, timestamp, an array created from processes, and command line arguments (Muddu, Para. 0411, The nodes and edges of the composite relationship can be partitioned based on the timestamps (from the event data) of the corresponding network activities. Each data file can be designated for storing nodes and edges for a particular time period). 

In regards to claim 5, the combination of Muddu and Badawy teaches the method according to claim 1, wherein the graph is a directed acyclical graph (Muddu, Para. 0311, The topology-based assignments maintain a directed acyclical graph (DAG) structure that allows for dynamic execution of model-specific process threads and management of the input data dependencies of these model-specific process threads).  

In regards to claim 7, the combination of Muddu and Badawy teaches the method according to claim 1, wherein the supervised learning process determines the edge weights from any one or more of: a time difference between creation and termination of a process; one-hot encoding of a child process and a parent process; a determination as to whether the process is signed; a determination as to whether the process is elevated; a determination as to whether the process is running as a system; a parent-child user mismatch; entropy of a process name; entropy of a command line argument; and/or term frequency-inverse document frequency analysis of the command line argument (Muddu, para. 0622, the machine-generated nature of a character-based identifier is a high degree of entropy or randomness in the sequencing of characters. One way to analyze the entropy or randomness in the characters is through an n-gram analysis).  

In regards to claim 8, the combination of Muddu and Badawy teaches the method according to claim 1, wherein the unsupervised learning technique assigns each of the processes: using a greedy assignment of the processes from a community to a neighboring community to determine changes in modularity (Badawy, Col. 24, lines 24-35, For example, setting an empirical low threshold for modularity, with combined user alerts, could serve as a warning for deteriorating quality of peer groups or the identity graph); and for each of the processes, determining a maximum change in the modularity and placing a process of the process into a corresponding community (Badawy, Col. 24, lines 60-67, and Col. 25, lines 1-2, This newly pruned identity graph can then be clustered into new peer groups of identities or entitlements at step 240 and a peer group assessment metric determined at step 250 based on the newly pruned identity graph or the newly determined peer groups). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Muddu to incorporate the teachings of Badawy to include the unsupervised learning technique assigning each of the processes: using a greedy assignment of the processes from a community to a neighboring community to determine changes in modularity (Badawy, Col. 24, lines 24-35); and for each of the processes, determining a maximum change in the modularity and placing a process of the process into a corresponding community (Badawy, Col. 24, lines 60-67, and Col. 25, lines 1-2). Doing so would aid in reducing the computational burden and memory requirements of systems implementing these embodiments through the improved data structures and the graph processing and analysis implemented by such embodiments (Badawy, Col. 14, lines 37-42).

In regards to claim 18, Muddu discloses a system, comprising: a processor; and a memory for storing instructions, the processor executing the instructions to: 
create a graph of processes performed by a computer system using edges of the processes and metadata comprising properties or artifacts of the edges or processes (Muddu, Para. 0214, some implementations of the relationship graph generator 810 generate a single relationship graph for each event), the edges identify a connection between a parent process and a child process (Muddu, Para. 0214, each node in the relationship graph represents one of the entities involved in the event, and each edge represents a relationship between two of the entities); and detect anomalous parent-child process chains of the processes by (Muddu, Para. 0523, a profiling window of successive prediction can be used to build the baseline prediction profile (e.g., for a specific entity, to learn that how many unusual events per window for the specific entity is consider normal)): assigning edge weights to the edges of the processes using a supervised learning process that has been trained to identify malicious edges and benign edges to create a weighted graph (Muddu, Para. 0588, for each node, the machine learning model 6300 keeps 15% of the weight value at the node and then equally distributes the remainder of the weight values along the edges to other nodes), the edge weights comprising predicted class probabilities that are indicative of the processes being malicious (Muddu, Para. 0579, The machine learning model calculates the anomaly score as, e.g., 0.355, by summing the similarity score difference of 0.255 and an extra weight of 0.1 in recognition that the network device 6424 is a server of high importance); and 
Muddu fails to disclose performing community detection on the weighted graph using an unsupervised learning technique to identify the anomalous parent-child process chains.  
However, Badawy teaches performing community detection on the weighted graph using an unsupervised learning technique to identify the anomalous parent-child process chains (Badawy, Col. 24, lines 44-59, the community-detection or other clustering algorithm utilized in an embodiment may fall under the umbrella of what are usually termed unsupervised machine-learning and Col. 3, lines 40-59).  
Muddu and Badawy are both considered to be analogous to the claimed invention because they are in the same field of creating a relationship graph and detecting malicious edges and benign edges. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Muddu to incorporate the teachings of Badawy to include performing community detection on the weighted graph using an unsupervised learning technique to identify the anomalous parent-child process chains (Badawy, Col. 24, lines 44-59). Doing so would aid in reducing the computational burden and memory requirements of systems implementing these embodiments through the improved data structures and the graph processing and analysis implemented by such embodiments (Badawy, Col. 14, lines 37-42).

In regards to claim 19, the system according to claim 18, wherein the processor is configured to extract information from each of the processes, the information including a process name of a process, an edge that is indicative of an action of the process, and metadata comprising properties or artifacts that are associated with the process name and/or the edge (Muddu, Fig. 36, and Para. 411, In the graph database 3560, the nodes (also referred to as vertices), edges and associated metadata of the composite relationship graph are stored in one or more data files. The nodes and edges of the composite relationship can be partitioned based on the timestamps (from the event data) of the corresponding network activities).  

In regards to claim 20, the combination of Muddu and Badawy teaches the system according to claim 18, wherein the processor is configured to: analyze any combination of a filepath, username, timestamp, an array created from the processes, and command line arguments; and apply a term frequency-inverse document frequency analysis of the command line arguments (Muddu, Para. 0411, The nodes and edges of the composite relationship can be partitioned based on the timestamps (from the event data) of the corresponding network activities. Each data file can be designated for storing nodes and edges for a particular time period).

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al. (US 2020/0021607 A1), hereinafter Muddu, in view of Badawy et al. (US 10,938,828 B1), hereinafter Badawy, and further in view of Sawal et al. (US 2017/0109356 A1), hereinafter Sawal.

In regards to claim 4, the combination of Muddu and Badawy fails to teach the method according to claim 3, further comprising applying a term frequency-inverse document frequency analysis of the command line arguments.
However, Sawal teaches applying a term frequency-inverse document frequency analysis of the command line arguments (Sawal, Para. 0039, a command template database is consulted in a command generation system for suggesting a command for a particular product. In embodiments, a term frequency/inverse document frequency (TF/IDF)-based ranking function is used to get the most relevant match for an input. In embodiments, the APACHE LUCENE index engine may be used to index commands (e.g., CLIs and REST APIs) for template lookup).
Muddu, Badawy, and Sawal are all considered to be analogous to the claimed invention because they are in the same field of creating a relationship graph and detecting malicious edges and benign edges.
Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Muddu and Badawy to incorporate the teachings of Sawal to include applying a term frequency-inverse document frequency analysis of the command line arguments (Sawal, Para. 0039). Doing so would make the systems easier and more intuitive, which improves the likelihood that the network will be configured correctly, that fewer errors will be made, and that problems will be resolved more quickly (Sawal, Para. 0008).

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al. (US 2020/0021607 A1), hereinafter Muddu, in view of Badawy et al. (US 10,938,828 B1), hereinafter Badawy, and further in view of McLane et al. (US 2019/0007433 A1), hereinafter McLane.

In regards to claim 6, the combination of Muddu and Badawy fails to teach the method according to claim 1, wherein the supervised learning process is a gradient boosted trees model, and the edge weights are assigned by predicting a class probability for the edges that are identified as malicious edges by the supervised learning process.
However, McLane teaches the supervised learning process is a gradient boosted trees model, and the edge weights are assigned by predicting a class probability for the edges that are identified as malicious edges by the supervised learning process (McLane, Paras 0003 and 0089, In this example, the configuration of the decision tree is trained (e.g., using a gradient decent process), based on features associated with training data (e.g., the set of malware containing files, the set of non-malware containing files, and classification information associated with each file) to identify patterns in the features that correspond to malware and patterns in the features that correspond to non-malware. Subsequently, to determine whether a new file includes malware).
Muddu, Badawy, and McLane are all considered to be analogous to the claimed invention because they are in the same field of creating a relationship graph and detecting malicious edges and benign edges.
Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Muddu and Badawy to incorporate the teachings of McLane to include the supervised learning process being a gradient boosted trees model, and the edge weights being assigned by predicting a class probability for the edges that are identified as malicious edges by the supervised learning process (McLane, Paras 0003 and 0089). Doing so would enable the file classifier to identify malware that has not been specifically used to train the file classifier. For example, a trained file classifier may be able to identify files that contain so called "zero day" malware (McLane, Para. 0006).

Claims 9-13 and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al. (US 2020/0021607 A1), hereinafter Muddu, in view of Badawy et al. (US 10,938,828 B1), hereinafter Badawy, and further in view of Bayliss (US 9,836,524 B2).

In regards to claim 9, the combination of Muddu and Badawy fails to teach the method according to claim 1, further comprising determining a prevalence score for a parent-child process chain that is indicative of how often the child process has been encountered as compared to other child processes relative to the parent process. 
However, Bayliss teaches further comprising determining a prevalence score for a parent-child process chain that is indicative of how often the child process has been encountered as compared to other child processes relative to the parent process (Bayliss, Col. 26, lines 6-19, suppose that a query value of "H" returns a score of 2 based on matches with records in the "First Name" field from a first child record in a hierarchy. Now, suppose that for a second child record, a query value of "Harold" returns a score of 9 in the "First Name" field). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Muddu and Badawy to incorporate the teachings of Bayliss to include determining a prevalence score for a parent-child process chain that is indicative of how often the child process has been encountered as compared to other child processes relative to the parent process (Bayliss, Col. 26, lines 6-19). Doing so would aid in determining linkages or relationships among the records. The "relationships" among the various records (nodes) may be represented (for illustration purposes) as connecting lines (edges), with line weights representing different types of relationships and/or weightings among field values of the database records (Bayliss, Col. 6, lines 41-48).

In regards to claim 10, Muddu discloses a method, comprising: 
creating a graph of processes performed by a computer system using edges of the processes and metadata comprising properties or artifacts of the edges or processes (Muddu, Para. 0214, some implementations of the relationship graph generator 810 generate a single relationship graph for each event), the edges identify a connection between a parent process and a child process (Muddu, Para. 0214, each node in the relationship graph represents one of the entities involved in the event, and each edge represents a relationship between two of the entities); and detecting anomalous parent-child process chains of the processes by (Muddu, Para. 0523, a profiling window of successive prediction can be used to build the baseline prediction profile (e.g., for a specific entity, to learn that how many unusual events per window for the specific entity is consider normal)): 
assigning edge weights to the edges of the processes using a supervised learning process that has been trained to identify malicious edges and benign edges to create a weighted graph (Muddu, Para. 0588, for each node, the machine learning model 6300 keeps 15% of the weight value at the node and then equally distributes the remainder of the weight values along the edges to other nodes), the edge weights comprising predicted class probabilities that are indicative of the processes being malicious (Muddu, Para. 0579, The machine learning model calculates the anomaly score as, e.g., 0.355, by summing the similarity score difference of 0.255 and an extra weight of 0.1 in recognition that the network device 6424 is a server of high importance); 
Muddu fails to disclose performing community detection on the weighted graph using an unsupervised learning technique to identify the anomalous parent-child process chains and determine a structure of a grouped attack technique of the anomalous parent-child process chains; and 
However, Badawy teaches performing community detection on the weighted graph using an unsupervised learning technique to identify the anomalous parent-child process chains and determine a structure of a grouped attack technique of the anomalous parent-child process chains (Badawy, Col. 24, lines 44-59, the community-detection or other clustering algorithm utilized in an embodiment may fall under the umbrella of what are usually termed unsupervised machine-learning and Col. 3, lines 40-59);
Muddu and Badawy are both considered to be analogous to the claimed invention because they are in the same field of creating a relationship graph and detecting malicious edges and benign edges. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Muddu to incorporate the teachings of Badawy to include performing community detection on the weighted graph using an unsupervised learning technique to identify the anomalous parent-child process chains and determine a structure of a grouped attack technique of the anomalous parent-child process chains (Badawy, Col. 24, lines 44-59). Doing so would aid in reducing the computational burden and memory requirements of systems implementing these embodiments through the improved data structures and the graph processing and analysis implemented by such embodiments (Badawy, Col. 14, lines 37-42).
Muddu and Badawy fail to teach generating an anomalous score for a parent-child process chain by combining a predicted class probability with a prevalence score that is indicative of how often a child process has been encountered as compared to other child processes relative to a parent process.
However, Bayliss teaches generating an anomalous score for a parent-child process chain by combining a predicted class probability with a prevalence score that is indicative of how often a child process has been encountered as compared to other child processes relative to a parent process (Bayliss, Col. 26, lines 6-19, suppose that a query value of "H" returns a score of 2 based on matches with records in the "First Name" field from a first child record in a hierarchy. Now, suppose that for a second child record, a query value of "Harold" returns a score of 9 in the "First Name" field).
Muddu, Badawy and Bayliss are all considered to be analogous to the claimed invention because they are in the same field of creating a relationship graph and detecting malicious edges and benign edges.
Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Muddu and Badawy to incorporate the teachings of Bayliss to include generating an anomalous score for a parent-child process chain by combining a predicted class probability with a prevalence score that is indicative of how often a child process has been encountered as compared to other child processes relative to a parent process (Bayliss, Col. 26, lines 6-19). Doing so would aid in determining linkages or relationships among the records. The "relationships" among the various records (nodes) may be represented (for illustration purposes) as connecting lines (edges), with line weights representing different types of relationships and/or weightings among field values of the database records (Bayliss, Col. 6, lines 41-48).
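Claims 8 and 10 above recite a greedy, modularity-driven assignment of processes to communities and an anomaly score that combines a predicted class probability with a prevalence score. The following Python is an added illustration written for this page; it is not code from the application or from Muddu, Badawy or Bayliss, and the process names, the per-edge probabilities (which stand in for a trained supervised model's output) and the 0.7/0.3 score mix are constructed assumptions.

```python
"""Greedy modularity communities and prevalence-weighted anomaly scores over a
parent-child process graph. Added illustration; every value below is constructed."""
from collections import Counter, defaultdict

# Constructed process-creation events: (parent, child, predicted class probability).
# The probability stands in for the claimed supervised edge model's output, which
# is not reproduced here; process names and numbers are invented for illustration.
EVENTS = (
    [("explorer.exe", "outlook.exe", 0.02)] * 2
    + [("explorer.exe", "chrome.exe", 0.01)] * 3
    + [("outlook.exe", "winword.exe", 0.05)] * 2
    + [("winword.exe", "splwow64.exe", 0.02)] * 4  # frequent child of winword
    + [("winword.exe", "cmd.exe", 0.85)]  # rare child with high probability
    + [("cmd.exe", "powershell.exe", 0.90)]
    + [("services.exe", "svchost.exe", 0.01)] * 3
    + [("svchost.exe", "wmiprvse.exe", 0.03)]
)


def edge_weights(events):
    """Mean predicted probability per distinct parent->child pair (the edge weight)."""
    total, count = defaultdict(float), Counter()
    for parent, child, prob in events:
        total[(parent, child)] += prob
        count[(parent, child)] += 1
    return {pair: total[pair] / count[pair] for pair in total}


def weighted_graph(weights):
    """Undirected weighted adjacency for modularity; direction stays in the pairs."""
    adj = defaultdict(dict)
    for (parent, child), w in weights.items():
        adj[parent][child] = adj[child][parent] = w
    return dict(adj)


def modularity(adj, membership):
    """Newman weighted modularity Q of the partition described by membership."""
    degree = {v: sum(adj[v].values()) for v in adj}
    two_m = sum(degree.values())
    q = 0.0
    for i in adj:
        for j in adj:
            if membership[i] == membership[j]:
                q += adj[i].get(j, 0.0) - degree[i] * degree[j] / two_m
    return q / two_m


def greedy_communities(adj):
    """Local-move phase of a Louvain-style greedy: each node joins the neighbouring
    community with the largest positive modularity gain; repeat until stable."""
    membership = {v: v for v in adj}  # start with singleton communities
    moved = True
    while moved:
        moved = False
        for node in sorted(adj):
            current = membership[node]
            base = modularity(adj, membership)
            best_gain, best_label = 1e-12, current
            for label in sorted({membership[n] for n in adj[node]} - {current}):
                membership[node] = label
                gain = modularity(adj, membership) - base
                if gain > best_gain:
                    best_gain, best_label = gain, label
            membership[node] = best_label
            moved = moved or best_label != current
    groups = defaultdict(set)
    for v, label in membership.items():
        groups[label].add(v)
    return [frozenset(g) for g in groups.values()]


def prevalence_scores(events):
    """Share of a parent's observed child launches that were this child."""
    pairs = Counter((p, c) for p, c, _ in events)
    parents = Counter(p for p, _, _ in events)
    return {pair: n / parents[pair[0]] for pair, n in pairs.items()}


def anomaly_scores(events, w_prob=0.7, w_rare=0.3):
    """Combine class probability with rarity (1 - prevalence). The 0.7/0.3 mix is
    an assumed choice for this illustration, not one the Office Action states."""
    weights, prevalence = edge_weights(events), prevalence_scores(events)
    return {pair: w_prob * weights[pair] + w_rare * (1.0 - prevalence[pair])
            for pair in weights}


def rank_communities(events):
    """Communities ordered by their most anomalous internal edge, highest first."""
    scores = anomaly_scores(events)
    groups = greedy_communities(weighted_graph(edge_weights(events)))
    ranked = [(max((s for (p, c), s in scores.items() if p in g and c in g),
                   default=0.0), sorted(g)) for g in groups]
    return sorted(ranked, reverse=True)


if __name__ == "__main__":
    for score, members in rank_communities(EVENTS):
        print(f"{score:.3f}  {' '.join(members)}")
```

On the constructed events the greedy pass converges to three communities, and the winword/cmd/powershell group ranks first because its rare, high-probability winword.exe to cmd.exe edge scores far above the common splwow64.exe launches from the same parent.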

In regards to claim 11, the combination of Muddu and Badawy in view of Bayliss teaches the method according to claim 10, further comprising determining a structure of a grouped attack technique of the anomalous parent-child process chains (Muddu, Para. 624, such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service attack. An exploit chain typically involves patterns in the sequencing of communications).  

In regards to claim 12, the combination of Muddu and Badawy in view of Bayliss teaches the method according to claim 10, wherein the supervised learning process determines the edge weights from any one or more of: a time difference between creation and termination of a process; one-hot encoding of a child process and a parent process; a determination as to whether the process is signed; a determination as to whether the process is elevated; a determination as to whether the process is running as a system; a parent-child user mismatch; entropy of a process name; entropy of a command line argument; and/or term frequency-inverse document frequency analysis of the command line argument (Muddu, para. 0622, the machine-generated nature of a character-based identifier is a high degree of entropy or randomness in the sequencing of characters. One way to analyze the entropy or randomness in the characters is through an n-gram analysis).    

In regards to claim 13, the combination of Muddu and Badawy in view of Bayliss teaches the method according to claim 10, wherein the unsupervised learning technique assigns each of the processes: using a greedy assignment of the processes from a community to a neighboring community to determine changes in modularity (Badawy, Col. 24, lines 24-35, For example, setting an empirical low threshold for modularity, with combined user alerts, could serve as a warning for deteriorating quality of peer groups or the identity graph); and for each of the processes, determining a maximum change in the modularity and placing a process of the process into a corresponding community (Badawy, Col. 24, lines 60-67, and Col. 25, lines 1-2, This newly pruned identity graph can then be clustered into new peer groups of identities or entitlements at step 240 and a peer group assessment metric determined at step 250 based on the newly pruned identity graph or the newly determined peer groups). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Muddu and Bayliss to incorporate the teachings of Badawy to include using a greedy assignment of the processes from a community to a neighboring community to determine changes in modularity (Badawy, Col. 24, lines 24-35); and for each of the processes, determining a maximum change in the modularity and placing a process of the process into a corresponding community (Badawy, Col. 24, lines 60-67, and Col. 25, lines 1-2). Doing so would aid in reducing the computational burden and memory requirements of systems implementing these embodiments through the improved data structures and the graph processing and analysis implemented by such embodiments (Badawy, Col. 14, lines 37-42).

In regards to claim 15, the combination of Muddu and Badawy in view of Bayliss teaches the method according to claim 14, further comprising determining a prevalence score for a parent-child process chain that is indicative of how often the child process has been encountered as compared to other child processes relative to the parent process (Bayliss, Col. 26, lines 6-19, suppose that a query value of "H" returns a score of 2 based on matches with records in the "First Name" field from a first child record in a hierarchy. Now, suppose that for a second child record, a query value of "Harold" returns a score of 9 in the "First Name" field). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Muddu and Badawy to incorporate the teachings of Bayliss to include determining a prevalence score for a parent-child process chain that is indicative of how often the child process has been encountered as compared to other child processes relative to the parent process (Bayliss, Col. 26, lines 6-19). Doing so would aid in determining linkages or relationships among the records. The "relationships" among the various records (nodes) may be represented (for illustration purposes) as connecting lines (edges), with line weights representing different types of relationships and/or weightings among field values of the database records (Bayliss, Col. 6, lines 41-48).

In regards to claim 16, the combination of Muddu and Badawy in view of Bayliss teaches the method according to claim 10, wherein the graph is a directed acyclical graph (Muddu, Para. 0311, The topology-based assignments maintain a directed acyclical graph (DAG) structure that allows for dynamic execution of model-specific process threads and management of the input data dependencies of these model-specific process threads).  

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al. (US 2020/0021607 A1), hereinafter Muddu, in view of Badawy et al. (US 10,938,828 B1), hereinafter Badawy, in view of Bayliss (US 9,836,524 B2), and further in view of Sawal et al. (US 2017/0109356 A1), hereinafter Sawal.

In regards to claim 14, the combination of Muddu, Badawy and Bayliss fails to teach the method according to claim 13, further comprising applying a term frequency-inverse document frequency analysis of the command line arguments.
However, Sawal teaches applying a term frequency-inverse document frequency analysis of the command line arguments (Sawal, Para. 0039, a command template database is consulted in a command generation system for suggesting a command for a particular product. In embodiments, a term frequency/inverse document frequency (TF/IDF)-based ranking function is used to get the most relevant match for an input. In embodiments, the APACHE LUCENE index engine may be used to index commands (e.g., CLIs and REST APIs) for template lookup). 
Muddu, Badawy, Bayliss, and Sawal are all considered to be analogous to the claim invention because they are in the same field of creating a relationship graph and detecting malicious edges and benign edges.
Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Muddu, Badawy and Bayliss to incorporate the teachings of Sawal to include applying a term frequency-inverse document frequency analysis of the command line arguments (Sawal, Para. 0039). Doing so would make the systems easier and more intuitive, which improves the likelihood that the network will be configured correctly, that fewer errors will be made, and that problems will be resolved more quickly (Sawal, Para. 0008).
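As an added illustration for the reader, not part of this Office Action, the application, or any cited reference, the following Python computes the two quantities recited in claim 15 (a prevalence score for a parent-child process chain) and claim 14 (a term frequency-inverse document frequency analysis of command line arguments) over constructed process telemetry. The concrete definitions are the example's own assumptions, not language from the claims or references: prevalence is taken as the share of a parent image's observed launches that spawned a given child image, TF-IDF uses raw term counts with idf = ln(N / df), and arguments are split on whitespace with the image name dropped.

```python
"""Added illustration (not from the application or any cited reference):
two rarity scores over constructed parent/child process telemetry.

1. prevalence_scores: for each (parent, child) chain, the share of the parent's
   observed child launches that were this child image (assumed definition).
2. tfidf_scores: term frequency-inverse document frequency over command-line
   arguments, treating each launch as a document and each argument as a term
   (assumed definition: raw counts, idf = ln(N / df)).
"""
from collections import Counter
import math

# Constructed sample telemetry: (parent image, child image, child command line).
EVENTS = [
    ("explorer.exe", "chrome.exe", "chrome.exe --type=renderer"),
    ("explorer.exe", "chrome.exe", "chrome.exe --type=renderer"),
    ("explorer.exe", "chrome.exe", "chrome.exe --type=renderer"),
    ("explorer.exe", "outlook.exe", "outlook.exe /recycle"),
    ("winword.exe", "powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ("winword.exe", "splwow64.exe", "splwow64.exe 12288"),
    ("winword.exe", "splwow64.exe", "splwow64.exe 12288"),
    ("winword.exe", "splwow64.exe", "splwow64.exe 12288"),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("services.exe", "svchost.exe", "svchost.exe -k LocalService"),
]


def prevalence_scores(events):
    """Map (parent, child) -> fraction of the parent's launches that spawned this
    child. 1.0 means the parent was only ever seen spawning this child; a low
    value marks a chain that is rare for that particular parent."""
    launches_per_parent = Counter(parent for parent, _, _ in events)
    launches_per_chain = Counter((parent, child) for parent, child, _ in events)
    return {
        chain: count / launches_per_parent[chain[0]]
        for chain, count in launches_per_chain.items()
    }


def arguments(cmdline):
    """Split a command line on whitespace, drop the image name, lower-case the
    rest. Deliberately simple: no quoting rules, no flag/value splitting."""
    return cmdline.lower().split()[1:]


def idf_scores(events):
    """Inverse document frequency per argument: ln(N / df), where N is the number
    of launches and df the number of launches whose arguments contain the term."""
    docs = [arguments(cmdline) for _, _, cmdline in events]
    df = Counter()
    for terms in docs:
        df.update(set(terms))  # count each term once per launch
    n_docs = len(docs)
    return {term: math.log(n_docs / count) for term, count in df.items()}


def tfidf_scores(events):
    """Map each distinct command line -> sum over its arguments of tf * idf, with
    tf the raw count of the argument in that command line. Long command lines
    built from rare arguments score highest; a command line made only of
    arguments present in every launch scores 0."""
    idf = idf_scores(events)
    scores = {}
    for _, _, cmdline in events:
        if cmdline in scores:
            continue
        tf = Counter(arguments(cmdline))
        scores[cmdline] = sum(count * idf[term] for term, count in tf.items())
    return scores


def rank_events(events):
    """Order distinct launches from most to least unusual: prevalence ascending,
    then tf-idf descending. Returns (prevalence, tfidf, parent, child, cmdline)."""
    prevalence = prevalence_scores(events)
    tfidf = tfidf_scores(events)
    distinct = {(prevalence[(p, c)], -tfidf[cl], p, c, cl) for p, c, cl in events}
    return [(pv, -neg, p, c, cl) for pv, neg, p, c, cl in sorted(distinct)]


if __name__ == "__main__":
    for pv, score, parent, child, cmdline in rank_events(EVENTS):
        print(f"{pv:.2f}  {score:5.2f}  {parent} -> {child}: {cmdline}")
```

On the constructed data the winword.exe -> powershell.exe launch ranks first: its chain accounts for only a quarter of winword.exe's launches, and every one of its five arguments occurs in a single launch, so the summed tf-idf is the largest in the set. Two caveats worth noting: prevalence is relative to the parent, so a parent seen only a few times gives coarse scores (services.exe -> svchost.exe scores 1.0 regardless of how common it is globally), and summing tf-idf rewards long argument lists, so a length-normalised variant would rank differently.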

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al. (US 2020/0021607 A1), hereinafter Muddu in view of Badawy et al. (US 10,938,828 B1), hereinafter Badawy in view of Bayliss (US 9,836,524 B2) and further in view of McLane et al. (US 2019/0007433 A1), hereinafter McLane.

In regards to claim 17, the combination of Muddu, Badawy and Bayliss fails to teach the method according to claim 10, wherein the supervised learning process is a gradient boosted trees model, and the edge weights are assigned by predicting a class probability for the edges that are identified as malicious edges by the supervised learning process.
However, McLane teaches wherein the supervised learning process is a gradient boosted trees model, and the edge weights are assigned by predicting a class probability for the edges that are identified as malicious edges by the supervised learning process (McLane, Paras. 0003 and 0089, in this example, the configuration of the decision tree is trained (e.g., using a gradient descent process), based on features associated with training data (e.g., the set of malware containing files, the set of non-malware containing files, and classification information associated with each file) to identify patterns in the features that correspond to malware and patterns in the features that correspond to non-malware. Subsequently, to determine whether a new file includes malware). 
Muddu, Badawy, Bayliss and McLane are all considered to be analogous to the claim invention because they are in the same field of creating a relationship graph and detecting malicious edges and benign edges.
Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Muddu, Badawy and Bayliss to incorporate the teachings of McLane to include wherein the supervised learning process is a gradient boosted trees model, and the edge weights are assigned by predicting a class probability for the edges that are identified as malicious edges by the supervised learning process (McLane, Paras. 0003 and 0089). Doing so would enable the file classifier to identify malware that has not been specifically used to train the file classifier. For example, a trained file classifier may be able to identify files that contain so-called “zero day” malware (McLane, Para. 0006).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
Zadeh et al. (US 10,237,294 B1) teaches techniques for analyzing data regarding activity in an IT environment to determine information regarding the entities associated with the activity and using the information to detect anomalous activity that may be indicative of malicious activity.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GITA FARAMARZI whose telephone number is (571) 272-0248. The examiner can normally be reached 9:30 AM - 6:30 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/G.F./
Examiner, Art Unit 2496
/JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496