DETAILED ACTION
Claims 1-15 are presented for examination.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant's arguments filed 05/11/2022 have been fully considered but they are not persuasive. The reasons set forth below.
The Applicant argues:
(1)	Milajerdi fails to teach the authentication graph module that generates network-level authentication logs and an authentication graph, as required by claim 1, [Remarks, pages 5-6].
The Examiner respectfully disagrees with these arguments.

As per the first argument
As indicated in the previous rejection and below, Milajerdi discloses a log receiving module [fig. 6, page 1140, Section IV (A. Data Collection and Representation), page 1143, a log receiving module (Stream Processor)] configured to receive a first plurality of network-level authentication logs having unique identifiers associated with users and services in a network and source Internet-Protocol addresses of a plurality of requesting entities, and a second plurality of network-level authentication logs having unique identifiers associated with a plurality of authentication events subject to an anomaly detection [fig. 2, 6, table 4, page 1137, Section I “Introduction”, page 1139, Section III, page 1140, Section IV (A. Data Collection and Representation), page 1141, (B. TTP Specification), page 1145, Section VI (A. Datasets), page 1146, (D. Attack Scenarios), a log receiving module configured to receive a first plurality of network-level authentication logs having unique identifiers associated with users and services in a network and source Internet-Protocol addresses of a plurality of requesting entities (benign audit data; collect log events and alerts; hundreds of APT reports; low-level audit events), and a second plurality of network-level authentication logs having unique identifiers associated with a plurality of authentication events subject to an anomaly detection (collect log events and alerts; hundreds of APT reports; low-level audit events and high-level APT; IP Addresses; trusted/untrusted IP addresses)]; an authentication graph module [fig. 2, 6, page 1143, an authentication graph module (provenance graph)] configured to generate, according to the first plurality of network-level authentication logs, an authentication graph, wherein the authentication graph is a graph with a node type mapping and an edge type mapping [fig. 2, 6, page 1138, Section Il, page 1140, Section Ill, Section IV (A. Data Collection and Representation), page 1147, Section VI (F. Performance), generate, according to the first plurality of network-level  authentication logs, an authentication graph, wherein the authentication graph is a graph with a node type mapping and an edge type mapping (construct a provenance graph; nodes and edges in the provenance graph)].
  
Regarding generate, an authentication graph, wherein the authentication graph is a graph with a node type mapping and an edge type mapping, Milajerdi discloses in Figure 6, Table 11, pages 1140, 1142, 1145.


    PNG
    media_image1.png
    162
    607
    media_image1.png
    Greyscale
 

Fig. 6 shows the architecture  to generate a high-level graph that summarizes the attacker’s actions in real-time.


    PNG
    media_image2.png
    124
    291
    media_image2.png
    Greyscale


TABLE 11. Scores Assigned to Attack Scenarios. L = Low, M = Moderate, H = High, C = Critical. Note: for each scenario, Highest Benign Score in Dataset is the highest threat score assigned to benign background activities streamed during the audit log collection of a host

[page 1140] … We solve these challenges through several design innovations. For efficient matching, we use a representation of the audit logs as a directed provenance graph (Section IV) in main memory, which allows for efficient matching. This graph also encodes the information flow dependencies that exist between system entities (such as processes and files). TTPs are specified as patterns that leverage these dependencies. For instance, in order to match a maintain persistence TTP, an information flow dependency must exist from a process matching an initial compromise TTP to the maintain persistence TTP. For detecting correlations between attack steps, we build a High-level Scenario Graph (HSG) as an abstraction over the provenance graph. Each node in the HSG represents a matched TTP, while the edges represent information flow and causality dependencies among those matched TTPs. An HSG is illustrated in the middle layer of Fig. 3 by nodes and edges in boldface. (We refer the reader to Fig. 5 for the HSG of the running example.) To determine the edges among nodes in the HSG, use the prerequisite-consequence patterns of among the TTPs and the APT stages.
… The data is represented as a graph that we call the provenance graph. The general structure of this graph is similar to that of many previous forensic analysis works [27], [34], [39]: the nodes of the graph include subjects (processes) and objects (files, pipes, sockets) and the edges denote the dependencies between these entities and are annotated with event names. There are some important differences as well: our subjects, as well as objects, are versioned. A new version of a node is created before adding an incoming edge if this edge changes the existing dependencies (i.e., the set of ancestor nodes) of the node. Versioning enables optimizations that can prune away a large fraction of events in the audit log without changing

[page 1142] … One of the challenges in the analysis of audit logs for attack detection and forensics is the presence of noise, i.e., benign events matching TTP rules. Long-living processes such as browsers, web servers, and SSH daemons trigger TTP matches from time to time. To cut down these false positives, we incorporate noise reduction rules based on training data. We leverage two notions: (1) benign prerequisite matches and (2) benign data flow quantity

[page 1145] … Attacks. The datasets we used for evaluation are summarized in Table 10. This table shows nine APT scenarios from 7 hosts across three OS platforms. There are three scenarios for each platform. Collectively, the streams cover 20 days’ worth of audit logs collected using auditd, dtrace, and ETW from Ubuntu, FreeBSD, and Microsoft Windows, respectively. Each stream contains kernel audit logs of routine system activities and attack activities. Attacks constitute less than 0.001% of the audit data volume. Streams 5 and 7 each contain two independent APT attacks, while the remaining streams contain one APT attack each.

In other words, Milajerdi discloses generating a graph (provenance graph), comprising nodes of the HSG correspond to TTPs, and the edges represent information flows between entities involved in the TTPs.

Therefore, given that Milajerdi discloses generating a graph (provenance graph), comprising nodes, and the edges represent information flows between entities involved in the TTPs, then Milajerdi clearly discloses generate, an authentication graph, wherein the authentication graph is a graph with a node type mapping and an edge type mapping.

In response to applicant's argument that the references fail to show certain features of applicant’s invention, it is noted that the features upon which applicant relies (i.e., lateral movement) are not recited in the rejected claim(s).  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). In this case, the Specification discloses “Lateral movement is defined as a malicious path”, Milajerdi discloses assign weights to nodes and paths in the graph based on their severity [page 1140, 1142, (prioritizing attacker influenced flows)].

In response to applicant's argument that the references fail to show certain features of applicant’s invention, it is noted that the features upon which applicant relies (i.e., training a graph machine learning model via a random- walks and continuous-bag-of-words embedding on the authentication graph data structure) are not recited in the rejected claim(s).  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). In this case, Milajerdi discloses assign reduction rules based on training data [page 1142]. Furthermore, Muddu teaches a machine learning model can have different phases, for example, a training phase [paragraphs 0233, 0237, 0277].

Regarding the dependent claims 2-15, Applicant has not made specific arguments pertaining to why the cited references do not teach the recited claims. Without such arguments, the Examiner cannot respond and is not persuaded by such argument.

In view of above, it is clear that the system/methods of the cited art disclose the claimed invention.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-15 is/are rejected under 35 U.S.C. 103 as being unpatentable over in Milajerdi et al., (hereinafter Milajerdi), NPL “HOLMES: Real-time APT Detection through Correlation of Suspicious Information Flows” (IDS 12/30/2020), view of Muddu et al., (hereinafter Muddu), U.S. Publication No. 2017/0063886.

As per claim 1, Milajerdi discloses a system [Abstract, page 4, a system], comprising: 
a log receiving module [fig. 6, page 1140, Section IV (A. Data Collection and Representation), page 1143, a log receiving module (Stream Processor)] configured to receive a first plurality of network-level authentication logs having unique identifiers associated with users and services in a network and source Internet-Protocol addresses of a plurality of requesting entities, and a second plurality of network-level authentication logs having unique identifiers associated with a plurality of authentication events subject to an anomaly detection [fig. 2, 6, table 4, page 1137, Section I “Introduction”, page 1139, Section III, page 1140, Section IV (A. Data Collection and Representation), page 1141, (B. TTP Specification), page 1145, Section VI (A. Datasets), page 1146, (D. Attack Scenarios), a log receiving module configured to receive a first plurality of network-level authentication logs having unique identifiers associated with users and services in a network and source Internet-Protocol addresses of a plurality of requesting entities (benign audit data; collect log events and alerts; hundreds of APT reports; low-level audit events), and a second plurality of network-level authentication logs having unique identifiers associated with a plurality of authentication events subject to an anomaly detection (collect log events and alerts; hundreds of APT reports; low-level audit events and high-level APT; IP Addresses; trusted/untrusted IP addresses)]; 
an authentication graph module [fig. 2, 6, page 1143, an authentication graph module (provenance graph)] configured to generate, according to the first plurality of network-level authentication logs, an authentication graph, wherein the authentication graph is a graph with a node type mapping and an edge type mapping [fig. 2, 6, page 1138, Section II, page 1140, Section III, Section IV (A. Data Collection and Representation),  page 1147,  Section VI (F. Performance), generate, according to the first plurality of network-level authentication logs, an authentication graph, wherein the authentication graph is a graph with a node type mapping and an edge type mapping (construct a provenance graph; nodes and edges in the provenance graph)]; 
a sampling module configured to sample the authentication graph to generate a plurality of node sequences each including a sequence of nodes [fig. 6, page 1138, page 1139, page 1143, (F. Signal Correlation and Detection), page 1147, (E. Finding the Optimal Threshold Value), a sampling module configured to sample the authentication graph to generate a plurality of node sequences each including a sequence of nodes (information flows between entities; relationships and information flows; a small subset of activities in the audit log)]; and 
an embedding module configured to tune a plurality of node embeddings according to the plurality of node sequences, wherein each node embedding is a vector representation for a node [fig. 3, 5, 6, page 1140, page 1143, table 11, table 8, page 1144, an embedding module configured to tune a plurality of node embeddings according to the plurality of node sequences, wherein each node embedding is a vector representation for a node (entry in the converted threat tuple; attack vectors)]; 
an anomaly detection module [fig. 6, an anomaly detection module (detection engine)] configured to perform anomaly detection according to the link prediction [fig. 6, page 1138, page 1139, page 1143, page 1145, page 1147, page 1148, Section  VII, an anomaly detection module configured to perform anomaly detection according to the link prediction (detection engine; audit logs for attack detection)].
Milajerdi discloses events subject to the anomaly detection [page 1138, 1148, events subject to the anomaly detection (detecting low-level events associated with APT steps and linking them using information flow)]. Milajerdi does not explicitly a training module configured to train a link predictor according to the plurality of node embeddings and ground-truth edge information from the authentication graph; a link prediction module configured to apply the link predictor to perform a link prediction on each of the plurality of authentication events subject to the anomaly detection.
However, Muddu teaches a training module configured to train a link predictor according to the plurality of node embeddings and ground-truth edge information from the authentication graph [fig. 10, 16, paragraphs 0233, 0234, 0294, 0352, 0521, a training module configured to train a link predictor according to the plurality of node embeddings and ground-truth edge information from the authentication graph (training phase; model … better trained about the probability of association between the user and the machine identifiers…creates a probabilistic graph … can include peripheral nodes, a center node, and edges)]; a link prediction module configured to apply the link predictor to perform a link prediction on each of the plurality of authentication events subject to the anomaly detection [paragraphs 0149, 0151, 0519, 0521, 0524, 0528, 0640, a link prediction module configured to apply the link predictor to perform a link prediction on each of the plurality of authentication events subject to the anomaly detection (anomalies and threats detected; prediction model, which may be customized for detecting abnormal entity behaviors)].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to improve upon the system described in Milajerdi by performing a link prediction on each of the plurality of authentication events subject to the anomaly detection as taught by Muddu because it would provide the Milajerdi's system with the enhanced capability of detecting malware efficiently [Muddu, paragraphs 0363, 0524, 0545, 0644].

As per claim 2, Milajerdi discloses the system of claim 1, Milajerdi does not explicitly wherein the log receiving module is configured to: receive the first plurality of network-level authentication logs in an offline stage; and receive the second plurality of network-level authentication logs in an online stage.
However, Muddu teaches wherein the log receiving module is configured to: receive the first plurality of network-level authentication logs in an offline stage; and receive the second plurality of network-level authentication logs in an online stage [paragraphs 0233, 0260, 0269, wherein the log receiving module is configured to: receive the first plurality of network-level authentication logs in an offline stage; and receive the second plurality of network-level authentication logs in an online stage (track the user sessions based on login/logout events; login/logout events or events that indicate possible connection between two sessions)].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to improve upon the system described in Milajerdi by performing a link prediction on each of the plurality of authentication events subject to the anomaly detection as taught by Muddu because it would provide the Milajerdi's system with the enhanced capability of detecting malware efficiently [Muddu, paragraphs 0363, 0524, 0545, 0644].

As per claim 3, Milajerdi discloses the system of claim 1, 
wherein the authentication graph includes nodes that represent authenticating entities, and edges that represent authentication events [fig. 2, 3, 6, page 1138, page 1140, Section IV,  page 1142, page 1145, page 1146, wherein the authentication graph includes nodes that represent authenticating entities, and edges that represent authentication events (trusted entitites; benign activities in the audit log; nodes and edges in the provenance graph)].

As per claim 4, Milajerdi discloses the system of claim 3, 
wherein the authenticating entities include machines, users, and/or software [fig. 2, 3, 6, page 1138, page 1140, Section IV,  page 1142, page 1145, page 1146, wherein the authenticating entities include machines, users, and/or software (wherein the authenticating entities include machines, users, and/or software; Entity types are shown by the characters: P=Process, F=File, S=Socket, M=Memory, U=User)].

As per claim 5, Milajerdi discloses the system of claim 1, 
wherein the vector representation for each node captures degree of behavior of each node within the network as a whole [table 10, table 11, page 1140, 1143, wherein the vector representation for each node captures degree of behavior of each node within the network as a whole (assign weights to nodes and paths in the graph based on their severity; analysis of whole-system provenance)].

As per claim 6, Milajerdi discloses the system of claim 1, 
wherein the plurality of node embeddings are in a high-dimensional embedding space having the number of dimensions equal to or greater than 128 [fig. 9, 15, page 1142, 1143, 1147, wherein the plurality of node embeddings are in a high-dimensional embedding space having the number of dimensions equal to or greater than 128 (graph size ratio measured in edges is 1875:1, i.e., an 1875-fold reduction is achieved in the process of mapping from the provenance graph)].

As per claim 7, Milajerdi discloses the system of claim 1, 
wherein the training module is configured to train the link predictor according to a dataset of true edge embeddings and a dataset of false edge embeddings from the ground-truth edge information [fig. 6, page 1139, 1140, 1142, 1148, 1149, wherein the training module is configured to train the link predictor according to a dataset of true edge embeddings and a dataset of false edge embeddings from the ground-truth edge information (successfully detects APT campaigns with high precision and low false alarm rates)].

As per claim 8, Milajerdi discloses the system of claim 1, 
wherein the link prediction module is configured to apply the link predictor to each of the plurality of authentication events subject to an anomaly detection to obtain a probability value of each of the plurality of the authentication event [page 1141, page 1143, page 1145-page 1148, wherein the link prediction module is configured to apply the link predictor to each of the plurality of authentication events subject to an anomaly detection to obtain a probability value of each of the plurality of the authentication event (mapping between low-level audit events and high-level APT steps; detection threshold)].

As per claim 9, Milajerdi discloses the system of claim 8, Milajerdi does not explicitly wherein the plurality of authentication events subject to an anomaly detection are extracted and parsed into a set of edges between authenticating entities.
However, Muddu teaches wherein the plurality of authentication events subject to an anomaly detection are extracted and parsed into a set of edges between authenticating entities [paragraphs 0166, 0167, 0209, 0218, wherein the plurality of authentication events subject to an anomaly detection are extracted and parsed into a set of edges between authenticating entities (connector can parse the file with a parser that corresponds to the file's data format, and extract only the time from the even)].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to improve upon the system described in Milajerdi by including an anomaly detection are extracted and parsed into a set of edges as taught by Muddu because it would provide the Milajerdi's system with the enhanced capability of detecting malware efficiently [Muddu, paragraphs 0363, 0524, 0545, 0644].

As per claim 10, Milajerdi discloses the system of claim 9, further comprising 
a lookup module configured to perform an embedding lookup for the node embeddings for the authenticating entities [page 1142, 1147, a lookup module configured to perform an embedding lookup for the node embeddings for the authenticating entities (respond to attacks embedded within a predominantly benign stream of events, we evaluated it as a live detection system)].

As per claim 11, Milajerdi discloses the system of claim 8, the anomaly detection module is configured to: 
in response to the probability value being less than a threshold, determine that an anomaly is detected; and in response to the probability value being equal to or greater than the threshold, determine that the anomaly is not detected [page 1141, page 1143, page 1145-page 1148, in response to the probability value being less than a threshold, determine that an anomaly is detected; and in response to the probability value being equal to or greater than the threshold, determine that the anomaly is not detected (mapping between low-level audit events and high-level APT steps; detection threshold)].

As per claim 12, Milajerdi discloses the system of claim 11, 
wherein the threshold is approximately 10% [fig. 18, table 7, page 1141, page 1143, page 1145, page 1147, page 1148, wherein the threshold is approximately 10% (less than a specified threshold)].

As per claim 13, Milajerdi discloses the system of claim 11, 
wherein the anomaly detection module is further configured to generate an anomaly graph containing information about anomalous authentication events [fig. 6, page 1138, page 1140, page 1141, page 1147, wherein the anomaly detection module is further configured to generate an anomaly graph containing information about anomalous authentication events (nodes and edges in the provenance graph; a clear distinction between attack and benign subgraphs in the tested datasets)].

As per claim 14, Milajerdi discloses the system of claim 13, further comprising 
a security investigation module configured to forward the authentication event having a probability value below the threshold to security experts for investigation [fig. 18, table 7, page 1141, page 1143, page 1145, page 1147, page 1148, a security investigation module configured to forward the authentication event having a probability value below the threshold to security experts for investigation (less than a specified threshold)].

As per claim 15, Milajerdi discloses the system of claim 1, 
wherein the sampling module is configured to sample the authentication graph via unbiased, fixed-length random walks [table 7, page 1142, page 1143, page 1147, wherein the sampling module is configured to sample the authentication graph via unbiased, fixed-length random walks (threat tuple; graph size ratio)].



Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Ouyang et al., U.S. Patent No. 11,270,185, discloses a predictive model such as continuous-bag-of-words (CBOW). 
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JACKIE ZUNIGA ABAD whose telephone number is (571)270-7194. The examiner can normally be reached Monday - Friday, 8:00am - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, IAN MOORE can be reached on 571-272-3085. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/JACKIE ZUNIGA ABAD/           Primary Examiner, Art Unit 2469