Prosecution Insights
Last updated: April 18, 2026
Application No. 17/480,012

GRAPH NEURAL NETWORK (GNN) TRAINING USING META-PATH NEIGHBOR SAMPLING AND CONTRASTIVE LEARNING

Status: Final Rejection (§103, §112)
Filed: Sep 20, 2021
Examiner: BEAN, GRIFFIN TANNER
Art Unit: 2121
Tech Center: 2100 — Computer Architecture & Software
Assignee: International Business Machines Corporation
OA Round: 4 (Final)
Grant Probability: 21% (At Risk)
OA Rounds: 5-6
To Grant: 4y 4m
With Interview: 50%

Examiner Intelligence

Grants only 21% of cases
Career Allow Rate: 21% (4 granted / 19 resolved, -33.9% vs TC avg)
Strong +28% interview lift
Interview Lift: +28.4% (resolved cases with interview)
Typical timeline
Avg Prosecution: 4y 4m (45 currently pending)
Career history
Total Applications: 64 (across all art units)

Statute-Specific Performance

§101: 37.7% (-2.3% vs TC avg)
§103: 40.4% (+0.4% vs TC avg)
§102: 11.2% (-28.8% vs TC avg)
§112: 9.7% (-30.3% vs TC avg)
Based on career data from 19 resolved cases

Office Action

DETAILED ACTION

This Action is responsive to claims filed 10/10/2025.

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claims 1, 8, and 15 have been amended. Claims 1-21 are pending.

Response to Arguments

Applicant’s arguments, see Pages 11-20, filed 10/10/2025, with respect to Claims 1-21 have been fully considered and are persuasive. The 35 U.S.C. 101 Rejection of Claims 1-21 has been withdrawn.

Applicant’s arguments with respect to the 35 U.S.C. 103 Rejection(s) of claim(s) 1-21 have been fully considered but they are not persuasive. The Examiner submits that, even with the outstanding 35 U.S.C. 112(a) Rejection below, a combination of Chen, Yang, and Erdos continues to read broadly on the newly amended limitations.

Chen recites at least in “More specifically, the embodiments described herein can implement a heterogeneous graph matching framework that formulates malicious program detection as a heterogenous graph matching problem. For example, a heterogeneous invariant graph can be generated to capture interactions/dependencies between different pairs of system entities, and a program representation can be learned from the heterogeneous invariant graph.” (Column 3, Lines 58-65), which the Examiner submits broadly reads on a “subgraph matching function” and “performing…graph pattern matching…”

Chen also recites at least in “In one embodiment, performing the at least one corrective action can include transmitting the detection results to the computing system 102. For example, the detection results can be output as a visualization (e.g., a GUI), a program behavior report, etc. More specifically, the program behavior report can include any malicious program behaviors that were detected.
At least one end-user can utilize the results to determine the existence of an attack on the underlying computing system 102, and can thus seek to mitigate or prevent the attack from compromising data on the computing system 102. Other exemplary corrective actions that can be performed include, but are not limited to, changing a security setting for an application or hardware component, changing an operational parameter of an application or hardware component (e.g., an operating speed), halting and/or restarting an application, halting and/or rebooting a hardware component, changing an environmental condition, changing a network interface's status or settings, etc. Accordingly, the system 100 can automatically correct or mitigate unknown malicious program behavior.” (Column 5, Lines 7-27), which the Examiner submits broadly reads on the claimed remedial actions in response to malicious activity being detected. See the updated 35 U.S.C. 103 Rejection below.

Claim Rejections - 35 USC § 112

The following is a quotation of the first paragraph of 35 U.S.C. 112(a):

(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 1-21 rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.

Claims 1, 8, and 15 recite: “…wherein the process-centric subgraph comprises an attack subgraph matching function;” This is at odds with the Specification, which makes no mention of the process-centric subgraph being comprised of a function. Rather, the Specification recites “At step 1204, a process-centric subgraph is then built for each given process represented in the temporal graph. A process-centric subgraph typically comprises the events related to the given process.” The dependent claims do not rectify this issue, and are therefore similarly rejected.

Claim Rejections - 35 USC § 103

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:

1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.
Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claim(s) 1-21 are rejected under 35 U.S.C. 103 as being unpatentable over Chen (US 11,463,472 B2), hereinafter Chen, Erdos et al. (Reconstructing Graphs from Neighborhood Data, 2014), hereinafter Erdos, and Yang et al. (Heterogeneous Network Representation Learning: A Unified Framework With Survey and Benchmark, 2020), hereinafter Yang.

In regards to claim 1: The present application claims:

“A method to detect anomalous behavior in a computing system, comprising:” Chen teaches “A method for detecting malicious program behavior includes performing program verification based on system activity data, analyzing unverified program data identified from the program verification to detect abnormal events, including analyzing host-level events to detect abnormal host-level events…” (Abstract).

“building a process-centric subgraph for a given process represented within a temporal graph, wherein the process-centric subgraph comprises an attack subgraph matching function;” Chen teaches “From the graph G, a set of n meta-paths M = {M_1, M_2, ..., M_n} can be generated with each meta-path M_i representing a unique multi-hop relationship between two programs. For each meta-path M_i, a path-relevant neighbor set N_v^i of a node v can be defined as N_v^i = {u | (u, v) ∈ M_i, (v, u) ∈ M_i} where u is a reachable neighbor of v via the meta-path M_i. Accordingly, the subcomponent 510 finds path-relevant sets of neighbors under the guide of the meta-paths.” (Column 7, Lines 52-60).
Based on the Applicant’s Specification, it is assumed the process-centric subgraph is comprised of process events (“with each process-centric subgraph consisting of all events related to a given process represented by the subgraph”).

“performing, by the attack subgraph matching function, graph pattern matching between an evolving inter-process activity graph, and malicious behavior graph patterns, wherein the attack subgraph matching function searches for a graph substructure that matches the malicious behavior graph patterns stored in local cache;” Chen teaches “More specifically, the embodiments described herein can implement a heterogeneous graph matching framework that formulates malicious program detection as a heterogenous graph matching problem. For example, a heterogeneous invariant graph can be generated to capture interactions/dependencies between different pairs of system entities, and a program representation can be learned from the heterogeneous invariant graph.” (Column 3, Lines 58-65), which the Examiner submits broadly reads on a “subgraph matching function” and “performing…graph pattern matching…”

“responsive to a match being found between the graph substructure and the malicious behavior graph patterns, executing, by a called resilience function, a post-detection operations, wherein the post-detection operations comprise halting an involved processes, moving the involved processes to a sandbox for further evaluation, and dropping on-going network sessions;” Chen teaches “In one embodiment, performing the at least one corrective action can include transmitting the detection results to the computing system 102. For example, the detection results can be output as a visualization (e.g., a GUI), a program behavior report, etc. More specifically, the program behavior report can include any malicious program behaviors that were detected.
At least one end-user can utilize the results to determine the existence of an attack on the underlying computing system 102, and can thus seek to mitigate or prevent the attack from compromising data on the computing system 102. Other exemplary corrective actions that can be performed include, but are not limited to, changing a security setting for an application or hardware component, changing an operational parameter of an application or hardware component (e.g., an operating speed), halting and/or restarting an application, halting and/or rebooting a hardware component, changing an environmental condition, changing a network interface's status or settings, etc. Accordingly, the system 100 can automatically correct or mitigate unknown malicious program behavior.” (Column 5, Lines 7-27), which the Examiner submits broadly reads on the claimed remedial actions in response to malicious activity being detected.

“following training, receiving the temporal graph derived from system-generated events;” Chen teaches “More specifically, analyzing the host-level events at block 634 can include modeling system event data as an invariant graph to capture a program behavior profile. The invariant graph can be a heterogeneous graph between different system entities (e.g., processes, files and Internet sockets).” (Column 11, Lines 4-8, part of the loop of Figure 6).

“using the trained GNN to embed the temporal graph into a representation;” Chen teaches “…computing a nodewise attentional weight for each node in the path-relevant neighbor sets to generate node embeddings from different layers, aggregating the node embeddings toward a dense-connected node embedding, and automatically learning path-wise attentional weights for respective meta-paths to compute a joint embedding.” (Column 11, Lines 16-22).
“reconstructing the temporal graph with the set of atomic operations;” While Chen teaches “atomic operations” in “More formally, given the event data U across several machines within a time window (e.g., one day), each target program can be represented by a heterogeneous graph G = (V, E), in which V denotes a set of vertices or nodes. Each node can represent an entity. Examples of such entities can include, but are not limited to, processes, files, and Internet sockets, where P can denote the set of processes, F can denote the set of files and I can denote the set of Internet sockets. For example, V = P ∪ F ∪ I. E denotes a set of edges (dependencies) (v_s, v_d, r) between a source entity v_s and a destination entity v_d with relation r. The relation r corresponds to a causal dependency. Examples of relations include, but are not limited to, a process forking another process (P→P), a process accessing a file (P→F), and a process connecting to an Internet socket (P→I). [“atomic operations” as per Applicant’s specification Pages 33-34 include such chains of operations] Each graph can further be associated with an adjacency matrix A.” (Column 7) (The graph used in Chen is essentially the “reconstructed” graph of the instant application, since it already depicts the relations among entities as nodes and edges of the graph).

Chen fails to explicitly teach “reconstructing the temporal graph…” explicitly. However, Erdos teaches, in at least pages 1 and 2, reconstructing a graph from neighborhood information provided about a network. Both Columns 7 and 8 of Chen make numerous reference to the need and use of neighbor/neighborhood information, and column 9 references path-relevant neighbor sets. A cursory search shows anomaly detection often utilizes neighborhood information. Erdos shows the reconstructing of a graph from network information, such as the data received in Chen Fig.
6, item 610, would have been known in the art at the time of Chen’s writing, and would have been an obvious step to one combining Chen and Erdos for the invariant graph modeling (IGM) component (Fig. 4, item 410) performing anomaly detection while using neighbor/neighborhood information as Chen does.

“utilizing the atomic operations to train a graph neural network (GNN) in an unsupervised manner by applying contrastive representation learning on sets of positive samples and negative samples derived from one or more heterogeneous graphs using meta-path sampling;” While Chen teaches embedding entities and their interactions [atomic operations] into training data for the GNN (Columns 7 and 8), and a data collector for system activity data (Figure 2, 210) and an unknown malicious program detection component (Figure 3, 360, mapping to unsupervised manner) and “More specifically, the Siamese network can include two identical AHGNNs or HAGNEs to compute the program graph representation independently. Each AHGNN can receive a program graph snapshot and generate a corresponding program embedding hG.” (Column 9, Lines 53-57, training GNN, heterogeneous graphs) and “From the graph G, a set of n meta-paths M = {M_1, M_2, ..., M_n} can be generated with each meta-path M_i representing a unique multi-hop relationship between two programs.” (Column 7, Lines 52-54, meta-path sampling) and “For each meta-path M_i, a path-relevant neighbor set N_v^i of a node v can be defined as N_v^i = {u | (u, v) ∈ M_i, (v, u) ∈ M_i} where u is a reachable neighbor of v via the meta-path M_i.
Accordingly, the subcomponent 510 finds path-relevant sets of neighbors under the guide of the meta-paths.” (Column 7, Lines 55-60, deriving positive samples), Chen fails to explicitly teach “negative samples,” however, in the context of heterogeneous network representation learning, Yang teaches “HIN2Vec generates positive tuples (u; v; M) (i.e., u connects with v via the meta-path M) using homogeneous random walks [29] regardless of node/link types. For each positive tuple (u; v; M), it generates several negative tuples by replacing u with a random node u’.” (Page 4857, right column).

Yang highlights the wide usage of heterogeneous networks and representation learning for more powerful, realistic, and generic networks graphs for mining and analytical tasks (Abstract). It would have been obvious to one of ordinary skill in the art at the time of the applicant’s filing date to combine the anomaly detection system with algorithms of Yang to better represent the heterogeneous network in the anomaly detection system.

In regards to claim 2: The present application claims:

“wherein meta-path sampling identifies a meta-path in one of the heterogeneous graphs, wherein a meta-path is a sequence of edges connected a source node type to a target node type.” Chen teaches “As used herein, a meta-path is a path that connects different entity types via a sequence of relations in a heterogeneous graph. In a computer system, a meta-path could be, e.g., a process forking another process (P→P), two processes accessing a same file (P←F→P), two processes opening the same Internet socket (P←I→P), etc., with each one defining a unique relationship between two programs. From the graph G, a set of n meta-paths M = {M_1, M_2, ..., M_n} can be generated with each meta-path M_i representing a unique multi-hop relationship between two programs.” (Column 7, Lines 45-55).
In regards to claim 3: The present application claims:

“wherein the meta-path sampling minimizes embedding distance in a representation space between pairs of positive samples and maximizes embedding distance in the representation space between pairs of negative samples.” Chen teaches “The objective function 1 can be optimized using any suitable technique in accordance with the embodiments described herein. With the help of similarity learning, the parameters that keep similar embeddings closer can be learned while pushing dissimilar embeddings apart by directly optimizing the embedding distance.” (Column 10, Lines 18-24).

In regards to claim 4: The present application claims:

“wherein meta-path sampling generates the positive samples by traversing one or the heterogeneous graphs with respect to a specified node to reach one or more nodes that have a common node type to the specified node,” “and generates the negative samples by randomly choosing a node that has a different node type from the specified node.” While Chen teaches “As used herein, a meta-path is a path that connects different entity types via a sequence of relations in a heterogeneous graph. In a computer system, a meta-path could be, e.g., a process forking another process (P→P), two processes accessing a same file (P←F→P), two processes opening the same Internet socket (P←I→P), etc.” (Column 7, Lines 45-50, mapping to positive samples, by this description). Chen fails to explicitly teach the “negative samples,” however, in the context of heterogeneous network representation learning, Yang teaches “HIN2Vec generates positive tuples (u; v; M) (i.e., u connects with v via the meta-path M) using homogeneous random walks [29] regardless of node/link types. For each positive tuple (u; v; M), it generates several negative tuples by replacing u with a random node u’.” (Page 4857, right column).
In regards to claim 5: The present application claims:

“wherein the contrastive representation learning implements a loss function L =-log(Spos) - log(1 - Sneg), where Spos is the set of positive samples, and wherein Sneg is the set of negative samples.” Yang teaches “HIN2Vec generates positive tuples (u; v; M) (i.e., u connects with v via the meta-path M) using homogeneous random walks [29] regardless of node/link types. For each positive tuple (u; v; M), it generates several negative tuples by replacing u with a random node u’. Its objective is”

[Image in the original action: media_image1.png]

(Page 4857, right column).

In regards to claim 6: The present application claims:

“wherein the representations are vectors and comparing representations uses a fuzzy pattern match.” Chen teaches “where k ∈ {1, 2, ..., K} denotes the index of the layer, h_v^(i)(k) is the program embedding (e.g., feature vector) of program v for meta-path M_i at the k-th layer, ε^(k) is a trainable parameter that quantifies the trade-off between the previous layer representation and the aggregated contextual representation…” (Column 8, Lines 30-33) and “At block 640, training is performed to improve the analysis of the host-level events. For example, the AHGNN architecture can be trained to better distinguish between an unknown program and a known benign program. More specifically, the AHGNN architecture can be trained by learning a similarity metric and program graph representation jointly for better graph matching between the unknown program and known benign programs. In one embodiment, the parameters of the AHGNN can be trained via one or more Siamese networks.” (Column 11, Lines 23-32, mapping graph matching to pattern matching).
In regards to claim 7: The present application claims:

“deriving the set of subgraphs from the temporal graph; embedding each of the set of subgraphs into a vector representation;” Chen teaches “the subcomponent 530 can aggregate the node embeddings generated from different layers toward a dense-connected node embedding. More specifically, the subcomponent 530 can leverage all the intermediate representations, with each capturing a subgraph structure.” (Column 8, Lines 48-52).

“and wherein the comparing compares each vector representation corresponding to a subgraph with a vector representation corresponding to a pattern graph.” Chen teaches “model (e.g., Siamese-network-based model) can be used to train the parameters and compute the similarity scores between an unknown program and the existing benign programs. Since the model can be trained on existing benign programs, as opposed to malware/malicious program samples, an unknown malicious program having a behavioral representation sufficiently different to any of the existing benign programs can be identified.” (Column 4, Lines 1-9).

In regards to claim 8-14: Claims 8-14 recite similar limitations to claims 1-7, with the exception of the recitation of “An apparatus, comprising: a processor; computer memory holding computer program instructions executed by the processor, the computer program instructions configured to…” however, given the claimed apparatus relies on the method of claims 1-7, both sets of claims are similarly rejected.
In regards to claim 15-21: Claims 15-21 recite similar limitations to claims 1-7, with the exception of the recitation of “A computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program product holding computer program instructions that, when executed by the data processing system, are configured to…” however, given the claimed computer program product relies on the method of claims 1-7, both sets of claims are similarly rejected.

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to GRIFFIN T BEAN whose telephone number is (703)756-1473. The examiner can normally be reached M - F 7:30 - 4:30.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Li Zhen can be reached at (571) 272-3768. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/GRIFFIN TANNER BEAN/
Examiner, Art Unit 2121

/Li B. Zhen/
Supervisory Patent Examiner, Art Unit 2121

Prosecution Timeline

Sep 20, 2021: Application Filed
Oct 15, 2024: Non-Final Rejection — §103, §112
Nov 06, 2024: Interview Requested
Nov 15, 2024: Examiner Interview Summary
Nov 15, 2024: Applicant Interview (Telephonic)
Jan 15, 2025: Response Filed
Apr 03, 2025: Final Rejection — §103, §112
Apr 23, 2025: Interview Requested
May 05, 2025: Examiner Interview Summary
May 05, 2025: Applicant Interview (Telephonic)
May 28, 2025: Response after Non-Final Action
Jun 30, 2025: Request for Continued Examination
Jul 03, 2025: Response after Non-Final Action
Jul 14, 2025: Non-Final Rejection — §103, §112
Sep 24, 2025: Interview Requested
Oct 09, 2025: Examiner Interview Summary
Oct 09, 2025: Applicant Interview (Telephonic)
Oct 10, 2025: Response Filed
Jan 23, 2026: Final Rejection — §103, §112
Mar 24, 2026: Examiner Interview Summary
Mar 24, 2026: Applicant Interview (Telephonic)
Apr 06, 2026: Response after Non-Final Action

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12424302
ACCELERATED MOLECULAR DYNAMICS SIMULATION METHOD ON A QUANTUM-CLASSICAL HYBRID COMPUTING SYSTEM
2y 5m to grant Granted Sep 23, 2025
Patent 12314861
SYSTEMS AND METHODS FOR SEMI-SUPERVISED LEARNING WITH CONTRASTIVE GRAPH REGULARIZATION
2y 5m to grant Granted May 27, 2025
Patent 12261947
LEARNING SYSTEM, LEARNING METHOD, AND COMPUTER PROGRAM PRODUCT
2y 5m to grant Granted Mar 25, 2025
Study what changed to get past this examiner. Based on 3 most recent grants.


Prosecution Projections

Expected OA Rounds: 5-6
Grant Probability: 21%
With Interview: 50% (+28.4%)
Median Time to Grant: 4y 4m
PTA Risk: High
Based on 19 resolved cases by this examiner. Grant probability derived from career allow rate.
