Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendments / Arguments
Regarding the rejection of claims under 35 USC 112(b)
Applicant’s arguments filed March 10, 2025 have been fully considered and are persuasive, therefore the rejection has been withdrawn.
Regarding the rejections of claims under 35 USC 103:
Applicant's arguments filed March 10, 2025 have been fully considered but they are not persuasive.
Applicant argues that "Dasgupta is silent regarding a backend system and references only a DLA (distributed learning agent) and router." This argument is not persuasive. Dasgupta clearly discloses a Supervisory and Control Agent (SCA) that functions as a backend system. Paragraph [0052] of Dasgupta explicitly states that the SCA operates as "one or more supervisory/centralized devices" that coordinate "the deployment and configuration of the DLAs," receive "information from the DLAs (e.g., detected anomalies/attacks, compressed data for visualization, etc.)," provide "information regarding a detected anomaly to a user interface," and "analyze data regarding a detected anomaly using more CPU intensive machine learning processes." These functions definitively establish the SCA as a backend system within the meaning of the claimed invention. The fact that Dasgupta uses different terminology does not negate the functional equivalence between the claimed "backend system" and Dasgupta's SCA.
Regarding the limitation "sharing at least one generated local user behavior model related to the network node with one or more other nodes and with the backend system," Dasgupta unequivocally teaches this feature. Paragraphs [0092-0094] describe DLA 506 sending "a custom message 518 to the selected device(s) 504 that includes the parameters of the model, its dependencies, etc." This constitutes sharing a generated model with other nodes. Furthermore, paragraph [0063] explicitly states: "The SCA may also send updates 414 to DLC 408 to update model(s) 410 and/or RL engine 412 (e.g., based on information from other deployed DLAs, input from a user, etc.)." This clearly establishes model sharing between the DLAs and the SCA (backend system), as the SCA must receive model information from DLAs in order to send appropriate updates based on "information from other deployed DLAs." The anomaly detection models in Dasgupta monitor network behavior, which necessarily includes user activity, and therefore are functionally equivalent to the claimed "user behavior models."
Applicant argues that Honkasalo fails to disclose "wherein at least one local user behavior model related to the network node is generated by the network node and at least one common behavior model is generated by the backend system of the computer network and/or by the network node based at least in part on the at least one received local user behavior model" and is unrelated to threat detection networks. However, this argument is not persuasive.
Honkasalo explicitly teaches the limitation with structural correspondence to the claimed elements. In paragraph [0046], Honkasalo clearly states that "each data endpoint may execute on-line learning... and keep track of the changes to the local model," which directly corresponds to "at least one local user behavior model related to the network node is generated by the network node." Furthermore, paragraphs [0004-0005] of Honkasalo explicitly describe "determining the selected common model based at least partially on the local model of the first data endpoint," and paragraph [0059] elaborates that "representations of local models of data endpoints 220_1-220_M may be first mapped to their corresponding common models 210_1-210_N. Then, averaging may be performed by averaging units for each of the common models 210_1-210_N." This directly corresponds to "at least one common behavior model is generated by the backend system of the computer network... based at least in part on the at least one received local user behavior model."
While Honkasalo operates in the context of radio access networks rather than threat detection, the technical mechanism for generating, sharing, and aggregating models between network nodes and a backend system is structurally identical to what is claimed. The application of this model generation and distribution framework to security contexts is a straightforward implementation when combined with the security-focused teachings of Bazalgette and Dasgupta. Honkasalo's disclosure of behavior attributes in paragraphs [0040-0041] further reinforces its relevance to the claimed limitation.
Therefore, the combination of Bazalgette, Dasgupta, and Honkasalo properly teaches the disputed limitation, and the rejection is maintained. Further, since Applicant has not argued the dependent claims, their rejections are likewise maintained.
DETAILED ACTION
This is a reply to the arguments filed on 03/10/2025, in which claims 1-7, 9-12, and 14-15 are pending. Claims 1, 10, 11 and 12 are independent. Claims 8 and 13 have been cancelled.
When making claim amendments, the applicant is encouraged to consider the references in their entireties, including those portions that have not been cited by the examiner and their equivalents as they may most broadly and appropriately apply to any particular anticipated claim amendments.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-6, 10-12, and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Bazalgette et al. (EP 3528462 A1, referred to as Bazalgette), in view of Dasgupta et al. (US 20170279838 A1, referred to as Dasgupta) in further view of Honkasalo et al. (US 20200374711 A1, referred to as Honkasalo).
In reference to claim 1, A method of threat detection in a threat detection network, the threat detection network comprising interconnected network nodes and a backend system, wherein at least part of the nodes comprise security agent modules which collect data related to the respective network node, the method comprising (Bazalgette: [0011]-[0013] Provides for a comprehensive description of the cyber threat defense system with interconnected modules and components.)
Collecting and/or analyzing at the network node data related to a network node (Bazalgette: Fig.1, [0014]-[0016] and [0024] Provides for a gather module that collects and analyzes data from various sources within the network.)
Generating at least one local user behavior model at the network node related to the network node on the basis of the collected and/or analyzed data (Bazalgette: [0016] and [0044]-[0045] Provides for generating machine-learning models based on collected data about normal behavior of different aspects of the system, including user activity. Bazalgette paragraph [0056] further provides that the system creates individual models for each user.)
Comparing user activity in a node to the at least one generated local user behavior model and/or a received behavior model, and alerting the backend system and/or the other nodes, about anomalous behavior, if deviation from the at least one generated local user behavior model and/or the received behavior model is detected (Bazalgette: [0017] and [0103] Provides for comparing user activity to behavior models and detecting deviations by identifying anomalous behavior and potential cyber threats based on these comparisons.)
Comparing at the backend system the received anomalous data with other behavior models in the same organization and/or behavior models of known malicious users, and sending from the backend system to the node results and/or data relating to the comparison (Bazalgette: [0015], [0025], and [0116] Provides for comparing anomalous data with known threat databases and other sources.)
Bazalgette provides for sharing inoculation patterns based on identified threats and behavioral parameters ([0017]-[0018], [0021], [0027] and [0115]), but does not explicitly teach sharing at least one generated local user behavior model related to the network node with one or more other nodes and/or with the backend system and wherein one or more local user behavior models related to the network node are generated by the network node and at least one common behavior model is generated by the backend system of the computer network and/or by the network node based at least in part on the received local user behavior models. However, Dasgupta discloses:
Sharing at least one generated local user behavior model related to the network node with one or more other nodes and/or with the backend system (Dasgupta [0063] and [0090]-[0095] and Fig. 5 Provides for sharing models between nodes. Dasgupta [0052] Provides for SCA as a backend system.)
For the sake of completeness Dasgupta further discloses (Dasgupta: Fig.1A-1B and [0017]-[0019] Provides for a network with interconnected nodes and devices for threat detection. Dasgupta paragraph [0061] and Fig. 4 further provide for the collection and analysis of network data at network nodes. Dasgupta paragraph [0063] further provides for the generation of local behavior models at the network node based on collected data. Dasgupta paragraphs [0065]-[0066] further provide for the comparison of activity to models and alerting about anomalies.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Bazalgette, which involves generating and utilizing local user behavior models for detecting anomalies within a network node, with the teachings of Dasgupta, which include the sharing of models and their parameters between network nodes. One of ordinary skill in the art would recognize the ability to share local user behavior models across network nodes to enhance collaborative and dynamic threat detection capabilities. Such a modification would be motivated by the need to improve the responsiveness and accuracy of the threat detection network by leveraging distributed data analysis and learning across various nodes.
Bazalgette in view of Dasgupta do not explicitly disclose wherein one or more local user behavior models related to the network node are generated by the network node and at least one common behavior model is generated by the backend system of the computer network and/or by the network node based at least in part on the received local user behavior models. However, Honkasalo teaches:
Wherein at least one local user behavior model related to the network node is generated by the network node (Honkasalo: [0004]-[0005], [0036], [0044]-[0046] and [0080] Provides for local model generation at nodes.)
At least one common behavior model is generated by the backend system of the computer network and/or by the network node based at least in part on the at least one received local user behavior model (Honkasalo: [0004]-[0005], [0046]-[0047], [0052]-[0059] and [0073] Provides for generation of common models from local models at the backend.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Bazalgette in view of Dasgupta, which provides a system for generating, sharing, and utilizing local user behavior models across network nodes for threat detection, with the teachings of Honkasalo, which introduces the generation of both local models at network nodes and common behavior models at the backend based on the local models. One of ordinary skill in the art would recognize the ability to incorporate Honkasalo's hierarchical model generation approach into the combined system to enable both localized and network-wide behavior analysis. One of ordinary skill in the art would be motivated to make this modification in order to create a more comprehensive threat detection system.
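The following is an added illustration, not part of this Office action or of any cited reference, of the architecture recited in claim 1 as mapped above: a node's agent builds a local user behavior model from collected activity, compares new activity against it, shares the model parameters (not the raw events) with the backend, and the backend averages the received local models into a common model and compares anomalous activity against that common model and against behavior models of known malicious users before returning the result to the node. The feature set (login hour and program frequency), the deviation thresholds, the averaging rule, the sample events and the known-malicious profile are all constructed assumptions chosen for the example.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample data: login hour / program observations for one user per node.
NODE_A_EVENTS = [{"hour": h, "program": p} for h, p in
                 zip([9, 10, 9, 11, 10], ["outlook", "excel", "outlook", "chrome", "excel"])]
NODE_B_EVENTS = [{"hour": h, "program": p} for h, p in
                 zip([8, 9, 8, 9], ["chrome", "outlook", "chrome", "outlook"])]
# Constructed "behavior model of a known malicious user" held only by the backend.
KNOWN_MALICIOUS = {"constructed_malicious_profile": {"tool_x.exe": 0.7, "net_scan": 0.3}}


@dataclass
class LocalUserModel:
    """Baseline a node's security agent keeps for one user (constructed feature set)."""
    user: str
    login_hour_mean: float
    login_hour_std: float
    program_freq: dict  # program -> fraction of observed executions

    @classmethod
    def build(cls, user, events):
        hours = [e["hour"] for e in events]
        counts = Counter(e["program"] for e in events)
        total = sum(counts.values())
        # floor on the spread so a near-constant baseline does not blow up the z-score
        return cls(user, mean(hours), max(pstdev(hours), 0.5),
                   {p: c / total for p, c in counts.items()})

    def score(self, event):
        """Deviation score: z-score of the login hour plus a penalty for an unseen program."""
        z = abs(event["hour"] - self.login_hour_mean) / self.login_hour_std
        return z + (0.0 if event["program"] in self.program_freq else 2.0)

    def params(self):
        """What the node shares with peers and the backend: model parameters, not raw events."""
        return {"login_hour_mean": self.login_hour_mean,
                "login_hour_std": self.login_hour_std,
                "program_freq": dict(self.program_freq)}


class Backend:
    def __init__(self, known_malicious):
        self.received = []  # (node_id, params) pairs shared by nodes
        self.known_malicious = known_malicious

    def receive_model(self, node_id, params):
        self.received.append((node_id, params))

    def common_model(self):
        """Average the received local models into one common model (constructed averaging rule)."""
        models = [p for _, p in self.received]
        n = len(models)
        merged = Counter()
        for m in models:
            merged.update(m["program_freq"])
        return {"login_hour_mean": mean([m["login_hour_mean"] for m in models]),
                "login_hour_std": max(mean([m["login_hour_std"] for m in models]), 0.5),
                "program_freq": {p: v / n for p, v in merged.items()}}

    def compare(self, event, z_limit=3.0):
        """Compare anomalous activity with the common model and with known-malicious profiles."""
        common = self.common_model()
        z = abs(event["hour"] - common["login_hour_mean"]) / common["login_hour_std"]
        fits_common = z < z_limit and event["program"] in common["program_freq"]
        matches = sorted(label for label, profile in self.known_malicious.items()
                         if event["program"] in profile)
        return {"fits_common_model": fits_common, "known_malicious_matches": matches}


def node_handle_event(model, backend, event, threshold=3.0):
    """Node-side check: the backend is alerted only when the local model flags a deviation."""
    score = model.score(event)
    if score < threshold:
        return {"alerted": False, "score": score, "backend": None}
    return {"alerted": True, "score": score, "backend": backend.compare(event)}


def run_scenario():
    """End-to-end walk-through over the constructed data; returns the results for inspection."""
    model_a = LocalUserModel.build("alice", NODE_A_EVENTS)
    model_b = LocalUserModel.build("bob", NODE_B_EVENTS)
    backend = Backend(KNOWN_MALICIOUS)
    backend.receive_model("node-A", model_a.params())  # the sharing step
    backend.receive_model("node-B", model_b.params())
    return {
        "normal": node_handle_event(model_a, backend, {"hour": 10, "program": "excel"}),
        "anomalous": node_handle_event(model_a, backend, {"hour": 3, "program": "tool_x.exe"}),
        "common": backend.common_model(),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(name, result)
```

In the constructed run the 10:00 "excel" event scores well under the threshold and never leaves the node, while the 03:00 execution of an unseen program is flagged locally, forwarded to the backend, found not to fit the averaged common model, and matched against the constructed known-malicious profile; the node receives that comparison result rather than any other node's raw data.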
In reference to claim 2, The method according to claim 1, wherein Bazalgette in view of Dasgupta in further view of Honkasalo further teaches once deviation from the at least one generated local user behavior model and/or the received behavior model is detected, the agent module and/or node performs at least one of the following actions: increasing level of data collection, sending the data to the backend system and/or other nodes that didn't match the at least one generated local user behavior model and/or the received behavior model, heightening a risk level of the user, heightening a risk level of the node and/or alerting an operator. Bazalgette discloses a method of using an inoculation module to communicate with other devices both inside and outside the network, using incident data to warn of potential cyber threats, and generating an inoculation pattern describing the breach state (see, paragraph [0027]). Bazalgette also discloses that the cyber threat module can generate a threat risk parameter with a confidence score, severity score, and consequence score, where the severity score indicates a percentage that the network entity in the breach state is deviating from the model, and this information can be used to assess and respond to the threat (see, paragraph [0032]).
In reference to claim 3, The method according to claim 1, wherein Bazalgette in view of Dasgupta in further view of Honkasalo further teaches the agent module builds the at least one behavior model by collecting and analyzing data relating to user activity utilizing a machine learning model, such as a statistical model, a probabilistic model and/or deep learning model. Bazalgette discloses a method of using one or more machine-learning models as self-learning models using unsupervised learning and trained on normal behavior of different aspects of the system. These aspects include email activity and user activity associated with an email system, network activity and user activity associated with the network, among others. The models are regularly updated and use a normal behavior threshold as a moving benchmark to spot behavior outside of the set parameters (see, paragraph [0016]).
In reference to claim 4, The method according to claim 1, wherein Bazalgette in view of Dasgupta in further view of Honkasalo further teaches the generated or received at least one behavior model is used in monitoring the activity of a user in order to notice changes in behavior which are due to automation, attacks and/or another user using a same account. Bazalgette discloses a method of using one or more machine-learning models integrated with a cyber threat module to gain an understanding of characteristics on a transmission and related data, including classifying the properties of the transmission and its metadata. The cyber threat module can determine a cyber-threat risk parameter indicative of a likelihood of a cyber-threat based on the analyzed metrics and a moving benchmark of what is considered normal behavior (see, paragraph [0019], Figure 9). Bazalgette also discloses that the cyber threat module can generate a set of incident data describing an anomalous event by an entity, such as a user or device, and use this incident data to determine whether the anomalous event indicates a breach state representing a malicious incident or confidential data exposure. This process includes analyzing transmission characteristics to determine if they have potentially malicious characteristics (see, paragraph [0020]).
In reference to claim 5, The method according to claim 1, wherein Bazalgette in view of Dasgupta in further view of Honkasalo further teaches a same behavior model essentially covers users with corresponding activity, corresponding behavior and/or corresponding role in the organization. Bazalgette discloses a method of behavioral pattern analysis to determine unusual behaviors of a network entity, such as a network, a system, a device, a user, or an email, under analysis by the cyber threat module and the machine-learning models. This includes analyzing patterns of behavior indicative of a malicious actor and using the behavioral pattern analysis to detect cyber threats (see, paragraph [0039], Fig 2). Bazalgette also discloses that the cyber threat defense system uses unusual behavior deviating from normal behavior and builds a chain of unusual behavior with causal links to detect cyber threats. This involves filtering out activities, events, or alerts that fall within the normal pattern of life for the network entity under analysis and then analyzing the remaining pattern to determine if it is indicative of a malicious actor. The defense system can also reintegrate some of the filtered out normal activities to support or refute hypotheses about malicious behavior, demonstrating a comprehensive approach to behavioral pattern analysis that could cover users with corresponding activity, behavior, or role (see, paragraph [0039]).
In reference to claim 6, The method according to claim 1, wherein Bazalgette in view of Dasgupta in further view of Honkasalo further teaches the agent modules collect at least one of the following computer usage data for creating the at least one behavior model and/or when comparing user activity: programs executed and frequency thereof, login location, login time, login place, network usage patterns, keyboard layout, keyboard language, typing frequency and/or speed, mouse and touch screen movement patterns, typing errors, syntax and style of command-line commands and arguments, use of clipboard, peripheral devices, such as headphones, camera, screens, printers, USB storage, and/or activity of the peripheral devices, screen lock status, use of keyboard shortcuts. Bazalgette discloses a method of using a trigger module to detect time-stamped data indicating events and/or alerts from unusual or suspicious behavior/activity. The gathered data, which is collected based on abnormal behavior, suspicious activity, or both, is passed to the comparison module and the cyber threat module for analysis (see, paragraph [0013], Figure 1).
In reference to claim 10, A network node of a threat detection network, the network comprising interconnected network nodes and a backend system, wherein the network node comprises at least one or more processors and at least one security agent module which is configured to collect data related to the respective network node, and the network node is configured to collect and/or analyze data related to the network node (Bazalgette: [0011]-[0013] Provides for a comprehensive description of the cyber threat defense system with interconnected modules and components. Bazalgette: Fig.1, [0014]-[0016] and [0024] Provides for a gather module that collects and analyzes data from various sources within the network.)
The network node is further configured to generate at least one local user behavior model related to the network node on the basis of the collected and/or analyzed data (Bazalgette: [0016] and [0044]-[0045] Provides for generating machine-learning models based on collected data about normal behavior of different aspects of the system, including user activity. Bazalgette paragraph [0056] further provides that the system creates individual models for each user.)
The network node is further configured to compare user activity in a node to the at least one generated local user behavior model and/or a received behavior model, and to alert the backend system and/or the other nodes about anomalous behavior, if deviation from the at least one generated local user behavior model and/or the received behavior model is detected (Bazalgette: [0017] and [0103] Provides for comparing user activity to behavior models and detecting deviations by identifying anomalous behavior and potential cyber threats based on these comparisons.)
The network node is configured to receive from the backend system results and/or data relating to a comparison carried out by the backend system, the comparison comprising comparing the anomalous data received by the with other behavior models, with other behavior models in the same organization and/or behavior models of known malicious users. (Bazalgette: [0015], [0025], and [0116] Provides for comparing anomalous data with known threat databases and other sources.)
Bazalgette provides for sharing inoculation patterns based on identified threats and behavioral parameters ([0017]-[0018], [0021], [0027] and [0115]), but does not explicitly teach sharing at least one generated local user behavior model related to the network node with one or more other nodes and/or with the backend system. However, Dasgupta discloses:
The network node is further configured to share at least one generated local user behavior model related to the network node with one or more other nodes and/or with the backend system (Dasgupta [0090]-[0095] and Fig. 5 Provides for sharing models between nodes.)
For the sake of completeness Dasgupta further discloses (Dasgupta: Fig.1A-1B and [0017]-[0019] Provides for a network with interconnected nodes and devices for threat detection. Dasgupta paragraph [0061] and Fig. 4 further provide for the collection and analysis of network data at network nodes. Dasgupta paragraph [0063] further provides for the generation of local behavior models at the network node based on collected data. Dasgupta paragraphs [0065]-[0066] further provide for the comparison of activity to models and alerting about anomalies.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Bazalgette, which involves generating and utilizing local user behavior models for detecting anomalies within a network node, with the teachings of Dasgupta, which include the sharing of models and their parameters between network nodes. One of ordinary skill in the art would recognize the ability to share local user behavior models across network nodes to enhance collaborative and dynamic threat detection capabilities. Such a modification would be motivated by the need to improve the responsiveness and accuracy of the threat detection network by leveraging distributed data analysis and learning across various nodes.
Bazalgette in view of Dasgupta do not explicitly disclose wherein one or more local user behavior models related to the network node are generated by the network node and at least one common behavior model is generated by the backend system of the computer network and/or by the network node based at least in part on the received local user behavior models. However, Honkasalo teaches:
Wherein at least one local user behavior model related to the network node is generated by the network node (Honkasalo: [0036], [0044]-[0046] and [0080] Provides for local model generation at nodes.)
At least one common behavior model is generated by the backend system of the computer network and/or by the network node based at least in part on the at least one received local user behavior model (Honkasalo: [0047], [0052]-[0059] and [0073] Provides for generation of common models from local models at the backend.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Bazalgette in view of Dasgupta, which provides a system for generating, sharing, and utilizing local user behavior models across network nodes for threat detection, with the teachings of Honkasalo, which introduces the generation of both local models at network nodes and common behavior models at the backend based on the local models. One of ordinary skill in the art would recognize the ability to incorporate Honkasalo's hierarchical model generation approach into the combined system to enable both localized and network-wide behavior analysis. One of ordinary skill in the art would be motivated to make this modification in order to create a more comprehensive threat detection system.
In reference to claim 11, A backend server of a threat detection network, the threat detection network comprising interconnected network nodes and a backend system, wherein the backend server comprises at least one or more processors and is configured to receive at least one activity data from a network node generated by the network node on the basis of collected and analyzed data at the network node (Bazalgette: [0011]-[0013] Provides for a comprehensive description of the cyber threat defense system with interconnected modules and components. Bazalgette: Fig.1, [0014]-[0016] and [0024] Provides for a gather module that collects and analyzes data from various sources within the network. Bazalgette: [0016] and [0044]-[0045] Provides for generating machine-learning models based on collected data about normal behavior of different aspects of the system, including user activity. Bazalgette paragraph [0056] further provides that the system creates individual models for each user.)
The backend server is further configured to receive an alert from a network node, about detected anomalous behavior, if deviation from the at least one generated local user behavior model and/or a received behavior model is detected at the network node (Bazalgette: [0017] and [0103] Provides for comparing user activity to behavior models and detecting deviations by identifying anomalous behavior and potential cyber threats based on these comparisons.)
The backend server is further configured to compare at the backend system the anomalous data with other behavior models, with at least one common behavior model created by the backend server based on at least the one received local user behavior model, with other behavior models in the same organization and/or with behavior models of known malicious users, and to send from the backend system to the network node results and/or data relating to the comparison. (Bazalgette: [0015], [0025], and [0116] Provides for comparing anomalous data with known threat databases and other sources.)
Bazalgette provides for sharing inoculation patterns based on identified threats and behavioral parameters ([0017]-[0018], [0021], [0027] and [0115]), but does not explicitly teach that user activity comprises a “local user behavior model”. However, Dasgupta discloses:
User activity comprises a “local user behavior model” (Dasgupta [0090]-[0095] and Fig. 5 Provides for sharing models between nodes.)
For the sake of completeness Dasgupta further discloses (Dasgupta: Fig.1A-1B and [0017]-[0019] Provides for a network with interconnected nodes and devices for threat detection. Dasgupta paragraph [0061] and Fig. 4 further provide for the collection and analysis of network data at network nodes. Dasgupta paragraph [0063] further provides for the generation of local behavior models at the network node based on collected data. Dasgupta paragraphs [0065]-[0066] further provide for the comparison of activity to models and alerting about anomalies.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Bazalgette, which involves generating and utilizing local user behavior models for detecting anomalies within a network node, with the teachings of Dasgupta, which include the sharing of models and their parameters between network nodes. One of ordinary skill in the art would recognize the ability to share local user behavior models across network nodes to enhance collaborative and dynamic threat detection capabilities. Such a modification would be motivated by the need to improve the responsiveness and accuracy of the threat detection network by leveraging distributed data analysis and learning across various nodes.
Bazalgette in view of Dasgupta do not explicitly disclose wherein one or more local user behavior models related to the network node are generated by the network node and at least one common behavior model is generated by the backend system of the computer network and/or by the network node based at least in part on the received local user behavior models. However, Honkasalo teaches:
Wherein at least one local user behavior model related to the network node is generated by the network node (Honkasalo: [0036], [0044]-[0046] and [0080] Provides for local model generation at nodes.)
At least one common behavior model is generated by the backend system of the computer network and/or by the network node based at least in part on the at least one received local user behavior model (Honkasalo: [0047], [0052]-[0059] and [0073] Provides for generation of common models from local models at the backend.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Bazalgette in view of Dasgupta, which provides a system for generating, sharing, and utilizing local user behavior models across network nodes for threat detection, with the teachings of Honkasalo, which introduces the generation of both local models at network nodes and common behavior models at the backend based on the local models. One of ordinary skill in the art would recognize the ability to incorporate Honkasalo's hierarchical model generation approach into the combined system to enable both localized and network-wide behavior analysis. One of ordinary skill in the art would be motivated to make this modification in order to create a more comprehensive threat detection system.
In reference to claim 12, A threat detection network comprising a plurality of interconnected network nodes and a backend system, wherein: each network node comprises at least one or more processors and at least one security agent module which is configured to collect data related to the respective network node, and the network node is configured to collect and/or analyze data related to the network node (Bazalgette: [0011]-[0013] Provides for a comprehensive description of the cyber threat defense system with interconnected modules and components. Bazalgette: Fig.1, [0014]-[0016] and [0024] Provides for a gather module that collects and analyzes data from various sources within the network.)
Each network node is further configured to generate at least one local user behavior model related to the network node on the basis of the collected and/or analyzed data (Bazalgette: [0016] and [0044]-[0045] Provides for generating machine-learning models based on collected data about normal behavior of different aspects of the system, including user activity. Bazalgette paragraph [0056] further provides that the system creates individual models for each user.)
Each network node is further configured to compare user activity in a node to the at least one generated local user behavior model and/or a received behavior model, and to alert the backend system and/or the other nodes about anomalous behavior, if deviation from the at least one generated local user behavior model and/or a received behavior model is detected, and/or each network node is configured to receive from the backend system results and/or data relating to a comparison carried out by the backend system (Bazalgette: [0017] and [0103] Provides for comparing user activity to behavior models and detecting deviations by identifying anomalous behavior and potential cyber threats based on these comparisons.)
The comparison comprising: comparing the anomalous data received by the backend system with other behavior models in the same organization and/or behavior models of known malicious users, wherein the backend server comprises at least one or more processors and is configured to receive at least one local user behavior model from a network node, generated by the network node on the basis of data collected and analyzed at the network node, the backend server is further configured to receive an alert from a network node about detected anomalous behavior if deviation from the generated local user behavior model and/or a received behavior model is detected at the network node, and the backend server is further configured to compare at the backend system the anomalous data with a common behavior model created by the backend server based on at least the one received local user behavior model, with other behavior models in the same organization and/or with behavior models of known malicious users, and to send from the backend system to the network node results and/or data relating to the comparison (Bazalgette: [0015], [0025], and [0116] Provides for comparing anomalous data with known threat databases and other sources.)
Bazalgette provides for sharing inoculation patterns based on identified threats and behavioral parameters ( [0017]-[0018], [0021], [0027] and [0115]), but does not explicitly teach sharing at least one generated local user behavior model related to the network node with one or more other nodes and/or with the backend system. However, Dasgupta discloses:
Each network node is further configured to share the at least one generated local user behavior model related to the network node with one or more other nodes and/or with the backend system (Dasgupta [0090]-[0095] and Fig. 5 Provides for sharing models between nodes.)
For the sake of completeness, Dasgupta further discloses the remaining features (Dasgupta: Fig.1A-1B and [0017]-[0019] Provides for a network with interconnected nodes and devices for threat detection. Dasgupta paragraph [0061] and Fig. 4 further provide for the collection and analysis of network data at network nodes. Dasgupta paragraph [0063] further provides for the generation of local behavior models at the network node based on collected data. Dasgupta paragraphs [0065]-[0066] further provide for the comparison of activity to models and alerting about anomalies.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Bazalgette, which involves generating and utilizing local user behavior models for detecting anomalies within a network node, with the teachings of Dasgupta, which include the sharing of models and their parameters between network nodes. One of ordinary skill in the art would recognize the ability to share local user behavior models across network nodes to enhance collaborative and dynamic threat detection capabilities. Such a modification would be motivated by the need to improve the responsiveness and accuracy of the threat detection network by leveraging distributed data analysis and learning across various nodes.
Bazalgette in view of Dasgupta does not explicitly disclose wherein one or more local user behavior models related to the network node are generated by the network node and at least one common behavior model is generated by the backend system of the computer network and/or by the network node based at least in part on the received local user behavior models. However, Honkasalo teaches:
Wherein at least one local user behavior model related to the network node is generated by the network node (Honkasalo: [0036], [0044]-[0046] and [0080] Provides for local model generation at nodes.)
At least one common behavior model is generated by the backend system of the computer network and/or by the network node based at least in part on the at least one received local user behavior model (Honkasalo: [0047], [0052]-[0059] and [0073] Provides for generation of common models from local models at the backend.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Bazalgette in view of Dasgupta, which provides a system for generating, sharing, and utilizing local user behavior models across network nodes for threat detection, with the teachings of Honkasalo, which introduces the generation of both local models at network nodes and common behavior models at the backend based on the local models. One of ordinary skill in the art would recognize the ability to incorporate Honkasalo's hierarchical model generation approach into the combined system to enable both localized and network-wide behavior analysis. One of ordinary skill in the art would be motivated to make this modification in order to create a more comprehensive threat detection system.
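As an illustration of the node/backend division of labor recited in claim 12 and mapped above (local model generation at each node, sharing of the local model with peers and with the backend, a common model built by the backend from the received local models, node-side deviation alerts, and a backend-side comparison of the anomalous data against other models in the organization and against known-malicious profiles, with the results returned to the node), the following is a constructed example added by the editor. It is not code from the application under examination or from Bazalgette, Dasgupta, Honkasalo or Kerseboom. The per-feature z-score model, the 3-sigma threshold, the pooled "common" model, and all node, user and sample observations are assumptions made for the sketch; none of these specifics are taken from the claims or the references.

```python
"""Sketch of the claim-12 node/backend architecture (constructed example;
not code from the application or any cited reference). The z-score model,
the 3-sigma threshold, the pooled common model and all sample data are
assumptions made for illustration."""
from dataclasses import dataclass
from statistics import mean, pstdev
from math import sqrt

FEATURES = ("login_hour", "bytes_out_mb", "failed_logins")
THRESHOLD = 3.0  # assumed: flag when any feature lies beyond 3 standard deviations


@dataclass
class BehaviorModel:
    owner: str      # user id, "common", or "malicious:<name>"
    means: dict
    stdevs: dict
    n: int          # number of observations the model was fitted on

    def zscores(self, obs):
        return {f: (obs[f] - self.means[f]) / max(self.stdevs[f], 1e-6) for f in FEATURES}

    def deviates(self, obs):
        return max(abs(z) for z in self.zscores(obs).values()) > THRESHOLD


def fit_model(owner, observations):
    """Local user behavior model: per-feature mean and population std. deviation."""
    return BehaviorModel(
        owner=owner,
        means={f: mean(o[f] for o in observations) for f in FEATURES},
        stdevs={f: pstdev(o[f] for o in observations) for f in FEATURES},
        n=len(observations),
    )


class Backend:
    """Receives local models, builds the common model, compares anomalous data."""

    def __init__(self, malicious_models):
        self.local_models = {}      # (node, user) -> BehaviorModel
        self.malicious = malicious_models
        self.common = None

    def receive_model(self, node, model):
        self.local_models[(node, model.owner)] = model
        self.common = self.build_common()

    def build_common(self):
        # Common model = pooled mean and pooled variance over all received local models.
        models = list(self.local_models.values())
        total = sum(m.n for m in models)
        means = {f: sum(m.means[f] * m.n for m in models) / total for f in FEATURES}
        var = {f: sum(m.n * (m.stdevs[f] ** 2 + (m.means[f] - means[f]) ** 2)
                      for m in models) / total for f in FEATURES}
        return BehaviorModel("common", means, {f: sqrt(var[f]) for f in FEATURES}, total)

    def receive_alert(self, node, user, obs):
        """Compare the anomalous data with the common model, other users' models in
        the organization and known-malicious profiles; the dict is returned to the node."""
        return {
            "node": node, "user": user,
            "deviates_from_common": self.common.deviates(obs),
            "fits_other_org_models": sorted(owner for (_, owner), m in self.local_models.items()
                                            if owner != user and not m.deviates(obs)),
            "matches_malicious": [m.owner for m in self.malicious if not m.deviates(obs)],
        }


class Node:
    """Collects data, fits local models, shares them, alerts the backend on deviation."""

    def __init__(self, name, backend):
        self.name, self.backend = name, backend
        self.models = {}        # models generated locally
        self.received = {}      # models received from other nodes

    def collect_and_fit(self, user, observations):
        model = fit_model(user, observations)
        self.models[user] = model
        self.backend.receive_model(self.name, model)     # share with the backend
        return model

    def share_with(self, peer):
        for model in self.models.values():               # share with another node
            peer.received[model.owner] = model

    def check(self, user, obs):
        model = self.models.get(user) or self.received.get(user) or self.backend.common
        if model is None or not model.deviates(obs):
            return None
        return self.backend.receive_alert(self.name, user, obs)   # backend's results


# Constructed sample observations (not taken from any source document).
def rows(hours, mbs, fails):
    return [dict(zip(FEATURES, r)) for r in zip(hours, mbs, fails)]

MALICIOUS = [fit_model("malicious:exfil",
                       rows([2, 3, 2, 3], [4000, 5000, 4500, 5500], [15, 20, 25, 20]))]
ALICE = rows([9, 9, 10, 9, 10, 9, 10, 9], [50, 60, 55, 50, 60, 55, 50, 60], [0, 0, 1, 0, 0, 1, 0, 0])
BOB = rows([14, 15, 14, 15], [100, 120, 110, 130], [0, 1, 0, 1])
NORMAL = dict(zip(FEATURES, (9, 55, 0)))
SUSPICIOUS = dict(zip(FEATURES, (3, 5000, 20)))


def run_demo():
    backend = Backend(MALICIOUS)
    node_a, node_b = Node("node-A", backend), Node("node-B", backend)
    node_a.collect_and_fit("alice", ALICE)
    node_b.collect_and_fit("bob", BOB)
    node_a.share_with(node_b)
    return {
        "quiet": node_a.check("alice", NORMAL),
        "peer_check": node_b.check("alice", NORMAL),    # uses the model received from node-A
        "alert": node_a.check("alice", SUSPICIOUS),
        "common_n": backend.common.n,
    }


if __name__ == "__main__":
    print(run_demo())
```

In the run, node-A's local model for alice flags the suspicious observation, the backend reports that it also deviates from the pooled common model, fits no other user's model in the organization, and matches the assumed known-malicious profile; node-B, which never saw alice locally, evaluates her normal activity against the model it received from node-A and stays quiet.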
In reference to claim 14, Bazalgette in view of Dasgupta in further view of Honkasalo further teaches a computer program product comprising at least one non-transitory computer-readable medium having instructions stored thereon which, when executed by a processor of a computer, cause the computer to carry out the method according to claim 1. Because the combination of Bazalgette, Dasgupta and Honkasalo teaches the method of claim 1, a computer program product that carries out the same method as claim 1 is rejected under similar rationale.
In reference to claim 15, Bazalgette in view of Dasgupta in further view of Honkasalo further teaches a non-transitory computer-readable medium having instructions stored thereon which, when executed by a processor, cause a computer to perform the method according to claim 1. Because the combination of Bazalgette, Dasgupta and Honkasalo teaches the method of claims 1 and 14, a computer-readable medium storing a computer program that carries out the same method as claim 1 is rejected under similar rationale.
Claims 7 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Bazalgette, et al. (EP 3528462 A1, referred to as Bazalgette), in view of Dasgupta et al. (US 20170279838 A1, referred to as Dasgupta), in view of Honkasalo et al. (US 20200374711 A1, referred to as Honkasalo), in further view of Kerseboom (WO-2017102088-A1, referred to as Kerseboom).
In reference to claim 7, Wherein the backend system identifies shared accounts used at the nodes and/or in the network and links multiple behavior models to an identified shared account, Bazalgette in view of Dasgupta in further view of Honkasalo teaches all the features of claim 1, as outlined above.
Bazalgette in view of Dasgupta in further view of Honkasalo does not explicitly disclose this feature. However, Kerseboom teaches:
That routers can make collaborative decisions based on filtered data, sharing findings regarding anomalies in the filtered data traffic. This process involves the routers identifying and responding to anomalies coming from a protected PC, including configuring routers to cease communications or probe the infected PC for more information about its data connections and/or behavior (see, Figure 5, Page 10 lines 18-35).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Bazalgette in view of Dasgupta in further view of Honkasalo, which involve machine learning models and cyber threat analysis, by incorporating Kerseboom’s teachings of collaborative decision-making among routers in order to detect attacks and synchronize gathered data over a separate communications network.
In reference to claim 9, Wherein the threat control network is a threat control swarm intelligence network, and/or the threat detection swarm intelligence network comprises a plurality of interconnected network nodes of a local computer network, and the at least one behavior model is shared with the backend system and/or nodes of the swarm intelligence network, Bazalgette in view of Dasgupta in further view of Honkasalo teaches all the features of claim 1, as outlined above.
Bazalgette in view of Dasgupta in further view of Honkasalo does not explicitly disclose this feature. However, Kerseboom teaches:
Methods for communications network attack detection, and more particularly to a method and system for a distributed early attack warning platform (DEAWP) for detecting attacks and synchronizing gathered data over a separate communications network via a power line network connection, and the like, to connected nodes, in order to protect the network as a whole and systems connected thereto (see, Page 1, lines 23-29).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Bazalgette in view of Dasgupta in further view of Honkasalo by incorporating Kerseboom's distributed early attack warning platform in order to protect the network as a whole and systems connected thereto.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892.
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AIDAN EDWARD SHAUGHNESSY whose telephone number is (703)756-1423. The examiner can normally be reached on Monday-Friday from 7:30am to 5pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson, can be reached at telephone number (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from Patent Center and the Private Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from Patent Center or Private PAIR. Status information for unpublished applications is available through Patent Center and Private PAIR for authorized users only. Should you have questions about access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) Form at https://www.uspto.gov/patents/usptoautomated-interview-request-air-form.
/A.E.S./Examiner, Art Unit 2432
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432