SYSTEMS, DEVICES, AND METHODS FOR OBSERVING A COMPUTER NETWORK AND/OR SECURING DATA ACCESS TO A COMPUTER NETWORK

§101 §103 §112

DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Claims 82-88 and 91-107 are currently pending. Response to Arguments The present office action is responsive to communications filed on 08/22/2025. Claims 82, 87, 88, 95, 97, and 102 have been amended. Applicant’s amendments with regards to the claims and arguments have overcome every objection and rejection that were previously set forth in Final Office Action mailed 06/13/2025. Applicant’s arguments and amendments, filed on 08/22/2025, with respect to the rejections to 82-88 and 91-107 under 35 USC 112, as seen in page 11, have been fully considered and persuasive. Further with respect to the rejections of claims 82-81 and 91-107 under 35 USC 103, as seen in pages 11-13, over Stockdale et al. (US PGPub No. 20200244673-A1) in view of Sher-Jan et al. (US PGPub No. 20170206376-A1), Brannon et al. (US PGPub No. 20220147638-A1), Shen et al. (US PGPub No. 20170180418-A1), and Davenport et al. (US PGPub No. 20160343100-A1), and Donahue (US PGPub No. 20170366576 A1) specifically with the amended limitations of repeating when the level of risk of non-compliance is below risk threshold have been fully considered and are persuasive. Therefore, the rejection have been withdrawn. However, upon further consideration, a new grounds of rejection of is made in additional view of Qiu et al. (US PGPub No.20190205926-A1 ). Claim Rejections - 35 USC § 112 The following is a quotation of the first paragraph of 35 U.S.C. 112(a): (a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention. The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112: The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention. Claims rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Regarding claims 82, 97, and 102: “…a machine learning algorithm configured to perform predictive path progress analysis comprising path-based anomaly detection…” is recited in claims 82, 97, and 102, but the specification does not provide any concrete algorithmic detail (e.g., model choice, features, training procedure, etc.) beyond high-level functional descriptions like “predictive path progress analysis” and “path-based anomaly detection”. Further, “a machine learning algorithm” is recited at the level of a broad functional genus that, under a broadest reasonable interpretation, encompasses essentially all types of machine learning techniques capable of being configured to perform the recited functions. The specification does not disclose any representative set of specific machine-learning species (e.g., particular model families, feature sets, or training schemes) nor any common structural characteristics that would demonstrate that the inventor had possession of the full scope of this machine-learning genus at the time of filing. Instead, the application provides only results-oriented statements that such predictive path progress analysis and path-based anomaly detection are performed, without any example implementation or description of how any particular algorithm is configured to carry out these analyses, or how any such algorithm is adapted to produce the specific output of a “level of risk of non-compliance with the standard for data protection” as further recited in the claims. The claims further recites: “…wherein frequency of the sampling is based, at least in part, on a risk of non-compliance with the standard for data protection associated with the data flow…” There is a discrepancy between the written description and the claims. As cited in ¶0013 “…a frequency of the trace sampling and/or size of the samples may be responsive to a sensitivity of, for example, the data included in the data flow, a node associated with the data flow, a software application associated with the data flow, and/or a user associated with the data flow…”, and similar portions of the specification describe sampling frequency and/or size as being responsive to a “sensitivity” or “security risk” associated with data, users, nodes, or applications. However, the specification does not disclose that the frequency of sampling is based, even in part, on “a risk of non-compliance with the standard for data protection associated with the data flow,” as expressly required by the claims. In particular, there is no description of how a “risk of non-compliance with the standard for data protection” is determined for a given data flow, or how any such risk value is then used to set or adjust the sampling frequency or sample size for the software application transaction log or the trace log. The claims further recite: “…a level of risk of non-compliance with the standard for data protection caused by the data flow responsive to the determined characteristic of the data flow, the determined characteristic of the user, and the classification of the data flow…” “…a visual indicator of the level of risk of non-compliance with the standard for data protection…” “…repeating a to l when the level of risk of non-compliance is below the risk threshold…” While the specification generally describes determining a level of security risk for a data flow, comparing that security risk to a risk threshold, and displaying security sensitivities or risk indicators on a graphical user interface or map of nodes, it does not describe how a “level of risk of non‑compliance with the standard for data protection” is determined for a particular data flow, user, or classification. See, e.g., ¶¶0007–0009, 0040–0045, 0062–0064 (security risk, security sensitivity, risk severity indicators), and ¶¶0048, 0053 (references to GDPR, CCPA, PCI DSS, HIPAA, and other laws). In particular, the specification does not disclose any algorithm, rule set, scoring function, or other mechanism that translates the legal or policy requirements of a “standard for data protection” (such as GDPR, CCPA, PCI DSS, HIPAA, or other federal, state, or local data security or privacy laws) into a corresponding level of risk of non‑compliance associated with a specific data flow or user, nor does it explain how such a level is computed “responsive to the determined characteristic of the data flow, the determined characteristic of the user, and the classification of the data flow” as recited in the claims. Likewise, the specification does not describe how that level of risk of non‑compliance is encoded and rendered as “a visual indicator of the level of risk of non‑compliance with the standard for data protection” on the claimed transaction maps, or how that level of non‑compliance risk is used as the condition for “repeating a to l when the level of risk of non‑compliance is below the risk threshold,” as opposed to the security‑risk thresholds actually discussed in the written description. Accordingly, the limitations reciting “a level of risk of non‑compliance with the standard for data protection …”, “a visual indicator of the level of risk of non‑compliance with the standard for data protection”, and “repeating a to l when the level of risk of non‑compliance is below the risk threshold” are not supported by a written description that reasonably conveys to one of ordinary skill in the art that the inventor had possession, at the time of filing, of these specific features as claimed. Claims 83-88, 91-96, 98-101, and 103-107 do not overcome the rejections of their respective base claims that have been rejected above, and therefore rejected under the same grounds provided to claims 82, 97, and 102. The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph: The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. Claims 82-88 and 91-107 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Regarding claims 82, 97, and 102: “…a characteristic of the data flow and a characteristic of the user based, at least in part, on a standard for data protection…” Indefinite because the claim does not specify what constitutes as a “characteristic” nor how it is obtained or what constitutes as a characteristic. It is unclear whether “a characteristic of the data flow” refers toa node type, data type, or something else. Similarly, it is unclear whether “a characteristic of the user” refers to an age, profile, access level, or something else. Further the claims does not specify how these ‘characteristics’ of the data flow and user relate to the standard for data protection. It is unclear whether the standard refers to an assigned privacy level, access role, or something else. “…a risk of non-compliance…” and “…a level of risk of non-compliance with standard data protection…” Indefinite because the claim does not provide no objective boundaries or metrics by which a person having ordinary skill in the art can determine a “risk of non-compliance” and a “level of risk of non-compliance” nor it is clear whether this refers to a security risk, risk severity, data sensitivity, or something else. Further the claims does not specify how ‘a level risk of non-compliance’ and ‘a level of risk of non-compliance’ are related to the standard for data protection. It is unclear whether the standard refers to an assigned privacy level, access role, or something else. “…a machine learning algorithm configured to perform predictive path progress analysis comprising path-based anomaly detection…” Indefinite because “predictive path progress analysis” and “path-based anomaly detection” are coined terms whose scope is not defined in the claims and is not given any clear, objective meaning in the specification. A person having ordinary skill in the art would not be able to determine, with reasonable certainty, what specific analyses or operations are encompassed by these phrases, and thus would not know what types of algorithms fall within “a machine learning algorithm configured to perform” such analyses versus those that do not. “…a standard for data protection…” (as used in, e.g., “based, at least in part, on a standard for data protection” and “the standard for data protection associated with the data flow”) Indefinite because the claims do not identify any objective criteria for what qualifies as “a standard for data protection.” It is unclear whether this is limited to formal legal or regulatory standards (e.g., GDPR, CCPA, PCI DSS, HIPAA), internal corporate policies, industry best practices, or any user-defined rule set. Without such clarification, a person having ordinary skill in the art cannot determine, with reasonable certainty, which sets of rules or policies fall within the scope of “standard for data protection” and which do not. “…a visual indicator of the level of risk of non-compliance with the standard for data protection…” Indefinite because neither the claims nor the specification provide objective boundaries as to what constitutes a “visual indicator of the level of risk of non-compliance with the standard for data protection.” It is unclear whether any graphical element that is in some way related to security or compliance (e.g., a color, icon, label, or numeric value) would qualify, and no particular scale, coding scheme, or mapping between levels of non-compliance risk and the visual representation is defined. As a result, the metes and bounds of what visual representations are encompassed by this limitation are not reasonably clear to a person having ordinary skill in the art. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 82-88 and 91-107 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. Claim 82 recites a method which appears to be a ‘process’ and one of the four statutory subject matter categories of invention (Step 1 of the Subject Matter Eligibility Test). However, the claim appears to not qualify for a streamlined analysis thus a full eligibility and thus a full eligibility analysis is necessary (Step 2A and Step 2B of the Subject Matter Eligibility Test). In Step 2A, Prong One, examiners evaluate whether the claim recites a judicial exception, i.e., whether a law of nature, natural phenomenon, or abstract idea is set forth or described in the claim. The claim recites the steps of: “…a) detecting … a data flow between a sequence of nodes of a computer network…” “…b) executing … distributed tracing within the computer network to generate a trace log associated with the data flow…” “…c) determining … a characteristic of the data flow and a characteristic of the user…” “…d) receiving … a software application transaction log for the computer network...” “…e) sampling … data from the software application transaction log to create a plurality of software application transaction log samples…” “…f) sampling … data from the trace log to create a plurality of trace log samples…” “…g) classifying … the data flow responsive to the plurality of software application transaction log samples and the plurality of trace log samples…” “…h) … perform predictive path progress analysis comprising path-based anomaly detection…” “…i) generating … a plurality of transaction maps…” “…j) comparing … two or more of the transaction maps…” “…k) generating … an alert notification of the change…” “…l) receiving… a risk threshold...” “…m) repeating a) to k) when the level of risk of non-compliance is below the risk threshold.” The steps performing amount to an abstract idea which falls under a judicial exception (Step 2A Prong 1, of Subject Matter Eligibility). Abstract ideas fall in the category. The abstract idea falls in the categories of a mental process, for example evaluation, judgements, and opinion and mathematical concepts (MPEP 2106.04(a)(2) & MPEP 2106.06) such as comparing transaction maps and using a calculating a level risk to determine if a data flow is malicious/non-compliant. For example, the courts found that a claim to "collecting information, analyzing it, and displaying certain results of the collection and analysis," where the data analysis steps are recited at a high level of generality, could practically be performed in the human mind, Electric Power Group v. Alstom, S.A., 830 F.3d 1350, 1353‐54, 119 USPQ2d 1739, 1741‐42 (Fed. Cir. 2016). In Step 2A, Prong Two, examiner determine whether the claim as a whole integrates the judicial exception into a practical application to disqualify abstract as a judicial exception. However, the judicial exception in claim 82 is not integrated into practical application because the generically recited computer elements: “…a computer monitoring system …” “…applying, by the computer monitoring system, a machine learning algorithm…” do not add meaningful limitation to an abstract idea because they do not add a meaningful limitation to an abstract idea because they amount to simply implementing the abstract idea on a computer. The implementation of using a transaction maps and use of level of risk results enabling human decision making without using the user actions in any meaningful to improve the functioning of a computer or another technology without reference to what is well-understood, routine, and conventional activity. The claim do not include additional elements that are sufficient to amount to significantly more than the judicial exception because simply appending well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception, e.g., a claim to an abstract idea requiring no more than a generic computer to perform generic computer function that are well-understood, routine and conventional activities previously known to the industry, as discussed in Alice Corp., 573 U.S. at 225, 110 USPQ2d at 1984. Thus, the analysis concludes is ineligible under 35 U.S.C. § 101 as it is directed to a judicial exception. Regarding to claims 83-88, 91-96, and 107 : Claims 83-88, 91-96, and 107 do not add any additional elements than those already disclosed in claim 82, and merely adds further abstract ideas. Furthermore, none of the claims integrate the judicial exception into a practical application. Claim 97 recites a computer-implemented system which appears to be a ‘machine’ and one of the four statutory subject matter categories of invention (Step 1 of the Subject Matter Eligibility Test). However, the claim appears to not qualify for a streamlined analysis thus a full eligibility and thus a full eligibility analysis is necessary (Step 2A and Step 2B of the Subject Matter Eligibility Test). In Step 2A, Prong One, examiners evaluate whether the claim recites a judicial exception, i.e., whether a law of nature, natural phenomenon, or abstract idea is set forth or described in the claim. The claim recites the steps of: “…a) detecting a data flow between a sequence of nodes of a computer network…” “…b) generate a trace log associated with the data flow…” “…c) determining a characteristic of the data flow and a characteristic of the user…” “…d) receiving a software application transaction log for the computer network...” “…e) sampling data from the software application transaction log to create a plurality of software application transaction log samples…” “…f) sampling data from the trace log to create a plurality of trace log samples…” “…g) classifying the data flow responsive to the plurality of software application transaction log samples and the plurality of trace log samples…” “…h) perform predictive path progress analysis comprising path-based anomaly detection…” “…i) generating a plurality of transaction maps…” “…j) comparing two or more of the transaction maps…” “…k) generating, an alert notification of the change…” “…l) receiving a risk threshold...” “…m) repeating a) to k) when the level of risk of non-compliance is below the risk threshold.” The steps performing amount to an abstract idea which falls under a judicial exception (Step 2A Prong 1, of Subject Matter Eligibility). Abstract ideas fall in the category. The abstract idea falls in the categories of a mental process, for example evaluation, judgements, and opinion and mathematical concepts (MPEP 2106.04(a)(2) & MPEP 2106.06) such as comparing transaction maps and using a calculating a level risk to determine if a data flow is malicious/non-compliant. For example, the courts found that a claim to "collecting information, analyzing it, and displaying certain results of the collection and analysis," where the data analysis steps are recited at a high level of generality, could practically be performed in the human mind, Electric Power Group v. Alstom, S.A., 830 F.3d 1350, 1353‐54, 119 USPQ2d 1739, 1741‐42 (Fed. Cir. 2016). In Step 2A, Prong Two, examiner determine whether the claim as a whole integrates the judicial exception into a practical application to disqualify abstract as a judicial exception. However, the judicial exception in claim 97 is not integrated into practical application because the generically recited computer elements: “…one computing device…” “…one processor and instructions…” “…executing distributed tracing within the computer network…”, and “applying a machine learning algorithm” do not add meaningful limitation to an abstract idea because they do not add a meaningful limitation to an abstract idea because they amount to simply implementing the abstract idea on a computer. The implementation of using a transaction maps and use of level of risk results enabling human decision making without using the user actions in any meaningful to improve the functioning of a computer or another technology without reference to what is well-understood, routine, and conventional activity. The claim do not include additional elements that are sufficient to amount to significantly more than the judicial exception because simply appending well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception, e.g., a claim to an abstract idea requiring no more than a generic computer to perform generic computer function that are well-understood, routine and conventional activities previously known to the industry, as discussed in Alice Corp., 573 U.S. at 225, 110 USPQ2d at 1984. Thus, the analysis concludes is ineligible under 35 U.S.C. § 101 as it is directed to a judicial exception. Regarding to claims 98-100: Claims 98-100 do not add any additional elements than those already disclosed in claim 97, and merely adds further abstract ideas. Furthermore, none of the claims integrate the judicial exception into a practical application. Claim 102 recites one or more non-transitory readable storage media which appears to be a ‘machine’ and one of the four statutory subject matter categories of invention (Step 1 of the Subject Matter Eligibility Test). However, the claim appears to not qualify for a streamlined analysis thus a full eligibility and thus a full eligibility analysis is necessary (Step 2A and Step 2B of the Subject Matter Eligibility Test). In Step 2A, Prong One, examiners evaluate whether the claim recites a judicial exception, i.e., whether a law of nature, natural phenomenon, or abstract idea is set forth or described in the claim. The claim recites the steps of: “…a) a software module detecting a data flow between a sequence of nodes of a computer network…” “…b) a software module executing distributed tracing within the computer network to generate a trace log associated with the data flow…” “…c)a software module determining a characteristic of the data flow and a characteristic of the user…” “…d) a software module receiving a software application transaction log for the computer network...” “…e) a software module sampling data from the software application transaction log to create a plurality of software application transaction log samples…” “…f) a software module sampling data from the trace log to create a plurality of trace log samples…” “…g) a software module classifying the data flow responsive to the plurality of software application transaction log samples and the plurality of trace log samples…” “…h) a software module applying a machine learning algorithm configured to perform predictive path progress analysis comprising path-based anomaly detection…” “…i) a software module generating a plurality of transaction maps…” “…j) a software module comparing two or more of the transaction maps…” “…k) a software module generating, an alert notification of the change…” “…l) a software module receiving a risk threshold...” “…m) a software module repeating operation of software modules a) to k) when the level of risk of non-compliance is below the risk threshold.” The steps performing amount to an abstract idea which falls under a judicial exception (Step 2A Prong 1, of Subject Matter Eligibility). Abstract ideas fall in the category. The abstract idea falls in the categories of a mental process, for example evaluation, judgements, and opinion and mathematical concepts (MPEP 2106.04(a)(2) & MPEP 2106.06) such as comparing transaction maps and using a calculating a level risk to determine if a data flow is malicious/non-compliant. For example, the courts found that a claim to "collecting information, analyzing it, and displaying certain results of the collection and analysis," where the data analysis steps are recited at a high level of generality, could practically be performed in the human mind, Electric Power Group v. Alstom, S.A., 830 F.3d 1350, 1353‐54, 119 USPQ2d 1739, 1741‐42 (Fed. Cir. 2016). In Step 2A, Prong Two, examiner determine whether the claim as a whole integrates the judicial exception into a practical application to disqualify abstract as a judicial exception. However, the judicial exception in claim 102 is not integrated into practical application because the generically recited computer elements: “…one or more non-transitory readable storage media encoded with instructions …” “…one or more processors …” “…a software module…” do not add meaningful limitation to an abstract idea because they do not add a meaningful limitation to an abstract idea because they amount to simply implementing the abstract idea on a computer. The implementation of using a transaction maps and use of level of risk results enabling human decision making without using the user actions in any meaningful to improve the functioning of a computer or another technology without reference to what is well-understood, routine, and conventional activity. The claim do not include additional elements that are sufficient to amount to significantly more than the judicial exception because simply appending well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception, e.g., a claim to an abstract idea requiring no more than a generic computer to perform generic computer function that are well-understood, routine and conventional activities previously known to the industry, as discussed in Alice Corp., 573 U.S. at 225, 110 USPQ2d at 1984. Thus, the analysis concludes is ineligible under 35 U.S.C. § 101 as it is directed to a judicial exception. Regarding to claims 103-106: Claims 103 do not add any additional elements than those already disclosed in claim 102, and merely adds further abstract ideas. Furthermore, none of the claims integrate the judicial exception into a practical application. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. Claims 82-87, 91, and 97-106 are rejected under 35 U.S.C. 103 as being unpatentable over Stockdale et al. (US PGPub No. 20200244673-A1) in view of Sher-Jan et al. (US PGPub No. 20170206376-A1), Brannon et al. (US PGPub No. 20220147638-A1), Shen et al. (US PGPub No. 20170180418-A1), and Davenport et al. (US PGPub No. 20160343100-A1), and Qiu et al. (US PGPub No.20190205926-A1 ). With respect to claim 82, Stockdale teaches a method comprising: a) detecting, by a computer monitoring system(¶0032: the cyber threat defense system (computer monitoring system) may include components such as a trigger module, gather module, a data store, an ingestion module, coordinator module, comparison module, cyber threat module, a graph detection module, a batch module, a centrality processing module, an anomaly detector module, user interface module, an autonomous response module, a communication module, at least one input or output port to secure connect to other ports, and one or machine-learning model trained on vectors for malicious activity in a network), a data flow between a sequence of nodes of a computer network, (¶0029-0030: the detector looks at unusual activity/anomalous states (data flow) occurring over two or more groups of device/nodes (nodes) in order to detect potential cyberthreats within a network). the data flow being associated with a user of the computer network; (¶0035: the network entity can be a user and/or the user's device, as well as another network device interacting with the network), b) executing, by the computer monitoring system, distributed tracing within the computer network (¶0034: A feedback loop of cooperation occurs between the gather module, the ingestion module monitoring network and email activity, the comparison module to apply one or more models trained on different aspects of this process, and the cyber threat module to identify cyber threats based on comparisons by the comparison module) to generate a trace log associated with the data flow; (¶0034-0034: The ingestion module monitoring a network entity's activity may feed collected data to a coordinator module to correlate causal links between these activities to (trace logs) supply this input into the cyber threat module.). c) determining, by the computer monitoring system, a characteristic of the data flow and a characteristic of the user based, at least in part, [on a standard for data protection;] (¶0031: the cyber threat module determines a threat risk parameter (characteristic) that factors in the likelihood that chain of one or more unusual behaviors of email, activity network activity, and user activity (data flow)). d) receiving, by the computer monitoring system, a software application transaction log for the computer network; (¶0034-0035: a gather module comprising of multiple automatic data gatherers works in conjunction with an ingestion module which collects input data (transaction log) received from a set of input probes, connectors, and/or other data input device or input method, deployed to a network). e) sampling, by the computer monitoring system, data from the software application transaction log to create a plurality of software application transaction log samples, (¶0035: the ingestion module may be divided into an email module, SaaS module, a Cloud module, and network module (plurality of software application transaction log samples), where each module is configured to monitor and interaction with its corresponding network). wherein frequency of the sampling is based, at least in part, on a risk of non-compliance with [the standard for data protection] associated with the data flow; (¶0033-0034: trigger module may detect time stamped data indicating one or more alarms (frequency) from suspicious activity (risk of non-compliance) triggering the gather module by specific alerts of suspicious activity. The inclined data may be gathered on the deployment from a data store when traffic is observed that can be interact with the ingestion module). g) classifying, by the computer monitoring system, the data flow responsive to the plurality of software application transaction log samples [and the plurality of trace log samples;] (¶0040-0042: the cyber threat module is configured to identify (classify) the data whether a breach state identified by comparison module and a chain of relevant behavioral parameters deviating from normal benign behavior of that network entity correspond from the ingestion module as stated in ¶0035). h) applying, by the computer monitoring system, a machine learning algorithm (¶0036-0037: the cyber threat module may also use (apply) one or more machine-learning models (machine learning algorithm) trained on cyber threats in the network). configured to perform predictive path progress analysis [comprising path-based anomaly detection] (¶0036: the cyber threat module can determine a threat risk parameter that factors in how the chain of unusual behaviors correlate to potential cyber threats (predictive path progress analysis)). in order to determine [a level of risk of non-compliance with the standard for data protection] caused by the data flow responsive to the determined characteristic of the data flow, the determined characteristic of the user, and the classification of the data flow; and (¶0036-0037: the cyber threats can also determine 'the likelihood that a chain of one or more unusual behaviors of the network activity and user activity under analysis (level of risk) fall outside of derived normal behavior' (a determined characteristic of the user), and thus is malicious behavior (the classification of data flow)). l) receiving by computer monitoring system, (¶0054-0055: the multivariate detector is configured to an anomaly detector can to identify whether two or more devices (nodes) are in an anomalous state from normal device network interactions and can be sent over to the cyber-threat module to identify the incremental malicious actions distributed across multiple devices (nodes))a risk threshold; and (¶0055-0056: The cyber threat defense system 100 can then take actions to counter detected potential cyber threats. The autonomous response module, rather than a human taking an action, can be configured to cause one or more rapid autonomous actions can be taken to contain cyber threat module is equal to or above an actionable threshold.) Stockdale does not disclose: a standard for data protection level of risk of non-compliance with the standard for data protection. However, Sher-Jan teaches a standard for data protection (¶0065: included in the risk assessment, in some instances is a summary of sections of the state or federal privacy state. An example would be regarding state specific assessment, the risk assessment generator may generate an outline of key information about the state statute that was utilized to generate the state specific risk assessment). level of risk of non-compliance with the standard for data protection. (¶0059-0061: risk assessments may be generated by modeling the data incident data to at least one state rule and at least one federal rule wherein the risk assessment may combine risk levels for each rule into a risk assessment and generate a severity value and a data sensitivity value for the data incident). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sher-Jan of standard for data protection and visual indicator of the level of risk of non-compliance with standard for data protection to the method of Stockdale in order to determine if the breach of data violates the law and provide further protection of the system by providing a way to notify to one or privacy agencies or users when further action is needed (Sher-Jan: ¶0030-0032). Stockdale in view of Sher-Jan does not disclose: (f) sampling, by the computer monitoring system, data from the trace log to create a plurality of the trace log samples, wherein frequency of the sampling is based, at least in part, on a risk of non-compliance with the standard for data protection associated with data flow g) classifying, by the computer monitoring system, the data flow responsive to the plurality of software application transaction log samples and the plurality of trace log samples; predictive path progress analysis comprising path-based anomaly detection However, Brannon teaches (f) sampling, by the computer monitoring system, data from the trace log to create a plurality of the trace log samples, wherein frequency of the sampling is based, at least in part, on a risk of non-compliance with the standard for data protection associated with data flow ( ¶0065-0070: As seen in Figure 3, Further, according to particular aspects, the rules-based model and/or machine-learning model may be configured to generate separate risks, a first risk associated with the entity experiencing a data privacy incident due to the functionality's use of the target data and a second, separate risk associated with the entity being noncompliant with one or more legal and/or industry standards due to the functionality's use of the target data (generating a plurality of trace log samples). ) g) classifying, by the computer monitoring system, the data flow responsive to [the plurality of software application transaction log samples] and the plurality of trace log samples; (¶0076-0077: Accordingly, the rule-based model and/or machine learning model may process the metadata for the input field and provide output identifying that the type of data associated. Further, the output may provide a confidence score with respect to the identified type of data and/or indicate this particular type of data represents a type of targe data) Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Brannon of sampling and classifications of trace logs to the method of Stockdale in view of Sher-Jan in order to prevent unauthorize access or modification and mitigate data privacy risks within the system (Brannon: ¶0002-0004). Stockdale in view of Sher-Jan and Brannon does not disclose: predictive path progress analysis comprising path-based anomaly detection However, Shen teaches predictive path progress analysis comprising path-based anomaly detection (¶0046-0048: As shown in Figure 1A & 3C, in an action 370, the routing table of the BGP router having the identified at least one malicious event may be corrected. For example, the BGP hijack detection module 130 may identify the block of IP addresses associated with each malicious event. The BGP hijack detection module 130 may identify each corrupt path in the routing table that corresponds to each malicious event). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Shen of path-based anomaly detection to the method of Stockdale in view of Sher-Jan and Brannon in order to prevent network hijacking attacks (Shen: ¶0001-0007). Stockdale in view of Sher-Jan, Brannon, and Shen does not disclose: i) generating, by the computer monitoring system plurality of transaction maps, each transaction map comprising icons representing the nodes of the computer network and the data flow between the nodes over a configurable time interval starting at a point of in time and a visual indicator of the level of risk of non-compliance with the standard for data protection. j) comparing, by the computer monitoring system, two or more of the transaction maps representing different time intervals, different points in time, or both to detect a change between the transaction maps; and k) generating, by the computer monitoring system, an alert notification of the change; However, Davenport teaches i) generating, by the computer monitoring system plurality of transaction maps, each transaction map comprising icons representing the nodes of the computer network (¶0175-0177: Overlaid on the map 506 may be plurality of markers 50 representing transactions (transaction map), events, office locations, customized alerts, etc., which involve one or more companies. The position of the markers on the map corresponds to the location ) and the data flow between the nodes over a configurable time interval starting at a point of in time and (¶0086: As seen in Figure 1, further, the remote server 134 may comprises one or more graphs, charts, table, etc., may track transactions over time (configurable time interval), by transaction location, by transaction cost, by frequency of the transactions, etc. ¶0179-0182: Further, as shown in Figure 5C, a user can filter transactions presented on a display 700, so that only transactions taking place within a certain time interval are shown (configurable). ) a visual indicator of the level of risk of non-compliance with the standard for data protection. (¶0199-0200: The example display in Figure 7D, shows a display 2000 that may be presented with information either display 1800 or 1900 in Figure 7B and 7C respectively. On display 1800 a user may be presented with information about Qatar Holding such as their country origin, entity type, ownership type, website, year founded, number of enterprises, risk exposures (visual indicator of the level of risk of non-compliance with the standard for data protection), office locations, persons, and transactions etc.). j) comparing, by the computer monitoring system, two or more of the transaction maps representing different time intervals, different points in time, or both to detect a change between the transaction maps; and (¶0151-0153: As seen Figure 2C, however, in other examples, the method at 278 may additionally or alternatively comprise determining the risk factor based on the transaction history (time intervals) of one or more companies involved in the transaction, the country in which the transaction took place, type of industry of the transaction, etc. Thus, in some examples, the method at 278 may include comparing the transaction information data of the transaction with a record of transaction information. For example, if the transaction occurred in China, a record of transaction having taken place in China may be generated and compared with more than one piece of transaction information data may be used in the comparison. For example, if the transaction occurred in China, and involved the company Rosatom, then a history of all transactions involving Rosatom and conducted in China may be generated and compared to the current transaction. (comparing multiple transactions)). k) generating, by the computer monitoring system, an alert notification of the change; (¶0153- 0155: Thus, the risk factor for a given company may be adjusted based on the activity of the company and/or its affiliated companies (changes). For example, if a company becomes more involved in illegal activities, continues to pursue transactions in a geographic region that the user has identified as a high-risk region, is involved in types of transactions that are flagged by the user etc., then risk factor for that company may be increased. A user may be notified (alert notification of the change) more frequently of transactions and/ or activity involving companies with higher risk factors. More generally, the relevance and worthiness of a transaction or group of transactions may be determined based on the difference between the transaction information and a regression line. ¶0155: If the difference is greater than a certain threshold, a notification concerning the transaction, company or other data point may be generated.). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Davenport of generating visualization plurality of transaction maps within time intervals, comparing the plurality of transaction maps, and generating alerts of a change to the method of Stockdale in view of Sher-Jan, Brannon, and Shen in order to enable transparency for the user by visualizing activity patterns so that underlying motivations behind such activity may be elucidated and to inform/notify user to potential risks (Davenport: ¶0015-0017). Stockdale in view of Sher-Jan, Brannon, Shen, and Davenport does not disclose: m) repeating a) to l) when the level of security risk of non-compliance is below risk threshold. However, Qiu teaches m) repeating a) to l) when the level of security risk of non-compliance is below risk threshold. (¶0048: Suspicious activity detection system may then be configured to determine whether the pair risk value satisfies a condition. For example, if condition is met when the user and content provider associated with the user-content pair, may have a fraudulent label applied thereto such that future events detected by content provider from the user are flagged and prevented from resulting in monetary gain by the provider (and user). Further ¶0062-0068: Figure 2 is an illustrative flowchart of an exemplary for detecting suspicious activity for user-content provider pairs. At step 268, it is determined that the pair risk value is less than the risk threshold value, then process 250 may proceed to step 272. At step 272, interactions between the user device and the content provider may continue to be monitored. In this particular scenario, process 250 may, in some embodiments, repeat (e.g., steps 252-268). ) It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Qiu regarding repeating steps in response to the level of security risk of non-compliance is below risk threshold to the method of Stockdale in view of Sher-Jan, Brannon, Shen, and Davenport in order to mitigate the effects of non-compliant activities such as fraudulence for future events (Qiu: ¶0039). With respect to claim 83, the combination of Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu teaches the method of claim 82 (see the rejection of claim 82 above) wherein the standard for data protection comprises one or more of: a) European General Data Protection Regulation (GDPR); b) California Consumer Privacy Act (CCPA); c) Payment Card Industry Data Security Standard (PCI DSS); d) Health Insurance Portability and Accountability Act (HIPAA); e) federal, state, or local data security law; f) federal, state, or local privacy law; g) federal, state, or local tax law; and h) federal, state, or local data employment law. (Sher-Jan: ¶0036: the present technology allows entrusted entities to model data incident data to privacy rules (standard for data protection) which include at least one state rule and at least one federal rule wherein ¶0086: an exemplary embodiment may be European General Data Privacy Regulation (GDPR) rule risk assessment page) The motivation to reject claim 83 under Sher-Jan is the same motivation applied in the rejection of claim 82 above. With respect to claim 84, the combination of Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu teaches the method of claim 82 (see the rejection of claim 82 above) further comprising generating, by the computer monitoring system, a compliance report based on the standard for data protection. (Sher-Jan: ¶0153: data incidents are documented in a record (compliance report) that can used to comply efficiently with GDPR's breach notification requirements (standard for data protection) Figure 2 displays a Reporting Module 225). The motivation to reject claim 84 under Sher-Jan is the same motivation applied in the rejection of claim 82 above. With respect to claim 85, the combination of Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu teaches the method of claim 82 (see the rejection of claim 82 above) further comprising generating, by the computer monitoring system, a compliance alert based on the standard for data protection. (Sher-Jan: ¶0153-0160: based on GDPR's breach notification requirements (standard for data protection) so that a data incident may trigger an obligation to notify (compliance alert) affected parties Figure 2 displays a notification module 220). The motivation to reject claim 85 under Sher-Jan is the same motivation applied in the rejection of claim 82 above. With respect to claim 86, the combination of Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu teaches the method of claim 82 (see the rejection of claim 82 above) further comprising taking, by the computer monitoring system, a remedial compliance action based on the standard for data protection. (Sher-Jan: ¶0083: Remedial action (remedial compliance action), uploading of a file, or other notification and/or compliance related action may be noted and associated with a particular risk assessment which is related to the GDPR). The motivation to reject claim 86 under Sher-Jan is the same motivation applied in the rejection of claim 82 above. With respect to claim 87, the combination of Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu teaches the method of claim 82 (see the rejection of claim 82 above) further comprising: determining, by the computer monitoring system, a characteristic of at least one of the nodes, (Stockdale: ¶0046: the cyber threat defense system can apply principle centrality from discipline of graph theory to identify characteristics within a node by studying how each node in a system interacts with other nodes in a system and uses centrality to identify the more important nodes in in a graph based on effect those nodes have on a characteristic of the graph). and a level of security risk caused by the data flow is further responsive to the characteristic of the at least one of the nodes. (Stockdale: ¶0046: from changes of centrality in a single node can be indicative of greater changes in network activity across the entire network and by identifying anomalous change in centrality in a node the detector can identify (determine) a device by node as potentially (level of security risk) participating in a distributed attack). With respect to claim 91, the combination of Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu teaches the method of claim 82 (see method of claim 82 above) wherein the data flow is detected by using at least one of a user name, a user identifier, a uniform resource locator (URL), a service sequence, a data source, an Internet protocol (IP) address, and a node identifier. (Stockdale: ¶0107-109: detection system in which data of activity is derived (detected by) from multiple sources as displayed in Figure 6 Block 602 which includes raw network Internet Protocol (IP) traffic capture from an IP or other network Test Access Points (TAP)). With respect to claim 93, the combination of Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu teaches the method of claim 82 (see the rejection of claim 82 above) further comprising: receiving, by the computer monitoring system, the standard for data protection. (Sher-Jan: ¶ 0036: present technology allows entrusted entities to model data incident data to privacy rules which include at least one state rule and at least one federal rule which illustrated in Figure 1 shows wherein Regulatory Agency 120 (standard for data protection) is received by risk assessment system 105). The motivation to reject claim 93 under Sher-Jan is the same motivation applied in the rejection of claim 82 above. With respect to claim 94, the combination of Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu teaches the method of claim 82 (see the rejection of claim 82 above) wherein determining the characteristic of the data flow includes determining what nodes the data is flowing through. (Stockdale: ¶0046: the multivariate anomality detector can identify a device represented by the node as potential participating in a distributed attack in network activity). With respect to claim 95, the combination of Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu teaches the method of claim 82 (see the rejection of claim 82 above) further comprising: executing, by the computer monitoring system, a remedial action responsively to a determination that the level of risk of non-compliance is above the risk threshold. (Stockdale: ¶0056: the cyber threat defense system can then take actions (remedial action responsively to determination that the level of security risk is above the threshold of security risk) to counter detected potential cyber threats). With respect to claim 97, Stockdale teaches a computer-implemented system comprising at least one computing device comprising at least one processor and instructions executable by the at least one processor to cause the at least one processor to perform operations comprising: (¶0077: an exemplar embodiment of the invention the computer system (computer-implemented system) has a threat detection system therefore runs threat detection method as such it comprises a processor (at least one processor) arranged to run steps (instructions) of the process herein memory required to store information related to running of the process as well as a network interface for collecting the required information) a) detecting a data flow between a sequence of nodes of a computer network, (¶0029-0030: the detector looks at unusual activity/anomalous states (data flow) occurring over two or more groups of device/nodes (nodes) in order to detect potential cyberthreats within a network) the data flow associated with a user of the computer network; (¶0035: the network entity can be a user and/or the user's device, as well as another network device interacting with the network), b) executing distributed tracing within the computer network (¶0034: A feedback loop of cooperation occurs between the gather module, the ingestion module monitoring network and email activity, the comparison module to apply one or more models trained on different aspects of this process, and the cyber threat module to identify cyber threats based on comparisons by the comparison module) to generate a trace log associated with data flow; (¶0034-0034: The ingestion module monitoring a network entity's activity may feed collected data to a coordinator module to correlate causal links between these activities to (trace logs) supply this input into the cyber threat module.). c) determining a characteristic of the data flow and a characteristic of the user based, at least in part, [on a standard for data protection;] (¶0031: the cyber threat module determines a threat risk parameter (characteristic) that factors in the likelihood that chain of one or more unusual behaviors of email, activity network activity, and user activity (data flow)). d) receiving a software application transaction log for the computer network; (¶0034-0035: a gather module comprising of multiple automatic data gatherers works in conjunction with an ingestion module which collects input data (transaction log) received from a set of input probes, connectors, and/or other data input device or input method, deployed to a network). e) sampling data from the software application transaction log to create a plurality of software application transaction log samples, (¶0035: the ingestion module may be divided into an email module, SaaS module, a Cloud module, and network module (plurality of software application transaction log samples), where each module is configured to monitor and interaction with its corresponding network). wherein frequency of the sampling is based, at least in part, on [a risk of non-compliance with the standard for data protection] associated with the data flow; (¶0033-0034: trigger module may detect time stamped data indicating one or more alarms (frequency) from suspicious activity (risk of non-compliance) triggering the gather module by specific alerts of suspicious activity. The inclined data may be gathered on the deployment from a data store when traffic is observed that can be interact with the ingestion module). g) classifying the data flow responsive to the plurality of software application transaction log samples [and the plurality of trace log samples;] (¶0040-0042: the cyber threat module is configured to identify (classify) the data whether a breach state identified by comparison module and a chain of relevant behavioral parameters deviating from normal benign behavior of that network entity correspond from the ingestion module as stated in ¶0035). f) applying a machine learning algorithm (¶0036-0037: the cyber threat module may also use (apply) one or more machine-learning models (machine learning algorithm) trained on cyber threats in the network) configured to perform predictive path progress analysis (¶0036: the cyber threat module can determine a threat risk parameter that factors in how the chain of unusual behaviors correlate to potential cyber threats (predictive path progress analysis)) [comprising path-based anomaly detection] in order to determine a level of risk of non-compliance [with the standard for data protection] caused by the data flow responsive to a determined characteristic of the data flow, a determined characteristic of the user, and the classification of the data flow; and (¶0036-0037: the cyber threats can also determine 'the likelihood that a chain of one or more unusual behaviors of the network activity and user activity under analysis (level of risk) fall outside of derived normal behavior' (a determined characteristic of the user), and thus is malicious behavior (the classification of data flow)). l) receiving an indication of a risk threshold; and (¶0055-0056: The cyber threat defense system 100 can then take actions to counter detected potential cyber threats. The autonomous response module, rather than a human taking an action, can be configured to cause one or more rapid autonomous actions can be taken to contain cyber threat module is equal to or above an actionable threshold.) Stockdale does not disclose: a standard for data protection level of risk of non-compliance with the standard for data protection. However, Sher-Jan teaches a standard for data protection (¶0065: included in the risk assessment, in some instances is a summary of sections of the state or federal privacy state. An example would be regarding state specific assessment, the risk assessment generator may generate an outline of key information about the state statute that was utilized to generate the state specific risk assessment). level of risk of non-compliance with the standard for data protection. (¶0059-0061: risk assessments may be generated by modeling the data incident data to at least one state rule and at least one federal rule wherein the risk assessment may combine risk levels for each rule into a risk assessment and generate a severity value and a data sensitivity value for the data incident). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sher-Jan of standard for data protection and visual indicator of the level of risk of non-compliance with standard for data protection to the method of Stockdale in order to determine if the breach of data violates the law and provide further protection of the system by providing a way to notify to one or privacy agencies or users when further action is needed (Sher-Jan: ¶0030-0032). Stockdale in view of Sher-Jan does not disclose: (f) sampling, by the computer monitoring system, data from the trace log to create a plurality of the trace log samples, wherein frequency of the sampling is based, at least in part, on a risk of non-compliance with the standard for data protection associated with data flow g) classifying, by the computer monitoring system, the data flow responsive to [the plurality of software application transaction log samples] and the plurality of trace log samples; However, Brannon teaches (f) sampling, by the computer monitoring system, data from the trace log to create a plurality of the trace log samples, wherein frequency of the sampling is based, at least in part, on a risk of non-compliance with the standard for data protection associated with data flow( ¶0065-0070: As seen in Figure 3, Further, according to particular aspects, the rules-based model and/or machine-learning model may be configured to generate separate risks, a first risk associated with the entity experiencing a data privacy incident due to the functionality's use of the target data and a second, separate risk associated with the entity being noncompliant with one or more legal and/or industry standards due to the functionality's use of the target data (generating a plurality of trace log samples). ) g) classifying, by the computer monitoring system, the data flow responsive to [the plurality of software application transaction log samples] and the plurality of trace log samples; (¶0076-0077: Accordingly, the rule-based model and/or machine learning model may process the metadata for the input field and provide output identifying that the type of data associated. Further, the output may provide a confidence score with respect to the identified type of data and/or indicate this particular type of data represents a type of targe data). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Brannon of sampling and classifications of trace logs to the method of Stockdale in view of Sher-Jan in order to prevent unauthorize access or modification and mitigate data privacy risks within the system (Brannon: ¶0002-0004). Stockdale in view of Sher-Jan and Brannon does not disclose: predictive path progress analysis comprising path-based anomaly detection However, Shen teaches predictive path progress analysis comprising path-based anomaly detection (¶0046-0048: As shown in Figure 1A & 3C, in an action 370, the routing table of the BGP router having the identified at least one malicious event may be corrected. For example, the BGP hijack detection module 130 may identify the block of IP addresses associated with each malicious event. The BGP hijack detection module 130 may identify each corrupt path in the routing table that corresponds to each malicious event). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Shen of path-based anomaly detection to the method of Stockdale in view of Sher-Jan and Brannon in order to prevent network hijacking attacks (Shen: ¶0001-0007). Stockdale in view of Sher-Jan, Brannon, and Shen does not disclose: i) generating plurality of transaction maps, each transaction map comprising icons representing the nodes of the computer network and the data flow between the nodes over a configurable time interval starting at a point in time and a visual indicator of the level of risk of non-compliance with the standard for data protection. j) comparing two or more of the transaction maps representing different time intervals, different points in time, or both to detect a change between the transaction map; and k) generating an alert notification of change; However, Davenport teaches i) generating plurality of transaction maps, each transaction map comprising icons representing the nodes of the computer network (¶0175-0177: Overlaid on the map 506 may be plurality of markers 50 representing transactions (transaction map), events, office locations, customized alerts, etc., which involve one or more companies. The position of the markers on the map corresponds to the location ) and the data flow between the nodes over a configurable time interval starting at a point in time (¶0086: As seen in Figure 1, further, the remote server 134 may comprises one or more graphs, charts, table, etc., may track transactions over time (configurable time interval), by transaction location, by transaction cost, by frequency of the transactions, etc. ¶0179-0182: Further, as shown in Figure 5C, a user can filter transactions presented on a display 700, so that only transactions taking place within a certain time interval are shown (configurable). ) and a visual indicator of the level of risk of non-compliance with the standard for data protection. (¶0199-0200: The example display in Figure 7D, shows a display 2000 that may be presented with information either display 1800 or 1900 in Figure 7B and 7C respectively. On display 1800 a user may be presented with information about Qatar Holding such as their country origin, entity type, ownership type, website, year founded, number of enterprises, risk exposures (visual indicator of the level of risk of non-compliance with the standard for data protection), office locations, persons, and transactions etc.). j) comparing two or more of the transaction maps representing different time intervals, different points in time, or both to detect a change between the transaction map; and (¶0151-0153: As seen Figure 2C, however, in other examples, the method at 278 may additionally or alternatively comprise determining the risk factor based on the transaction history (time intervals) of one or more companies involved in the transaction, the country in which the transaction took place, type of industry of the transaction, etc. Thus, in some examples, the method at 278 may include comparing the transaction information data of the transaction with a record of transaction information. For example, if the transaction occurred in China, a record of transaction having taken place in China may be generated and compared with more than one piece of transaction information data may be used in the comparison. For example, if the transaction occurred in China, and involved the company Rosatom, then a history of all transactions involving Rosatom and conducted in China may be generated and compared to the current transaction. (comparing multiple transactions)). k) generating an alert notification of change. (¶0153- 0155: Thus, the risk factor for a given company may be adjusted based on the activity of the company and/or its affiliated companies (changes). For example, if a company becomes more involved in illegal activities, continues to pursue transactions in a geographic region that the user has identified as a high-risk region, is involved in types of transactions that are flagged by the user etc., then risk factor for that company may be increased. A user may be notified (alert notification of the change) more frequently of transactions and/ or activity involving companies with higher risk factors. More generally, the relevance and worthiness of a transaction or group of transactions may be determined based on the difference between the transaction information and a regression line. ¶0155: If the difference is greater than a certain threshold, a notification concerning the transaction, company or other data point may be generated.). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Davenport of generating visualization plurality of transaction maps within time intervals, comparing the plurality of transaction maps, and generating alerts of a change to the method of Stockdale in view of Sher-Jan, Brannon, and Shen in order to enable transparency for the user by visualizing activity patterns so that underlying motivations behind such activity may be elucidated and to inform/notify user to potential risks (Davenport: ¶0015-0017). Stockdale in view of Sher-Jan, Brannon, Shen, and Davenport does not disclose: m) repeating a) to l) when the level of security risk is below the threshold level of security risk to continuously monitor an additional threshold level of security risk. However, Qiu teaches m) repeating a) to l) when the level of security risk is below the threshold level of security risk to continuously monitor an additional threshold level of security risk. (¶0048: Suspicious activity detection system may then be configured to determine whether the pair risk value satisfies a condition. For example, if condition is met when the user and content provider associated with the user-content pair, may have a fraudulent label applied thereto such that future events detected by content provider from the user are flagged and prevented from resulting in monetary gain by the provider (and user). Further ¶0062-0068: Figure 2 is an illustrative flowchart of an exemplary for detecting suspicious activity for user-content provider pairs. At step 268, it is determined that the pair risk value is less than the risk threshold value, then process 250 may proceed to step 272. At step 272, interactions between the user device and the content provider may continue to be monitored. In this particular scenario, process 250 may, in some embodiments, repeat (e.g., steps 252-268). ) It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Qiu regarding repeating steps in response to the level of security risk of non-compliance is below risk threshold to the method of Stockdale in view of Sher-Jan, Brannon, Shen, and Davenport in order to mitigate the effects of non-compliant activities such as fraudulence for future events (Qiu: ¶0039). With respect to claim 98, the combination of the combination of Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu teaches the system claim 97 (see rejection of claim 97 above) wherein the standard for data protection comprises one or more of: a) European General Data Protection Regulation (GDPR); b) California Consumer Privacy Act (CCPA); c) Payment Card Industry Data Security Standard (PCI DSS); d) Health Insurance Portability and Accountability Act (HIPAA); e) federal, state, or local data security law; f) federal, state, or local privacy law; g) federal, state, or local tax law; and h) federal, state, or local data employment law. (Sher-Jan: ¶0036: the present technology allows entrusted entities to model data incident data to privacy rules (standard for data protection) which include at least one state rule and at least one federal rule wherein ¶0086: an exemplary embodiment may be European General Data Privacy Regulation (GDPR) rule risk assessment page) The motivation to reject claim 98 under Sher-Jan is the same motivation applied in the rejection of claim 97 above. With respect to claim 99, the combination of the combination of Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu teaches system of claim 97 (see the rejection of claim 97 above) wherein the operations further comprise generating a compliance report based on the standard for data protection. (Sher-Jan: ¶0153: data incidents are documented in a record (compliance report) that can used to comply efficiently with GDPR's breach notification requirements (standard for data protection) Figure 2 displays a Reporting Module 225). The motivation to reject claim 99 under Sher-Jan is the same motivation applied in the rejection of claim 97 above. With respect to claim 100, the combination of Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu teaches system of claim 97 (see the rejection of claim 97 above) wherein the operations further comprise generating a compliance alert based on the standard for data protection. (Sher-Jan: ¶0153-0160: based on GDPR's breach notification requirements (standard for data protection) so that a data incident may trigger an obligation to notify (compliance alert) affected parties Figure 2 displays a notification module 220). The motivation to reject claim 100 under Sher-Jan is the same motivation applied in the rejection of claim 97 above. With respect to claim 101, the combination of Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu teaches system of claim 97 (see the rejection of claim 97 above) wherein the operations further comprise taking a remedial compliance action based on the standard for data protection. (Sher-Jan: ¶0083: Remedial action (remedial compliance action), uploading of a file, or other notification and/or compliance related action may be noted and associated with a particular risk assessment which is related to the GDPR). The motivation to reject claim 101 under Sher-Jan is the same motivation applied in the rejection of claim 97 above. With respect to claim 102, Stockdale teaches one or more non-transitory computer-readable storage media encoded with instructions executable by one or more processors to provide an application comprising: (¶0131: the method and system can be arranged to be performed by one or more processing components with any portions of software stored in an executable format (instructions executable) on a computer readable medium that may be non-transitory). a) a software module detecting a data flow between a sequence of nodes of a computer network (¶0029-0030: the detector looks at unusual activity/anomalous states (data flow) occurring over two or more groups of device/nodes (nodes) in order to detect potential cyberthreats within a network), the data flow associated with a user of the computer network; (¶0035: the network entity can be a user and/or the user's device, as well as another network device interacting with the network) b) a software module executing distributed tracing within the computer network (¶0034: A feedback loop of cooperation occurs between the gather module, the ingestion module monitoring network and email activity, the comparison module to apply one or more models trained on different aspects of this process, and the cyber threat module to identify cyber threats based on comparisons by the comparison module) to generate a trace log associated with the data flow; (¶0034-0034: The ingestion module monitoring a network entity's activity may feed collected data to a coordinator module to correlate causal links between these activities to (trace logs) supply this input into the cyber threat module.). c) a software module determining a characteristic of the data flow and a characteristic of the user based, at least in part, [on a standard for data protection;] (¶0031: the cyber threat module determines a threat risk parameter (characteristic) that factors in the likelihood that chain of one or more unusual behaviors of email, activity network activity, and user activity (data flow)). d) a software module receiving a software application transaction log for the computer network; (¶0034-0035: a gather module comprising of multiple automatic data gatherers works in conjunction with an ingestion module which collects input data (transaction log) received from a set of input probes, connectors, and/or other data input device or input method, deployed to a network). e) a software module sampling data from the software application transaction log to create a plurality of software application transaction log samples, (¶0035: the ingestion module may be divided into an email module, SaaS module, a Cloud module, and network module (plurality of software application transaction log samples), where each module is configured to monitor and interaction with its corresponding network). wherein frequency of the sampling is based, at least in part, on a risk of non-compliance with [the standard for data protection] associated with the data flow; (¶0033-0034: trigger module may detect time stamped data indicating one or more alarms (frequency) from suspicious activity (risk of non-compliance) triggering the gather module by specific alerts of suspicious activity. The inclined data may be gathered on the deployment from a data store when traffic is observed that can be interact with the ingestion module). g) a software module classifying the data flow responsive to the plurality of software application transaction log samples and [the plurality of trace log samples]; (¶0040-0042: the cyber threat module is configured to identify (classify) the data whether a breach state identified by comparison module and a chain of relevant behavioral parameters deviating from normal benign behavior of that network entity correspond from the ingestion module as stated in ¶0035). h) a software module applying a machine learning algorithm (¶0036-0037: the cyber threat module may also use (apply) one or more machine-learning models (machine learning algorithm) trained on cyber threats in the network). configured to perform predictive path progress analysis [comprising path-based anomaly detection] (¶0036: the cyber threat module can determine a threat risk parameter that factors in how the chain of unusual behaviors correlate to potential cyber threats (predictive path progress analysis)). in order to determine a level of risk of non- compliance with [the standard for data protection] caused by the data flow responsive to a determined characteristic of the data flow, a determined characteristic of the user, and the classification of the data flow; and (¶0036-0037: the cyber threats can also determine 'the likelihood that a chain of one or more unusual behaviors of the network activity and user activity under analysis (level of risk) fall outside of derived normal behavior' (a determined characteristic of the user), and thus is malicious behavior (the classification of data flow)). l) a software module receiving an indication of a threshold level of security risk; and (¶0055:cyber defense system can use a user-interface module to display input data along with calculations and can use a communication module to send an alert to a system that cyber-attack is taking place once a determination is made by the cyber-threat module). Stockdale does not disclose: a standard for data protection level of risk of non-compliance with the standard for data protection. a visual indicator of the level of risk of non-compliance with the standard for data protection. However, Sher-Jan teaches a standard for data protection (¶0065: included in the risk assessment, in some instances is a summary of sections of the state or federal privacy state. An example would be regarding state specific assessment, the risk assessment generator may generate an outline of key information about the state statute that was utilized to generate the state specific risk assessment). level of risk of non-compliance with the standard for data protection. (¶0059-0061: risk assessments may be generated by modeling the data incident data to at least one state rule and at least one federal rule wherein the risk assessment may combine risk levels for each rule into a risk assessment and generate a severity value and a data sensitivity value for the data incident). a visual indicator of the level of risk of non-compliance with the standard for data protection (¶0064- 0065: the risk assessment generator may create a visual indicator such a risk level map that assists the entrusted entity in determining if a data incident is relatively severe or is relatively benign. The risk assessment (standard for data protection) may include a risk level that includes a visual indicator such as a colored objects). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sher-Jan of standard for data protection and visual indicator of the level of risk of non-compliance with standard for data protection to the method of Stockdale in order to determine if the breach of data violates the law and provide further protection of the system by providing a way to notify to one or privacy agencies or users when further action is needed (Sher-Jan: ¶0030-0032). Stockdale in view of Sher-Jan does not disclose: (f) sampling, by the computer monitoring system, data from the trace log to create a plurality of the trace log samples, wherein frequency of the sampling is based, at least in part, on a risk of non-compliance with the standard for data protection associated with data flow g) classifying, by the computer monitoring system, the data flow responsive to the plurality of software application transaction log samples and the plurality of trace log samples; However, Brannon teaches (f) sampling, by the computer monitoring system, data from the trace log to create a plurality of the trace log samples, wherein frequency of the sampling is based, at least in part, on a risk of non-compliance with the standard for data protection associated with data flow ( ¶0065-0070: As seen in Figure 3, Further, according to particular aspects, the rules-based model and/or machine-learning model may be configured to generate separate risks, a first risk associated with the entity experiencing a data privacy incident due to the functionality's use of the target data and a second, separate risk associated with the entity being noncompliant with one or more legal and/or industry standards due to the functionality's use of the target data (generating a plurality of trace log samples). ) g) classifying, by the computer monitoring system, the data flow responsive to the plurality of software application transaction log samples and the plurality of trace log samples; (¶0076-0077: Accordingly, the rule-based model and/or machine learning model may process the metadata for the input field and provide output identifying that the type of data associated. Further, the output may provide a confidence score with respect to the identified type of data and/or indicate this particular type of data represents a type of targe data) Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Brannon of sampling and classifications of trace logs to the method of Stockdale in view of Sher-Jan in order to prevent unauthorize access or modification and mitigate data privacy risks within the system (Brannon: ¶0002-0004). Stockdale in view of Sher-Jan and Brannon does not disclose: predictive path progress analysis comprising path-based anomaly detection However, Shen teaches predictive path progress analysis comprising path-based anomaly detection (¶0046-0048: As shown in Figure 1A & 3C, in an action 370, the routing table of the BGP router having the identified at least one malicious event may be corrected. For example, the BGP hijack detection module 130 may identify the block of IP addresses associated with each malicious event. The BGP hijack detection module 130 may identify each corrupt path in the routing table that corresponds to each malicious event). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Shen of path-based anomaly detection to the method of Stockdale in view of Sher-Jan and Brannon in order to prevent network hijacking attacks (Shen: ¶0001-0007). Stockdale in view of Sher-Jan, Brannon, and Shen does not disclose: i) a software module generating a plurality transaction maps, each map transaction map comprising icons representing the nodes of the computer network and the data flow between the nodes over a configurable time interval starting at a point in time (¶00375: and a visual indicator of the level of risk of non-compliance with the standard for data protection. j) comparing two or more of the transaction maps representing different time intervals, different points in time, or both to detect a change between the transaction maps; and k) generating an alert notification of the change; However, Davenport teaches i) a software module generating a plurality transaction maps, each map transaction map comprising icons representing the nodes of the computer network (¶0175-0177: Overlaid on the map 506 may be plurality of markers 50 representing transactions (transaction map), events, office locations, customized alerts, etc., which involve one or more companies. The position of the markers on the map corresponds to the location ) and the data flow between the nodes over a configurable time interval starting at a point in time (¶0086: As seen in Figure 1, further, the remote server 134 may comprises one or more graphs, charts, table, etc., may track transactions over time (configurable time interval), by transaction location, by transaction cost, by frequency of the transactions, etc. ¶0179-0182: Further, as shown in Figure 5C, a user can filter transactions presented on a display 700, so that only transactions taking place within a certain time interval are shown (configurable). ) and a visual indicator of the level of risk of non-compliance with the standard for data protection. (¶0199-0200: The example display in Figure 7D, shows a display 2000 that may be presented with information either display 1800 or 1900 in Figure 7B and 7C respectively. On display 1800 a user may be presented with information about Qatar Holding such as their country origin, entity type, ownership type, website, year founded, number of enterprises, risk exposures (visual indicator of the level of risk of non-compliance with the standard for data protection), office locations, persons, and transactions etc.). j) comparing two or more of the transaction maps representing different time intervals, different points in time, or both to detect a change between the transaction maps; and (¶0151-0153: As seen Figure 2C, however, in other examples, the method at 278 may additionally or alternatively comprise determining the risk factor based on the transaction history (time intervals) of one or more companies involved in the transaction, the country in which the transaction took place, type of industry of the transaction, etc. Thus, in some examples, the method at 278 may include comparing the transaction information data of the transaction with a record of transaction information. For example, if the transaction occurred in China, a record of transaction having taken place in China may be generated and compared with more than one piece of transaction information data may be used in the comparison. For example, if the transaction occurred in China, and involved the company Rosatom, then a history of all transactions involving Rosatom and conducted in China may be generated and compared to the current transaction. (comparing multiple transactions)). k) generating an alert notification of the change; (¶0153- 0155: Thus, the risk factor for a given company may be adjusted based on the activity of the company and/or its affiliated companies (changes). For example, if a company becomes more involved in illegal activities, continues to pursue transactions in a geographic region that the user has identified as a high-risk region, is involved in types of transactions that are flagged by the user etc., then risk factor for that company may be increased. A user may be notified (alert notification of the change) more frequently of transactions and/ or activity involving companies with higher risk factors. More generally, the relevance and worthiness of a transaction or group of transactions may be determined based on the difference between the transaction information and a regression line. ¶0155: If the difference is greater than a certain threshold, a notification concerning the transaction, company or other data point may be generated.). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Davenport of generating visualization plurality of transaction maps within time intervals, comparing the plurality of transaction maps, and generating alerts of a change to the method of Stockdale in view of Sher-Jan, Brannon, and Shen in order to enable transparency for the user by visualizing activity patterns so that underlying motivations behind such activity may be elucidated and to inform/notify user to potential risks (Davenport: ¶0015-0017). Stockdale in view of Sher-Jan, Brannon, Shen, and Davenport discloses: m) a software module repeating operation of software modules a) to l) when the level security risk is below the threshold level of security risk to continuously monitor an additional threshold level security risk. However, Qiu teaches m) a software module repeating operation of software modules a) to l) when the level security risk is below the threshold level of security risk to continuously monitor an additional threshold level security risk. (¶0048: Suspicious activity detection system may then be configured to determine whether the pair risk value satisfies a condition. For example, if condition is met when the user and content provider associated with the user-content pair, may have a fraudulent label applied thereto such that future events detected by content provider from the user are flagged and prevented from resulting in monetary gain by the provider (and user). Further ¶0062-0068: Figure 2 is an illustrative flowchart of an exemplary for detecting suspicious activity for user-content provider pairs. At step 268, it is determined that the pair risk value is less than the risk threshold value, then process 250 may proceed to step 272. At step 272, interactions between the user device and the content provider may continue to be monitored. In this particular scenario, process 250 may, in some embodiments, repeat (e.g., steps 252-268). ) It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Qiu regarding repeating steps in response to the level of security risk of non-compliance is below risk threshold to the method of Stockdale in view of Sher-Jan, Brannon, Shen, and Davenport in order to mitigate the effects of non-compliant activities such as fraudulence for future events (Qiu: ¶0039). With respect to claim 103, the combination of Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu teaches the method of claim 102 (see the rejection of claim 102 above) wherein the standard for data protection comprises one or more of: a) European General Data Protection Regulation (GDPR); b) California Consumer Privacy Act (CCPA); c) Payment Card Industry Data Security Standard (PCI DSS); d) Health Insurance Portability and Accountability Act (HIPAA); e) federal, state, or local data security law; f) federal, state, or local privacy law; g) federal, state, or local tax law; and h) federal, state, or local data employment law. (Sher-Jan: ¶0036: the present technology allows entrusted entities to model data incident data to privacy rules (standard for data protection) which include at least one state rule and at least one federal rule wherein ¶0086: an exemplary embodiment may be European General Data Privacy Regulation (GDPR) rule risk assessment page). The motivation to reject claim 103 under Sher-Jan is the same motivation applied in the rejection of claim 102 above. With respect to claim 104, the combination of Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu teaches the method of claim 102 (see rejection of claim 102 above) wherein the application further comprises a software module generating a compliance report based on the standard for data protection. (Sher-Jan: ¶0153: data incidents are documented in a record (compliance report) that can used to comply efficiently with GDPR's breach notification requirements (standard for data protection) Figure 2 displays a Reporting Module 225). The motivation to reject claim 104 under Sher-Jan is the same motivation applied in the rejection of claim 102 above. With respect to claim 105, the combination of Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu teaches the method of claim 102 (see the rejection of claim 102 above) wherein the application further comprises a software module generating a compliance alert based on the standard for data protection. (Sher-Jan: ¶0153-0160: based on GDPR's breach notification requirements (standard for data protection) so that a data incident may trigger an obligation to notify (compliance alert) affected parties Figure 2 displays a notification module 220). The motivation to reject claim 105 under Sher-Jan is the same motivation applied in the rejection of claim 102 above. With respect to claim 106, the combination of Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu teaches the method claim 102 (see the rejection of claim 102 above) wherein the application further comprises a software module taking a remedial compliance action based on the standard for data protection. (Sher-Jan: ¶0083: Remedial action (remedial compliance action), uploading of a file, or other notification and/or compliance related action may be noted and associated with a particular risk assessment which is related to the GDPR). The motivation to reject claim 106 under Sher-Jan is the same motivation applied in the rejection of claim 102 above. Claim 88 is rejected under 35 U.S.C. 103 as being unpatentable over Stockdale et al. (US PGPub No. 20200244673-A1) in view of Sher-Jan et al. (US PGPub No. 20170206376-A1) Brannon et al. (US PGPub No. 20220147638-A1), Shen et al. (US PGPub No. 20170180418-A1), Davenport et al. (US PGPub No. 20160343100-A1), Qiu et al. (US PGPub No.20190205926-A1 ), and Merza et al. (US PG Pub No.20170223030-A1). With respect to claim 88, the combination of Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu teaches the method of claim 87 (see the rejection of claim 87 above) wherein the data flow is associated with a data source, the method further comprising: a) determining, by the computer monitoring system, [a characteristic of the data source;] and (Stockdale: ¶0108-0109: wherein the cyber security defense system initially ingests data from multiple sources Block 602 displayed in Figure 6 which are not limited to raw network, individual machine, machine level performance data taken from on-host sources. The cyber thread defense system devices second order metrics from the raw data (Block 604)). From these raw sources of data, multiple metrics can be derived, each producing time series data for the given metric.). Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu does not disclose: a) determining, by the computer monitoring system, a characteristic of the data source; and b) classifying, by the computer monitoring system, the data flow responsive to the characteristic of the data source, wherein the determining of the level of security risk caused by the data flow is further responsive to the classification. However, Merza teaches a) determining, by the computer monitoring system, a characteristic of the data source (¶0237-0238: wherein event of plurality of events (data flow) includes a portion a raw-machine data from a data source); and (¶0238: for at least one event of the plurality of events, (data flow) a transaction phase of computer security transaction is correlated (characteristic) with the at least one event based at least in part of a data source associated of the at least one event.). b) classifying, by the computer monitoring system, the data flow responsive to the characteristic of the data source, (¶0238-0240: the transaction phase of the at least one event is correlated with a particular asset of a plurality of assets and can be aggregated for the plurality of assets on a per-asset identity basis in which the assets can be searched by transaction phase (classifying based on data source)). wherein the determining of the level of security risk caused by the data flow is further responsive to the classification. (¶0239-240: the computer security transaction can also include a plurality of transaction phases (dataflow) indicative of a progressive cyber-attack (determining of the level a security risk) in which the plurality of transaction phases is defined (classified)). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Merza of determining the characteristic of the data source to the method of Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu in order to reduce the size of the potentially vast amount of data that may be generated to be analyzed by the system (Merza: ¶0067-0068). Claim 92 is rejected under 35 U.S.C. 103 as being unpatentable over Stockdale et al. (US PGPub No. 20200244673-A1) in view of Sher-Jan et al. (US PGPub No. 20170206376-A1) Brannon et al. (US PGPub No. 20220147638-A1), Shen et al. (US PGPub No. 20170180418-A1), Davenport et al. (US PGPub No. 20160343100-A1), Qiu et al. (US PGPub No.20190205926-A1 ), and Aksela et al. (US PG Pub No.20210092129-A1). With respect to claim 92, the combination of Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu teaches the method of claim 82 (see the rejection of claim 82 above) wherein further comprising: scanning, by the computer monitoring system, (Stockdale: ¶ 0035: the gather module may comprise of multiple automatic data gathers that each look (scanning) at different aspects of the data depending on the particular form for analyzed event and/or event.). the computer network to discover the sequence of nodes of the computer network (Stockdale: ¶ 0035: the ingestion module monitoring a network's entity activity may feed collected data, from the gather module, to a coordinator module to correlate casual links between these activity is to supply this input cyber threat module.) Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu does not disclose: prior to detecting the data flow between the sequence of nodes of the computer network. However, Aksela teaches prior to detecting the data flow between the sequence of nodes of the computer network (¶0015-0017: In which an EDR (Endpoint Detection Response) deployed data collectors observe (scans/monitors) activities happening at end point (prior) and then send collected data to be processed). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Aksela of discovering a sequence of nodes of the computer network prior to detecting the data flow between the sequence of nodes of the computer network to the method of Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu in order to collect data about the behavior of a program (sequence) and used when the sequence need to be further analyzed (Aksela: ¶0015). Claim 96 is rejected under 35 U.S.C. 103 as being unpatentable over Stockdale et al. (US PGPub No. 20200244673-A1) in view of Sher-Jan et al. (US PGPub No. 20170206376-A1) Brannon et al. (US PGPub No. 20220147638-A1), Shen et al. (US PGPub No. 20170180418-A1), Davenport et al. (US PGPub No. 20160343100-A1), Qiu et al. (US PGPub No.20190205926-A1 ), and Pandian et al. (US PG Pub No.20200076846-A1). With respect to claim 96, the combination of Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu teaches the method of claim 82 (see the rejection of claim 82 above) wherein the one or more transaction maps further comprises an icon [representing the user.] (Stockdale: ¶0129: the topology map (transaction map) can have one or more network node acting as a visual avatar for a network entity). Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu discloses with regards to a transaction map and visual representation of the network entity related to user but does not disclose: wherein the one or more transaction maps comprises an icon representing the user. However, Pandian teaches wherein the transaction map further comprises an icon representing the user (¶0117: wherein the graphical user interface showing device photos (icons) of devices (user) in a network. Device photo is associate with an icon (wherein the device photo is an icon) and device profile name(user)). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Pandian of an icon representing the user to the method of Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu in order to present information to the user about network in an easily understandable manner (Pandian: ¶0049). Claim 107 is rejected under 35 U.S.C. 103 as being unpatentable over Stockdale et al. (US PGPub No. 20200244673-A1) in view of Sher-Jan et al. (US PGPub No. 20170206376-A1) Brannon et al. (US PGPub No. 20220147638-A1), Shen et al. (US PGPub No. 20170180418-A1), Davenport et al. (US PGPub No. 20160343100-A1), Qiu et al. (US PGPub No. 20170366576-A1), and Chen Kaldi et al. (US PG Pub No. 20210377288-A1). With respect to claim 107, the combination of Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu teaches the method of claim 82 (see rejection of claim 82 above) wherein [a size] of the sampling of the data from the software application transaction log is based, (Brannon: ¶0035: the ingestion module may be divided into an email module, SaaS module, a Cloud module, and network module (plurality of software application transaction log samples), where each module is configured to monitor and interaction with its corresponding network). at least in part, on a risk of non-compliance with the standard for data protection associated with the data flow, and (Brannon: ¶0039-0042: The cyber threat module can generate a set of incident data describing an anomalous event by an entity, here representing a user or a device participating in the network. ) wherein [a size] of the sampling of the data from the trace log is based, at least in part, on a risk of non-compliance with the standard for data protection associated with the data flow. (Brannon: ¶0065-0070: As seen in Figure 3, Further, according to particular aspects, the rules-based model and/or machine-learning model may be configured to generate separate risks, a first risk associated with the entity experiencing a data privacy incident due to the functionality's use of the target data and a second, separate risk associated with the entity being noncompliant with one or more legal and/or industry standards due to the functionality's use of the target data (generating a plurality of trace log samples). ) The motivation to reject claim 107 under Brannon is the same motivation applied in the rejection of claim 82 above. Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu does not disclose: wherein a size of the sampling of the data from the software application transaction log is based, at least in part, on a risk of non-compliance with the standard for data protection associated with the data flow, and wherein a size of the sampling of the data from the trace log is based, at least in part, on a risk of non-compliance with the standard for data protection associated with the data flow. However, Chen Kaldi teaches wherein a size of the sampling of the data from the software application transaction log is based, at least in part, on a risk of non-compliance with the standard for data protection associated with the data flow, and (¶0014: The logs and/or time period may be selected (implying that there is a limit on how many logs can be taken in for sampling determining size of the sampling) based on the service provider identifying other computing attacks (risk of non-compliance) during that time period, to identify an extent and/or source of the computing attack during the time period, and/or based on minimum or maximum number of logs for generating the malicious log's signature and testing for computing attacks.). wherein a size of the sampling of the data from the trace log is based, (¶0053: However, to identify network traffic logs from different sources (tracing logs) that may be associated with the same or similar computing attack, such as using a similar vector or operation to compromise the service provider, the service provider may instead execute a search using the aggregate values and other log signatures. at least in part, on a risk of non-compliance with the standard for data protection associated with the data flow. (¶0053-0054: The service provider may further determine log signatures for other network traffic logs. This may be done for the network traffic logs over the time period or selected for another time period of interest, such as when a computing attack (risk of non-compliance) occurred or is actively happening in real-time. Where the number of log entries for network traffic may be too high, sampling (reducing size (e.g., determination of size) may be used to reduce computing resources, such as when streaming network traffic log entries in real-time for log signature determination.) Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Chen Kaldi of scaling of the sampling to the method of Stockdale in view of Stockdale in view of Sher-Jan, Brannon, Shen, Davenport, and Qiu in order to reduce the risk, fraud, exposure of data, and reduce processing load and stress on the system (Chen Kaldi: ¶00002 & 0064). Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Fujisawa et al. (US PGPub No.20170251007-A1 ) teaches continuous monitoring and the repetition of the monitoring process when security level is below the threshold. A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to TAYLOR P VU whose telephone number is (703)756-1218. The examiner can normally be reached MON - FRI (7:30 - 5:00). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached at (571) 270-5143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /T.P.V./Examiner, Art Unit 2437 /ALEXANDER LAGOR/Supervisory Patent Examiner, Art Unit 2437