FAULT PROPAGATION CONDITION EXTRACTION METHOD AND APPARATUS AND STORAGE MEDIUM

Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . This is a final office action. Claims 1-20 were considered. Response to Amendment This action is in response to communication filed on 10/20/2025. a. Claims 1-20 are pending in this application. b. Claims 1, 4, 6-7, 11-14, 17 and 19 has been amended. Response to Arguments Regarding Claim Rejections – 35 USC § 103 Applicant's arguments, see page 12-14 of REMARKS, filed on 10/20/2025, with respect to Claim Rejections - 35 USC § 103 have been fully considered. Applicant’s arguments with respect to claim(s) 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim 1, 11-13 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Coull et al. (US 11201890 B1, hereinafter Coull) in view of Stokes et al. (US 20180367548 A1, hereinafter Stokes) further in view of Qi et al. (US 20210021456 A1, hereafter Lin) further in view of Tucker et al. (US 20180123864 A1, hereinafter Tucker). Regarding claim 1, Coull teaches a method, comprising: obtaining, by a network device, a plurality of event-object connection graphs corresponding to a communications network ([Col 11, 5-20]: The method 500 includes generating, at 540, a semantic graph that represents objects as nodes and events (or actions) as edges. Threat scores for the objects of the semantic graph are then calculated (e.g., simultaneously or concurrently), at 546, based on the alert data and the event data. At 548, each threat score calculated at 546 for a given object/node of the semantic graph is propagated to each other object/node of the semantic graph, via the calculation of modified threat scores that are based on the associations calculated at 544 (i.e. obtaining the fault propagation graph for network nodes)), wherein the plurality of event-object connection graphs are obtained at different times ([Col 2, 63-67; Col 3, 1-2]: The updating of the semantic graph can include modifying an alert attribute of a first object from the plurality of objects when the event data includes an alert applicable to the first object, and modifying a threat score of each object from the plurality of objects based on the event data. The alert attribute optionally includes a timestamp associated with the alert (i.e. event-object graph are modified at different times)), the different times are in a one-to-one correspondence with the plurality of event-object connection graphs ([Col 3, 1-6]: The alert attribute optionally includes a timestamp associated with the alert. The updating of the semantic graph can also include decomposing the event data into a set of objects and a set of events, and updating a frequency of occurrence of an edge from the plurality of edges based on the set of events), and each of the plurality of event-object connection graphs describes a fault-related event that occurs in the communications network ([Col 11, 5-11]: The method 500 includes generating, at 540, a semantic graph that represents objects as nodes and events (or actions) as edges. Alert data (e.g., for one or more cyber-alerts received at the processor from one or more firewalls, agents, third-party sources, etc.) is stored in memory at 542. The alert data can include one or more of: alert type, weight, and number of occurrences (i.e. graph represents fault events in the communication network)) and a connection relationship between objects related to the fault-related event ([Col 11, 11-16]: At 544 (optionally in response to or triggered by the receipt of the alert(s)), associations between objects of the semantic graph and the alert data are calculated. Threat scores for the objects of the semantic graph are then calculated (e.g., simultaneously or concurrently), at 546, based on the alert data and the event data. (i.e. threat score are determined for the events and objects)); determining, by the network device, a plurality of subgraphs based on the plurality of event-object connection graphs ([Col 11, 21-25]: A subgraph (e.g., a high-risk or anomalous subgraph) of the semantic graph can then be identified/detected (and optionally displayed via a GUI) at 550 based on the modified threat scores (which have optionally been normalized prior to the subgraph detection) (i.e. subgraph is determined based on event and threat scores)), wherein the plurality of subgraphs are in a one-to-one correspondence with the plurality of event-object connection graphs ([Col 12, 15-18]: FIG. 7B shows an example subgraph of the semantic graph of FIG. 7A. The subgraph can correspond to a region within the semantic graph that is of particular interest (e.g., in a cyber-security sense) (i.e. subgraph fig. 7B is from event-object graph fig. 7A)), each of the plurality of subgraphs is a subset of a corresponding event-object connection graph ([Col 12, 21-27]: The subgraph can include a substantially smaller number of objects/nodes and events/edges than that of the semantic graph of FIG. 7A (in this case, FIG. 7B includes 27 nodes and 28 edges), such that the subgraph, when rendered within a GUI, focuses the user/analyst's attention on a critical region of the monitored system (i.e. subgraph is a subset of event-object graph)). Coull however does not teach each of the plurality of subgraphs has a maximum hop distance N, a quantity of hops between an object that generates a first event in each of the plurality of subgraphs and any object related to the corresponding first event is not greater than N, the fault-related event corresponding to each of the plurality of event-object connection graphs comprises the first event of the corresponding subgraph of the plurality of subgraphs, and N is an integer greater than or equal to 1; updating, by the network device, an object in each of the plurality of subgraphs to a corresponding object type based on a correspondence between the respective object and an object type, to obtain a plurality of updated subgraphs, wherein the plurality of updated subgraphs are in a one-to-one correspondence with the plurality of subgraphs; and determining, by the network device, one or more fault propagation conditions based on the plurality of updated subgraphs, wherein the one or more fault propagation conditions indicate a path through which a fault is propagated in the communications network. Stokes teaches each of the plurality of subgraphs has a maximum hop distance N ([40-41]: One input parameter to the system is K, the number of hops in suspicious paths which can also be considered the desired subpath length. K may be set equal to 2.), a quantity of hops between an object that generates a first event in each of the plurality of subgraphs and any object related to the corresponding first event is not greater than N ([39-40]: Malicious lateral movement subgraphs may be identified in the network connection graph 173. To facilitate accurate and efficient processing, search for malicious subpaths (i.e., rare K-hop paths), and then construct the overall malicious graph by joining these subpaths together based on a match of the source node, destination node, and timestamp. Input parameters may include: K (the number of hops in suspicious paths). One input parameter to the system is K, the number of hops in suspicious paths which can also be considered the desired subpath length. K may be set equal to 2 (i.e. quantity of hops in subgraph is K=2)); N is an integer greater than or equal to 1 ([40-41]: One input parameter to the system is K, the number of hops in suspicious paths which can also be considered the desired subpath length. K may be set equal to 2 (i.e. hop distance K is greater than 1)). Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Coull to incorporate the teachings of Stokes and each of the plurality of subgraphs has a maximum hop distance N, a quantity of hops between an object that generates a first event in each of the plurality of subgraphs and any object related to the corresponding first event is not greater than N and N is an integer greater than or equal to 1. One of ordinary skilled in the art would have been motivated to combine the teachings in order to search for malicious subpaths (Stokes, [39]). Coull in view of Stokes however does not teach the fault-related event corresponding to each of the plurality of event-object connection graphs comprises the first event of the corresponding subgraph of the plurality of subgraphs; updating, by the network device, an object in each of the plurality of subgraphs to a corresponding object type based on a correspondence between the respective object and an object type, to obtain a plurality of updated subgraphs, wherein the plurality of updated subgraphs are in a one-to-one correspondence with the plurality of subgraphs; and determining, by the network device, one or more fault propagation conditions based on the plurality of updated subgraphs, wherein the one or more fault propagation conditions indicate a path through which a fault is propagated in the communications network. Qi teaches the fault-related event corresponding to each of the plurality of event-object connection graphs comprises the first event of the corresponding subgraph of the plurality of subgraphs ([80-81]: Each node in the host subgraph is not connected to any node in the host Bayesian network outside the host subgraph. The event Bayesian network includes nodes representing the alarm events and edges representing conditional dependencies among the alarm events, and the event subgraph includes nodes representing the subset of alarm events and edges representing conditional dependencies among the subset of the alarm events. The nodes of the event subgraph includes at least one root node indicating a root cause of the subset of alarm events (i.e. each subgraph contains root node and related nodes)); updating, by the network device, an object in each of the plurality of subgraphs to a corresponding object type based on a correspondence between the respective object and an object type, to obtain a plurality of updated subgraphs ([64, 84]: FIG. 5 is a schematic diagram of an illustrative system 500 that can implement the event grouping 96 as shown in FIG. 3. The system 500 includes a training module 502 configured to determine correlation of the events to be trained and produce a number of groups of correlated events, where each group has one or more root causes. The updating module 506 can update the subgraph of the host Bayesian network based on the group of alarm events. For example, the updating module 506 can update the weights of the edges in the matched host subgraph based on the group of alarm events (i.e. updating the subgraph for related events)), wherein the plurality of updated subgraphs are in a one-to-one correspondence with the plurality of subgraphs ([84]: The updating module 506 can update the subgraph of the host Bayesian network based on the group of alarm events. The updating module 506 can also update probabilities of the group of entities based on the group of alarm events.); and determining, by the network device, one or more fault propagation conditions based on the plurality of updated subgraphs ([83-84]: At block 606, the online grouping module 504 determines a root cause of the group of historical alarm events based on the first correlation, for example, the first Bayesian network.). Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Coull in view of Stokes to incorporate the teachings of Qi and a quantity of hops between an object that generates a first event in each of the plurality of subgraphs and the fault-related event corresponding to each of the plurality of event-object connection graphs comprises the first event of the corresponding subgraph of the plurality of subgraphs; updating, by the network device, an object in each of the plurality of subgraphs to a corresponding object type based on a correspondence between the respective object and an object type, to obtain a plurality of updated subgraphs, wherein the plurality of updated subgraphs are in a one-to-one correspondence with the plurality of subgraphs; and determining, by the network device, one or more fault propagation conditions based on the plurality of updated subgraphs. One of ordinary skilled in the art would have been motivated to combine the teachings in order to determine a root cause of the group of historical alarm events (Qi, [83]). Coull in view of Stokes and Qi however does not teach wherein the one or more fault propagation conditions indicate a path through which a fault is propagated in the communications network. Tucker teaches wherein the one or more fault propagation conditions indicate a path through which a fault is propagated in the communications network ([77]: A connected subgraph may include at least two vertices and may be disconnected from other vertices in the graph. A subgraph is connected when there is a path (i.e., of edges that have not been removed from the graph) between every pair of vertices within the subgraph. A subgraph is disconnected from a vertex if there is no path (i.e., of edges that have not been removed from the graph) from the vertex to the vertices in the subgraph (i.e. the fault propagation indicates path of fault)). Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Coull in view of Stokes and Qi to incorporate the teachings of Tucker and one or more fault propagation conditions indicate a path through which a fault is propagated in the communications network. One of ordinary skilled in the art would have been motivated to combine the teachings in order for improving efficiency of computing network management (Tucker, [04]). Regarding claim 11, Coull in view of Stokes, Qi and Tucker teaches the method according to claim 1. Qi teaches further comprising: after determining, by the network device, the one or more fault propagation conditions based on the plurality of updated subgraphs, predicting, by the network device, a fault-affected object based on an object on which a first fault alarm currently occurs ([89]: At block 702, the training module 502 can cluster the events to separate the events into several groups. For example, an event that the CPU usage is above 90% may be categorized into the same group as another event that the CPU usage is above 95%. As a result, similar events can be classified into the same group so that the events can be standardized or templatized. In addition, outlier detection can be carried out to remove outlier.), the updated subgraph of the communications network at a current time ([92]: At block 714, the training module 502 can select a time window based on the correlation of the events. For example, two most-correlated events can be determined in a default time window. Then, the time window can be selected to be a time period that spans the two events.), and the one or more fault propagation conditions, wherein the fault-affected object is an object on which a second fault alarm occurs due to impact of the first fault alarm ([83]: At block 606, the online grouping module 504 determines a root cause of the group of historical alarm events based on the first correlation, for example, the first Bayesian network. Since the root cause of the group of historical alarm events is the same as the root cause of the group of alarm events, the root cause of the group of historical alarm events can be used as the root cause of the received alarm events.). Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Coull in view of Stokes, Qi and Tucker to incorporate the teachings of Qi and after determining, by the network device, the one or more fault propagation conditions based on the plurality of updated subgraphs, predicting, by the network device, a fault-affected object based on an object on which a first fault alarm currently occurs, the updated subgraph of the communications network at [[the]]a current time, and the one or more fault propagation conditions, wherein the fault-affected object is an object on which a second fault alarm occurs due to impact of the first fault alarm. One of ordinary skilled in the art would have been motivated to combine the teachings in order to determine a root cause of the group of historical alarm events (Qi, [83]). Regarding claim 12, Coull in view of Stokes, Qi and Tucker teaches the method according to claim 11. Qi teaches wherein predicting, by the network device, the fault-affected object based on the object on which the first fault alarm currently occurs and the one or more fault propagations condition comprises: selecting, by the network device from the one or more fault propagation conditions, a fourth fault propagation condition whose start point is the object on which the first fault alarm currently occurs and that matches the updated subgraph of the communications network at the current time ([89, 98]: At block 702, the training module 502 can cluster the events to separate the events into several groups. For example, an event that the CPU usage is above 90% may be categorized into the same group as another event that the CPU usage is above 95%. As a result, similar events can be classified into the same group so that the events can be standardized or templatized. In addition, outlier detection can be carried out to remove outlier (i.e. determine fault propagation condition such as CPU usage threshold and update the subgraph to remove outliers)); and determining, by the network device, an end point of the fourth fault propagation condition as the fault-affected object ([99]: The training module 502 can obtain a number of event subgraphs and when an alarm storm happens in the future, the alarm storm can match one of the event subgraphs to quickly identify the root cause of the alarm storm.). Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Coull in view of Stokes, Qi and Tucker to incorporate the teachings of Qi and selecting, by the network device from the one or more fault propagation conditions, a fourth fault propagation condition whose start point is the object on which the first fault alarm currently occurs and that matches the updated subgraph of the communications network at the current time; and determining, by the network device, an end point of the fourth fault propagation condition as the fault-affected object. One of ordinary skilled in the art would have been motivated to combine the teachings in order to determine a root cause of the group of historical alarm events (Qi, [83]). Regarding claim 13, Coull in view of Stokes, Qi and Tucker teaches the method according to claim 12. Qi teaches further comprising: determining, by the network device, a fault propagation time corresponding to the one or more fault propagation conditions ([78]: The first time window or slot can be determined based on a first alarm event and a second alarm event that are most correlated in a default or predetermined time slot.); and predicting, by the network device based on a fault propagation time corresponding to the fourth fault propagation condition and an alarm occurrence time of the first fault alarm, a time at which the second fault alarm occurs on the fault-affected object ([78]: The second time slot can be determined based on a third alarm event and a fourth alarm event that are most correlated in the default time slot. For example, if a default time slot is one hour, the events can be divided into a number of groups based on the default time slot. For each time slot, the training module 502 can determine two events that are most correlated to each other and the time window can be determined to equal the time span of the two events.). Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Coull in view of Stokes, Qi and Tucker to incorporate the teachings of Qi and determining, by the network device, a fault propagation time corresponding to the one or more fault propagation conditions; and predicting, by the network device based on a fault propagation time corresponding to the fourth fault propagation condition and an alarm occurrence time of the current fault alarm, a time at which the fault alarm occurs on the fault-affected object. One of ordinary skilled in the art would have been motivated to combine the teachings in order to determine a root cause of the group of historical alarm events (Qi, [83]). Regarding Claim 14, they do not teach or further define over claim 1. Therefore, claim 14 is rejected for the same reason as set forth above in claim 1. Claim 2-10, and 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over Coull in view of Stokes, Qi and Tucker further in view of Keen et al. (US 20080178293 A1, hereinafter Keen). Regarding claim 2, Coull in view of Stokes, Qi and Tucker teaches the method according to claim 1. Qi teaches wherein determining, by the network device, the one or more fault propagation conditions based on the plurality of updated subgraphs comprises: separately converting, by the network device, the plurality of updated subgraphs into graph embedding vectors based on a graph embedding algorithm, to obtain a plurality of graph embedding vectors that are in a one-to-one correspondence with the plurality of updated subgraphs ([84]: The updating module 506 can perform causal inference based on the updated subgraph and the group of alarm events to update the first correlation or the first Bayesian network. For example, the updating module 506 can use any method or algorithm currently known or to be developed in the future to perform the causal inference, for example, PC-algorithm.); wherein each of the plurality of subgraph sets comprises at least one of the plurality of updated subgraphs ([84]: The updating module 506 can update the subgraph of the host Bayesian network based on the group of alarm events. For example, the updating module 506 can update the weights of the edges in the matched host subgraph based on the group of alarm events (i.e. subgraph includes updated subgraph for related events)). Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Coull in view of Stokes, Qi and Tucker to incorporate the teachings of Qi and determining, by the network device, the one or more fault propagation conditions based on the plurality of updated subgraphs comprises: separately converting, by the network device, the plurality of updated subgraphs into graph embedding vectors based on a graph embedding algorithm, to obtain a plurality of graph embedding vectors that are in a one-to-one correspondence with the plurality of updated subgraphs; and each of the plurality of subgraph sets comprises at least one of the plurality of updated subgraphs. One of ordinary skilled in the art would have been motivated to combine the teachings in order to determine a root cause of the group of historical alarm events (Qi, [83]). Coull in view of Stokes, Qi and Tucker however does not teach determining, by the network device, a plurality of subgraph sets based on the plurality of graph embedding vectors and a clustering algorithm; and extracting, by the network device based on a frequent subgraph mining algorithm, the one or more fault propagation conditions from the updated subgraph comprised in each of the plurality of subgraph sets. Keen teaches determining, by the network device, a plurality of subgraph sets based on the plurality of graph embedding vectors and a clustering algorithm ([32, 55-58]: Subgraph Isomorphism can be implemented as part of distributed GDM in various embodiments. Subgraph isomorphism is the activity of finding subgraphs (e.g., one or more subgraphs in the set of subgraphs 210) within a larger graph (e.g., graph 200) that match a chosen or particular subgraph. Thus, subgraph isomorphism can be used by the system 100 (see FIG. 1) to discover graph patterns that match a particular graph pattern during the distributed use of GDM (i.e. apply matching algorithm). [47]: Distributed Support Vector Machine (SVM) algorithms may be used to apply ML to perform GDM. This approach is classified as a heuristic graph search using indirect pattern matching); and extracting, by the network device based on a frequent subgraph mining algorithm, the one or more fault propagation conditions from the updated subgraph comprised in each of the plurality of subgraph sets ([55-59]: The method 311 may continue on to detecting intrusion at block 345 with respect to the at least one network using GDM for a selected subgraph and the one or more communications graphs.). Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Coull in view of Stokes, Qi and Tucker to incorporate the teachings of Keen and determining, by the network device, a plurality of subgraph sets based on the plurality of graph embedding vectors and a clustering algorithm; and extracting, by the network device based on a frequent subgraph mining algorithm, the one or more fault propagation conditions from the updated subgraph comprised in each of the plurality of subgraph sets. One of ordinary skilled in the art would have been motivated to combine the teachings in order for intrusion detection using GDM for selected subgraphs (Keen, [59]). Regarding claim 3, Coull in view of Stokes, Qi, Tucker and Keen teaches the method according to claim 2. Keen teaches wherein determining, by the network device, the plurality of subgraph sets based on the plurality of graph embedding vectors and the clustering algorithm comprises: determining, by the network device, a similarity between every two graph embedding vectors of the plurality of graph embedding vectors ([56-58]: The use of GDM comprises using a distributed support vector machine to classify feature vectors based on a set of graph invariants associated with the one or more communications graphs.); and clustering, by the network device, the plurality of updated subgraphs based on the similarity and the clustering algorithm, to obtain the plurality of subgraph sets ([52-53]: The method 311 may continue on to block 333, with extracting behavior patterns, including patterns of infrequent behavior and frequent behavior, from the one or more communication graphs using graph-based metrics. The method 311 may include generating one or more subgraphs representing a portion of the communications occurring with respect to one or more of the network hosts at block 335 (i.e. obtain subgraphs based of behavior patterns). [59]: The method 311 may continue on to detecting intrusion at block 345 with respect to the at least one network using GDM for a selected subgraph and the one or more communications graphs.). Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Coull in view of Stokes, Qi and Tucker to incorporate the teachings of Keen and determining, by the network device, the plurality of subgraph sets based on the plurality of graph embedding vectors and the clustering algorithm comprises: determining, by the network device, a similarity between every two graph embedding vectors of the plurality of graph embedding vectors; and clustering, by the network device, the plurality of updated subgraphs based on the similarity and the clustering algorithm, to obtain the plurality of subgraph sets. One of ordinary skilled in the art would have been motivated to combine the teachings in order for intrusion detection using GDM for selected subgraphs (Keen, [59]). Regarding claim 4, Coull in view of Qi, Tucker and Keen teaches the method according to claim 2. Qi teaches further comprising: after determining, by the network device, the one or more fault propagation conditions based on the plurality of updated subgraphs, determining, by the network device, a fault propagation time corresponding to the one or more fault propagation conditions ([92]: At block 714, the training module 502 can select a time window based on the correlation of the events. Two most-correlated events can be determined in a default time window. Then, the time window can be selected to be a time period that spans the two events (i.e. determine fault propagation time for events)); filtering, by the network device, a fault propagation condition that meets a condition from the one or more fault propagation conditions based on an object on which a first fault alarm currently occurs ([94]: At block 718, the training module 502 can combine the correlated host groups. For example, the training module 502 can combine the host Bayesian networks from multiple time windows.), an updated subgraph of the communications network at a current time ([95]: At block 720, the training module 502 can extract host subgraphs from the combined Bayesian network.), and the fault propagation time corresponding to the one or more fault propagation conditions ([93]: At block 716, the training module 502 can determine correlation of the host in each time window or time slot. For example, the training module 502 can determine a host Bayesian network in each time window.); and when a quantity of the fault propagation conditions that meet the condition is 1, determining, by the network device, a start point of the fault propagation condition that meets the condition as a fault source of the first fault alarm ([98]: At block 726, the training module 502 can extract an event subgraph from the event Bayesian network. If an event subgraph of the event Bayesian network has only one root node, the training module 502 will extract the event subgraph accordingly. If an event subgraph of the event Bayesian network has more than one root node, the training module 502 could merge the root node V with another node U if the nodes V and U satisfy one or more predefined conditions (i.e. determining fault source based on matched condition)). Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Coull in view of Stokes, Qi, Tucker and Keen to incorporate the teachings of Qi and after determining, by the network device, the one or more fault propagation conditions based on the plurality of updated subgraphs, determining, by the network device, a fault propagation time corresponding to the one or more fault propagation conditions, filtering, by the network device, a fault propagation condition that meets a condition from the one or more fault propagation conditions based on an object on which a first fault alarm currently occurs, an updated subgraph of the communications network at a current time, and the fault propagation time corresponding to the one or more fault propagation conditions; and when a quantity of the fault propagation conditions that meet the condition is 1, determining, by the network device, a start point of the fault propagation condition that meets the condition as a fault source of the first fault alarm. One of ordinary skilled in the art would have been motivated to combine the teachings in order to determine a root cause of the group of historical alarm events (Qi, [83]). Regarding claim 5, Coull in view of Stokes, Qi, Tucker and Keen teaches the method according to claim 4. Qi teaches wherein determining, by the network device, the fault propagation time corresponding to the one or more fault propagation conditions comprises: determining, by the network device, an alarm occurrence time at a start point and an alarm occurrence time at an end point of a first fault propagation condition ([92]: At block 714, the training module 502 can select a time window based on the correlation of the events (i.e. time window includes start time and end point for alarms)), wherein the first fault propagation condition is a fault propagation condition extracted from a first subgraph set, and the plurality of subgraph sets comprise the first subgraph set ([93-94]: At block 716, the training module 502 can determine correlation of the host in each time window or time slot. At block 720, the training module 502 can extract host subgraphs from the combined Bayesian network. For example, each node in a host subgraph is not connected to another node (for example, all the other nodes) in the Bayesian network outside the host subgraph.); and determining, by the network device, a difference between the alarm occurrence time at the start point and the alarm occurrence time at the end point of the first fault propagation condition as a fault propagation time corresponding to the first fault propagation condition ([94, 98]: At block 718, the training module 502 can combine the correlated host groups. For example, the training module 502 can combine the host Bayesian networks from multiple time windows. At block 726, the training module 502 can extract an event subgraph from the event Bayesian network. If an event subgraph of the event Bayesian network has only one root node, the training module 502 will extract the event subgraph accordingly (i.e. determining the time for fault propagation to determine the root cause)). Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Coull in view of Stokes, Qi, Tucker and Keen to incorporate the teachings of Qi and determining, by the network device, an alarm occurrence time at a start point and an alarm occurrence time at an end point of a first fault propagation condition, wherein the first fault propagation condition is a fault propagation condition extracted from a first subgraph set, and the plurality of subgraph sets comprise the first subgraph set; and determining, by the network device, a difference between the alarm occurrence time at the start point and the alarm occurrence time at the end point of the first fault propagation condition as a fault propagation time corresponding to the first fault propagation condition. One of ordinary skilled in the art would have been motivated to combine the teachings in order to determine a root cause of the group of historical alarm events (Qi, [83]). Regarding claim 6, Coull in view of Stokes, Qi, Tucker and Keen teaches the method according to claim 4. Qi teaches wherein filtering, by the network device, the fault propagation condition that meets the condition from the one or more fault propagation conditions based on the object on which the first fault alarm currently occurs, the updated subgraph of the communications network at the current time, and the fault propagation time corresponding to the one or more fault propagation conditions comprises: selecting, by the network device from the one or more fault propagation conditions, a second fault propagation condition whose end point is the object on which the first fault alarm currently occurs and that matches the updated subgraph of the communications network at the current time ([89]: At block 702, the training module 502 can cluster the events to separate the events into several groups. For example, an event that the CPU usage is above 90% may be categorized into the same group as another event that the CPU usage is above 95% (i.e. selecting second fault condition)); selecting, by the network device from the second fault propagation condition based on the updated subgraph of the communications network at the current time, a third fault propagation condition with a start point at which a second fault alarm occurs before the current time ([95]: At block 720, the training module 502 can extract host subgraphs from the combined Bayesian network. For example, each node in a host subgraph is not connected to another node (for example, all the other nodes) in the Bayesian network outside the host subgraph.); determining, by the network device based on the updated subgraph of the communications network at the current time, a current alarm propagation time corresponding to the third fault propagation condition ([96]: At block 724, the training module 502 can perform event causal inference on the events based on the host subgraph so as to obtain the event subgraph.), wherein the current alarm propagation time is a difference between an alarm occurrence time at the start point of the third fault propagation condition and an alarm occurrence time of the first fault alarm, and the alarm occurrence time at the start point of the third fault propagation condition is determined from the updated subgraph of the communications network at the current time ([93]: At block 716, the training module 502 can determine correlation of the host in each time window or time slot. For example, the training module 502 can determine a host Bayesian network in each time window.); and selecting, by the network device from the third fault propagation condition, a fault propagation condition in which a difference between the corresponding current alarm propagation time and the fault propagation time is less than a time threshold ([94]: At block 718, the training module 502 can combine the correlated host groups. For example, the training module 502 can combine the host Bayesian networks from multiple time windows. For example, a conditional frequency table can be determined for each Bayesian network. The conditional frequency tables can be combined to obtain a combined conditional frequency table, for example, a weighted conditional frequency table. A combined Bayesian network can be constructed based on the combined conditional frequency table.), and using the selected fault propagation condition as the fault propagation condition that meets the condition ([95]: At block 720, the training module 502 can extract host subgraphs from the combined Bayesian network. For example, each node in a host subgraph is not connected to another node (for example, all the other nodes) in the Bayesian network outside the host subgraph.). Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Coull in view of Stokes, Qi, Tucker and Keen to incorporate the teachings of Qi and selecting, by the network device from the one or more fault propagation conditions, a second fault propagation condition whose end point is the object on which the first fault alarm currently occurs and that matches the updated subgraph of the communications network at the current time; selecting, by the network device from the second fault propagation condition based on the updated subgraph of the communications network at the current time, a third fault propagation condition with a start point at which a second fault alarm occurs before the current time; determining, by the network device based on the updated subgraph of the communications network at the current time, a current alarm propagation time corresponding to the third fault propagation condition, wherein the current alarm propagation time is a difference between an alarm occurrence time at the start point of the third fault propagation condition and an alarm occurrence time of the first fault alarm, and the alarm occurrence time at the start point of the third fault propagation condition is determined from the updated subgraph of the communications network at the current time; and selecting, by the network device from the third fault propagation condition, a fault propagation condition in which a difference between the corresponding current alarm propagation time and the fault propagation time is less than a time threshold, and using the selected fault propagation condition as the fault propagation condition that meets the condition. One of ordinary skilled in the art would have been motivated to combine the teachings in order to determine a root cause of the group of historical alarm events (Qi, [83]). Regarding claim 7, Coull in view of Stokes, Qi, Tucker and Keen teaches the method according to claim 4. Qi teaches further comprising: determining, by the network device, an occurrence probability of the each of the one or more fault propagation conditions ([94]: The training module 502 can combine the host Bayesian networks from multiple time windows. For example, a conditional frequency table can be determined for each Bayesian network. The conditional frequency tables can be combined to obtain a combined conditional frequency table, for example, a weighted conditional frequency table. A combined Bayesian network can be constructed based on the combined conditional frequency table (i.e. determining probability of fault propagation based on the weighted table)); and when a quantity of the fault propagation conditions that meet the condition is greater than 1, determining, by the network device, a start point of a fault propagation condition that has a highest occurrence probability in the fault propagation conditions that meet the condition as a fault source of the first fault alarm ([102]: If the hosts of the events are close enough to hosts of an event subgraph, it is determined that the events match the event subgraph. If the events match only one of the subgraphs, the method 1000 proceed to block 1008, where the online grouping module 504 can compute a joint probability of the matched event subgraph. At block 1014, the online grouping module 504 can determine whether the joint probability of the event subgraph exceeds a predefined threshold. If it is determined that the joint probability exceeds the predefined threshold, the online grouping module 504 can store the matched subgraph at block 1016.). Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Coull in view of Stokes, Qi, Tucker and Keen to incorporate the teachings of Qi and determining, by the network device, an occurrence probability of the each of the one or more fault propagation conditions; and when a quantity of the fault propagation conditions that meet the condition is greater than 1, determining, by the network device, a start point of a fault propagation condition that has a highest occurrence probability in the fault propagation conditions that meet the condition as a fault source of the current fault alarm. One of ordinary skilled in the art would have been motivated to combine the teachings in order to determine a root cause of the group of historical alarm events (Qi, [83]). Regarding claim 8, Coull in view of Stokes, Qi, Tucker and Keen teaches the method according to claim 7. Qi teaches wherein the one or more fault propagation conditions are extracted by the network device based on the frequent subgraph mining algorithm from the updated subgraph comprised in each of the plurality of subgraph sets ([102]: If the hosts of the events are close enough to hosts of an event subgraph, it is determined that the events match the event subgraph. If the events match only one of the subgraphs, the method 1000 proceed to block 1008, where the online grouping module 504 can compute a joint probability of the matched event subgraph. At block 1014, the online grouping module 504 can determine whether the joint probability of the event subgraph exceeds a predefined threshold.); and wherein determining, by the network device, the occurrence probability of each of the one or more fault propagation conditions comprises: determining, by the network device, a quantity of updated subgraphs in which a first fault propagation condition occurs in a first subgraph set ([102]: At block 1006, the online grouping module 504 can match the events to the event subgraphs. For example, the online grouping module 504 can match the events to the event subgraphs based on the similarities between the events and the event subgraphs.), wherein the first fault propagation condition is a fault propagation condition extracted from the first subgraph set, and the plurality of subgraph sets comprise the first subgraph set ([102]: If the hosts of the events are close enough to hosts of an event subgraph, it is determined that the events match the event subgraph.); and determining, by the network device, an occurrence probability of the first fault propagation condition based on a ratio of the quantity to a total quantity of updated subgraphs in the first subgraph set ([102-103]: At block 1014, the online grouping module 504 can determine whether the joint probability of the event subgraph exceeds a predefined threshold. If it is determined at block 1006 that more than one subgraph matches the events, the online grouping module 504 can compute at block 1010 the joint probability for each of the matched subgraphs and the online grouping module 504 can select at block 1012 one of the subgraphs with the greatest joint probability before proceeding to block 1014.). Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Coull in view of Stokes, Qi, Tucker and Keen to incorporate the teachings of Qi and determining, by the network device, a quantity of updated subgraphs in which a first fault propagation condition occurs in a first subgraph set, wherein the first fault propagation condition is a fault propagation condition extracted from the first subgraph set, and the plurality of subgraph sets comprise the first subgraph set; and determining, by the network device, an occurrence probability of the first fault propagation condition based on a ratio of the quantity to a total quantity of updated subgraphs in the first subgraph set. One of ordinary skilled in the art would have been motivated to combine the teachings in order to determine a root cause of the group of historical alarm events (Qi, [83]). Regarding claim 9, Coull in view of Stokes, Qi, Tucker and Keen teaches the method according to claim 7. Keen teaches wherein determining, by the network device, the occurrence probability of each of the one or more fault propagation conditions comprises: determining, by the network device, a quantity of times that a first fault propagation condition occurs in the plurality of updated subgraphs, to obtain a first quantity of times ([104]: The technique 600 can include partitioning at operation 610 an analysis period, determining at operation 620 an average score for all groups of event types, determining at operation 630 group scores for time intervals, determining at operation 640 a hit-rate metric for a group), wherein the one or more fault propagation conditions comprises the first fault propagation condition; determining, by the network device, a quantity of times that a connection relationship between a start point of the first fault propagation condition and a second event occurs in the plurality of updated subgraphs, to obtain a second quantity of times, wherein the fault-related event comprises the second event, and the second event is an event corresponding to the first fault propagation condition ([104-105]: The technique 600 can include partitioning at operation 610 an analysis period, determining at operation 620 an average score for all groups of event types, determining at operation 630 group scores for time intervals. the analysis window may be partitioned at operation 610 into many time intervals of equal duration. In some implementations, the duration of the time intervals may be configured based on an expected duration of a chain of related events (e.g., the time difference between the first event and the last event occurring in the chain of events) within a computer network environment.); and determining, by the network device, an occurrence probability of the first fault propagation condition based on a ratio of the first quantity of times to the second quantity of times ([106]: A score for a group of event types in a time interval may be determined as being equal to a number of event types from the group occurring in the time interval divided by a total number of event types in the group. This score may be determined for a plurality of groups of event types for a plurality of time intervals. The scores for a group may be determined at operation 630 for the time intervals. For example, the score for a group for a time interval may be determined at operation 630 as being equal to a number of event types from the group occurring in the time interval divided by a total number of event types in the group.). Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Coull in view of Stokes, Qi, Tucker and Keen to incorporate the teachings of Keen and determining, by the network device, a quantity of times that a first fault propagation condition occurs in the plurality of updated subgraphs, to obtain a first quantity of times, wherein the one or more fault propagation conditions comprises the first fault propagation condition; determining, by the network device, a quantity of times that a connection relationship between a start point of the first fault propagation condition and a second event occurs in the plurality of updated subgraphs, to obtain a second quantity of times, wherein the fault-related event comprises the second event, and the second event is an event corresponding to the first fault propagation condition; and determining, by the network device, an occurrence probability of the first fault propagation condition based on a ratio of the first quantity of times to the second quantity of times. One of ordinary skilled in the art would have been motivated to combine the teachings in order for intrusion detection using GDM for selected subgraphs (Keen, [59]). Regarding claim 10, Coull in view of Stokes, Qi and Tucker teaches the method according to claim 1. Coull in view of Stokes, Qi and Tucker however does not teach determining, by the network device, the one or more fault propagation conditions based on the plurality of updated subgraphs comprises: extracting, by the network device, the one or more fault propagation conditions from the plurality of updated subgraphs based on a frequent subgraph mining algorithm. Keen teaches wherein determining, by the network device, the one or more fault propagation conditions based on the plurality of updated subgraphs comprises: extracting, by the network device, the one or more fault propagation conditions from the plurality of updated subgraphs based on a frequent subgraph mining algorithm ([15]: The set of components 140 may comprise a GDM component 150 to run GDM algorithms that use graph-based data structures in conjunction with data mining algorithms to identify intrusion patterns. [53, 57-59]: The method 311 may continue on to detecting intrusion at block 345 with respect to the at least one network using GDM for a selected subgraph and the one or more communications graphs.) Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Coull in view of Stokes, Qi and Tucker to incorporate the teachings of Keen and determining, by the network device, a plurality of subgraph sets based on the plurality of graph embedding vectors and a clustering algorithm; and extracting, by the network device based on a frequent subgraph mining algorithm, the one or more fault propagation conditions from the updated subgraph comprised in each of the plurality of subgraph sets. One of ordinary skilled in the art would have been motivated to combine the teachings in order for intrusion detection using GDM for selected subgraphs (Keen, [59]). Regarding Claims 15-19 and 20, they do not teach or further define over claims 2-6 and 10 respectively. Therefore, claim 15-19 and 20 are rejected for the same reason as set forth above in claims 2-6 and 10 respectively. Additional References The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. a. Jeong et al., US 20190056983 A1: IT SYSTEM FAULT ANALYSIS TECHNIQUE BASED ON CONFIGURATION MANAGEMENT DATABASE. b. San Andres et al., US 20130218354 A1: POWER DISTRIBUTION NETWORK EVENT CORRELATION AND ANALYSIS. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to SUJANA KHAKURAL whose telephone number is (571)272-3704. The examiner can normally be reached on M-F: 7:30AM - 5:30PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamal B Divecha can be reached on 571-272-5863. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /SUJANA KHAKURAL/Examiner, Art Unit 2453 /KAMAL B DIVECHA/Supervisory Patent Examiner, Art Unit 2453