DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 03/23/2026 has been entered.
Response to Amendment
This office action is in response to applicant’s RCE filed on 03/23/2026. Claims 1-20 are pending. Claims 1, 9, and 17 are independent.
Response to Arguments
Rejections under 35 U.S.C. § 103:
Applicant’s arguments, see pages 8-10 of applicant’s remarks, filed on 03/23/2026 (hereinafter “REMARKS”), with respect to the rejection of the claims under 35 U.S.C. § 103 have been fully considered and are partially persuasive. Specifically, see page 9 of REMARKS, that the references do not teach “… the hyperedge representing an involvement of the two or more of the entities in a particular security behavior of interest”. Although Joseph Durairaj teaches connecting nodes based on relations in order to detect malicious activity, the nodes and relations differ from those of the other prior art of record and the instant application. Therefore, the previous rejection is withdrawn. However, after consideration of the filed IDS a new ground(s) of rejection is made over Dupont et al. (U.S. PGPub No. 2014/0096249; hereinafter “Dupont”) in view of Xie et al. (U.S. Patent No. 10,135,788; hereinafter “Xie”) and further in view of Panse et al. (US PGPub No. 2023/0011043; hereinafter “Panse”).
Dupont teaches detecting threats by spotting malicious activity in electronic data of an organization (¶ 0013, ¶ 0016, ¶ 0025, ¶ 0160).
Panse teaches edges which are formed from connections between data compute nodes of a datacenter (abstract, ¶ 0005, ¶ 0008). Data relating to these connections between entities of the datacenter are collected and used for generation of a graph which is used for threat detection (¶ 0005-0009). The connections in the graph are used for detection of lateral movement of threats between entities (¶ 0008).
Therefore, a new ground(s) of rejection is made over Dupont in view of Xie in view of Panse.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 5, 7, 9, 13, 15, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Dupont et al. (U.S. PGPub No. 2014/0096249; hereinafter “Dupont”) in view of Xie et al. (U.S. Patent No. 10,135,788; hereinafter “Xie”), and further in view of Panse et al. (US PGPub No. 2023/0011043; hereinafter “Panse”).
As per claim 1: Dupont discloses a system comprising:
a non-transitory memory (a computer memory hierarchy example in accordance with an embodiment of the present disclosure [Dupont ¶ 0040, Fig. 12]; a persistent store [Dupont ¶ 0409]; when the graph reaches this size, the entire graph is written to disk (or some other slower portion of the memory hierarchy) [Dupont ¶ 0775]); and
one or more hardware processors coupled to the non-transitory memory and configured to read instructions from the non-transitory memory to cause the system to perform operations comprising (in this context that functionality can be used to pass instructions on to the routine carrying out the incremental computation [Dupont ¶ 0583, ¶ 0525, Fig. 12, CPU, Main Memory, Secondary Storage (Hard Disk Drives, Solid State Drives, Virtual Memory)]; multiple processors or different computers examine different sets of items, where such items, partition the universe of items, and each processor will write to its own file [Dupont ¶ 776]):
receiving a plurality of signals associated with security behaviors of interest, wherein the plurality of signals correspond to a plurality of computing events occurring with a computing architecture corresponding to a service provider (A typed update … an evidence or event that can be forwarded to different components … one or several evidences or events that are affected by the changes … Because we are dealing with continuous and very large streams of data, forwarding typed updates [107] instead of resending the whole results every time an evidence or event is updated greatly reduces the amount of traffic between components, especially when it comes to updating previously computed results [Dupont ¶ 0160]; This model represents assessed behavior [205] which can be either individual behavior [210] or collective behavior [215]. In order to detect anomalies [270], the system establishes baseline behaviors … detection of anomalies in recent or past behavior … also attempts to predict behavior in the near future … Actors [220] and their assessed behaviors [205] can then be evaluated on an absolute scale using scores [285], and on a relative scale using ranking [275] mechanisms, in order to assess the relevance [280] of any detected anomaly [270] [Dupont ¶ 0164]; Observed events [102] that have been collected and captured by the data collection component, including but not limited to documents [162], messages exchanged on a communication channel [156] such as email, instant messages, phone logs, and voicemail, as well as structured events such as database records [Dupont ¶ 0170-0173]; That model can be integrated with the organization’s infrastructure to provide complete coverage of human and machine activities [Dupont ¶ 0013]), and wherein the plurality of signals comprise digital representations of the security behaviors of interest (the present disclosure provides techniques that allow an organization to proactively detect such threats by spotting precursory signs of malicious activity, and thus intervene and prevent the threats from being executed [Dupont ¶ 0016]; The system is able to infer potentially damaging activities, whether of unintentional or malicious nature, without requiring the prior definition of the type and characteristics of these activities. It relies on the analysis of potentially massive volumes of heterogeneous electronic data (includes both text-bearing and non-text-bearing records) stored inside or outside any organization [Dupont ¶ 0025]);
determining metadata for each of the plurality of signals based on a corresponding one of the plurality of computing events (Data handled by the event passing infrastructure [460] Is pushed to components in the processing and analysis layer [402] [Dupont ¶ 0174]; data collection component [400] collects data continuously or in batch mode from a variety of heterogeneous data sources [401], extracts their content and their metadata and stores the extraction results for access by downstream components of the system [Dupont ¶ 0175]; The continuous categorization component [420] analyzes the incoming stream of events [100] to assign one or more categories to those events [100], using any number and variety of categorization components [146], and maintaining the validity and quality of the results even in the case of categorization components [146] that are inherently data dependent. [Dupont ¶ 0176]);
[generating] a plurality of vertices for entities corresponding to the plurality of signals in an n-dimensional space for a hypergraph (a multi-dimensional behavior model [Dupont ¶ 0015, ¶ 0025, ¶ 0163, ¶ 0186]; The continuous discussion building component [410] establishes discussions [136] as a structure linking causally related items [122] [Dupont ¶ 0177]; The hypergraph [114] system described here extends this definition further by allowing an edge [115.20] to connect any number of vertices [115.21] and edges [115.20] [Dupont ¶ 0527]; Atom [115.19] Any hypergraph [114] element… records to store all atoms … a set of types will be predefined by the system that correspond to the two kinds of atoms [115.19] [Dupont ¶ 0530]; In some embodiments atoms [115.19] may require an attribute that represents a “logical ID”, i.e. an id that uniquely identifies the atom [115.19] and is shared across successive versions of the atom [115.19] in the underlying hypergraph store [115.22] [Dupont ¶ 0530]; Vertex [115.21]: The fundamental unit from which hypergraphs [114] are formed… predefine a base type for OSF [110] records [115.24] representing vertices [115.21] [Dupont ¶ 0531]; the continuous embodiment of discussion [136] building is based on accumulation of relationships between actors [220], events [100] and items [122] stored in a hypergraph [114] data structure … relationships and the subsequent structures built on them are all considered evidences [108] to be used in the discussion [136] building procedure. The hypergraph system … building discussions [136] on a continuous basis. In the default embodiment the hypergraph [114] is represented as a set of OSF [110] values serialized and stored in records [115.24] in a hypergraph store [115.22] which in most embodiments consists of one or more large archives [Dupont ¶ 0514]);
connecting the plurality of vertices by at least one hyperedge in the n-dimensional space based on each of the plurality of signals shared by two or more of the entities (The continuous discussion building component [410] establishes discussions [136] as a structure linking causally related items [122] [Dupont ¶ 0177, Examiner’s Note: connecting related items]; as edges [115.20] can now be incident on any number of vertices [115.21] or other edges [115.20] [Dupont ¶ 0512]; Edge [115.20]: A relationship between a set of atoms [115.19]. Edges [115.20] minimally require an attribute containing a list of atoms … The OSF [110] embodiment will predefine a base type for OSF [110] records [115.24] representing edges [115.20] [Dupont ¶ 0532]; Atom [115.19] Any hypergraph [114] element… records to store all atoms … a set of types will be predefined by the system that correspond to the two kinds of atoms [115.19] [Dupont ¶ 0530]; if edge123 shares an atom [115.19] with edge234 they are both in the same closure [Dupont ¶ 0557]), the hyperedge representing [an involvement of the two or more of the entities in a particular security behavior of interest] (the use of a hypergraph [114] data structure, which greatly increases expressivity over a conventional graph, as edges [115.20] can now be incident on any number of vertices [115.21] or other edges [115.20] [Dupont ¶ 0512, ¶ 0527, ¶ 0532]);
generating the hypergraph based on the plurality of vertices and the at least one hyperedge (The continuous discussion building component [410] establishes discussions [136] as a structure linking causally related items [122] [Dupont ¶ 0177]; the hypergraph store [115.22] is an archive or set of archives that are split up into segments [115.23]. New segments [115.23]-- are allocated as the hypergraph [114] grows, and aged elements are removed from the hypergraph [114] by removing segments [115.23]. In order to allocate a new segment [115.23] the system first looks to see if there are any collected segments [115.23] (i.e. they have been removed from active use), or extends the archive to allocate a new segment [115.23] [Dupont ¶ 0541]; If a matched rule triggers a discussion [136] building computation the sequence is somewhat more involved. First the working set [115.17] of the query [115.1] is expanded to produce an on the fly hypergraph [114] of evidences (i.e. the working set [115.17]) related to the item and any discussions [136] that triggered the computation [120.25] [Dupont ¶ 0587]; as edges [115.20] can now be incident on any number of vertices [115.21] or other edges [115.20] [Dupont ¶ 0512]; Edge [115.20]: A relationship between a set of atoms [115.19]. Edges [115.20] minimally require an attribute containing a list of atoms … The OSF [110] embodiment will predefine a base type for OSF [110] records [115.24] representing edges [115.20] [Dupont ¶ 0532]);
and executing a search operation associated with a security threat of interest for one or more of the security behaviors of interest based on the hypergraph, wherein the search operation is based on a query identifying data associated with at least one of the plurality of computing events, the metadata, or the entities (Hypergraph Query: The system implements an engine for running queries [115.1] against atoms [115.19] in the hypergraph [114]… The feature is used to select a value from the OSF [110] value representing an atom [115.19] and the match condition is satisfied if the two values can be unified successfully [Dupont ¶ 0538]; Queries [115.1] have two purposes: to retrieve elements from the hypergraph [114] and to trigger hypergraph [114] computations in response to new atoms [115.19] being added to the hypergraph store [115.22]. The same query matching procedure [115.10] is used for both purposes [Dupont ¶ 0545]; The query procedure effectively creates a working set for each atom that it examines … hypergraph operations … selecting the atoms that go into an index as well as by feature matching and constraints [Dupont ¶ 0550]; calculate the closure of an atom … find the set of all directly connected elements … if edge123 shares an atom with edge234 they are both in the same closure [Dupont ¶ 0557, ¶ 0546-0566]).
Dupont discloses the claimed subject matter as discussed above but does not explicitly disclose generating a plurality of vertices for entities corresponding to the plurality of signals in an n-dimensional space for a hypergraph. However, Xie teaches generating a plurality of vertices for entities corresponding to the plurality of signals in an n-dimensional space for a hypergraph (Each node on a particular hypergraph may correspond to a set of events or a set of users, with edge attributes specifying their connectivity relationship [Xie, Col. 1, ln 48-50]; nodes corresponding to feature profiles and edges between particular nodes representing a measure of similarity between nodes [Xie, Col. 2, ln 4-6]; identifying additional suspicious graph nodes based on an initial list of suspicious graph nodes and the graph structure, using a graph diffusion process. Using the suspicious graph nodes to detect malicious graph communities includes: using one or more graph algorithms to generate sub-graphs each corresponding to a graph community; examining each graph community; and outputting the nodes of communities determined to be suspicious communities as suspicious community nodes [Xie, Col. 2, ln 22-57]; set of computed feature profile [Xie, Col. 5, ln 7-8; Col. 5, ln 1-55, Fig. 2]. Each feature profiles will be used to construct hypergraphs for graph analysis [Xie, Col. 5, ln 1-55; Fig. 2]; Each node on a graph corresponds to a feature profile. Each feature profile can be constructed from a set of correlated events or a set of correlated accounts. In some implementations, the set of correlated events or correlated user accounts is identified by taking the set of events or the set of accounts that appeared from the same IP address within a specified time window [Xie, Col. 5, ln 7-22]). Dupont and Xie are analogous art because they are from the same field of endeavor of hypergraph analysis. Therefore, based on Dupont in view of Xie, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Xie to the system of Dupont in order to effectively analyze the received data by identifying the vertices of the hypergraph. Hence, it would have been obvious to combine the references above to obtain the invention as specified in the instant claim.
Dupont in view of Xie discloses the claimed subject matter as discussed above but does not explicitly disclose an involvement of the two or more of the entities in a particular security behavior of interest. However, Panse teaches an involvement of the two or more of the entities in a particular security behavior of interest (The connection graph, in some embodiments, is defined by nodes representing DCNs in the datacenter and edges representing remote service connections between the nodes. If a first DCN accesses a second DCN multiple separate times, then these separate connections are represented by separate edges such that the graph can include multiple edges between the same pair of nodes [Panse ¶ 0006]; a lateral movement threat detector that uses the connection graph in order to identify lateral movement threats [Panse ¶ 0008]; identify anomalous events [Panse ¶ 0008]; Each path, in some embodiments, is represented by a set of nodes of the graph (that includes the node representing the DCN associated with the particular anomalous event) connected by an ordered set of edges [Panse ¶ 0010]). Dupont in view of Xie and Panse are analogous art because they are from the same field of endeavor of graph analysis. Therefore, based on Dupont in view of Xie in view of Panse, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Panse to the system of Dupont in view of Xie in order to detect threats in the form of lateral attack movement through a path of connections between entities. Hence, it would have been obvious to combine the references above to obtain the invention as specified in the instant claim.
As per claim 5: Dupont in view of Xie in view of Panse teaches all the limitations of claim 1. Furthermore, Dupont discloses wherein the search operation is associated with an identification of a scope of a computing activity associated with at least a portion of the plurality of signals (The feature is used to select a value from the OSF [110] value representing an atom [115.19] and the match condition is satisfied if the two values can be unified successfully [Dupont ¶ 0538]; Queries [115.1] have two purposes: to retrieve elements from the hypergraph [114] and to trigger hypergraph [114] computations in response to new atoms [115.19] being added to the hypergraph store [115.22]. The same query matching procedure [115.10] is used for both purposes [Dupont ¶ 0545]; The query procedure effectively creates a working set for each atom that it examines … hypergraph operations … selecting the atoms that go into an index as well as by feature matching and constraints [Dupont ¶ 0550]; calculate the closure of an atom … find the set of all directly connected elements … if edge123 shares an atom with edge234 they are both in the same closure [Dupont ¶ 0557, ¶ 0546-0566]; The system is able to infer potentially damaging activities, whether of unintentional or malicious nature, without requiring the prior definition of the type and characteristics of these activities. It relies on the analysis of potentially massive volumes of heterogeneous electronic data (includes both text-bearing and non-text-bearing records) stored inside or outside any organization [Dupont ¶ 0025]; reports [310] on behavior and information analysis can be regularly scheduled or generated on-demand. The system can be set up to continuously monitor specific queries [325]. Finally, a complete audit trail [330] is available that comprises collected data as well as all types of evidence [100] stored in the collection repository [320]. Access to this audit trail [330], like the rest of the application data [315], is restricted by access controls [335] whose scope is determined by a coloring scheme [345] [Dupont ¶ 0167, ¶ 0485]).
As per claim 7: Dupont in view of Xie in view of Panse teach all the limitations of claim 1. Furthermore, Dupont discloses wherein the search operation is associated with a creation of a threat-focused alert for a subset of the plurality of computing events linked by one of the at least one hyperedge (The system continuously raises alerts [305] about behavior flagged as anomalous, for which notifications can be automatically sent to the user … reports [310] on behavior and information analysis can be regularly scheduled or generated on-demand. The system can be set up to continuously monitor specific queries [325] [Dupont ¶ 0167]; The anomaly detection component [450] also produces alerts [305] by aggregating anomalies [270] and reports [310] sent to the user [ 455]. The system also comprises time-based and behavior-based continuous visualizations [204] of those alerts [305]. Anomalies [270] detected by this component are also fed to visualizations [204] in order to highlight anomalous patterns to the user [ 455], and can optionally trigger mitigating or preventive actions [Dupont ¶ 0185]; the system auto-matically generate alerts [305] for the top-ranked actors [220] against a particular trait [295] (as described in the section on Anomaly detection) or by letting the user query the behavior model [200] against a trait [295] and returning the top-ranked actors [220] [Dupont ¶ 0968]; The continuous discussion building component [410] establishes discussions [136] as a structure linking causally related items [122] [Dupont ¶ 0177]; In one OSF [110] embodiment queries [115.1] produce OSF [110] values as part of the matching procedure [115.10]. These queries [115.1] also contain constraints [115.9] expressed as unification equations that are used to build up the resulting match record [115.16] values [Dupont ¶ 0583]; This expansion of the working set [115.17] may also create new transitory edges [115.20] reflecting heuristics and other ad-hoc methods for specifying or limiting relationships [Dupont ¶ 0587]; as edges [115.20] can now be incident on any number of vertices [115.21] or other edges [115.20] [Dupont ¶ 0512]).
As per claim 9: Dupont in view of Xie in view of Panse teach all the limitations of claim 1 above. The limitations of claim 9 are substantially similar to claim 1, and therefore the claim is likewise rejected.
As per claim 13: Dupont in view of Xie in view of Panse teach all the limitations of claim 9. The limitations of claim 13 are substantially similar to claim 5 above, and therefore the claim is likewise rejected.
As per claim 15: Dupont in view of Xie in view of Panse teach all the limitations of claim 9. The limitations of claim 15 are substantially similar to claim 7 above, and therefore the claim is likewise rejected.
As per claim 17: Dupont in view of Xie in view of Panse teach all the limitations of claim 1 above. Furthermore, Dupont discloses a non-transitory machine-readable medium having stored thereon machine-readable instructions executable to cause a machine to perform operations comprising (a computer memory hierarchy example in accordance with an embodiment of the present disclosure [Dupont ¶ 0040, Fig. 12]; a persistent store [Dupont ¶ 0409]; when the graph reaches this size, the entire graph is written to disk (or some other slower portion of the memory hierarchy) [Dupont ¶ 0775]; in this context that functionality can be used to pass instructions on to the routine carrying out the incremental computation [Dupont ¶ 0583, ¶ 0525, Fig. 12, CPU, Main Memory, Secondary Storage (Hard Disk Drives, Solid State Drives, Virtual Memory)]). The limitations of claim 9 are substantially similar to claim 1, and therefore the claim is likewise rejected.
Claims 2-4, 6, 8, 10-12, 14, 16, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Dupont in view of Xie in view of Panse further in view of Silberman et al. (U.S. PGPub No. 2023/0086863; hereinafter “Silberman”).
As per claim 2: Dupont in view of Xie in view of Panse teach all the limitations of claim 1. Furthermore, Dupont discloses wherein the operations further comprise: generating a hypergraph data object for the hypergraph, wherein the hypergraph data object comprises identifiers for the plurality of signals and [event hashes] associated with the plurality of computing events for the metadata (the hypergraph store [115.22] is an archive or set of archives that are split up into segments [115.23]. New segments [115.23]-- are allocated as the hypergraph [114] grows, and aged elements are removed from the hypergraph [114] by removing segments [115.23]. In order to allocate a new segment [115.23] the system first looks to see if there are any collected segments [115.23] (i.e. they have been removed from active use), or extends the archive to allocate a new segment [115.23] [Dupont ¶ 0541]; In some embodiments atoms [115.19] may require an attribute that represents a “logical ID”, i.e. an id that uniquely identifies the atom [115.19] and is shared across successive versions of the atom [115.19] in the underlying hypergraph store [115.22] [Dupont ¶ 0530]; data collection component [400] collects data continuously or in batch mode from a variety of heterogeneous data sources [401], extracts their content and their metadata and stores the extraction results for access by downstream components of the system [Dupont ¶ 0175]; the continuous embodiment of discussion [136] building is based on accumulation of relationships between actors [220], events [100] and items [122] stored in a hypergraph [114] data structure … relationships and the subsequent structures built on them are all considered evidences [108] to be used in the discussion [136] building procedure. The hypergraph system … building discussions [136] on a continuous basis. In the default embodiment the hypergraph [114] is represented as a set of OSF [110] values serialized and stored in records [115.24] in a hypergraph store [115.22] which in most embodiments consists of one or more large archives [Dupont ¶ 0514]); and storing the hypergraph data object in a searchable database accessible by a computing security system (In the default embodiment the hypergraph [114] is represented as a set of OSF [110] values serialized and stored in records [115.24] in a hypergraph store [115.22] which in most embodiments consists of one or more large archives [Dupont ¶ 0514]; the hypergraph store [115.22] is an archive or set of archives that are split up into segments [115.23] [Dupont ¶ 0541]; A user of the system [455] is typically an analyst or human operator whose role is to respond to alerts raised by the system before a malicious act is perpetrated, or right after unintentional damage has occurred, as well as to actively investigate any leads or patterns with the help of the system’s analysis results [Dupont ¶ 0169, Fig. 4]).
Dupont in view of Xie in view of Panse discloses the claimed subject matter as discussed above but does not explicitly disclose event hashes. However, Silberman teaches event hashes (computing a cybersecurity hashing-based signature of the cybersecurity event based on the cybersecurity event digest [Silberman abstract]; generating, by one or more computers, a text-based cybersecurity event digest based on a target cybersecurity event that includes a plurality of distinct pieces of event metadata, wherein the generating the text-based cybersecurity event digest includes … computing, via a hashing algorithm, a cybersecurity hash signature of the target cybersecurity event based on the text-based cybersecurity event digest [Silberman ¶ 0015]; store a plurality of distinct hashes (or a plurality of distinct hash signatures (e.g., cybersecurity hashing-based signatures) for each piece of alert or event data included in the one or more corpora of alert/event data [Silberman ¶ 0064]). Dupont in view of Xie in view of Panse and Silberman are analogous art because they are from the same field of endeavor of n-dimensional space security searching. Therefore, based on Dupont in view of Xie in view of Panse in view of Silberman, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Silberman to the system of Dupont in view of Xie in view of Panse in order to represent each event as a distinct hash for efficient search (¶ 0015, ¶ 0064). Hence, it would have been obvious to combine the references above to obtain the invention as specified in the instant claim.
As per claim 3: Dupont in view of Xie in view of Panse in view of Silberman teach all the limitations of claim 2. Furthermore, Dupont and Silberman disclose wherein the operations further comprise: providing a search system for retrievals of security search result data from the hypergraph data object using a search option including at least one of the identifiers or the event hashes (searching, based on the distinct cyber-security hashing-based signature of the cybersecurity event [Silberman abstract, ¶ 0007, ¶ 0015]; construct an alert similarity search query that may include a target alert representation (e.g., cybersecurity hashing-based signature, etc.) as a search parameter [Silberman ¶ 0099]; The system implements an engine for running queries [115.1] against atoms [115.19] in the hypergraph [114]… The feature is used to select a value from the OSF [110] value representing an atom [115.19] and the match condition is satisfied if the two values can be unified successfully [Dupont ¶ 0538]).
As per claim 4: Dupont in view of Xie in view of Panse teach all the limitations of claim 1. Furthermore, Dupont discloses wherein the at least one hyperedge comprises at least one relationship between the two or more entities (The hypergraph [114] system described here extends this definition further by allowing an edge [115.20] to connect any number of vertices [115.21] and edges [115.20] [Dupont ¶ 0527]; Atom [115.19] Any hypergraph [114] element… records to store all atoms … a set of types will be predefined by the system that correspond to the two kinds of atoms [115.19] [Dupont ¶ 0530]; Edge [115.20]: A relationship between a set of atoms [115.19]. Edges [115.20] minimally require an attribute containing a list of atoms … The OSF [110] embodiment will predefine a base type for OSF [110] records [115.24] representing edges [115.20] [Dupont ¶ 0532]; Atom [115.19] Any hypergraph [114] element… records to store all atoms … a set of types will be predefined by the system that correspond to the two kinds of atoms [115.19] [Dupont ¶ 0530]), and wherein each of the at least one relationship is correlated with [a hash of an event object] for each of the plurality of computing events (the continuous embodiment of discussion [136] building is based on accumulation of relationships between actors [220], events [100] and items [122] stored in a hypergraph [114] data structure … relationships and the subsequent structures built on them are all considered evidences [108] to be used in the discussion [136] building procedure. The hypergraph system … building discussions [136] on a continuous basis. In the default embodiment the hypergraph [114] is represented as a set of OSF [110] values serialized and stored in records [115.24] in a hypergraph store [115.22] which in most embodiments consists of one or more large archives [Dupont ¶ 0514]; Observed events [102] that have been collected and captured by the data collection component, including but not limited to documents [162], messages exchanged on a communication channel [156] such as email, instant messages, phone logs, and voicemail, as well as structured events such as database records [Dupont ¶ 0170-0173]).
Dupont in view of Xie in view of Panse discloses the claimed subject matter as discussed above but does not explicitly disclose a hash of an event object. However, Silberman teaches a hash of an event object (computing a cybersecurity hashing-based signature of the cybersecurity event based on the cybersecurity event digest [Silberman abstract]; generating, by one or more computers, a text-based cybersecurity event digest based on a target cybersecurity event that includes a plurality of distinct pieces of event metadata, wherein the generating the text-based cybersecurity event digest includes … computing, via a hashing algorithm, a cybersecurity hash signature of the target cybersecurity event based on the text-based cybersecurity event digest [Silberman ¶ 0015]; store a plurality of distinct hashes (or a plurality of distinct hash signatures (e.g., cybersecurity hashing-based signatures) for each piece of alert or event data included in the one or more corpora of alert/event data [Silberman ¶ 0064]). Dupont in view of Xie in view of Panse and Silberman are analogous art because they are from the same field of endeavor of n-dimensional space security searching. Therefore, based on Dupont in view of Xie in view of Panse in view of Silberman, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Silberman to the system of Dupont in view of Xie in view of Panse in order to represent each event as a distinct hash for efficient search (¶ 0015, ¶ 0064). Hence, it would have been obvious to combine the references above to obtain the invention as specified in the instant claim.
As per claim 6: Dupont in view of Xie in view of Panse teach all the limitations of claim 1. Furthermore, Dupont discloses wherein the search operation utilizes [a hash] associated with one of the plurality of computing events for a security investigation (The system implements an engine for running queries [115.1] against atoms [115.19] in the hypergraph [114]… The feature is used to select a value from the OSF [110] value representing an atom [115.19] and the match condition is satisfied if the two values can be unified successfully [Dupont ¶ 0538]; A user of the system [455] is typically an analyst or human operator whose role is to respond to alerts raised by the system before a malicious act is perpetrated, or right after unintentional damage has occurred, as well as to actively investigate any leads or patterns with the help of the system's analysis results [Dupont ¶ 0169]), and wherein the search operation requests identification of vertices related to [the hash] based on the at least one hyperedge (The query procedure effectively creates a working set for each atom that it examines … hypergraph operations … selecting the atoms that go into an index as well as by feature matching and constraints [Dupont ¶ 0550]; calculate the closure of an atom … find the set of all directly connected elements … if edge123 shares an atom with edge234 they are both in the same closure [Dupont ¶ 0557, ¶ 0546-0566]).
Dupont in view of Xie in view of Panse discloses the claimed subject matter as discussed above but does not explicitly disclose a hash; the hash. However, Silberman teaches a hash (computing a cybersecurity hashing-based signature of the cybersecurity event based on the cybersecurity event digest [Silberman abstract]; generating, by one or more computers, a text-based cybersecurity event digest based on a target cybersecurity event that includes a plurality of distinct pieces of event metadata, wherein the generating the text-based cybersecurity event digest includes … computing, via a hashing algorithm, a cybersecurity hash signature of the target cybersecurity event based on the text-based cybersecurity event digest [Silberman ¶ 0015]; store a plurality of distinct hashes (or a plurality of distinct hash signatures (e.g., cybersecurity hashing-based signatures) for each piece of alert or event data included in the one or more corpora of alert/event data [Silberman ¶ 0064]); the hash (computing a cybersecurity hashing-based signature of the cybersecurity event based on the cybersecurity event digest [Silberman abstract]; generating, by one or more computers, a text-based cybersecurity event digest based on a target cybersecurity event that includes a plurality of distinct pieces of event metadata, wherein the generating the text-based cybersecurity event digest includes … computing, via a hashing algorithm, a cybersecurity hash signature of the target cybersecurity event based on the text-based cybersecurity event digest [Silberman ¶ 0015]; store a plurality of distinct hashes (or a plurality of distinct hash signatures (e.g., cybersecurity hashing-based signatures) for each piece of alert or event data included in the one or more corpora of alert/event data [Silberman ¶ 0064]). Dupont in view of Xie in view of Panse and Silberman are analogous art because they are from the same field of endeavor of n-dimensional space security searching. Therefore, based on Dupont in view of Xie in view of Panse in view of Silberman, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Silberman to the system of Dupont in view of Xie in view of Panse in order to represent each event as a distinct hash for efficient search (¶ 0015, ¶ 0064). Hence, it would have been obvious to combine the references above to obtain the invention as specified in the instant claim.
As per claim 8: Dupont in view of Xie in view of Panse teach all the limitations of claim 1. Furthermore, Dupont discloses wherein the metadata comprises at least one of an entity name, an entity identifier, a username, a host name, or an IP address from each of the plurality of computing events (such as detected emotive tones or entities (event names, people names, geographical locations, etc.) which are derived from the analysis of data and metadata extracted from events [100], including periodic sequences [132] that match a periodic pattern [126] [Dupont ¶ 0994, Fig. 121]), and wherein the metadata further comprises [a hash for each of the plurality of computing events calculated using a corresponding event log].
Dupont in view of Xie in view of Panse discloses the claimed subject matter as discussed above but does not explicitly disclose a hash for each of the plurality of computing events calculated using a corresponding event log. However, Silberman teaches a hash for each of the plurality of computing events calculated using a corresponding event log (It shall be noted that, in one or more embodiments, corpora of alert/event data may include event data, alert data, log data that may be generated external to the system 100 and/or the method 200 [Silberman ¶ 0063]; computing a cybersecurity hashing-based signature of the cybersecurity event based on the cybersecurity event digest [Silberman abstract]; generating, by one or more computers, a text-based cybersecurity event digest based on a target cybersecurity event that includes a plurality of distinct pieces of event metadata, wherein the generating the text-based cybersecurity event digest includes … computing, via a hashing algorithm, a cybersecurity hash signature of the target cybersecurity event based on the text-based cybersecurity event digest [Silberman ¶ 0015]; store a plurality of distinct hashes (or a plurality of distinct hash signatures (e.g., cybersecurity hashing-based signatures) for each piece of alert or event data included in the one or more corpora of alert/event data [Silberman ¶ 0064]). Dupont in view of Xie in view of Panse and Silberman are analogous art because they are from the same field of endeavor of n-dimensional space security searching. Therefore, based on Dupont in view of Xie in view of Panse in view of Silberman, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Silberman to the system of Dupont in view of Xie in view of Panse in order to represent each event as a distinct hash for efficient search (¶ 0015, ¶ 0064). Hence, it would have been obvious to combine the references above to obtain the invention as specified in the instant claim.
As per claim 10: Dupont in view of Xie in view of Panse teach all the limitations of claim 9. The limitations of claim 10 are substantially similar to claim 2 above, and therefore the claim is likewise rejected.
As per claim 11: Dupont in view of Xie in view of Panse in view of Silberman teach all the limitations of claim 10. The limitations of claim 11 are substantially similar to claim 3 above, and therefore the claim is likewise rejected.
As per claim 12: Dupont in view of Xie in view of Panse teach all the limitations of claim 9. The limitations of claim 12 are substantially similar to claim 4 above, and therefore the claim is likewise rejected.
As per claim 14: Dupont in view of Xie in view of Panse teach all the limitations of claim 9. The limitations of claim 14 are substantially similar to claim 6 above, and therefore the claim is likewise rejected.
As per claim 16: Dupont in view of Xie in view of Panse teach all the limitations of claim 9. The limitations of claim 16 are substantially similar to claim 8 above, and therefore the claim is likewise rejected.
As per claim 18: Dupont in view of Xie in view of Panse teach all the limitations of claim 17. The limitations of claim 18 are substantially similar to claim 2 above, and therefore the claim is likewise rejected.
As per claim 19: Dupont in view of Xie in view of Panse in view of Silberman teach all the limitations of claim 18. The limitations of claim 19 are substantially similar to claim 3 above, and therefore the claim is likewise rejected.
As per claim 20: Dupont in view of Xie in view of Panse teach all the limitations of claim 17. The limitations of claim 20 are substantially similar to claim 4 above, and therefore the claim is likewise rejected.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES P MOLES whose telephone number is (703)756-1043. The examiner can normally be reached M-F 8:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached at (571) 272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JAMES P MOLES/Examiner, Art Unit 2494
/JUNG W KIM/Supervisory Patent Examiner, Art Unit 2494