Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
2. This is in response to the amendments filed on 12/30/2025. Claims 1-2, 5-10, 13-20 have been amended. Claims 1-20 are currently pending and have been considered below.
The drawing objections, the 35 USC 101 (non-statutory subject matter) rejection of claims 17-20, the 35 USC 102 rejections of claims 9-20, and the 35 USC 112(b) rejection of claim 6 have been reconsidered and withdrawn.
Response to Arguments
3. Applicant’s arguments filed on 12/30/2025 have been fully considered but they are not persuasive.
Arguments regarding claim rejections under 35 USC 101 (patent subject matter eligibility)
In response to Applicant’s argument that claims 1-15 are patent subject matter eligible, the Examiner respectfully disagrees. The Examiner noted that the claim language is directed to an abstract idea and that the claimed subject matter can be performed mentally or by using only pencil and paper. The recited limitation in the claim, “generating…. a risk ….for…user entity …. generating a risk for each device entity….”, is a general, non-descriptive computation of risk, a concept performed in the human mind that can be performed by using only pencil and paper. Also, the claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception, because the additional elements do not add significantly more to the abstract idea; they are well-understood, routine, conventional computer functions.
In response to Applicant’s argument that the claimed subject matter provides a technical improvement in the technology of mitigating security threats, the Examiner noted that although the claims might encompass an embodiment that provides a technological improvement, the claims are not limited to any embodiment that would necessarily provide an improvement in the technology of mitigating security threats. All the functionalities recited in the claims can be performed by any general-purpose computer or any software.
Also, in response to Applicant’s argument that the independent claims of the present patent application are patent subject matter eligible for the same reasons that the independent claims of the allowed and related patent application are, the Examiner noted that the references in this patent application are relied upon only for any teaching or matter concerning the limitations recited in the claims of the instant application. Limitations recited in any other allowed or related patent application will not be considered.
Arguments regarding claim rejections under 35 USC 103
In response to Applicant’s argument that the entity clusters claimed in the present application correspond to the core entities claimed in the related application, and that the entity cluster networks claimed in the present application correspond to the base stories claimed in the related application, the Examiner noted that the references in this patent application are relied upon only for any teaching or matter concerning the limitations recited in the claims of the instant application. Limitations recited in any other allowed or related patent application will not be considered. The Examiner maintains the rejection of all the limitations in the amended claims with the existing references as in the previous action, and the rejection is sustained below.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
4. Claims 1-6, 9-14 and 17-19 are rejected under AIA 35 U.S.C. 103 as being unpatentable over Iyer et al. (US 20190138718 A1) in view of Apostolopoulos et al. (US 20180219888 A1).
Regarding Claim 1:
Iyer discloses:
a. A method of computer security risk assessment, (Abstract, Para.0063; “methods … for associating an entity with a risk … indicate a security threat associated with the entity's activity”, “methods … performed by an …. computing device”) comprising:
generating, by a processor, relationships between entities, (Para.0028, Abstract, Para.0079, Para.0083; “creating … a watch list of entities (e.g., employees within an organization)”, “…entities included in a watch list …. indicating the activity of the …. entities”, “entity activity …. include …. email events … network access events … login events”, ”three failed login attempts per day per entity… correspond to an increased security threat” watch lists of entities/employees within an organization who are observed for the same type of activities like failed login attempts, construed as generating relationships between entities) the entities comprising user entities that are users (Para.0028; “…entities (e.g., employees within an organization)”) and device entities that are devices; (Para.0077; “An entity may be associated with … one or more entity devices”)
generating, by the processor, a plurality of entity clusters based on relationships between the entities, (FIG.6B/Para.0130, Para.0028, Para.0100; “one or more watch lists (e.g., subsets of entities) …correspond to different organizational units (e.g., finance, engineering, legal, HR)”, “creating …. a watch list of entities (e.g., employees within an organization)”, “login events …to identify when multiple entities log into resources” one or more watch lists/ subsets of entities are construed as plurality of entity clusters, when subsets of entities/one or more watch lists within an organization exhibit same type of activities, e.g., log into resources, then it is construed as plurality of entity clusters are formed based on their relationship) each entity cluster comprising a plurality of the entities; (Para.0028; “ …. a watch list of entities (e.g., employees within an organization)”)
generating, by the processor, a plurality of entity cluster networks based on connections between the entity clusters, (Claim.19, FIG.6B/Para.0131, Para.0028; “a processor coupled to the network interface …. to execute operations including…. a subset of the set of entities to be subjected to additional monitoring”, ”all the entities … added to a watch list…. within a specific organization unit (e.g., Finance, Legal).… so that the activity of the entity will be monitored”, “creating … a watch list of entities ……by monitoring … behaviors … for a …group, such as an organizational unit (e.g., Human Resources, Finance, … etc.) and monitor for suspicious activity of employees from the ….group to determine if activity of any the employees diverge ….” different organizational units, such as Human Resources, Finance, Marketing department, contain entity clusters/watch lists. From FIG.6B it is seen that financial group entities form financial entities watch list, engineering entities form engineering entities watch list and so on, thus each of the groups/organizational units (i.e., financial entities watch list, engineering entities watch list) are construed as plurality of entity cluster networks. Creating a watch list of entities and monitoring behaviors associated with certain activity of a group of entities to observe whether the behavior or activity of group of entities diverge from normal behavior is construed as generating a plurality of entity cluster networks based on connections between the entity clusters) each cluster network comprising a plurality of the entity clusters; (Claim.4, Para.0130; “the subset of the set of entities …. comprises …. a portion of the subset of the set of entities to be subjected to additional monitoring”, “one or more watch lists (e.g., subsets of entities) ….. to select …. the entities that are included within the watch list…. multiple watch lists …. correspond to different organizational units (e.g., finance, engineering, legal, HR)…” different organizational units (e.g., finance, engineering, legal, HR) contain associated watch lists/subsets of entities, a portion of the subset of the set of entities is subjected to additional monitoring, a portion of the subset of the set of entities/one or more watch lists correspond to different organizational units are construed as each cluster network comprising a plurality of the entity clusters)
b. generating, by the processor, a risk for each entity cluster network, comprising:
generating a risk for each entity cluster in the entity cluster network, (Para.0032, Para.0031, Para.0028; “a risk …. assigned to a certain object”, “An object may represent … an entity (such as a particular user or a particular organization) ….”, “risk …. for a subset of all employees in an organization (e.g., only employees on a watch list) … by monitoring … behaviors that are most likely to be associated with an insider threat” monitoring risk associated with behavior that are most likely to be associated with an insider threat for each of the watch lists and organizational units are construed as generating a risk for each entity cluster in the entity cluster network) comprising:
generating a risk for each user entity in the entity cluster; (Para.0032, Para.0031; “a risk …. assigned to a certain object”, “An object may represent … an entity …. such as a particular user ….”)
generating a risk for each device entity in the entity cluster; (Para.0032, Para.0031, Para.0028; “a risk score assigned to a certain object”, “An object may represent … an asset (such as a particular computer system or a particular application)”) and
c. generating the risk for the entity cluster based on the risk for each user entity and the risk for each device entity in the entity cluster; (Para.0028, Para.0055, Para.0031; “risk …. for a subset of all employees in an organization (e.g., only employees on a watch list)”, “risk …. assigned to a plurality of objects”, “objects associated with … an enterprise system comprising a plurality of computer systems …. An object may represent …. an entity (such as a particular user or a particular organization), or an asset (such as a particular computer system or a particular application)”) and
generating the risk for the entity cluster network based on the risk for each entity cluster in the entity cluster network; (Para.0132, Para.0130, Para.0074; “risk …. for multiple …. entity”, “one or more watch lists (e.g., subsets of entities) …. multiple watch lists that may correspond to different organizational units (e.g., finance, engineering, legal, HR)”, “activity of one or more entities (e.g., one or more employees…) and associates the entities with risk …. represent a security threat imposed by an entity to e.g., an organization) …
d. generating…. an entity cluster network risk …. for each entity cluster network; (disclosed above)
e. identifying, by the processor and based on user input, (Para.0056, Para.0031; “The set of objects …specified by the risk …identifier (input field 236) ……”, “An object may represent ….an entity (such as a particular user or a particular organization….”) one or more of the entity cluster networks that represent a security threat; (Para.0074, Para.0028; “activity of one or more entities (e.g., one or more employees….) and associates the entities with risk …. represent a security threat imposed by an entity to e.g., an organization…. for example, email events ….login events”, “monitor suspicious activity (e.g., …. sending large email attachments.… for a …. group, such as an organizational unit (e.g., Human Resources, Finance, … etc.) and monitor for suspicious activity of employees from the …group”) and
f. performing, ….. in relation to the user entities and the device entities of the entity clusters of the identified entity cluster networks, ….. represented by the identified entity cluster networks. (Para.0088, Para.0083, Para.0110; “an analysis of the entity's activity was performed …..indicate that the activity is associated with a critical threat level”, “to identify …. activity that is anomalous…. more than five failed login attempts correspond to an increased security threat”, “The activity may pertain to a set of entities ….. or a subset of the entities (e.g., entities on the watch list) or to an individual entity”)
however, Iyer does not explicitly disclose:
d. generating, by the processor, an entity cluster …... risk ranking based on the risk for each entity cluster ….
f. performing, by the processor, an action ….. to mitigate the security threat…. In an analogous reference Apostolopoulos discloses:
d. generating, by the processor, an entity cluster …... risk ranking based on the risk for each entity cluster …. (Para.0233, Para.0229, Para.0037; “the number of groups can be ranked based on their group interest scores…. top ranked groups (i.e., the most ….anomalousDays)”, “the group interest score can be generated by ….the features in the group that are characteristic of the anomalies included in the anomalousDay”, “a group of …entities”)
f. performing, by the processor, (Claim 29, Para.0247; “A computer system comprising: a processor”, “a computer system …. used to implement the security platform”) an action ….. to mitigate the security threat…. (Para.0036, Para.0034; “the security platform supplies …. the kill chain to enable …. remediation of any detected anomaly or threat”, ““kill chain” methodology to identify and stop the progression of malicious activities …..”)
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Iyer’s method for associating an entity with a risk indicating a security threat associated with the entity's activity by enhancing Iyer’s method to include Apostolopoulos’s method for analyzing security data to identify security threats in a computer network.
The motivation: An entity cluster network risk ranking offers a strategic, holistic approach to risk management by prioritizing threats based on their interconnectedness and potential for impact. By moving beyond assessing individual threats in isolation, organizations can make more informed decisions about resource allocation and strengthen their overall security posture. Moreover, performing an action to mitigate a security threat is essential for protecting an organization's assets and ensuring business continuity.
With respect to independent claims 9 and 17, a corresponding reasoning was given earlier in this section with respect to claim 1; therefore, claims 9 and 17 are rejected, for similar reasons, under the grounds as set forth for claim 1.
Regarding Claim 2:
Iyer in view of Apostolopoulos discloses:
The method of claim 1, further comprising: extending, by the processor, at least one of the entity cluster networks with external content. (Iyer, Para.0123, Para.0111; “email events to monitor emailing activity of a particular entity …. for example, emails sent to an email address external to an organization”, “monitor activity of a subset of the set of entities …. identify events of a specific type, such as …. email events”)
With respect to dependent claim 10, a corresponding reasoning was given earlier in this section with respect to claim 2; therefore, claim 10 is rejected, for similar reasons, under the grounds as set forth for claim 2.
Regarding Claim 3:
Iyer in view of Apostolopoulos discloses:
The method of claim 2, wherein the external content comprises a list of known problematic internet protocol addresses, (Iyer, Para.0096; “identify activity of a particular entity…. within the …. events (e.g., domain names and IP addresses) …. to identify when and how often an entity is accessing domains external to the organization, which may include email…..”) a list of known problematic processes, a list of known problematic hashes, human resources data, and classified information.
With respect to dependent claim 11, a corresponding reasoning was given earlier in this section with respect to claim 3; therefore, claim 11 is rejected, for similar reasons, under the grounds as set forth for claim 3.
Regarding Claim 4:
Iyer in view of Apostolopoulos discloses:
The method of claim 2, wherein generating the risk for each entity cluster network is further based on the external content. (Iyer, Para.0127; “web volume (e.g. web traffic) between entities within an organization to web domains external to the organization… The portion …. that states “…risk…=…. extreme”, 80, BestConcept=“High” ….. specify that the entity …. rule is incorporating a …. risk”)
With respect to dependent claim 12, a corresponding reasoning was given earlier in this section with respect to claim 4; therefore, claim 12 is rejected, for similar reasons, under the grounds as set forth for claim 4.
Regarding Claim 5:
Iyer in view of Apostolopoulos discloses:
The method of claim 4, further comprising adding, by the processor, a connection between two cluster entity networks based on the external content. (Iyer, Para.0119, Para.0123; “add an entity to a watch list…. identify one or more entities with activity that exceeds the normal activity …… add an entity to the subset of entities (e.g., watch list) in response to determining that the risk …. exceeds a risk …. threshold value”, “monitor emailing activity of a particular entity and …. an update to the entity's risk …. when the entity's email activity, for example, emails sent to an email address external to an organization, exceeds a threshold quantity ….”)
With respect to dependent claim 13, a corresponding reasoning was given earlier in this section with respect to claim 5; therefore, claim 13 is rejected, for similar reasons, under the grounds as set forth for claim 5.
Regarding Claim 6:
Iyer in view of Apostolopoulos discloses:
The method of claim 1, wherein the connections between the entity clusters comprise:
an anomaly, a violation, a correlation rule, a correlation anomaly, a similarity, an organization anomaly, a shared external entity, a usage of a shared entity, and a user-defined connection; (Apostolopoulos, Para.0216, Para.0135; “set of …. nodes interconnecting entities nodes that form a …cluster ….. including anomaly nodes and entity nodes”, “Each node …. represents one of the entities …..”)
wherein: each connection is characterized by a connection risk; (Para.0200, Para.0135, Para.0099; “a particular edge corresponds to an activity of a user …. determines that a particular edge relates to an anomaly (e.g., the edge connecting to an anomaly node)”, “Each node ….. represents one of the entities involved in the event, and each edge represents a relationship between two of the entities…. any event involves at least two entities with some relationship between them (e.g., a device and a user who accesses the device“, “event …refers to … activity on a network with respect to an entity of focus…one or more”) and
wherein generating the risk for each entity cluster network is further based on at least one connection risk. (Para.0037, Para.0135, Para.0099, Para.0216; “graph-…. framework…. to detect risky behaviors…. Includes…. user activity …. The user activity can include …. anomalies … capture how risky the …. activity is …. defined…...”, “the graph …. identify a relationship between entities involved in an event …. performed by one entity with respect to another entity”, “event …refers to … activity on a network with respect to an entity”, “set of ….nodes interconnecting entities nodes that form a …cluster”)
With respect to dependent claims 14 and 19, a corresponding reasoning was given earlier in this section with respect to claim 6; therefore, claims 14 and 19 are rejected, for similar reasons, under the grounds as set forth for claim 6.
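The risk hierarchy recited in claim 1 (user and device entity risks rolled up into a cluster risk, cluster risks and connection risks rolled up into a cluster network risk, then ranking, threshold-based identification and a mitigation action) together with the connection risks of claim 6, as an added Python sketch written for this page; it is not code from the application, from Iyer, or from Apostolopoulos. The noisy-OR aggregation, the union-find grouping of clusters into networks, the analyst threshold standing in for the claimed user input, the action strings, and all sample entities are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Entity:
    name: str
    kind: str    # "user" or "device"
    risk: float  # per-entity risk in [0, 1]; assumed to come from upstream analytics

@dataclass(frozen=True)
class Connection:
    a: str       # name of one entity cluster
    b: str       # name of the other entity cluster
    kind: str    # e.g. "anomaly", "violation", "similarity", "shared_external_entity"
    risk: float  # connection risk in [0, 1]

Cluster = Tuple[str, List[Entity]]                # (cluster name, member entities)
Network = Tuple[List[Cluster], List[Connection]]  # (member clusters, internal connections)

def noisy_or(risks: List[float]) -> float:
    """Combine independent risks into the chance that at least one is real (assumed model)."""
    survive = 1.0
    for r in risks:
        survive *= 1.0 - r
    return 1.0 - survive

def cluster_risk(cluster: Cluster) -> float:
    """Cluster risk from a user-entity risk and a device-entity risk, as claim 1 recites."""
    _, members = cluster
    user_risk = noisy_or([e.risk for e in members if e.kind == "user"])
    device_risk = noisy_or([e.risk for e in members if e.kind == "device"])
    return noisy_or([user_risk, device_risk])

def build_networks(clusters: List[Cluster], connections: List[Connection]) -> List[Network]:
    """Clusters joined by any connection fall into one network (union-find components)."""
    parent: Dict[str, str] = {name: name for name, _ in clusters}
    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for con in connections:
        parent[find(con.a)] = find(con.b)
    groups: Dict[str, List[Cluster]] = {}
    for cluster in clusters:
        groups.setdefault(find(cluster[0]), []).append(cluster)
    networks: List[Network] = []
    for members in groups.values():
        names = {name for name, _ in members}
        networks.append((members, [k for k in connections if k.a in names and k.b in names]))
    return networks

def network_risk(net: Network) -> float:
    """Network risk from its cluster risks plus its connection risks (claims 1 and 6)."""
    clusters, connections = net
    return noisy_or([cluster_risk(c) for c in clusters] + [k.risk for k in connections])

def rank_networks(networks: List[Network]) -> List[Tuple[float, List[str]]]:
    """Risk ranking, highest first; each network reported by its sorted cluster names."""
    ranked = [(network_risk(n), sorted(name for name, _ in n[0])) for n in networks]
    return sorted(ranked, key=lambda t: t[0], reverse=True)

def identify_threats(networks: List[Network], threshold: float) -> List[Network]:
    """An analyst-chosen threshold stands in for the 'user input' that selects threats."""
    return [n for n in networks if network_risk(n) >= threshold]

def mitigation_plan(threats: List[Network]) -> List[Tuple[str, str]]:
    """Defensive action per entity of each identified network; returned for review, not executed."""
    plan = []
    for clusters, _ in threats:
        for _, members in clusters:
            for e in members:
                plan.append((e.name, "step-up auth and session review" if e.kind == "user"
                             else "isolate host and collect triage artifacts"))
    return plan

# Constructed sample data for a hypothetical organization (not taken from either reference)
CLUSTERS: List[Cluster] = [
    ("finance", [Entity("alice", "user", 0.2), Entity("bob", "user", 0.1),
                 Entity("fin-laptop-01", "device", 0.3)]),
    ("engineering", [Entity("carol", "user", 0.05), Entity("build-srv", "device", 0.6)]),
    ("legal", [Entity("dan", "user", 0.0), Entity("legal-pc", "device", 0.1)]),
]
CONNECTIONS = [Connection("finance", "engineering", "shared_external_entity", 0.4)]
```

Run `build_networks(CLUSTERS, CONNECTIONS)`, pass the result to `rank_networks` and `identify_threats`, and hand the identified networks to `mitigation_plan`; with the sample data the finance/engineering network ranks first at about 0.885 and legal stays at 0.1.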
Regarding Claim 18:
Iyer in view of Apostolopoulos discloses:
The non-transitory computer-readable medium of claim 17, wherein the processing further comprises:
extending at least one of the entity cluster networks with external content, (disclosed in claim 2) the external content comprising:
a list of known problematic internet protocol addresses, a list of known problematic processes, a list of known problematic hashes, human resources data, and classified information. (disclosed in claim 3)
Claims 7-8, 15-16 and 20 are rejected under AIA 35 U.S.C. 103 as being unpatentable over Iyer et al. (US 20190138718 A1) in view of Apostolopoulos et al. (US 20180219888 A1) and further in view of Crabtree et al. (US 20220060497 A1).
Regarding Claim 7:
Iyer in view of Apostolopoulos discloses:
The method of claim 1, further comprising: ….
however, Iyer in view of Apostolopoulos does not explicitly disclose:
…. generating, by the processor, a display of one of the entity cluster networks based on the entity cluster network risk rankings, the display comprising:
the entities of each of the entity clusters arranged in a circular pattern in the displayed entity cluster network;
the relationships between the entities in the displayed entity cluster network; and
the connections between the entity clusters in the displayed entity cluster network;
wherein the relationships are displayed as paths within the circular pattern and the connections are displayed as paths within the circular pattern.
In an analogous reference Crabtree discloses:
…. generating, by the processor, a display of one of the entity cluster networks based on the entity cluster network risk rankings, (Para.0122, Para.0023, Para.0113; “ranking the groups …. based on calculated risk levels ….”, “calculating a risk of the anomalous behavior using the …..graph by determining a relationship between the entity for which anomalous behavior has been identified and a different entity of the plurality of entities”, “the …. graph …. contains 12 nodes …. comprising: seven computers and devices…. Device ….. is a member of …group….”) the display comprising: the entities of each of the entity clusters arranged in a circular pattern in the displayed entity cluster network; (Para.0113; “the …. graph …. contains 12 nodes …. comprising: seven computers and devices designated by …..circles ….”)
the relationships between the entities in the displayed entity cluster network; (Para.0112; “FIG. 23 is a …. graph …. represents the relationships between entities associated with an organization….”) and
the connections between the entity clusters in the displayed entity cluster network; (Para.0112; “….. an organization's network infrastructure as nodes …. in the graph and the physical or logical connections between them as edges between the nodes”)
wherein the relationships are displayed as paths within the circular pattern and the connections are displayed as paths within the circular pattern. (Para.0113; “seven computers and devices designated by … circles …. The edges (lines) between the nodes indicate relationships between the nodes….. …. several …. paths …. user 2301 is an administrator to device 2302 to which device 2303 has connected”)
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Iyer in view of Apostolopoulos’s method for associating an entity with a risk indicating a security threat associated with the entity's activity by enhancing Iyer in view of Apostolopoulos’s method to include Crabtree’s method for cybersecurity analysis using user and entity behavioral analysis.
The motivation: A circular arrangement of entity clusters can offer significant benefits in data visualization, network analysis, and specialized fields like genomics and organizational design. This approach is particularly effective when representing cyclical relationships, hierarchical structures, and complex interconnections.
With respect to dependent claim 15, a corresponding reasoning was given earlier in this section with respect to claim 7; therefore, claim 15 is rejected, for similar reasons, under the grounds as set forth for claim 7.
Regarding Claim 8:
Iyer in view of Apostolopoulos and further in view of Crabtree discloses:
The method of claim 7, further comprising:
generating, by the processor, a label adjacent to each of the displayed entities, the label oriented radially and adjacent to the circular pattern. (Crabtree, FIG.23 and FIG.25/Para.0116; “nodes …. comprising: seven computers and devices designated by …..circles 2502, 2503, 2504, 2506, 2507, 2509, 2510 ….The edges (lines) between the nodes indicate relationships between the nodes, and have a direction and relationship indicator such as “AdminTo,” “MemberOf,” ……” the relationship indicator is construed as the label)
With respect to dependent claim 16, a corresponding reasoning was given earlier in this section with respect to claim 8; therefore, claim 16 is rejected, for similar reasons, under the grounds as set forth for claim 8.
Regarding Claim 20:
Iyer in view of Apostolopoulos and further in view of Crabtree discloses:
The non-transitory computer-readable medium of claim 17, wherein the processing further comprises:
generating a display of one of the entity cluster networks based on the entity cluster network risk rankings, the display comprising:
each of the entity clusters arranged in a circular pattern in the displayed entity cluster network;
the relationships between the entities in the displayed entity cluster network; and
the connections between the entity clusters in the displayed entity cluster network; and (disclosed in claim 7)
generating a label adjacent to each of the displayed entities, the label oriented radially and adjacent to the circular pattern; (disclosed in claim 8) and
wherein the relationships are displayed as paths within the circular pattern and the connections are displayed as paths within the circular pattern. (disclosed in claim 7)
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAYEDA SALMA NAHAR whose telephone number is (703)756-4609. The examiner can normally be reached M-F 12:00 PM to 6:00 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Amir Mehrmanesh can be reached on (571) 270-3351. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SAYEDA SALMA NAHAR/Examiner, Art Unit 2435
/AMIR MEHRMANESH/Supervisory Patent Examiner, Art Unit 2435