COMPUTING RESOURCE GRAPH EXPLORATION

DETAILED ACTION This Action is in response to Applicant’s amendment filed on 12/26/25. Claims 1, 3, 10, 11 and 13 have been amended. Claims 2 and 12 have been cancelled Claims 20-22 have been added Claims 1, 3-11 and 13-22 are pending. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Applicant’s arguments with respect to claims 1, 3 and 9 (see applicant’s remarks; pages 1-5) have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. In particular, the examiner has introduced Crabtree to disclose the amended limitations and claim limitations argued by the applicant, as seen in the rejection below. Further, the applicant states claims 10, 11, 13 and 19 are similar to claims 1, 3 and 9, and presents the same rationale as that of claims 1, 3 and 9 (see applicant’s remarks; pages 4 and 5), as such, the arguments are moot for the same reason discussed above. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention. Claims 1, 3-11 and 13-22 are rejected under 35 U.S.C. 103 as being unpatentable over Gupta et al. (U.S. 2024/0007342 A1) (applicant submitted prior art; see IDS filed 05/21/25) in view of Hawkinson et al. (U.S. 2023/0099424 A1) (applicant submitted prior art; see IDS filed 05/21/25) and further in view of Crabtree et al. (U.S. 2022/0377093 A1). Regarding claims 1, 10 and 11, Gupta discloses a method and system for remediating alerts using graph exploration, comprising: creating a graph including a plurality of nodes and a plurality of edges (see Gupta; paragraphs 0006 and 0109; Gupta discloses creating a knowledge graph comprising a plurality of first nodes, wherein edges between two nodes of the plurality of nodes indicate communication between the two nodes), wherein the plurality of nodes includes a plurality of computing resource nodes representing respective computing resources among a computing infrastructure and a plurality of user nodes representing respective entities which make changes to the computing infrastructure (see Gupta; paragraphs 0012, 0055, 0059, 0084; Gupta discloses nodes representing compute nodes, i.e. “computing resource nodes”, in which applications use resources of the compute nodes, i.e. “representing respective computing resources”, in a networked system, i.e. “computing infrastructure” and subscriber devices, i.e. “user nodes”, in which services or microservices for changes are used, i.e. “respective entities which make changes to the computing infrastructure”); querying the graph based on a computing resource indicated in an alert (see Gupta; paragraphs 0011, 0104, 0105, 0110 and 0118; Gupta discloses a request, i.e. “querying”, to determine changes in the graph. An alarm, i.e. “an alert”, is used when an anomalous condition is detected. A ranking service provides a rank that indicates the node, i.e. “a computing resource”, that is likely the root cause of an observed anomaly. In particular, a request is made to perform a graph analysis based on the alarms, i.e. “querying the graph…indicated in an alert”); identifying a root cause of the alert based on results of the querying of the graph (see Gupta; paragraphs 0105-0108, 0118, and 0177; Gupta discloses root cause analysis, i.e. “identifying root cause”, framework used to perform alarm, i.e. “the alert”, propagation analysis in response to, i.e. “based on…”, the request for graph analysis and the rankings, i.e. “results of the querying”). While Gupta discloses “identifying a root cause…”, as discussed above, Gupta does not explicitly disclose performing at least one mitigation action based on the identified root cause. In analogous art, Hawkinson discloses performing at least one mitigation action based on the identified root cause (see Hawkinson; paragraph 0051; Hawkinson discloses root cause analysis may be performed for selecting a mitigation process for mitigating or resolving the anomaly associated with the known pattern, i.e. “mitigation action based on the identified root cause”). One of ordinary skill in the art would have been motivated to combine Gupta and Hawkinson because they both disclose features of root cause analysis, and as such, are within the same environment. Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the feature of mitigation as taught by Hawkinson into the system of Gupta in order to provide the benefit of efficiency by applying a mitigation process to the observer anomaly (see Gupta; paragraphs 0105 and 0110). While Gupta discloses “creating a graph including a plurality of nodes and a plurality of edge”, as discussed above, the combination of Gupta and Hawkinson does not explicitly disclose a plurality of action nodes representing respective actions that make changes to the computing infrastructure initiated by one of the entities, wherein each action node among the plurality of action nodes is connected, via an edge among the plurality of edges, to a user node among the plurality of user nodes that represents an entity that initiated the action represented by the action node. In analogous art, Crabtree discloses a plurality of action nodes representing respective actions that make changes to the computing infrastructure initiated by one of the entities, wherein each action node among the plurality of action nodes is connected, via an edge among the plurality of edges, to a user node among the plurality of user nodes that represents an entity that initiated the action represented by the action node (see Crabtree; paragraphs 0020, 0024, 0025, 0112, 0117 and 0123; Crabtree discloses behavior data, e.g. actual and hypothetical behavior, in the form of a behavior graph comprises action nodes representing actions by connected resources, e.g. people or devices, i.e. “action nodes representing respective actions…initiated by one of the entities”. The connected resources are represented as nodes, i.e. “a user node among the plurality of user nodes”, in a cyber-physical graph. The behavior graph and cyber-physical graph comprise edges representing relationships between the nodes. The actions include various actions such as malicious actions, i.e. “actions that make changes to the computing infrastructure”. The behavior graph data is incorporated into the cyber-physical graph to produce a graph visualization, e.g. a graph with the combined data, of connected resources and their relationships with the actions, i.e. “wherein each action node among the plurality of action nodes is connected, via an edge among the plurality of edges, to a user node among the plurality of user nodes” to reflect the current state of internal relationships corresponding to security in the infrastructure). One of ordinary skill in the art would have been motivated to combine Gupta, Hawkinson and Crabtree because they all disclose features of threat detection in a network, and as such, are within the same environment. Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the feature a behavior cyber-physical graph as taught by Crabtree into the combined system of Gupta and Hawkinson in order to provide the benefit of efficiency by allowing a contextualized visualization of a security infrastructure that reflects the current state of the internal relationships present in the infrastructure (see Crabtree; paragraph 0123) when applying a mitigation process to an observer anomaly (see Gupta; paragraphs 0105 and 0110). Further, Gupta discloses the additional limitations of claim 10, a non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process (see Gupta; paragraph 0008; Gupta discloses a non-transitory computer-readable medium having instructions stored thereon that, when executed, cause one or more processors to execute a framework analysis system). Further, Gupta discloses the additional limitations of claim 11, a processing circuitry (see Gupta; paragraph 0298; Gupta discloses processing circuitry); and a memory, the memory containing instructions that, when executed by the processing circuitry (see Gupta; paragraphs 0296 and 0298; Gupta discloses a memory and instructions executed by processing circuitry). Regarding claims 3 and 13, Gupta, Hawkinson and Crabtree disclose all the limitations of claims 2 and 12, as discussed above, and further the combination of Gupta, Hawkinson and Crabtree clearly discloses wherein each action node is further connected to a computing resource node representing a computing resource that was created or modified via the action (see Crabtree; paragraphs 0107, 0112, 0117 and 0123; Crabtree discloses the action node data from the behavior graph is incorporated into the cyber-physical graph, which includes connected resource nodes to produce a graph visualization, e.g. a combined graph, of the action nodes and connected resource nodes and their relationships, i.e. “action node is further connected to a computing resource node representing a computing resource that was created or modified via the action”). The prior art used in the rejection of the current claim is combined using the same motivation as was applied in claims 1 and 11. Regarding claims 4 and 14, Gupta, Hawkinson and Crabtree disclose all the limitations of claims 1 and 11, as discussed above, and further the combination of Gupta, Hawkinson and Crabtree clearly discloses wherein the graph further includes a plurality of time values corresponding to respective edges of the plurality of edges, wherein the graph is queried based further on a time of the alert (see Gupta; paragraphs 0061, 0109, 0114 and 0230; Gupta discloses providing telemetry data, e.g. time series data, i.e. “a plurality of time values”, corresponding to a plurality of edges, i.e. “respective edges of the plurality of edges”, between the nodes of the graph based on the time of the detected anomaly alarms, i.e. “based on a time of the alert”). Regarding claims 5 and 15, Gupta, Hawkinson and Crabtree disclose all the limitations of claims 4 and 14, as discussed above, and further the combination of Gupta, Hawkinson and Crabtree clearly discloses wherein a result of querying the graph includes a subset of the plurality of nodes and the plurality of edges, wherein the subset corresponds to a state of the computing infrastructure as represented in the graph at the time of the alert (see Gupta; paragraphs 0105-0109, 0114, 0118, and 0177; Gupta discloses the graph analysis and the rankings, i.e. “results of the querying”, include a first and second node, i.e. “subset of the plurality of nodes”, and the corresponding edges. The first and second nodes correspond to time series data of the anomaly alarm, i.e. “state of the computing infrastructure as represented in the graph at the time of the alert”). Regarding claims 6 and 16, Gupta, Hawkinson and Crabtree disclose all the limitations of claims 1 and 14, as discussed above, and further the combination of Gupta, Hawkinson and Crabtree clearly discloses wherein identifying the root cause of the alert further comprises: detecting at least one anomaly based on a result of querying the graph, wherein the at least one anomaly is at least one anomalous change to the computing infrastructure (see Gupta; paragraphs 0089, 0105, 0106, 0112 and 0230; Gupta discloses determining and issuing an alarm for anomalies based on a ranking, i.e. “based on a result of querying the graph”. The anomaly is associated with changes, i.e. “anomalous change”). Regarding claims 7 and 17, Gupta, Hawkinson and Crabtree disclose all the limitations of claims 6 and 16, as discussed above, and further the combination of Gupta, Hawkinson and Crabtree clearly discloses wherein the at least one anomalous change is determined based on one of the entities which made the at least one anomalous change (see Gupta; paragraphs 0089, 0105, 0106, 0112 and 0230; Gupta discloses the anomaly is based on the node, i.e. “one of the entities which made the at least one anomalous change”, likely to be the root cause of the observed anomaly). Regarding claims 8 and 18, Gupta, Hawkinson and Crabtree disclose all the limitations of claims 1 and 11, as discussed above, and further the combination of Gupta, Hawkinson and Crabtree clearly discloses aggregating a plurality of nodes having at least one common root cause among the plurality of nodes (see Gupta; paragraphs 0007, 0008 and 0105; Gupta discloses edges of graph indicating nodes associated with root cause of anomalies); and updating the graph based on the aggregated plurality of nodes having the at least one common root cause, wherein the updated graph is queried (see Gupta; paragraphs 0007, 0008, 0105 and 0218; Gupta discloses updating based on the ranking and weighting of the edges between the nodes of the graph). Regarding claims 9 and 19, Gupta, Hawkinson and Crabtree disclose all the limitations of claims 8 and 18, as discussed above, and further the combination of Gupta, Hawkinson and Crabtree clearly discloses wherein aggregating the plurality of nodes having the at least one common root cause further comprises: generating an aggregated node based on the plurality of nodes having the at least one common root cause, wherein updating the graph further comprises replacing the plurality of nodes having the at least one common root cause with the aggregated node (see Crabtree; paragraphs 0100, 0108, 0115, 0017 and 0123; Crabtree discloses aggregate behavioral metrics, e.g. actions, of the nodes for a group, which has the same pattern, i.e. “root cause”, of the action, i.e. “at least one common root cause”, to be produce in a graph visualization of the combined behavior graph and cyber-physical graph. In other words, the graph data is updated by replacing individual actions that have the same pattern with an aggregated node showing a group of the same actions, i.e. “replacing the plurality of nodes having the at least one common root cause with the aggregated node”). The prior art used in the rejection of the current claim is combined using the same motivation as was applied in claims 1 and 11. Regarding claims 20 and 22, Gupta, Hawkinson and Crabtree disclose all the limitations of claims 6 and 16, as discussed above, and further the combination of Gupta, Hawkinson and Crabtree clearly discloses wherein performing the at least one mitigation action further includes causing a display of the graph including the at least one anomalous change (see Crabtree; paragraphs 0083, 0113, 0117, 0123; Crabtree discloses presenting needed information of an anomalous network behavior, via the graph visualization, i.e. “causing a display of the graph including the at least one anomalous change”, to responding parties for mitigating the attack, i.e. “at least one mitigation action”). The prior art used in the rejection of the current claim is combined using the same motivation as was applied in claims 1 and 11. Regarding claim 21, Gupta, Hawkinson and Crabtree disclose all the limitations of claims 6 and 16, as discussed above, and further the combination of Gupta, Hawkinson and Crabtree clearly discloses wherein the graph further includes a plurality of alert nodes representing respective alerts, each alert node being connected to the computing resource node representing the computing resource indicated by the respective alert (see Crabtree; paragraphs 0085, 0100, 0107, 0117 and 0123; Crabtree discloses alerts being presented in the information for behavior and actions as nodes in the graph corresponding to the connected resource nodes, i.e. “alert node being connected to the computing resource node representing the computing resource indicated by the respective alert”). The prior art used in the rejection of the current claim is combined using the same motivation as was applied in claims 1 and 11. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: Coull et al. (U.S. 2024/0007495 A1) discloses a semantic graph with nodes and edges related to a cyber-threat alert. Miserendino et al. (U.S. 2023/0344839 A1) discloses cyberattack campaigns are represented by temporal graphs based on detection of suspicious activities. Batson et al. (U.S. 2023/0127836 A1) discloses security events graph with nodes representing computer network entities connected by edges. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to ADAM A COONEY whose telephone number is (571)270-5653. The examiner can normally be reached M-F 7:30am-5:00pm (every other Fri off). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema can be reached at 571-270-3037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /A.A.C/Examiner, Art Unit 2458 04/01/26 /UMAR CHEEMA/Supervisory Patent Examiner, Art Unit 2458