DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 04/21/2026, 03/09/2026 and 09/02/2025 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Specifically, while the claims 1, 8 and 15 recite “wherein nodes and edges with higher risk score are visually distinguishable from nodes and edges with lower risk scores”, the specification lacks a detailed description of the visual distinguishment. As established in Ariad Pharms., Inc. v. Eli Lilly & Co., 598 F.3d 1336, 1351, 94 USPQ2d 1161,5 1172 (Fed. Cir. 2010), the specification must convey with reasonable clarity to those skilled in the art that the inventor had possession of the claimed invention. Merely stating that machine learning is used, without further elaboration, does not satisfy this requirement.
Claims that depend on rejected base claims (i.e. claims 1, 8, 15) inherit by the nature of their dependency all rejections that are applied to their corresponding base claims.
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing
out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the
invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly
claiming the subject matter which the applicant regards as his invention.
Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 1, 13 and 20:
The claims recite limitations, such as “wherein nodes and edges with higher risk score are visually distinguishable from nodes and edges with lower risk scores”, without providing sufficient detail to inform, with reasonable certainty, those skilled in the art about the scope of the invention. Specifically, the claim language lacks clarity regarding the visual distinguishment.
As established in Nautilus, Inc. v. Biosig Instruments, Inc., 572 U.S. 898, 901, 910, 110 USPQ2d 1688, 1693 (2014), a claim is indefinite if, when read in light of the specification and the prosecution history, it fails to inform, with reasonable certainty, those skilled in the art about the scope of the invention. Additionally, MPEP § 2173.02 emphasizes that claims must be clear and precise to delineate the metes and bounds of the subject matter to be protected.
Claims that depend on rejected base claims (i.e. claims 1, 8 and 15) inherit by the nature of their dependency all rejections that are applied to their corresponding base claims. Thus, claims 2-7, 9-14 and 16-20 are, in addition to any separate rejection disclosed above, also rejected using the same grounds of rejection as indicated in the rejection of their corresponding base claims above.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1, 3-5, 7-8, 10, 12-15 and 17-20 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over U.S. Patent No. 12,242,602 (hereinafter “PAT602”) in view of Duer et al. (US 2019/0102286, hereinafter Duer) as obviousness type double patenting.
Regarding Claims 1, 8 and 15, the following limitations of Instant Application as obviously disclosed by claims of PAT602:
receiving, by a visualizer, a sub-graph, wherein the sub-graph is identified based on traversing a plurality of related nodes of a data structure and determining that a root-cause condition associated with a node has been met (Claim 1),
the root-cause condition corresponds to a suspected or actual originating cause of a malicious activity in a computing environment (Claim 4),
wherein the data structure comprises a plurality of nodes and a plurality of edges representing the computing environment (Claim 1);
generating, by the visualizer, a rendered sub-graph that visually represents the sub-graph, wherein nodes and edges of the sub-graph are visually represented based on their corresponding risk scores (Claim 1 and Claim 2); and
causing, by the visualizer, display of the rendered sub-graph on a graphical user interface (GUI) (Claim 1);
However, PAT602 does not explicitly claim “wherein nodes and edges with higher risk score are visually distinguishable from nodes and edges with lower risk scores”.
In an analogous art, Duer teaches wherein nodes and edges with higher risk score are visually distinguishable from nodes and edges with lower risk scores (Duer - [0029]: The visualization is a graph of nodes and edges. For example, there are two types of nodes as indicated by the key 152, one is a vulnerability finding (rectangle) and the other are trace nodes (circle). In addition, different sizes and colors may be used to represent different types of trace nodes and different vulnerability types. For example, one color of rectangle nodes may be used to represent cross-site scripting (CSS) vulnerabilities).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use Duer to color code the graph based on risks.
Regarding Claim 3: PAT602 teaches wherein traversing the plurality of related nodes support detecting lateral movement of a malicious activity in a computing environment based on relationships and linking actions between the plurality of related nodes, wherein a linking action indicates movement of a file from a first node to a second node and a subsequently executed operation associated with the file (Claim 2 and claim 3).
Regarding Claim 4: PAT602 teaches wherein the root-cause condition is associated with a plurality of root-cause conditions that cause traversing the plurality of related nodes to stop, wherein each of the plurality of root-cause conditions define stop conditions for halting traversal (Claim 4).
Regarding Claim 5: PAT602 teaches wherein traversing the plurality of related nodes comprises identifying insights associated with the plurality of related nodes, wherein a machine learning model processes the insights to determine whether the root-cause condition has been met (Claim 5).
Regarding Claim 7: PAT602 teaches wherein the sub-graph comprises a set of traversed nodes from the plurality of related nodes, wherein the sub-graph is associated with an execution path of a potentially malicious activity based on a relationship analyzed between the set of traversed nodes (Claim 7).
Claims 8, 10-12 and 14 are directed to system claims and do not teach or further define over the limitations recited in claims 1, 3-5 and 7. Therefore, they are rejected for the reasons same as discussed above.
Claims 15, 17-20 are directed to CRM claims and do not teach or further define over the limitations recited in claims 1, 3-5. Therefore, they are rejected for the reasons same as discussed above.
Claims 1, 8 and 15 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over U.S. Patent No. 11,556,636 (hereinafter “PAT636”) in view of Duer et al. (US 2019/0102286, hereinafter Duer) as obviousness type double patenting.
Regarding Claim 1, the following limitations of Instant Application as obviously disclosed by claims of PAT636:
receiving, by a visualizer, a sub-graph, wherein the sub-graph is identified based on traversing a plurality of related nodes of a data structure and determining that a root-cause condition associated with a node has been met (Claim 1),
the root-cause condition corresponds to a suspected or actual originating cause of a malicious activity in a computing environment (Claim 1),
wherein the data structure comprises a plurality of nodes and a plurality of edges representing the computing environment (Claim 2);
generating, by the visualizer, a rendered sub-graph that visually represents the sub-graph, wherein nodes and edges of the sub-graph are visually represented based on their corresponding risk scores (Claim 1); and
causing, by the visualizer, display of the rendered sub-graph on a graphical user interface (GUI) (Claim 8);
However, PAT602 does not explicitly claim “wherein nodes and edges with higher risk score are visually distinguishable from nodes and edges with lower risk scores”.
In an analogous art, Duer teaches wherein nodes and edges with higher risk score are visually distinguishable from nodes and edges with lower risk scores (Duer - [0029]: The visualization is a graph of nodes and edges. For example, there are two types of nodes as indicated by the key 152, one is a vulnerability finding (rectangle) and the other are trace nodes (circle). In addition, different sizes and colors may be used to represent different types of trace nodes and different vulnerability types. For example, one color of rectangle nodes may be used to represent cross-site scripting (CSS) vulnerabilities).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use Duer to color code the graph based on risks.
Claim 8 is directed to system claims and do not teach or further define over the limitations recited in claims 1. Therefore, they are rejected for the reasons same as discussed above.
Claim 15 is directed to CRM claims and do not teach or further define over the limitations recited in claim 1. Therefore, they are rejected for the reasons same as discussed above.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-2, 6-9, 11, 14-16 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Hasan et al. (NPL - Towards Optimal Cyber Defense Remediation in Energy Delivery Systems, 2019 IEEE GLOBAL COMMUNICATIONS CONFERENCE (GLOBECOM), IEEE, 9 December 2018 (2019-12-09), pages 1-7, IDS reference) in view of Duer et al. (US 2019/0102286, hereinafter Duer).
Regarding claim 1: Hasan discloses A computerized system comprising:
receiving, by a visualizer, a sub-graph, wherein the sub-graph is identified based on traversing a plurality of related nodes of a data structure and determining that a root-cause condition associated with a node has been met, the root-cause condition corresponds to a suspected or actual originating cause of a malicious activity in a computing environment, wherein the data structure comprises a plurality of nodes and a plurality of edges representing the computing environment (Hasan - [Page 3, Section A]: Attack graph generation: The labels of the graph nodes are displayed at the right hand side of AG diagram (Fig. 3)). [Page 3, section C]: To calculate the critical path from system administrator perspective, a product of cumulative probability (CP) of every node in AG and Criticality of that node is computed. Here, critical path is the path which creates maximum damages to the system if an attacker has chosen this path to attain his/her goal);
However, Hasan doesn’t explicitly teach, but Duer discloses:
one or more computer processors (Duer - [0056]: Fig. 5, one or more processors or processing units 504); and
computer memory storing computer-useable instructions that, when used by the one or more computer processors (Duer - [0056]: The program code in the different embodiments may be embodied on different physical or tangible computer-readable media, such as memory 206 or persistent storage 208) a system memory 506, cause the one or more computer processors to perform operations comprising:
generating, by the visualizer, a rendered sub-graph that visually represents the sub-graph, wherein nodes and edges of the sub-graph are visually represented based on their corresponding risk scores; and causing, by the visualizer, display of the rendered sub-graph on a graphical user interface (GUI), wherein nodes and edges with higher risk score are visually distinguishable from nodes and edges with lower risk scores (Duer - [0029]: The visualization is a graph of nodes and edges. For example, there are two types of nodes as indicated by the key 152, one is a vulnerability finding (rectangle) and the other are trace nodes (circle). In addition, different sizes and colors may be used to represent different types of trace nodes and different vulnerability types. For example, one color of rectangle nodes may be used to represent cross-site scripting (CSS) vulnerabilities).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Hasan with Duer so a sub-graph is visually presented for usability.
Regarding claim 2: Hasan as modified discloses wherein causing display of the rendered sub-graph further comprises causing display of information associated with the nodes or edges identified in the rendered sub-graph, wherein the information is visually represented in a table or based on varied lines styles (Duer - [0029]: Referring to FIG. 1B, a compact illustration of trace nodes and vulnerability findings 150 is provided. In this example, one cluster includes 25 vulnerability findings (i.e., 25 boxes) grouped by a fixed location suggestion in the center. The visualization is a graph of nodes and edges).
The reason to combine is in the same rational as claim 1.
Regarding claim 6: Hasan as modified discloses wherein the plurality of nodes and the plurality of edges are associated with behaviors identifier (Duer - [0029]: Edges only link one vulnerability finding and one trace node, but not two vulnerability findings or trace nodes. One edge between one vulnerability finding and one trace node indicates that the trace node is in the trace of the vulnerability finding).
The reason to combine is in the same rational as claim 1.
Regarding claim 7: Hasan as modified discloses wherein the sub-graph comprises a set of traversed nodes from the plurality of related nodes, wherein the sub-graph is associated with an execution path of a potentially malicious activity based on a relationship analyzed between the set of traversed nodes (Hasan - [Page 3, section C]: To calculate the critical path from system administrator perspective, a product of cumulative probability (CP) of every node in AG and Criticality of that node is computed. Here, critical path is the path which creates maximum damages to the system if an attacker has chosen this path to attain his/her goal).
Regarding claims 8-9, 11 and 14: Claims are directed to computer readable medium claims and do not teach or further define over the limitations recited in claims 1-2 and 6-7. Therefore, claims 8-9, 11 and 14 are also rejected for similar reasons set forth in claims 1-2 and 6-7. Furthermore, Duer in paragraph [0045] discloses the computer program product may include a non-transitory computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the embodiments.
Regarding claims 15-16 and 20: Claims are directed to method claims and do not teach or further define over the limitations recited in claims 1-2 and 7. Therefore, claims 15-16 and 20 are also rejected for similar reasons set forth in claims 1-2 and 7.
Claims 3, 10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Hasan et al. (NPL - Towards Optimal Cyber Defense Remediation in Energy Delivery Systems, 2019 IEEE GLOBAL COMMUNICATIONS CONFERENCE (GLOBECOM), IEEE, 9 December 2018 (2019-12-09), pages 1-7, IDS reference) in view of Duer et al. (US 2019/0102286, hereinafter Duer) and Knapp et al. (Pub. No.: US 2017/0353460, hereinafter Knapp).
Regarding claims 3, 10 and 17: Hasan as modified discloses wherein traversing the plurality of related nodes support detecting lateral movement of a malicious activity in a computing environment based on relationships and linking actions between the plurality of related node (Hasan - [Page 3, section C]: The attack graph of an EDS network provides the logical representation of attacker’s lateral movements. To analyze the risk of those movements, we need to estimate the complexity of movements per stage in the creation of an AG).
However, Hasan as modified doesn’t explicitly teach but Knapp discloses wherein a linking action indicates movement of a file from a first node to a second node and a subsequently executed operation associated with the file (Knapp - [0144]: the ability to control which files are determined to be “safe” and therefore allowed to be transferred to a protected node within a protected system; the ability to ensure that only files that are authorized are allowed to be copied onto, executed by, or otherwise used by a protected node within a protected system).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Hasan and Duer with Knapp so that a file could be moved to another node and being executed in another node. The modification would have allowed the system to control the file movement and execution.
Claims 4, 13 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Hasan et al. (NPL - Towards Optimal Cyber Defense Remediation in Energy Delivery Systems, 2019 IEEE GLOBAL COMMUNICATIONS CONFERENCE (GLOBECOM), IEEE, 9 December 2018 (2019-12-09), pages 1-7, IDS reference) in view of Duer et al. (US 2019/0102286, hereinafter Duer) and Parekh et al. (Patent No.: US 7,139.837, hereinafter Parekh).
Regarding claims 4, 13 and 19: Hasan as modified doesn’t explicitly teach but Parekh discloses wherein the root-cause condition is associated with a plurality of root-cause conditions that cause traversing the plurality of related nodes to stop, wherein each of the plurality of root-cause conditions define stop conditions for halting traversal (Parekh - [Col. 7, Line 35-37]: The rule engine traverses the rule mesh till at least one of the conditions governing end of rule mesh traversal are satisfied).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Hasan and Duer with Parekh so that traversal ending condition is used to governing to stop traversal. The modification would have allowed the system to be more efficient.
Claims 5, 12 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Hasan et al. (NPL - Towards Optimal Cyber Defense Remediation in Energy Delivery Systems, 2019 IEEE GLOBAL COMMUNICATIONS CONFERENCE (GLOBECOM), IEEE, 9 December 2018 (2019-12-09), pages 1-7, IDS reference) in view of Duer et al. (US 2019/0102286, hereinafter Duer) and Fong et al. (Pub. No.: US 2021/0194905, hereinafter Fong).
Regarding claims 5, 12 and 18: Hasan as modified doesn’t explicitly teach but Fong discloses wherein traversing the plurality of related nodes comprises identifying insights associated with the plurality of related nodes, wherein a machine learning model processes the insights to determine whether the root-cause condition has been met (Fong - [0067]: The malicious behavior discovery and encoding 806 derives malicious (or otherwise suspect) graph patterns from existing attacks. As noted, typically these patterns are determined by human analysts, other security detection mechanisms, machine learning systems).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Hasan and Duer with Fong so that traversal nodes identify insights or patterns using machine learning. The modification would have allowed the system to be more secure.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure as the prior art additionally discloses certain parts of the claim features (See “PTO-892 Notice of Reference Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG LI whose telephone number is (571)272-8729. The examiner can normally be reached M-F 8:30-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached on (571) 270-5143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MENG LI/
Primary Examiner, Art Unit 2437