DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 16-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  
The claims do not fall within at least one of the four categories of patent eligible subject matter because the claims may be interpreted to include only software.
Claim 16 recites “a system comprising:  one or more processors”.  A processor can be interpreted as software per se.  
Claim 19 recites “a system comprising: a computing device adapted to communicate with a plurality of computing devices in a distributed computing environment, the computing device comprising one or more processors.”   The computing device may include only processors, which can be interpreted as software, per se.   The examiner notes that the computing device (i.e., only software) being adapted to communicate with other devices does not indicate that the device itself includes any type of hardware, but merely that it is adapted for communication.
Software, per se, does not fall under one of the four statutory categories, and therefore, claims 16-20 do not recite statutory subject matter.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6, 9-11, and 15-18 are rejected under 35 U.S.C. 103 as being unpatentable over Kamthe (US 2014/0283062) in view of Desai et al. (US 2003/0188189).
Regarding claims 1 and 16, Kamthe teaches a method (and corresponding system), comprising:
Determining, using one or more processors, an entity baseline behavior for each entity of a plurality of entities, wherein the entity baseline behavior for each of the plurality of entities includes multiple variables (expected past behavior using one or more parameters (i.e., the baseline behavior includes multiple variables); records are maintained over a predetermined period of time for each client device/group of client devices (i.e., plurality of entities)) – see [0061], [0015], and [0037].
Determining, using the one or more processors, an entity behavior difference for each entity of the plurality of entities at a series of points in time (Deviation (i.e., behavior difference) from earlier time points) – see [0061] and [0016].
Determining, using the one or more processors, an attack signature based on the entity behavior differences (MAC address recorded in the NAL database in order to help classify new events which have same signature) – see [0075], [0081], and figure 2 280/290.
Generating, using the one or more processors, a database of attack signatures. (MAC address recorded in the NAL database in order to help classify new events which have same signature) – see [0075], [0081], and figure 2 280/290.
Kamthe does not teach evaluating one or more correlations between the entity behavior differences for the plurality of entities at the series of points in time, or determining whether the plurality of entities is exhibiting coordinated behavior differences based on the one or more correlations.
Desai teaches a method which uses correlation to see new multi-variant attack signatures earlier in an attack cycle. Similar, seemingly unrelated, abnormal behavior (i.e., behavior differences) repeated several times (i.e., series of points in time) across multiple unrelated networks (i.e., multiple entities) would prompt operators to investigate further, and perhaps eliminate or mitigate an otherwise unsuspected or undetected attack – see [0104], [0083], and [0078], for example.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Kamthe by evaluating correlations between entity behavior differences for a plurality of entities at the series of points in time and determining whether the entities are exhibiting coordinated behavior differences based on the correlations, in order to eliminate or mitigate unsuspected attacks, based upon the beneficial teachings provided by Desai.  These modifications would result in increased security to the system.

Regarding claim 2, Kamthe further teaches determining whether the attack signature is a false positive, wherein each of the attack signatures includes an indication of whether the attack signature is a false positive (event is recorded in the NAL database as a false positive) – see [0081].

Regarding claim 3, the combination of Desai further teaches: computing an entity anomaly score for each entity of the plurality of entities at the series of points in time, wherein the one or more correlations are evaluated for entities having entity anomaly scores above a predetermined anomaly threshold and whether the plurality of entities is exhibiting coordinated behavior differences is determined 

Regarding claim 4, Desai further teaches generating an alert when the entity anomaly score is above the predetermined anomaly threshold (Alarm thresholds for when attribute exceeds threshold) – see [0077].

Regarding claim 5, Kamthe further teaches wherein the entity anomaly score for each entity is computed based on a divergence value of an observed current behavior of the entity compared to past behavior of the entity over a past period of time (expected past behavior using one or more parameters (i.e., the baseline behavior includes multiple variables); records are maintained over a predetermined period of time for each client device/group of client devices – see [0061], [0015], and [0037]; deviation (i.e., behavior difference) from earlier time points – see [0061] and [0016]).

Regarding claim 6, Kamthe further teaches wherein the entity anomaly score for each entity is computed based on a divergence value of an observed current behavior of the entity compared to predicted current behavior of the entity over a past period of time (expected (i.e., predicted) past behavior using one or more parameters (i.e., the baseline behavior includes multiple variables); records are maintained over a predetermined period of time for each client device/group of client devices – see [0061], [0015], and [0037]; deviation (i.e., behavior difference) from earlier time points – see [0061] and [0016]).

Regarding claim 9, Desai further teaches: determining whether the plurality of entities is exhibiting coordinated behavior differences is based on whether the one or more correlations are above a predetermined support threshold (Correlation related to abnormal behavior (i.e., coordinated behavior 

Regarding claims 10, 11, and 18, the combination of Kamthe and Desai further teaches: generating an alert when a predetermined group is determined to be exhibiting coordinated behavior differences, wherein each of the entities in the plurality of entities belongs to the predetermined group, and determining whether the predetermined group is exhibiting coordinated behavior differences is based on whether the entity behavior differences for a threshold fraction of entities of the predetermined group have correlations above a predetermined support threshold (Desai teaches: correlation related to abnormal behavior (i.e., behavior differences) repeated several times across multiple (i.e., threshold) unrelated networks (i.e., multiple entities) would prompt operators to investigate further (i.e., alert) – see [0104], [0083], and [0078].  Kamthe teaches that the device data and abnormal behavior (i.e., behavior differences) are analyzed according to one of a plurality of predefined traffic classes (i.e., groups) – see [0025]; the threshold of behavior deviation depends on the predetermined class – see [0059], [0060], and table 1).

Regarding claim 15, Kamthe teaches that the entities comprise user computing devices (Client devices) – see [0015].

Regarding claim 17, Kamthe further teaches one or more memories in communication with the one or more processors, the one or more memories configured to store the database of attack signatures (MAC address recorded in the NAL database in order to help classify new events which have same signature) – see [0075], [0081], and figure 2 280/290.

Claims 7 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Kamthe (US 2014/0283062) in view of Desai et al. (US 2003/0188189), and further in view of Lim (US 2019/0141060).
The teachings of Kamthe and Desai are relied upon for the reasons set forth above.
Regarding claims 7 and 8, Kamthe and Desai teach that the correlations are evaluated for the plurality of entities across different points in time of the series of points in time, as discussed above.  However, Kamthe and Desai do not teach that the one or more correlations are horizontal/vertical correlations.
Lim teaches a security threat inference and correlation apparatus for monitoring and anticipating cyber-attacks, wherein the correlation system is configured to use vertical and horizontal correlation methods – see [0042].  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Kamthe and Desai by using horizontal or vertical correlation, in order to accurately and easily determine correlation, based upon the beneficial teachings provided by Lim.

Claims 12, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kamthe (US 2014/0283062) in view of Desai et al. (US 2003/0188189), and further in view of De Knijf et al. (2018/0191746).
Regarding claim 19, Kamthe teaches a method (and corresponding system), comprising:
Receive an entity behavior difference for each entity of a plurality of entities at each point of a series of points in time (Deviation (i.e., behavior difference) from earlier time points.  Device data analyzed according to one of a plurality of predefined traffic classes (i.e., groups)) – see [0061], [0016], and [0025].
Emit, for each entity, the received entity behavior difference (deviation (i.e., behavior difference) from earlier time points) – see [0061] and [0016].
Determine an attack signature based on the entity behavior differences (MAC address recorded in the NAL database in order to help classify new events which have same signature) – see [0075], [0081], and figure 2 280/290.
Generate a database of attack signatures. (MAC address recorded in the NAL database in order to help classify new events which have same signature) – see [0075], [0081], and figure 2 280/290.
Kamthe does not teach evaluating, for each set of behavior differences, one or more correlations between the entity behavior differences at the series of points in time; determining whether any set of entity behavior differences is exhibiting coordinated behavior differences based on the one or more correlations; that one or more of the plurality of entities belongs to a predetermined group and the behavior difference is for the predetermined group to which the entity belongs; or reducing the emitted entity behavior differences into sets according to the predetermined group.
Desai teaches a method which uses correlation to see new multi-variant attack signatures earlier in an attack cycle. Similar, seemingly unrelated, abnormal behavior (i.e., behavior differences) repeated several times (i.e., series of points in time) across multiple unrelated networks (i.e., multiple entities) would prompt operators to investigate further, and perhaps eliminate or mitigate an otherwise unsuspected or undetected attack – see [0104], [0083], and [0078], for example.  Kamthe further teaches that the device data and abnormal behavior (i.e., behavior differences) are analyzed according to one of a plurality of predefined traffic classes (i.e., groups) – see [0025]; the threshold of behavior deviation depends on the predetermined class – see [0059], [0060], and table 1.
Kamthe and Desai do not teach that one or more of the plurality of entities belong to more than one predetermined group.
De Knijf teaches that normal device behavior can be estimated for identified groups and subgroups.  The normal device behavior can include data that describes the usual behavior of devices that belong to that group.  In particular, for every group the normal behavior can be estimated based upon the behavioral data for that group – see [0039].  This indicates that the devices can belong to more than one group (the group and the subgroup).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Kamthe by evaluating correlations between entity behavior 

Regarding claim 20, the combination of Desai further teaches: computing an entity anomaly score for each entity of the plurality of entities at the series of points in time (for a small office, greater than 50 MB is the threshold – see [0059]; the actual amount would be the anomaly score, and 50 would be the threshold), wherein the one or more correlations are evaluated for entities having entity anomaly scores above a predetermined anomaly threshold and whether the plurality of entities is exhibiting coordinated behavior differences is determined based on the one or more correlations evaluated for the entities having entity anomaly scores above the predetermined anomaly threshold score (score above threshold = abnormal behavior; correlation related to abnormal behavior (i.e., behavior differences) repeated several times (i.e., series of points in time) across multiple unrelated networks (i.e., multiple entities) would prompt operators to investigate further) – see [0104], [0083], and [0078].

Regarding claim 12, Kamthe and Desai do not teach that one or more of the plurality of entities belong to more than one predetermined group.
De Knijf teaches that normal device behavior can be estimated for identified groups and subgroups.  The normal device behavior can include data that describes the usual behavior of devices that 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Kamthe and Desai by assigning the entity to more than one group (such as a group and subgroup), in order to determine the normal behavior of particular subsets of devices, based upon the beneficial teachings provided by De Knijf.  These modifications would result in increased accuracy to the system.
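The pipeline the rejected claims recite, as an added worked illustration for this page (not code from the application or from any of the cited references): a per-entity divergence from a multi-variable baseline serves as the anomaly score (claims 5, 6 and 20), only entities above the anomaly threshold are correlated across the series of points in time (claims 3 and 20), a group is flagged when a threshold fraction of its members have correlations above the support threshold (claims 10, 11 and 18), and one entity belongs to two groups (claim 12). All host names, variables, observations and thresholds are constructed.

```python
import math

# Constructed sample data (not from the application or the cited references):
# five hosts, two variables each, baseline as (mean, std), five points in time.
BASELINE = {e: {"bytes_out": (100.0, 10.0), "conns": (20.0, 4.0)} for e in "ABCDE"}
_SERIES = {  # (bytes_out, conns) at t0..t4; A-C ramp up together, D is noisy, E is quiet
    "A": [(100, 20), (100, 20), (100, 20), (160, 32), (190, 40)],
    "B": [(105, 20), (100, 22), (95, 20), (150, 28), (180, 36)],
    "C": [(100, 20), (110, 20), (100, 24), (170, 36), (200, 44)],
    "D": [(160, 20), (100, 20), (100, 40), (100, 20), (150, 20)],
    "E": [(100, 20)] * 5,
}
OBSERVED = {e: [{"bytes_out": b, "conns": c} for b, c in s] for e, s in _SERIES.items()}
GROUPS = {"sales": ["A", "B", "C", "D"], "eng": ["D", "E"]}  # D belongs to two groups


def behavior_difference(baseline, observation):
    """Per-variable divergence of one observation from the entity's baseline (z-scores)."""
    return {v: (observation[v] - m) / s for v, (m, s) in baseline.items()}


def anomaly_score(difference):
    """Collapse the multi-variable difference into one divergence value (Euclidean norm)."""
    return math.sqrt(sum(z * z for z in difference.values()))


def pearson(xs, ys):
    """Pearson correlation of two equal-length series; 0.0 when either series is constant."""
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    norm = math.sqrt(sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys))
    return cov / norm if norm else 0.0


def detect_coordinated(groups=GROUPS, baseline=BASELINE, observed=OBSERVED,
                       anomaly_threshold=3.0, support_threshold=0.8, group_fraction=0.5):
    """Return ({group: alert flag}, {entity: anomaly-score series over time})."""
    # 1. behavior difference and anomaly score for every entity at every point in time
    scores = {e: [anomaly_score(behavior_difference(baseline[e], o)) for o in obs]
              for e, obs in observed.items()}
    # 2. only entities that exceeded the anomaly threshold take part in correlation
    candidates = {e for e, s in scores.items() if max(s) > anomaly_threshold}
    alerts = {}
    for group, members in groups.items():
        # 3. pairwise correlation of the candidates' difference series across time
        cands = [e for e in members if e in candidates]
        supported = set()
        for i, a in enumerate(cands):
            for b in cands[i + 1:]:
                if pearson(scores[a], scores[b]) >= support_threshold:
                    supported.update((a, b))
        # 4. group alert when a threshold fraction of its members are mutually correlated
        alerts[group] = len(supported) / len(members) >= group_fraction
    return alerts, scores


if __name__ == "__main__":
    print(detect_coordinated()[0])  # {'sales': True, 'eng': False}
```

Host D exceeds the anomaly threshold on its own but correlates with nobody, so it raises no group alert in either group; only the three hosts that drift together trigger the "sales" alert.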

Allowable Subject Matter
Claims 13 and 14 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is a statement of reasons for the indication of allowable subject matter:  Kamthe and Desai are relied upon for the reasons set forth above.  In addition, Buyukkayhan et al. (US 9,998,484) teaches: A method comprises obtaining at least a first software module not classified as benign or potentially malicious, extracting a set of features associated with the first software module including static, behavior and context features, computing distance metrics between the extracted feature set and feature sets of a plurality of clusters including one or more clusters of software modules previously classified as benign and exhibiting a first threshold level of similarity relative to one another and one or more clusters of software modules previously classified as potentially malicious and exhibiting a second threshold level of similarity relative to one another, classifying the first software module as belonging to a given cluster based at least in part on the computed distance metrics, and modifying access by a given client device to the first software module responsive to the given cluster being a cluster of software modules previously classified as potentially malicious – see abstract.
However, the prior art does not teach or suggest determining whether the particular group is exhibiting coordinated behavior differences based on whether a number of the entities in the particular group is above a predetermined threshold, in combination with the rest of the claims.  

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LISA C LEWIS whose telephone number is (571)270-7724.  The examiner can normally be reached on Monday - Thursday 7am-2pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.