DETAILED ACTION
This action is in response to the claims filed 09 November, 2020 for application 15/707859 filed 18 September, 2017. Currently claims 1, 13, 14, 17 and 18 are amended and 1-20 are pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.

4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1, 2, 4, 7, 9, and 14-20 are rejected under 35 U.S.C. 103 as being unpatentable over Dupont et al, U.S. Patent Application Publication 2012/0137367 (“Dupont”) in view of Rasheed et al. (A Framework for Periodic Outlier Pattern Detection in Time-Series Sequences).


Regarding independent claim 1, Dupont teaches a system for “assessing values qualitatively across a terrain comprising multiple dimensions using cognitive computing techniques, comprising: a plurality of event reception components configured to operate on each event in a stream relevant to the terrain,” (Dupont ¶0150, “The present disclosure efficiently performs continuous monitoring of data produced or circulating within an entity….” The representation used for continuous monitoring is an event stream; ¶0152, “Event [100]: The central unit of analysis of the present disclosure. Depending on its origin, an event can be an 
“the plurality of event reception components comprising: a threshold application component configured to apply a threshold to each element in the stream;” (Dupont ¶0164, “The present disclosure describes a method for building and continuously maintaining a behavioral model [200]. This model represents assessed behavior [205] which can be either individual behavior [210] or collective behavior [215]. In order to detect anomalies [270], the system establishes baseline behaviors [260] which are a synthetic representation of communication habits and normal interactions, then assesses deviations [265] by comparing assessed behaviors [205] to such a baseline.” A historically generated baseline is used to assess behavioral deviation for events / evidence (¶0153, analysis results based on events), also see example ¶0626 using a threshold of 3 standard deviations.)
“a terrain updater configured to update the terrain based on at least one event;” (Dupont ¶0160, “A typed update [107] is a light representation of an incremental change to an evidence or event that can be forwarded to different components. A typed update [107] references one or several evidences or events that are affected by the changes.” Based on the terrain definition of page 7 of the Disclosure, a terrain is a specific value of a taxonomy, e.g. a group of multiple specific values jointly representing an action by some actor. In Dupont a specific event or evidence (post-analysis information associated with an event) is a set of values which can be updated through the system.) 
“an outlier analysis module configured to determine any outlier in the stream of events;” (Dupont ¶0628, “Alternatively, compute the normalized log-probability of the input workflow instance with respect to the workflow model. If this probability is within a given multiple of standard deviations (typically 3) from the average probability of workflow instances [134] within the training set, this instance [134] is flagged as an outlier.” This threshold is appropriate for an analysis based on higher order Markov chains per ¶0625.)
“a threshold violation predictor configured to predict threshold violations based on the stream of events;” (Dupont ¶0164, “This allows the detection of anomalies in recent or past behavior, however the system also attempts to predict behavior [262] in the near future based on the behavioral model [200].” Predicting future anomalies/outliers is understood to rely on the generated user behavior model and a historic behavior related threshold such as that in ¶0628.)
“a time-ordered behavior evaluator configured to evaluate behavior based on the stream of events;” (Dupont ¶0178, “The continuous clustering component [412] produces clusters of items [122] or events [100] from the incoming data stream on a continuous basis. It is a required stage of continuous discussion building [410].” Discussions as defined in ¶0156, “Discussion [136]: A possibly heterogeneous partially ordered set of electronic record items [122] for which it is presumed that any item [122] is causally related to all items [122] immediately following it by one or more sources of evidence [108].” The discussion building process is understood as evaluating at least the relatedness of events into a behavior sequence.) and 
“a graph updater to update a graph based on the stream of events” (Dupont ¶¶0165-166, “The behavioral model [200] computed by the system, as well as the anomalies [270] produced, are presented by the system using supporting evidence [202] and visualizations [204] in one embodiment. A visualization [204] is produced in several stages. Data is generated [365] over time either by an iterative process over batches of data [370], or on a continuous basis [375] using for example a sliding window mechanism [380]. Input data [365] for a particular visualization [204] is then selected [360] either automatically by the system or interactively by a user. A layout [355] is then produced to efficiently display [350] the visualization as part of the system's user interface [300].”).

However, Dupont does not explicitly disclose: wherein the outlier analysis module determines whether frequency, periodicity, and general value of at least one outlier in the stream of events represents a beginning of a different data pattern or a change to an existing data pattern.

Rasheed teaches: wherein the outlier analysis module determines whether frequency, periodicity, and general value of at least one outlier in the stream of events represents a beginning of a different data pattern or a change to an existing data pattern (“We define a candidate outlier pattern as the one which is less frequent than the patterns with same length. For instance, in the aforementioned examples, the frequency of ab is to be compared with the frequency of all patterns with length = 2 (e.g., ac,cb,ba,ca, and ab). A frequent pattern should also repeat in a segment (subsection of the series) which is larger than the user specified minimum segment length” p573 §III.B ¶2 , “The measure of surprise of a pattern X is defined as one minus the ratio of the frequency of X over the average frequency of all patterns with same length as X” p573 §III.B ¶3, “In this section, we explain the process of periodic outlier pattern mining. The process can be summarized in the following steps: 1) build a suffix tree for the input sequence; 2) annotate the suffix tree such that each internal node records the length of the substring it represents (the string obtained by tracing from the root till the node) and the frequency of the substring in the sequence; 3) build a pattern frequency table (PFT) for recording the frequency of patterns of different length (up to the maximum pattern length); 4) identify the candidate outlier patterns; and 5) run STNR for all candidate outlier patterns to output valid periodic outlier patterns.” P573 §IV ¶1, “The events E and F are not very frequent and does not show any strong periodicity. Event C is the least frequent among those which show some periodicity. 
Hence, if a periodic pattern contains event C, then it would be a different or surprising pattern than the rest of the patterns” p576 §V.A ¶2, note: frequency of ab is frequency, ab is the value, periodic pattern is periodicity and a different/surprising pattern represents a beginning/change to the pattern).

Dupont and Rasheed are both in the same field of endeavor of anomaly/outlier detection in data and are analogous. Dupont discloses a multivariable anomaly detection system and Rasheed teaches a periodicity, frequency and value based outlier and different pattern detection system. It would have been obvious to one of ordinary 

Regarding claim 2, Dupont further teaches “an event acquirer configured to acquire an event comprising an associated date and set of data fields, and pass event related data to the plurality of event reception components” (Dupont ¶¶0280-0284, “Feature collection: The feature collection phase collects, for each observed event, the necessary information needed by the downstream components. It is a fully configurable component allowing the specification of all the subsets of the data stream, as well as the snippets of information to retain from each event its high level functions are described in FIG. 10 … 4. Extract time stamps needed by the downstream components.”; ¶0227 & ¶0229, collection of an audit trail allows ¶0230 pruning by date.).
Regarding claim 4, Dupont further teaches “a signal manager configured to exclude signals based on content properties of data transmitted” (Dupont ¶0255, “Predicate-based policy, for example a least-relevant-data-first pruning strategy: In conjunction with a maximum volume assigned to the collection instance [545], this policy enforces the predicate that data deemed the least relevant to the matter or project at hand will be pruned to keep the volume of a collection instance [545] below that limit.” Relevance is a calculated property of the data content.).
“an additional signal manager connected to a signal filter configured to receive signal weights from a signal weight repository” (Dupont ¶¶0280-0282, “Feature collection: The feature collection phase collects, for each observed event, the necessary information needed by the downstream components. It is a fully configurable component allowing the specification of all the subsets of the data stream, as well as the snippets of information to retain from each event its high level functions are described in FIG. 10: … 2. Prioritize incoming events [100] based on configurable prioritization predicates [1020].” See example ¶0288.).
Regarding claim 9, Dupont further teaches “time-ordered behavior evaluator employs a Markov Graph, to learn a general sequence of events performed by one actor during a time period” (Dupont ¶0605, “In one embodiment of the present disclosure, once a pattern has been detected as significant in the baseline data analyzed for the whole set of actors [220] or a subset of those, the workflow model is built as a higher-order Markov chain whose states are composed of the individual event [100] and item [122] patterns….” Per page 14 of the Disclosure the Markov graph is understood to have dependency on multiple past events and therefore to graph a higher order Markov chain; ¶0625 and ¶0628 for example of Markov chain analysis for determining outliers.).

Regarding independent claims 13 and 17, Dupont teaches a method and system for “measuring values qualitatively across a terrain comprising multiple dimensions using cognitive computing techniques, comprising: a plurality of event reception components configured to operate on each event in a stream relevant to the terrain;” (Dupont ¶0150, “The present disclosure efficiently performs continuous monitoring of data produced or circulating within an entity….” The representation used for continuous monitoring is an event stream; ¶0152, “Event [100]: The central unit of analysis of the present disclosure. Depending on its origin, an event can be an observed event [102] exogenous to the system, a derived event [104] produced by the system, or user input….”)
“a periodic set of components configured to operate periodically on demand to analyze and predict based on information received from the plurality of event reception components;” (Dupont ¶¶0209-0212, “As shown in FIG. 5, data collection is performed by the data collection component [400] within a collection session [500] in any combination of the following ways: [0210] A human user launching a collection session [500] from a machine hosting the data collection component [400] or remotely [505]. [0211] The data collection component [400] automatically collecting data in a continuous mode [510].  [0212] The data collection component [400] automatically collecting data in incremental mode [515], i.e. as a series of batch operations.”) and 
“a plurality of signal managers interfacing with the plurality of event reception components and the periodic set of components, wherein the plurality of signal managers is configured to exclude signals based on content properties of data transmitted” (Dupont ¶0255, “Predicate-based policy, for example a least-relevant-data-first pruning strategy: In conjunction with a maximum volume assigned to the collection instance [545], this policy enforces the predicate that data deemed the 
Regarding claims 14 and 18, Dupont further teaches “the plurality of event reception components comprises: a threshold application component configured to apply a threshold to each element in the stream;” (Dupont ¶0164, “The present disclosure describes a method for building and continuously maintaining a behavioral model [200]. This model represents assessed behavior [205] which can be either individual behavior [210] or collective behavior [215]. In order to detect anomalies [270], the system establishes baseline behaviors [260] which are a synthetic representation of communication habits and normal interactions, then assesses deviations [265] by comparing assessed behaviors [205] to such a baseline.” A historically generated baseline is used to assess behavioral deviation for events / evidence (¶0153, analysis results based on events), also see example ¶0626 using a threshold of 3 standard deviations.)
“a terrain updater configured to update the terrain based on at least one event;” (Dupont ¶0160, “A typed update [107] is a light representation of an incremental change to an evidence or event that can be forwarded to different components. A typed update [107] references one or several evidences or events that are affected by the changes.” Based on the terrain definition of page 7 of the Disclosure, a terrain is a specific value of a taxonomy, e.g. a group of multiple specific values jointly representing an action by some actor. In Dupont a specific event or evidence (post-
“a threshold violation predictor configured to predict threshold violations based on the stream of events;” (Dupont ¶0164, “This allows the detection of anomalies in recent or past behavior, however the system also attempts to predict behavior [262] in the near future based on the behavioral model [200].” Predicting future anomalies/outliers is understood to rely on the generated user behavior model and a historic behavior related threshold such as that in ¶0628.)
“a time-ordered behavior evaluator configured to evaluate behavior based on the stream of events;” (Dupont ¶0178, “The continuous clustering component [412] produces clusters of items [122] or events [100] from the incoming data stream on a continuous basis. It is a required stage of continuous discussion building [410].” Discussions as defined in ¶0156, “Discussion [136]: A possibly heterogeneous partially ordered set of electronic record items [122] for which it is presumed that any item [122] is causally related to all items [122] immediately following it by one or more sources of evidence [108].” The discussion building process is understood as evaluating at least the relatedness of events into a behavior sequence.) and 
“a graph updater to update a graph based on the stream of events” (Dupont ¶¶0165-166, “The behavioral model [200] computed by the system, as well as the anomalies [270] produced, are presented by the system using supporting evidence [202] and visualizations [204] in one embodiment. A visualization [204] is produced in several stages. Data is generated [365] over time either by an iterative process over batches of data [370], or on a continuous basis [375] using for example a sliding window 

However, Dupont does not explicitly disclose: the periodic set of components comprising an outlier analysis module configured to determine at least one outlier in the stream, wherein the outlier analysis module determines whether frequency, periodicity, and general value of at least one outlier in the stream represents a beginning of a different data pattern or a change to an existing data pattern.

Rasheed teaches: the periodic set of components comprising an outlier analysis module configured to determine at least one outlier in the stream, wherein the outlier analysis module determines whether frequency, periodicity, and general value of at least one outlier in the stream represents a beginning of a different data pattern or a change to an existing data pattern (“We define a candidate outlier pattern as the one which is less frequent than the patterns with same length. For instance, in the aforementioned examples, the frequency of ab is to be compared with the frequency of all patterns with length = 2 (e.g., ac,cb,ba,ca, and ab). A frequent pattern should also repeat in a segment (subsection of the series) which is larger than the user specified minimum segment length” p573 §III.B ¶2 , “The measure of surprise of a pattern X is defined as one minus the ratio of the frequency of X over the average frequency of all patterns with same length as X” p573 §III.B ¶3, “In this section, we explain the process of periodic outlier pattern mining. The process can be summarized in the following steps: 1) build a suffix tree for the input sequence; 2) annotate the suffix tree such that each internal node records the length of the substring it represents (the string obtained by tracing from the root till the node) and the frequency of the substring in the sequence; 3) build a pattern frequency table (PFT) for recording the frequency of patterns of different length (up to the maximum pattern length); 4) identify the candidate outlier patterns; and 5) run STNR for all candidate outlier patterns to output valid periodic outlier patterns.” P573 §IV ¶1, “The events E and F are not very frequent and does not show any strong periodicity. Event C is the least frequent among those which show some periodicity. 
Hence, if a periodic pattern contains event C, then it would be a different or surprising pattern than the rest of the patterns” p576 §V.A ¶2, note: frequency of ab is frequency, ab is the value, periodic pattern is periodicity and a different/surprising pattern represents a beginning/change to the pattern).

Dupont and Rasheed are both in the same field of endeavor of anomaly/outlier detection in data and are analogous. Dupont discloses a multivariable anomaly detection system and Rasheed teaches a periodicity, frequency and value based outlier and different pattern detection system. It would have been obvious to one of ordinary skill in the art before the effective filing date to combine the anomaly detector of Dupont with the frequency and periodicity based outlier detector of Rasheed to yield predictable 

Regarding claims 15 and 19, Dupont further teaches “a signal manager configured to exclude signals based on content properties of data transmitted” (Dupont ¶0255, “Predicate-based policy, for example a least-relevant-data-first pruning strategy: In conjunction with a maximum volume assigned to the collection instance [545], this policy enforces the predicate that data deemed the least relevant to the matter or project at hand will be pruned to keep the volume of a collection instance [545] below that limit.” Relevance is a calculated property of the data content.).
Regarding claims 16 and 20, Dupont further teaches “a threat detector configured to detect threats” (Dupont ¶¶0811-0812, “An actor [220] that matches at least one of these archetypes would typically be flagged for investigation if for example the corresponding archetype(s) suggest a level of present or future insider threat, where an insider threat is defined as a series of malevolent or unintentional actions by a person trusted by the organization with access to sensitive or valuable information and/or assets. [0812] In particular, the behavioral model [200] can provide evidence suggesting that the individual in question is a malicious insider. This covers three main types of situations described below, each of which presents a significant threat to the organization if it goes undetected until irreversible malicious acts are committed, unless a system such as the one described in this invention flags those individuals by raising alerts [305] based on the established behavioral model [200].” Dupont addresses insider .

Claims 3, 5, 6, and 10-12 are rejected under 35 U.S.C. 103 as being unpatentable over Dupont in view of Rasheed and further in view of Adjaoute, U.S. Patent Application Publication 2016/0071017 (“Adjaoute”) further in view of Steiner et al, U.S. Patent Application Publication 2015/0355957 (“Steiner”).

Regarding claim 3, Dupont further teaches “a periodic set of components configured to operate periodically on demand,” (Dupont ¶¶0209-0212, “As shown in FIG. 5, data collection is performed by the data collection component [400] within a collection session [500] in any combination of the following ways: [0210] A human user launching a collection session [500] from a machine hosting the data collection component [400] or remotely [505]. [0211] The data collection component [400] automatically collecting data in a continuous mode [510].  [0212] The data collection component [400] automatically collecting data in incremental mode [515], i.e. as a series of batch operations.”)
“the periodic set of components configured to perform peer to peer analysis,” (Dupont ¶0809, “Third, an individual behavior [210] can be used to contrast the individual's behavior with her peers' behavior in order to yield another kind of assessment of anomalous behavior as with changes over time.” Per page 28 of the Disclosure, peer to peer analysis is understood as comparisons to similar peer actors.) 
“actor correlation analysis,” (Dupont ¶0630, “Instances for the same actor groups [225] at a prior time (peer-group referential, as formalized in the section on Anomaly detection). This allows detection of deviations from an informal workflow process [128] over time within a certain set of individual actors [220] in the organization, as well as specific actors [220] who do not follow the same workflow as the majority of the other actors [220] in the group [225] (for example, it might be interesting to detect actors [220] who are systematically sloppy and skip important stages [154] in a workflow process [128]).” Automated clustering of peer groups is requisite to perform such detection. Per page 28 of the Disclosure, actor correlation analysis is understood as the detection of groupings of actors permitting peer to peer analysis.) 
“actor behavior analysis …” (Dupont ¶0631, “[0631] Instances for the exact same actors [220] at a prior time (called baseline referential). This allows the system to detect deviations associated to a particular actor [220].” Per page 29 of the Disclosure, actor behavior analysis “examines the change in an Actor’s behavior over time by comparing the similarity of past behavior (the history) and current behavior.”).
However, Dupont is understood not to address fuzzy semantic rule analysis. Adjaoute teaches “[components of a classification system which perform] semantic rule analysis,” (Adjaoute ¶0150, “Compiled flag settings rules are fuzzy rules (business rules) developed with fuzzy logic. Fuzzy rules are used to merge the predicted classes from all the predictive models and technologies 631-636 and decide on one final prediction, herein, prevailing predicted class 660. Rules 654 are either manually written by analytical engineers, or they are automatically generated when analyzing the enriched training data 124 (FIG. 1) in steps 126, 130, 134, 138, 142, and 
The artisan of ordinary skill, starting with the system for anomaly detection of Dupont and Rasheed, would have appreciated the benefit of semantic rule analysis as proposed by Adjaoute. The ordinarily-skilled artisan would readily see the benefits of semantic rule analysis, which would provide the well-known, predictable, and expected results of translating expert knowledge of known threats/anomalies into actionable system rules. The artisan of ordinary skill would have been motivated to combine Dupont with Adjaoute as proposed above, at least because both are directed to predictive models. 
Therefore, a person having ordinary skill in the art at the effective filing date of the invention would have found it obvious to combine the system of anomaly detection of Dupont and Rasheed with the predictive model improvement based on fuzzy semantic rules of Adjaoute to achieve the well-known and expected benefit of incorporating expert knowledge to improve prediction.
Dupont and Adjaoute are understood not to teach predicting rates of change. Steiner teaches “[components of an anomaly detection system which] predict rates of change” (Steiner ¶0106, “Method 300 builds/creates a model or pattern of normalcy from the identified patterns of events, block 308. Utilizing the model of normalcy, method 300 may build/create rules, block 310, that determine how and whether anomalies are detected, how method 300 treats, characterizes and reacts to a detected anomaly, etc. … Method 300 may repeat 302-310, block 312, over time using 
The artisan of ordinary skill, starting with the system for anomaly detection of Dupont, Rasheed and Adjaoute, would have appreciated the benefit of anomalous event modeling as proposed by Steiner. The ordinarily-skilled artisan would readily see the benefits of tracking a normalcy model over time, which would provide the well-known, predictable, and expected results of recognizing changes in behavior. The artisan of ordinary skill would have been motivated to combine Dupont, Rasheed and Adjaoute with Steiner as proposed above, at least because both are directed to models of insider threat detection. 
Therefore, a person having ordinary skill in the art at the effective filing date of the invention would have found it obvious to combine the system of anomaly detection of Dupont, Rasheed and Adjaoute with the normalcy model tracking of Steiner to achieve the well-known and expected benefit of identifying normal vs. anomalous change over time.
Regarding claim 5, Dupont further teaches “a threat detector configured to detect threats” (Dupont ¶0811-0812, “An actor [220] that matches at least one of these archetypes would typically be flagged for investigation if for example the corresponding archetype(s) suggest a level of present or future insider threat, where an insider threat is defined as a series of malevolent or unintentional actions by a person trusted by the organization with access to sensitive or valuable information and/or assets. [0812] In 

Regarding claim 6, Dupont, Adjaoute, and Steiner further teach “the periodic set of components comprises a peer to peer analyzer, an actor correlation analyzer, an actor behavior analyzer,” (Dupont ¶0809, ¶0630, ¶0631) 
“a rate of change predictor,” (Steiner ¶0106) and 
“a semantic rule analyzer” (Adjaoute ¶0150).
Regarding claim 10, Dupont further teaches “the actor behavior analyzer is configured to examine any changes in actor behavior over time by comparing similarity of past behavior with current behavior” (Dupont ¶0185, “The anomaly detection component [450] continuously monitors the incoming stream of events [100] (both observed [102] and derived [104], including the behavioral model [200]) with the main goal of spotting anomalous behavior and anomalous patterns in the data based on statistical, analytical, and other types of properties associated to both recent data and historical data.” Comparing statistically the properties of recent data with historic data is one way of determining similarity of a monitored behavior stream.).
“the semantic rule analyzer is configured to encode conditional, provisional, cognitive, operational, and functional knowledge” (Adjaoute ¶0150, “Compiled flag settings rules are fuzzy rules (business rules) developed with fuzzy logic. Fuzzy rules are used to merge the predicted classes from all the predictive models and technologies 631-636 and decide on one final prediction, herein, prevailing predicted class 660. Rules 654 are either manually written by analytical engineers, or they are automatically generated when analyzing the enriched training data 124 (FIG. 1) in steps 126, 130, 134, 138, 142, and 146.” Determining the final predicted class is based on merging fuzzy membership in either automatically generated and/or manual sets. This is comparable to the Disclosure page 32’s rule sets.).

Regarding claim 12, Steiner further teaches “the rate of change predictor is configured to store similarity and correlation results over time and rates of change over time” (Steiner ¶0106, “The patterns may provide indications of relations between events in different data streams under typical operating conditions. Method 300 builds/creates a model or pattern of normalcy from the identified patterns of events, block 308. Utilizing the model of normalcy, method 300 may build/create rules, block 310, that determine how and whether anomalies are detected, how method 300 treats, characterizes and reacts to a detected anomaly, etc. … Method 300 may repeat 302-310, block 312, over time using machine learning techniques to continue to build and update 308 the model of normalcy and build and update 310 the rules.” Models, .

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Dupont in view of Rasheed, Adjaoute and Steiner and further in view of Mayhew et al, Use of Machine Learning in Big Data Analytics for Insider Threat Detection (“Mayhew”).
Regarding claim 8, Dupont, Rasheed, Adjaoute, and Steiner teach the system of claim 5. However, they do not teach exposing an API. Mayhew teaches “the threat detector employs an extreme vigilance application programming interface” (Mayhew page 921 column 1 paragraph 4, “BBAC provides an API for consuming threat status messages describing suspicious events via well-defined XML documents. This enables other components, such as the resiliency controllers being built under the Autonomic Resilient CDS (ARC) effort, to treat BBAC information as sensor input as part of a larger adaptation strategy.” Per page 36 of the Disclosure, the API is employed to expose threat information programmatically to other systems.).
The artisan of ordinary skill, starting with the system for anomaly detection of Dupont, Rasheed, Adjaoute, and Steiner, would have appreciated the benefit of providing an API for an anomaly based threat detector as proposed by Mayhew. The ordinarily-skilled artisan would readily see the benefits of exposing an application programming interface, which would provide the well-known, predictable, and expected results of enabling other programs to check threat information or consume threat related alerts. The artisan of ordinary skill would have been motivated to combine Dupont, 
Therefore, a person having ordinary skill in the art at the effective filing date of the invention would have found it obvious to combine the system of anomaly detection of Dupont, Adjaoute, and Steiner with the API provision of Mayhew to achieve the well-known and expected benefit of allowing coordination of threat information into larger software systems.
Response to Arguments
Applicant’s arguments with respect to claim(s) 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Please see the addition of the Rasheed reference for how the amended limitations were rejected.
Arguments regarding the invocation of 112f are persuasive and the claims are not being interpreted as invoking 112f.
The double patenting rejection will be held in abeyance and reconsidered at the time of the claims being determined to be allowable.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ERIC NILSSON whose telephone number is (571)272-5246.  The examiner can normally be reached on M-F: 9-5.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kakali Chaki can be reached on (571)-272-3719.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ERIC NILSSON/ Primary Examiner, Art Unit 2122