DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed December 01, 2020 have been fully considered but they are not persuasive. Applicant argues that the prior art on record does not teach determining a rarity score based on the probability of occurrence of a value of a particular field of an event. 
Examiner would point out that Awad US 2017/0192872 A1 teaches determining a rarity score based on the probability of occurrence of a value of a particular field of an event (i.e., determining a rarity score based on probability of occurrence of input data representing click stream of an internet traffic (paragraph 0032) and/or occurrence of input data representing system identifiers (paragraph 0027)). Examiner would point out that the prior art on record teaches the claim limitations and therefore the rejections are respectfully maintained.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-30 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-29 of U.S. Patent No. 10,038,707 B2 (hereinafter 707’ patent). Although the conflicting claims are not identical, they are not patentably distinct from each other because all elements of claims 1-30 of the present application correspond to elements of claims 1-29 of the 707’ patent. Claims 1-30 of the present application would have been obvious over claims 1-29 of the .

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-30 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Awad et al. US 2017/0192872 A1 [hereinafter Awad].

As per claims 1, 26 and 29, Awad teaches a method comprising: 
analyzing, by a computer system, event data representative of data traffic associated with a computer network to identify a field of the data traffic, the data traffic including a plurality of occurrences of the feature, each occurrence of the feature having one of a plurality of values of the field [paragraphs 0027, 0032, 0044, 0048 and 0111-0113];
identifying, by the computer system, a set of the values of the field whose probability of occurrence does not exceed a probability of occurrence of a particular value of the plurality of values of the field, the set of the values being those values of the field that have occurred not more than the number of times of the particular value [paragraphs 0044, 0048 and 0111-0113];  

detecting, by the computer system, that activity of an entity on the computer network is anomalous in a security context, by determining that an occurrence of the particular value of the field corresponds to an anomaly, based on the rarity score [paragraphs 0044, 0048 and 0111-0113].
 
	As per claim 2, Awad further teaches the method wherein the feature is an attribute of the data traffic that can assume one of a finite number of values, and wherein the feature includes at least one of (i) an Internet Protocol (IP) address, (ii) a port, (iii) a username of a user, (iv) a device identification (ID), (v) an application name, or (vi) a geo location of a device and/or user [paragraphs 0044, 0048 and 0111-0113]. 
 
	As per claim 3, Awad further teaches the method wherein determining the rarity score of the particular value is performed as part of execution of a machine learning model executing at the computer system [paragraphs 0044, 0048 and 0111-0113]. 
 
	As per claim 4, Awad further teaches the method wherein determining the occurrence of the particular value as an anomaly is performed as part of execution of a machine learning model executing at the computer system [paragraphs 0044, 0048 and 0111-0113].
 

 
	As per claim 6, Awad further teaches the method wherein analyzing the data traffic of the device includes analyzing the data traffic in real-time [paragraphs 0044, 0048 and 0111-0113]. 
 
	As per claims 7, 27 and 30, Awad further teaches the method wherein determining the rarity score of the particular value includes determining the rarity score as a function of a number of occurrences of the particular value, the set of the values and a total number of occurrences of the feature [paragraphs 0044, 0048 and 0111-0113]. 
 
	As per claim 8, Awad further teaches the method wherein determining the rarity score of the particular value includes: determining a rarity of the particular value as a function of a number of occurrences of the particular value and the set of the values and a total number of occurrences of the feature, and determining the rarity score for the particular value based on a confidence interval for the rarity [paragraphs 0044, 0048 and 0111-0113]. 
 
	As per claim 9, Awad further teaches the method wherein determining the rarity score of the particular value includes: determining a rarity of the particular value as a sum of a 
 
	As per claim 10, Awad further teaches the method wherein the rarity score is a tuple including a score threshold and a count threshold, the count threshold indicative of a number of times the particular value can be indicated as an anomaly [paragraphs 0044, 0048 and 0111-0113]; the method further comprising: using the count threshold to determine whether the particular value is an anomaly [paragraphs 0044, 0048 and 0111-0113]. 
 
	As per claim 11, Awad further teaches the method wherein determining the occurrence of the particular value as an anomaly includes incrementing a count of a number of times the particular value is indicated as an anomaly [paragraphs 0044, 0048 and 0111-0113]. 
 
	As per claim 12, Awad further teaches the method wherein determining the occurrence of the particular value as an anomaly includes determining that the rarity score of the particular value is less than a score threshold and that a count of a number of times the particular value is indicated as an anomaly is less than a count threshold [paragraphs 0044, 0048 and 0111-0113]. 
 
	As per claim 13, Awad further teaches the method wherein determining the occurrence of the particular value as an anomaly includes: determining that the occurrence of the 
 
	As per claim 14, Awad further teaches the method wherein determining the occurrence of the particular value as an anomaly includes determining the particular value as an anomaly based on a score threshold and a count threshold [paragraphs 0044, 0048 and 0111-0113]; the method further comprising: dynamically adjusting the score threshold and the count threshold based on a number of times the particular value is identified as an anomaly in a predefined period [paragraphs 0044, 0048 and 0111-0113]. 
 
	As per claim 15, Awad further teaches the method wherein analyzing the data traffic includes: obtaining information regarding the data traffic from a log, the log representing a plurality of events of the data traffic, each of the events including at least one feature [paragraphs 0044, 0048 and 0111-0113]. 
 
	As per claim 16, Awad further teaches the method wherein the feature is one of a plurality of features occurring in an event of the data traffic, and wherein determining the rarity score of the particular value of the feature includes determining the rarity score of the particular value when a first feature of the features occurs at a first value in the event [paragraphs 0044, 0048 and 0111-0113]. 
 

 
	As per claim 18, Awad further teaches the method further comprising: determining that an event of which the feature is a part as an anomaly based on a rarity score for at least some features in the event and a number of the features whose rarity scores do not satisfy a score threshold for the event [paragraphs 0044, 0048 and 0111-0113].
 
	As per claim 19, Awad further teaches the method further comprising: determining the rarity score for each of a set of features in an event of which the feature is a part, determining a number of the set of features whose rarity scores do not satisfy a score threshold for the event, and determining the event as an anomaly if the number of set of features satisfy a feature count threshold for the event [paragraphs 0044, 0048 and 0111-0113]. 
 
	As per claim 20, Awad further teaches the method further comprising: determining an event of which the feature is a part as an anomaly based on whether a particular feature of a plurality of features of the event is determined as anomalous [paragraphs 0044, 0048 and 0111-0113].

	As per claim 21, Awad further teaches the method further comprising: determining an event of which the feature is a part as an anomaly based on whether a particular feature pair of a plurality of features of the event is determined as anomalous [paragraphs 0044, 0048 and 0111-0113]. 
 
	As per claim 22, Awad further teaches the method wherein determining the occurrence of the particular value as an anomaly includes: determining an event of which the feature is a part as an anomaly based on at least one of (i) a number of a plurality of features of the event that are determined as anomalous, (ii) whether a particular feature of the features is determined as anomalous, or (iii) a number of times the event has been identified as an anomaly [paragraphs 0044, 0048 and 0111-0113]. 
 
	As per claim 23, Awad further teaches the method further comprising: determining an event of which the feature is a part as an anomaly based on a plurality of thresholds, the thresholds being dynamically adjusted by the computer system based on a number of times the event is identified as an anomaly in a predefined period [paragraphs 0044, 0048 and 0111-0113].
 
	As per claim 24, Awad further teaches the method wherein analyzing the data traffic includes: tracking for each of the occurrences of the feature a corresponding value of the 
 
	As per claim 25, Awad further teaches the method wherein analyzing the data traffic includes: determining an occurrence of a feature pair, the feature pair including a first feature and a second feature, wherein the first feature is the feature, tracking for each of the occurrences of the feature pair a corresponding value of the first feature when the second feature occurs at a first value, and storing a count of the occurrences of the corresponding value [paragraphs 0044, 0048 and 0111-0113]. 

	As per claim 28, Awad further teaches the medium 28, wherein determining the rarity score of the particular value comprises: determining the rarity score of the particular value based on a confidence interval for a first parameter and a second parameter, the first parameter determined as a function of a number of occurrences of the particular value and the set of the values, the second parameter determined as a function of a total number of occurrences of the feature [paragraphs 0044, 0048 and 0111-0113]. 
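
The rarity-score limitations recited in claims 1, 7 and 10-12 can be illustrated with a short program. This is an added example, not code from the application, the 707’ patent or Awad. It assumes one reading of the claim language: the rarity score is the summed relative frequency of all values of the field that have occurred no more often than the particular value. The class name, thresholds and port data are constructed for illustration.

```python
from collections import Counter

class RarityDetector:
    """Per-field rarity scoring with a score threshold and a count threshold."""

    def __init__(self, score_threshold, count_threshold, baseline=None):
        self.score_threshold = score_threshold
        self.count_threshold = count_threshold
        self.counts = Counter(baseline or {})   # occurrences per field value
        self.flagged = Counter()                # times each value was flagged

    def rarity_score(self, value):
        # Assumed formula: summed relative frequency of all values that have
        # occurred no more often than `value` (the value itself included).
        total = sum(self.counts.values())
        n = self.counts.get(value, 0)
        if total == 0 or n == 0:
            return 0.0                          # never seen: rarest possible
        return sum(c for c in self.counts.values() if c <= n) / total

    def observe(self, value):
        """Count one occurrence, then return (score, is_anomaly)."""
        self.counts[value] += 1
        score = self.rarity_score(value)
        # Anomalous only while the score is below the score threshold AND the
        # value has been flagged fewer times than the count threshold.
        anomalous = (score < self.score_threshold
                     and self.flagged[value] < self.count_threshold)
        if anomalous:
            self.flagged[value] += 1
        return score, anomalous

# Constructed sample data: destination-port counts from earlier traffic,
# followed by five new events.
BASELINE = {443: 60, 80: 30, 53: 8}
NEW_EVENTS = [8081, 443, 8081, 8081, 53]

def run_demo():
    det = RarityDetector(score_threshold=0.05, count_threshold=2,
                         baseline=BASELINE)
    return [(port, *det.observe(port)) for port in NEW_EVENTS]

if __name__ == "__main__":
    for port, score, anomalous in run_demo():
        print(f"port={port:<5} rarity={score:.4f} anomaly={anomalous}")
```

The third occurrence of the rare port still scores below the score threshold but is no longer reported, because it has already been flagged as many times as the count threshold allows.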

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BEEMNET W DADA whose telephone number is (571)272-3847.  The examiner can normally be reached on Monday-Friday, 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


BEEMNET W. DADA
Primary Examiner
Art Unit 2435


