DETAILED ACTION
This action is responsive to communications filed 26 January 2021.
Claims 17-20 remain cancelled.
Claim 4 has been cancelled.
Claim 27 has been added.
Claims 1-3, 5-16 and 21-27 are subject to examination.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 26 January 2021 has been entered.
Response to Arguments
Applicant’s arguments have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the 

Claims 1, 5, 9, 13 and 21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey et al. (US-20170339178-A1) hereinafter Mahaffey in view of Ridley (US-20180115574-A1) further in view of BOUBEZ (US-20150341246-A1) hereinafter Boubez.
Regarding claim 9, Mahaffey discloses:
A system for reducing storage space used in tracking behavior of a plurality of network endpoints by modeling the behavior with a behavior model ([0005] [0035] [FIG. 13] e.g. one example of a system for device monitoring, evaluation, and response, for a continuing need to develop improved systems and techniques for monitoring computing device activity, quickly and accurately identifying threats, and responding accordingly.), the system comprising: 
storage circuitry ([0114-0119] [FIG. 7] items 745, 755, 784, 787, 790, 793 a datastore (i.e. storage circuitry)); 
communications circuitry ([0037] [FIG. 1] server system 120 coupled to a communication network 125 via a plurality of communication links 130 requires communications circuitry); and 
control circuitry ([0114-0119] [FIG. 7] server system 738, wherein there can be multiple servers that are part of a server system e.g. 740, 750, 760, 765) configured to: 
receive, by the communications circuitry ([FIGs. 4-5] server receives through network data from multiple devices requires communications circuitry), a plurality of records, each respective record of the plurality of records corresponding to a respective network endpoint of the plurality of network endpoints ([0058] [FIGs. 4-5] data from the monitoring is transmitted over the network to the server (i.e. received by the server), see server 415 connected to network 420 collecting data from each of the devices 410 respectively, e.g. devices 1 - 1000 and 1001 – N); 
determine the respective network endpoint, of a plurality of network endpoints, to which each respective record of the plurality of records corresponds ([0181-183] analysis server can generate (i.e. determining) a normal context behavior model and an actual context behavior model, e.g. a norm is a ‘known ok for a device’, wherein for multiple devices requires a model for each device, wherein for each device requires appropriate records corresponding to appropriate devices, see further [0014] wherein the server determines that activity associated with a first device of the plurality of devices is outside the norm requires the appropriate record corresponding to the appropriate device, i.e. determining the respective endpoint corresponding to the record, such as a record of a first device corresponding to a first device); 
generate, for each respective network endpoint, a respective behavior model ([0181-183] analysis server can generate a normal context behavior model and an actual context behavior model, e.g. a norm is a ‘known ok for a device’, wherein for multiple devices requires a model for each device); and 
store, by the storage circuitry, each respective behavior model ([0085] models can be on the server, device, or both, see [0114-0119] [FIG. 7] items 745, 755, 784, 787, 790, 793 a datastore (i.e. storage circuitry) e.g. norm (normal pattern) anomalies, device and app characterization models, etc.).  
	Mahaffey does not explicitly disclose:
assign a respective dedicated queue for each respective network endpoint; 
transmit, to each respective dedicated queue, each record of the plurality of records that corresponds to the respective network endpoint to which the respective dedicated queue is assigned; 
generate, based on each record of each respective dedicated queue corresponding to each respective network endpoint, a respective vector representing a respective behavior model;
store, by the storage circuitry, each respective vector in a memory; and

	However, Ridley discloses:
assign a respective dedicated queue for each respective network endpoint ([0056] a queue may be created for each of the network sensors); 
transmit, to each respective dedicated queue, each record of the plurality of records that corresponds to the respective network endpoint to which the respective dedicated queue is assigned ([0056] a server may receive metadata from a first network sensor, and store (i.e. transmit to the queue) the metadata in a first queue associated with the first network sensor, wherein for multiple sensors requires multiple queues);
determine, based on each record of each respective dedicated queue corresponding to each respective network endpoint, a respective behavior model ([0006] queue instantiated on the server may be created to store the metadata from the network sensor, wherein by analyzing the metadata over a period of time, a machine learning module instantiated on the server may gradually learn the typical behavior of each of the embedded devices and store a description of the typical behavior in a behavioral profile (i.e. model))
	It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Mahaffey in view of Ridley in order to assign a respective queue to each of the endpoints, wherein each queue receives records regarding their respective endpoints, and wherein each of the records of each queue regarding their respective endpoints is utilized to determine a behavior model for each of the respective endpoints. One of ordinary skill in the art would have been motivated to do so to detect anomalous behavior of the one or more embedded devices (Ridley, [0056]).

generate a respective vector representing a respective behavior model;
store, by the storage circuitry, each respective vector in a memory; and
determine an anomalous behavior state for a network endpoint in the plurality of network endpoints by comparing the respective vector of the network endpoint to a normalcy threshold in a multidimensional space.
	However, Boubez discloses:
generate a respective vector representing a respective behavior model ([0107] wavelet decomposition is used to characterize the behavior of one or more of servers, wherein the statistics and a set of wavelet coefficients are concatenated into a single n-dimensional vector (i.e. vector representing a respective behavior model));
store, by the storage circuitry, each respective vector in a memory ([FIG. 1] [0087] database 115 [0016-0017] metrics include one or more log entries/collected prior to the start of the time period, wherein metrics and statistics are concatenated into a vector, and wherein for a degree of anomaly to be determined from a vector based on metrics collected/logged (i.e. stored) requires that the vector is stored to be used by the system, e.g. in anomaly analysis); and
determine an anomalous behavior state for a network endpoint in the plurality of network endpoints by comparing the respective vector of the network endpoint to a normalcy threshold in a multidimensional space ([0016] computing a distance measurement from the feature vector of a first server of the plurality of servers to the center of mass, determining a degree of anomaly of the first server based on the distance measurement, and generating an alert when the degree of anomaly of the first server exceeds a predetermined threshold).
It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Mahaffey-Ridley in view of Boubez to have 
Regarding claim 13, Mahaffey-Ridley-Boubez disclose:
The system of claim 9, as set forth above,
Mahaffey discloses:
wherein each respective record identifies a respective single network flow originating from the respective network endpoint that corresponds to the respective record ([0200] identifying the network connection an application makes, e.g. an actual netflow [0274-0278] monitor that a network transmission is being performed by app A on device D to network destination N at time T and observation collection server can receive the data gathered from device D and network appliance R and correlate the information from both based on them both involving a transmission from device D to network destination N at time T, wherein the system generates an audit trail or audit system, the audit records things that happen on the device).
	Regarding claims 1 and 21, they do not further define nor teach over the limitations of claim 9, therefore, claims 1 and 21 are rejected for at least the same reasons set forth above as in claim 9.
	Regarding claim 5, it does not further define nor teach over the limitations of claim 13, therefore, claim 5 is rejected for at least the same reasons set forth above as in claim 13.
Claims 3-4, 11-12 and 25 is/are rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey-Ridley-Boubez in view of Wright et al. (US-20170149813-A1) hereinafter Wright.
Regarding claim 11, Mahaffey-Ridley-Boubez disclose:

Mahaffey does not explicitly disclose:
encode data of each respective record within the respective dedicated queue as a floating point value in the respective vector.
However, Ridley discloses:
transmit, to each respective dedicated queue, each record of the plurality of records that corresponds to the respective network endpoint to which the respective dedicated queue is assigned ([0056] a server may receive metadata from a first network sensor, and store (i.e. transmit to the queue) the metadata in a first queue associated with the first network sensor, wherein for multiple sensors requires multiple queues),
It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Mahaffey in view of Ridley in order to assign a respective queue to each of the endpoints, wherein each queue receives records regarding their respective endpoints, and wherein each of the records of each queue regarding their respective endpoints is utilized to determine a behavior model for each of the respective endpoints. One of ordinary skill in the art would have been motivated to do so to detect anomalous behavior of the one or more embedded devices (Ridley, [0056]).
Mahaffey-Ridley do not explicitly disclose:
encode data of each respective record as a floating point value in the respective vector.
However, Wright discloses:
encode data of each respective record as a floating point value in the respective vector ([0031] extracted characteristics may be converted to features that are expressed numerically (e.g. as floating point numbers) and a n-dimensional evidence vector representing one or more events/behaviors may be generated, wherein the normalized values may be inserted into (or assigned to) the evidence vector).  
	It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Mahaffey-Ridley in view of Wright in order to encode data of each record within the queue as a floating point value in a multi-dimensional vector. One of ordinary skill in the art would have been motivated to do so in order to calculate a difference between corresponding feature values of an evidence vector and a protocol vector, as to represent the probability that an evidence vector is representative of a directional cluster of behavior or an anomaly (Wright, [0032]).
Regarding claim 12, Mahaffey-Ridley-Boubez-Wright disclose:
The system of claim 11, as set forth above, wherein the control circuitry is further configured to:
Mahaffey-Ridley do not explicitly disclose:
in response to determining the anomalous behavior state for the network endpoint alert a network administrator.
However, Boubez discloses:
in response to determining the anomalous behavior state for the network endpoint alert a network administrator ([0016] generating an alert when the degree of anomaly of the first server exceeds a threshold)
	It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Mahaffey-Ridley in view of Boubez in order to alert a network administrator when an anomaly is detected. One of ordinary skill in the art would have been motivated to do so in order to generate an alert when a degree of anomaly of the first server exceeds the predetermined threshold (Boubez, [0016]).   
Regarding claim 25, Mahaffey-Ridley-Boubez disclose: 

Mahaffey-Ridley-Boubez do not explicitly disclose:
tracking behavior of each respective network point over time by comparing a current position of the respective vector in the multidimensional space to a previous position of a previous version of the respective vector in the multidimensional space.
However, Wright discloses:
tracking behavior of each respective network endpoint over time by comparing a current position of the respective vector in the multidimensional space to a previous position of a previous version of the respective vector in the multidimensional space ([0016] prototype vector may refer to an n-dimensional vector of numerical features that represents one or more objects, or previous events or behaviors, wherein an evidence vector may be compared to one or more prototype vectors to determine a “best fit” (e.g. the most similar vector; i.e. tracking behavior by comparing a current position of the vector to a previous position) such as by a directional cluster (determine the degree of directional anomaly) and/or magnitude cluster (determine the degree of magnitude anomaly), the assessment information resulting from the comparisons may be combined into a composite assessment to determine the prototype vector that share the largest amount of characteristics and/or characteristic values with a compared evidence vector).
It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Mahaffey-Ridley-Boubez in view of Wright to have tracked behavior of each respective network point over time by comparing a current position of the respective vector to a previous version. One of ordinary skill in the art would have been motivated to do so to identify whether the network event corresponding to the evidence vector most likely represents expected behavior or anomalous behavior (Wright, [0016]).
Claims 2 and 10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey-Ridley-Boubez in view of He et al. (US-20140181825-A1) hereinafter He.
Regarding claim 10, Mahaffey-Ridley-Boubez disclose:
The system of claim 9, as set forth above, wherein to generate the respective vector representing the respective behavior model the control circuitry is further configured to:
Mahaffey discloses:
identify a plurality of modules programmed to generate behavior models ([0119] baseline generator 770, anomaly evaluation component 775, context ontology 778, filter 781 must be known to the system to be utilized as to generate the proper models/patterns, as stored in datastores 784, 787, 790, 793 i.e. for normal usage patterns (e.g. baseline), anomalies, application characterization models, and device characterization models); 
	Mahaffey does not explicitly disclose:
identify a plurality of modules programmed to generate the respective vectors representing the respective behavior models
identify a module of the plurality of modules that is idle; and 
command the idle module to generate the respective vector representing the respective behavior model.  
However, Boubez discloses:
identify a plurality of modules programmed to generate the respective vectors representing the respective behavior models ([0016] concatenating the metrics and the statistics into a corresponding n-dimensional feature vector; wherein the processing components must be known to the system to be utilized as to generate the proper vectors/models),

Mahaffey-Boubez do not explicitly disclose:
identify a module of the plurality of modules that is idle; and 
command the idle module.
	However, He discloses:
identify a module of the plurality of modules that is idle ([0090] determines whether there is an idle computing unit); and 
command the idle module ([0090] assigns the new job to one of the idle computing units).  
	It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Mahaffey-Boubez in view of He in order to identify if an idle module exists and utilize an idle module to perform the determination of vectors representing behavior models. One of ordinary skill in the art would have been motivated to do so to assign a new job to the highest-performing processing module such as an idle unit (He, [0085]).
	Regarding claim 2, it does not further define nor teach over the limitations of claim 10, therefore, claim 2 is rejected for at least the same reasons set forth above as in claim 10.
Claims 6 and 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey-Ridley-Boubez in view of Varsanyi et al. (US-20140201838-A1) hereinafter Varsanyi.
Regarding claim 14, Mahaffey-Ridley-Boubez disclose:
The system of claim 13, as set forth above, wherein to encode the data of each respective record within the respective dedicated queue the control circuitry is further configured to:

extract respective data from a respective field of a respective single network flow; and 
concatenate the respective data into a string
However, Varsanyi discloses:
extract respective data from a respective field of a respective single network flow ([0064] extract a model or description of semantic operations performed between two network agents, the model may include descriptive metadata (e.g. query string)); and 
concatenate the respective data into a string ([0064] extract a model or description of semantic operations performed between two network agents, the model may include descriptive metadata (e.g. query string) [0130] pull specific patterns of data out of the stream and compose valid data, e.g. using a string template to recognize a string).  
	It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Mahaffey-Ridley-Boubez in view of Varsanyi in order to extract data and concatenate it into a string. One of ordinary skill in the art would have been motivated to do so to decode elements into a data form useful for building a model (Varsanyi, [0126]).
	Regarding claim 6, it does not further define nor teach over the limitations of claim 14, therefore, claim 6 is rejected for at least the same reasons set forth above as in claim 14.
Claims 7 and 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey-Ridley-Boubez-Varsanyi in view of Park (US-20140058539-A1) in view of Parameshwara et al. (US-20190138616-A1) hereinafter Parameshwara.
Regarding claim 15, Mahaffey-Ridley-Boubez-Varsanyi disclose:
The system of claim 14, as set forth above, wherein the control circuitry is further configured to:
Mahaffey-Ridley-Boubez-Varsanyi do not explicitly disclose:
form a document with the string by concatenating the string with a plurality of other strings;

analyze, using the doc2vec algorithm, the document using a shallow neural network; and 
output, based on the analyzing, the respective vector. 
However, Park discloses:
form a document with the string by concatenating the string with a plurality of other strings ([0064] documents (e.g. concatenated strings)); 
It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Mahaffey-Ridley-Boubez-Varsanyi in view of Park in order to form documents from concatenated strings. One of ordinary skill in the art would have been motivated to do so to capture and preserve recurring term usage patterns (Park, [0064]).
Mahaffey-Ridley-Boubez-Varsanyi-Park do not explicitly disclose:
feed the document into a Document to Vector ("doc2vec") algorithm; 
analyze, using the doc2vec algorithm, the document using a shallow neural network; and 
output, based on the analyzing, the respective vector. 
However, Parameshwara discloses:
feed the document into a Document to Vector ("doc2vec") algorithm ([0024] applying a doc2vec model on columns of a product database (i.e. document)); 
analyze, using the doc2vec algorithm, the document using a shallow neural network ([0024] neural network model includes applying a doc2vec model to create a document vector, creating a document vector is equated as analyzing the document using a shallow neural network, {note: the specification in [0036] denotes feeding the document into the doc2vec algorithm and using a shallow neural network to generate a vector}); and 
output, based on the analyzing, the respective vector ([0024] create a document vector (i.e. output) e.g. a neural network model applying a doc2vec model).

Regarding claim 7, it does not further define nor teach over the limitations of claim 15, therefore, claim 7 is rejected for at least the same reasons set forth above as in claim 15.
Claims 8 and 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey-Ridley-Boubez-Wright in view of Andersson et al. (US-6836719-B2) hereinafter Andersson.
Regarding claim 16, Mahaffey-Ridley-Boubez-Wright disclose:
The system of claim 11, as set forth above,
Mahaffey discloses:
wherein the plurality of records is of a first data size ([0211] large amount of data available for collection [0215] large volume of data), 
Mahaffey does not explicitly disclose:
wherein a sum of a data size of each respective behavior model is of a second data size, and wherein the second data size is two or more orders of magnitude smaller than the first data size.  
However, Andersson discloses:
wherein a sum of a data size of each respective behavior model is of a second data size, and wherein the second data size is two or more orders of magnitude smaller than the first data size ([col. 1, ls. 66-col. 2, ls. 10] extracting, from the map data base, one or more road attributes for the current and/or upcoming road section, and relating the road attributes to the driver behavior model, so the size of the map database may be made smaller, since only said attributes need to be stored, wherein if one attribute defines a behavior and multiple attributes are recorded, then the size of the behavior will be at least two or more orders of magnitude smaller than the recorded data, i.e. all of the data including more than just attribute data).
	It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Mahaffey in view of Andersson to have behavior data be two or more orders of magnitude smaller than the first data size. One of ordinary skill in the art would have been motivated to do so to make the size of the map database smaller (Andersson, [col. 1, ls. 66-col. 2, ls. 3]).
	Regarding claim 8, it does not further define nor teach over the limitations of claim 16, therefore, claim 8 is rejected for at least the same reasons set forth above as in claim 16.
Claims 22-24 is/are rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey-Ridley-Boubez-He-Varsanyi.
Regarding claim 22, Mahaffey-Ridley-Boubez disclose:
The non-transitory computer-readable medium of claim 21, as set forth above, wherein the generating the respective vectors representing the respective behavior models further comprises: 
Mahaffey discloses:
identifying a plurality of modules programmed to generate behavior models ([0119] baseline generator 770, anomaly evaluation component 775, context ontology 778, filter 781 must be known to the system to be utilized as to generate the proper models/patterns, as stored in datastores 784, 787, 790, 793 i.e. for normal usage patterns (e.g. baseline), anomalies, application characterization models, and device characterization models); 
	Mahaffey does not explicitly disclose:
identifying a plurality of modules programmed to generate the respective vectors representing the respective behavior models;
identifying modules of the plurality of modules that is idle; and 

assigning a first portion of the identified idle modules to the first dedicated queues.
However, Boubez discloses:
identifying a plurality of modules programmed to generate the respective vectors representing the respective behavior models ([0016] concatenating the metrics and the statistics into a corresponding n-dimensional feature vector; wherein the processing components must be known to the system to be utilized as to generate the proper vectors/models),
It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Mahaffey in view of Boubez to identify modules programmed to generate respective vectors representing the respective behavior models. One of ordinary skill in the art would have been motivated to do so in order to generate an alert when a degree of anomaly of the first server exceeds the predetermined threshold (Boubez, [0016]).
Mahaffey-Boubez do not explicitly disclose:
identifying modules of the plurality of modules that is idle; and 
determining first dedicated queues each having a number of records that exceed a threshold value; and
assigning a first portion of the identified idle modules to the first dedicated queues
	However, He discloses:
identifying modules of the plurality of modules that is idle ([0090] determines whether there is an idle computing unit); and 
assigning a first portion of the identified idle modules to the first dedicated queues ([0090-0092] assigns the new job to one of the idle computing units, and storing jobs in the job queue if there are no idle threads available (i.e. idle threads handle jobs from the job queue)).  

Mahaffey-Boubez-He do not explicitly disclose:
determining first dedicated queues each having a number of records that exceed a threshold value;
However, Varsanyi discloses:
determining first dedicated queues each having a number of records that exceed a threshold value ([0201] queue-size threshold, wherein once the threshold is reached requires determining if the threshold is reached, and then processing may be forced);
It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Mahaffey-Boubez-He in view of Varsanyi in order to determine queues having a number of records that exceed a threshold value to commence processing of the queue. One of ordinary skill in the art would have been motivated to do so to provide queue discipline, i.e. for low latency when traffic is light and low overhead when traffic is heavy (Varsanyi, [0201]).
Regarding claim 23, Mahaffey-Ridley-Boubez-He-Varsanyi disclose:
The non-transitory computer-readable medium of claim 22, as set forth above, wherein the generating the respective vectors representing the respective behavior models further comprises:
Mahaffey does not explicitly disclose:
assigning a second portion of the identified idle modules to second dedicated queues based on a load balancing scheme.

transmit, to each respective dedicated queue, each record of the plurality of records that corresponds to the respective network endpoint to which the respective dedicated queue is assigned ([0056] a server may receive metadata from a first network sensor, and store (i.e. transmit to the queue) the metadata in a first queue associated with the first network sensor, wherein for multiple sensors requires multiple queues),
It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Mahaffey in view of Ridley in order to assign a respective queue to each of the endpoints, wherein each queue receives records regarding their respective endpoints, and wherein each of the records of each queue regarding their respective endpoints is utilized to determine a behavior model for each of the respective endpoints. One of ordinary skill in the art would have been motivated to do so to detect anomalous behavior of the one or more embedded devices (Ridley, [0056]).
Mahaffey-Ridley do not explicitly disclose:
assigning a second portion of the identified idle modules to second dedicated queues based on a load balancing scheme.
However, He discloses:
assigning a second portion of the identified idle modules to second dedicated queues based on a load balancing scheme ([0085] [0092] In the two-way SMT example of FIG. 8, the scheduling module 118 can be more simply said to assign the new job to the computing unit handling the youngest job. In block 912, the scheduling module 118 stores the new job in the job queue 120 if there are no idle threads available (i.e. assigned for the future), wherein In this case, the scheduling module 118 can select one of the computing units using the following illustrative and non-limiting logic: (a) first, the scheduling 118 identifies the most-urgent job currently being handled by each of the qualifying computing units, to provide a set of most-urgent jobs; (b) second, the scheduling module 118 identifies a least-urgent job within the set of most-urgent jobs, providing a "least-urgent-among-most-urgent" job, e.g., a "youngest-oldest" job; (c) third, the scheduling module 118 identifies the computing unit associated with the youngest-oldest job, to provide an identified computing unit; and (d) fourth, the scheduling module 118 assigns the new job to an idle thread of the identified computing unit, If both computing units are idle, the scheduling module 118 can select one of them based on any selection criterion, such as by randomly selecting a computing unit, i.e. assigning when it is idle compared to the non-idle unit, e.g. balancing the load across idle units).
It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Mahaffey-Ridley in view of He in order to load balance assignment of queues across idle modules. One of ordinary skill in the art would have been motivated to do so to assign a job to an idle thread of the identified computing unit (He, [0085]).
Regarding claim 24, Mahaffey-Ridley-Boubez-He-Varsanyi disclose:
The non-transitory computer-readable medium of claim 22, as set forth above, wherein the generating the respective vectors representing the respective behavior models further comprises: 
Mahaffey does not explicitly disclose:
randomly assigning a second portion of the identified idle modules to second dedicated queues.
However, Ridley discloses:
transmit, to each respective dedicated queue, each record of the plurality of records that corresponds to the respective network endpoint to which the respective dedicated queue is assigned ([0056] a server may receive metadata from a first network sensor, and store (i.e. transmit to the queue) the metadata in a first queue associated with the first network sensor, wherein for multiple sensors requires multiple queues),

Mahaffey-Ridley do not explicitly disclose:
randomly assigning a second portion of the identified idle modules to second dedicated queues.
However, He discloses:
randomly assigning a second portion of the identified idle modules to second dedicated queues ([0085] [0092] In the two-way SMT example of FIG. 8, the scheduling module 118 can be more simply said to assign the new job to the computing unit handling the youngest job. In block 912, the scheduling module 118 stores the new job in the job queue 120 if there are no idle threads available (i.e. assigned for the future), wherein in this case, the scheduling module 118 can select one of the computing units using the following illustrative and non-limiting logic: (a) first, the scheduling module 118 identifies the most-urgent job currently being handled by each of the qualifying computing units, to provide a set of most-urgent jobs; (b) second, the scheduling module 118 identifies a least-urgent job within the set of most-urgent jobs, providing a "least-urgent-among-most-urgent" job, e.g., a "youngest-oldest" job; (c) third, the scheduling module 118 identifies the computing unit associated with the youngest-oldest job, to provide an identified computing unit; and (d) fourth, the scheduling module 118 assigns the new job to an idle thread of the identified computing unit. If both computing units are idle, the scheduling module 118 can select one of them based on any selection criterion, such as by randomly selecting a computing unit, i.e. assigning when it is idle compared to the non-idle unit, e.g. balancing the load across idle units).
It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Mahaffey-Ridley in view of He in order to randomly assign queues across idle modules. One of ordinary skill in the art would have been motivated to do so to assign a job to an idle thread of the identified computing unit (He, [0085]).
Claim 26 is/are rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey-Ridley-Boubez-Wright in view of Dang et al. (US-10635565-B2) hereinafter Dang.
Regarding claim 26, Mahaffey-Ridley-Boubez-Wright disclose:
The method of claim 25, as set forth above,
Mahaffey-Ridley-Boubez-Wright do not explicitly disclose:
wherein the comparing is performed using a Kalman filter.
However, Dang discloses:
wherein the comparing is performed using a Kalman filter ([col. 21, ls. 45-56] Kalman filter may be used to monitor the stream for outlier detection).
It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Mahaffey-Ridley-Boubez-Wright in view of Dang to have compared using a Kalman filter. One of ordinary skill in the art would have been motivated to do so to monitor a data stream for outlier detection (Dang, [col. 21, ls. 45-56]).
Claim 27 is/are rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey-Ridley-Boubez in view of Vasseur et al. (US-20150195296-A1) hereinafter Vasseur.
Regarding claim 27, Mahaffey-Ridley-Boubez disclose:
The method of claim 1, as set forth above, further comprising: 
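Mahaffey-Ridley-Boubez do not explicitly disclose:
tracking behavior of the network endpoint in the plurality of network endpoints by deriving a multivariate Gaussian distribution to determine a current position of the respective vector of the network endpoint in the multidimensional space.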
However, Vasseur discloses:
tracking behavior of the network endpoint in the plurality of network endpoints by deriving a multivariate Gaussian distribution to determine a current position of the respective vector of the network endpoint in the multidimensional space ([0103] aggregated statistics define the size and shape of a Gaussian distribution, i.e. the mean vector represents the coordinates of the center of the distribution (i.e. position)).
It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Mahaffey-Ridley-Boubez in view of Vasseur to have tracked behavior of the network endpoint by deriving a multivariate Gaussian distribution to determine a current position of the respective vector in the multidimensional space. One of ordinary skill in the art would have been motivated to do so to define a Gaussian distribution wherein the mean vector represents the coordinates of the center of the distribution (Vasseur, [0103]).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Skibiski et al. (US-20100082301-A1) EVENT IDENTIFICATION SENSOR ANALYTICS; 
Kupreev et al. (US-20180069880-A1) SYSTEM AND METHOD FOR DETECTING ANOMALOUS ELEMENTS OF WEB PAGES;
GUPTA et al. (US-20160261465-A1) BEHAVIORAL ANALYSIS TO AUTOMATE DIRECT AND INDIRECT LOCAL MONITORING OF INTERNET OF THINGS DEVICE HEALTH;
SIPPLE (US-20150101053-A1) SYSTEM AND METHOD FOR DETECTING INSIDER THREATS;
Bird et al. (US-9143393-B1) SYSTEM, METHOD AND APPARATUS FOR CLASSIFYING DIGITAL DATA;
Christodorescu et al. (US-20180198812-A1) CONTEXT-BASED DETECTION OF ANOMALOUS BEHAVIOR IN NETWORK TRAFFIC PATTERNS;
Devitt et al. (US-20100049676-A1) ARRANGEMENT AND METHOD FOR NETWORK MANAGEMENT;
Runkle et al. (US-20080243439-A1) SENSOR EXPLORATION AND MANAGEMENT THROUGH ADAPTIVE SENSING FRAMEWORK;
Eliazar (US-20090312985-A1) MULTIPLE HYPOTHESIS TRACKING;
KAWAI et al. (US-20160055044-A1) FAULT ANALYSIS METHOD, FAULT ANALYSIS SYSTEM, AND STORAGE MEDIUM;
Cohen et al. (US-20160366164-A1) NETWORK INTRUSION DATA ITEM CLUSTERING AND ANALYSIS;
Simhon et al. (US-20170300532-A1) EVENT LOG ANALYSIS;
Razin et al. (US-20170017537-A1) APPARATUS AND METHOD OF LEVERAGING SEMI-SUPERVISED MACHINE LEARNING PRINCIPALS TO PERFORM ROOT CAUSE ANALYSIS AND DERIVATION FOR REMEDIATION OF ISSUES IN A COMPUTER ENVIRONMENT;
Dasgupta et al. (US-20170279837-A1) GATHERING FLOW CHARACTERISTICS FOR ANOMALY DETECTION SYSTEMS IN PRESENCE OF ASYMMETRICAL ROUTING;
James et al. (US-20180234302-A1) SYSTEMS AND METHODS FOR NETWORK MONITORING;
Harutyunyan et al. (US-20190138420-A1) METHODS AND SYSTEMS THAT EFFICIENTLY STORE AND ANALYZE MULTIDIMENSIONAL METRIC DATA;
Sekhar Kakaraparthi (US-20190163515-A1) METHOD AND SYSTEM FOR RESOLVING ANOMALY EVENTS OCCURRING IN A VIRTUAL ENVIRONMENT IN REAL-TIME;
Weingarten et al. (US-20190052659-A1) METHODS, SYSTEMS, AND DEVICES FOR DYNAMICALLY MODELING AND GROUPING ENDPOINTS FOR EDGE NETWORKING.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Alex H. Tran whose telephone number is (571)272-8173.  The examiner can normally be reached on Monday-Friday 11AM-6PM ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Divecha B. Kamal can be reached on (571)272-5863.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Alex H. Tran/Examiner, Art Unit 2453
/KAMAL B DIVECHA/Supervisory Patent Examiner, Art Unit 2453