DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is responsive to an amendment filed on 02/26/2021.
Claims 1-20 have been amended.
Applicant’s arguments/amendments with respect to pending claims 1-20 have been carefully considered and therefore the claims are rejected under new grounds. Examiner respectfully points out that this action is made final (see MPEP 706.07a).

Response to Amendment
	The rejection of claims 8-14 under 35 U.S.C. 101 is withdrawn in view of the claims amendment.

Response to Arguments
Applicant’s arguments with respect to pending claims 1-20 have been carefully examined but they are considered moot in view of the new rejection.

Claim Rejections - 35 USC § 112
Claims 3, 10 and 17 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint the recurring time periods are selected from the group consisting of times of the day, days of the week, weeks of the month/year, months of the year, and combinations thereof” recited by said claims.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

	Claims 1-3, 5-10, 12-17 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Malkov et al. US 2020/0159624 A1 (hereinafter Malkov) in view of Stirtzinger et al. US 2014/0143873 A1 (hereinafter Stirtzinger).
Regarding claim 1, Malkov substantially discloses:
A method for detecting abnormal activity occurring on a computing system, the method comprising (“systems, methods and processes” designed to “learn and establish baseline parameters of routine, normal and non-compromised behavior and activity of virtual machines” (VMs, running on a host machine 80) and to “detect and recognize anomalous events” (Malkov: par. 3, 19, 83-84, 114, Fig. 1, 3)):
observing, by a at least one processor over a period of time, activity occurring on a computing system; establishing, for the computing system based on the observations, normal ranges that are associated with the activity   normal ranges] indicative of normal, routine and non-compromised operations of the respective instance.  In embodiments, various baseline parameters (normal ranges) are established and programmed into machine learning logic module 200 prior to launch of System 100 and serve as starting points for module 200” (Malkov: par. 115).
During the anomaly detection phase, the anomaly detection engine 300A “monitors and analyzes…that same data as that data [that] is generated from systems logs…and compares its statistical analysis of same to the baseline parameters [normal ranges] established by the machine learning module 200”; anomalous activity is detected when “activity [is] outside of the baseline parameters [normal ranges] established in machine learning module/process 200 (atypical activity)” (Malkov: par. 116, 119)).
Malkov does not expressly disclose multiple ranges associated with the activity for different recurring time periods. However, in a related application, Stirtzinger normal ranges, corresponding to baseline parameters of Malkov] of the behavior profile [normal activity] are identified as anomalous behavior” (Stirtzinger: par. 6, 10, 49, 51). “Indexing the behavior profile [normal/reference activity] based on the timestamp may facilitate the construction of patterns of behavior based on hourly activity, daily activity, weekly activity, monthly activity, etc.”, such that when “the comparison data deviates from the pattern of behavior, the comparison data may be identified as anomalous behavior” (Stirtzinger: par. 42-43, 50-51, 53, 61). It would have been obvious to one of ordinary skill in the art to combine Malkov and Stirtzinger. One would have done so, at least to provide flexibility, as “the behavior profile may be generated for any date range supported by the [collected] raw data” (Stirtzinger: par. 52, 53), and because using multiple time periods (e.g. “day of the week”) for analysis helps to “identify an entity who meets the most criteria for suspect activity” (Stirtzinger: par. 51). Accordingly, Malkov in view of Stirtzinger discloses normal ranges that are associated with the activity for different recurring time periods, and further discloses:
monitoring, by the at least one processor, the computing system for the activity (The “anomaly detection engine 300A works in conjunction with machine learning module 200 to continuously and in real time monitor system and event logs and compare with established baseline parameters, as are continuously refined by machine learning logic module 200, to detect anomalous events”, when the monitored activity falls outside the normal range (Malkov par. 116, ; Fig. 3, 5; and as outlined above)); and
documenting, by the at least one processor, the activity on the computing system that falls outside the normal range (“the quantized events compiled by AI anomaly detection engine 300A may be interactively visualized on a computer monitor” (Malkov: par. 156; Fig. 5)).
The aforementioned covers all the limitations of claim 1.
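
The following added example is not part of the Office action or of the cited references. It sketches the combination discussed above: normal ranges are established per recurring time period (here day of week and hour), activity is then monitored against the range for its own period, and out-of-range activity is documented. Hourly login counts as the activity, mean plus or minus three standard deviations as the normal range, and all names and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def period(ts):
    # Recurring time period used as the index: (day of week, hour of day).
    return (ts.weekday(), ts.hour)

def normal_range(values, k=3.0):
    # Assumed definition of a normal range: mean +/- k standard deviations.
    mu, sigma = mean(values), pstdev(values)
    return (mu - k * sigma, mu + k * sigma)

def establish_ranges(observations, k=3.0, min_samples=3):
    # Observation phase: one normal range per recurring period.
    grouped = defaultdict(list)
    for ts, value in observations:
        grouped[period(ts)].append(value)
    return {p: normal_range(v, k) for p, v in grouped.items()
            if len(v) >= min_samples}

def monitor(events, ranges):
    # Monitoring phase: document activity outside the range for its period.
    findings = []
    for ts, value in events:
        rng = ranges.get(period(ts))
        if rng is None:
            findings.append({"time": ts, "value": value, "reason": "no baseline"})
        elif not rng[0] <= value <= rng[1]:
            findings.append({"time": ts, "value": value,
                             "reason": "out of range", "range": rng})
    return findings

def constructed_history():
    # Constructed sample: hourly login counts, four weeks from Mon 2021-01-04.
    start, rows = datetime(2021, 1, 4), []
    for h in range(4 * 7 * 24):
        ts, week = start + timedelta(hours=h), h // (7 * 24)
        busy = ts.weekday() < 5 and 9 <= ts.hour < 17
        rows.append((ts, 100 + 5 * week if busy else 2 + week % 2))
    return rows

HISTORY = constructed_history()
RANGES = establish_ranges(HISTORY)
GLOBAL = normal_range([v for _, v in HISTORY])  # single range, for contrast
EVENTS = [(datetime(2021, 2, 2, 10), 104),      # Tuesday 10:00, constructed
          (datetime(2021, 2, 2, 3), 104)]       # Tuesday 03:00, constructed
FINDINGS = monitor(EVENTS, RANGES)

if __name__ == "__main__":
    for f in FINDINGS:
        print(f["time"], f["value"], f["reason"], f.get("range"))
```

The same count of 104 is inside the Tuesday 10:00 range and inside the single global range, but outside the Tuesday 03:00 range, which is the difference the time-indexed baseline makes.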

Regarding claims 2-3 and 5-7, the rejection of claim 1 under 35 U.S.C. 103 is incorporated herein. In addition, Malkov in view of Stirtzinger discloses:
(2) Notifying a user when the activity on the computing system falls outside the normal ranges during their associated recurring time periods (When anomalies and threat events are detected, i.e. “activity outside of the baseline parameters”, “alerting authorized, pre-determined (designated) users” of the anomalous activity, via e.g. “Simple Notification Service ("SNS"), email, voice call and text message” (Malkov: par. 10, 116; Fig. 3. Stirtzinger: e.g. par. 61, Fig 6)).
(3) The recurring time periods are selected from the group consisting of times of the day, days of the week, weeks of the month/year, months of the year, and combinations thereof (Stirtzinger: par. 42-43, 50-51, 53, 61; and as outlined for the rejection of claim 1).
(5) When activity is detected on the computing system which falls outside the normal ranges during their associated recurring time periods, compiling information about the activity from multiple sources (Malkov par. 115, 119; and as outlined for the rejection of claim 1).
(6) Presenting, to a user, a report that documents activity that falls outside the normal ranges during their associated recurring time periods (Malkov: par. 149-150, 156, Fig. 5; where the documented activity includes anomalous activity. Stirtzinger: e.g. par. 12, 51, 61, Fig. 6).
(7) The report documents events occurring in association with the activity that falls outside the normal ranges during their associated recurring time periods (Malkov: par. 149-150, 156, Fig. 5; where the documented activity includes anomalous activity. Stirtzinger: e.g. par. 12, 51, 61, Fig. 6).

Regarding claims 8-10 and 12-14, they correspond to claims 1-3 and 5-7 respectively, and claims 8-10 and 12-14 do not disclose beyond the features of claims 1-3 and 5-7. Therefore, claims 8-10 and 12-14 are rejected under 35 U.S.C. 103, as being unpatentable over Malkov in view of Stirtzinger for the same reasons outlined for the rejection of claims 1-3 and 5-7.

Regarding claims 15-17 and 19-20, they correspond to claims 1-3 and 5-6 respectively, and claims 15-17 and 19-20 do not disclose beyond the features of claims 1-3 and 5-6. Therefore, claims 15-17 and 19-20 are rejected under 35 U.S.C. 103, as being unpatentable over Malkov in view of Stirtzinger for the same reasons outlined for the rejection of claims 1-3 and 5-6.

Claims 4, 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Malkov in view of Stirtzinger and further in view of Masser et al. US 2012/0179936 A1 (hereinafter Masser).
Malkov as modified by Stirtzinger does not expressly disclose the features of similar claims 4, 11 and 18. However, Masser discloses:
(4, 11 and 18) When activity is detected on the computing system which falls outside the normal ranges during their associated recurring time periods, gathering additional information about the activity (Masser: par. 35, 40-44; when activity falls outside the standard deviation (normal ranges), i.e. an anomaly is detected, additional data is collected to further characterize the detected anomaly, and to determine whether the detected anomaly is or is not caused by an actual threat). 
It would have been obvious to one of ordinary skill in the art to combine Malkov as modified above and Masser. One would have done so, at least to further characterize a detected anomaly, and to determine whether the detected anomaly is or is not caused by an actual threat (per Masser). Accordingly, Malkov in view of Stirtzinger and Masser discloses all the features of claims 4, 11 and 18. 

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
Bhatia et al. US 2019/0318100 A1
Kapoor et al. US 2012/0240185 A1

Communications Inquiry
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ADRIAN STOICA whose telephone number is (571)270-1955.  The examiner can normally be reached on Monday-Friday 9:30-6:00 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ADRIAN STOICA/Examiner, Art Unit 2494
/ROBERT B LEUNG/Primary Examiner, Art Unit 2494
3-22-2021