DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 12/16/2020 has been entered.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendments
The amendment filed 12/16/2020 has been entered. Claims 1-20 remain pending in the application. 
Response to Arguments
Regarding the rejection of claims 1, 17, and 20 under 35 USC 103:
Applicant’s arguments with respect to said claims have been considered but are moot because the arguments do not apply to the present combination of references being used in the current rejection.  
The examiner now uses Yang (US 20170295070 A1) and Zhang (US 20180212819 A1) to teach the limitations of claims 1, 17, and 20. Claims 1-4 and 17-20 are now rejected in light of applicant’s amendments under 103 over Yang in view of Zhang.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. 

Claims 1-4 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Yang (US 20170295070 A1) in view of Zhang (US 20180212819 A1).
Regarding claim 1, Yang teaches a method implemented by a computer to detect abnormal behavior in a network, the method comprising: obtaining Performance Monitoring (PM) data that represents normal behavior of network elements in the network under normal conditions, the PM data comprising one or more of optical layer data, packet layer data, service or traffic layer data, and hardware operating metrics; (Yang, in Para. [0022-0024], discloses obtaining data from computer nodes (i.e. network elements) and determining normal activity (i.e. normal conditions) within the network, the data can include raw packet data (i.e. packet layer data))
determining a baseline model of normal behavior based on machine learning training of the PM data; (Yang, in Para. [0024], discloses the machine learning engine (i.e. baseline model) learning the patterns of activity and determining the normal activity within the network)
receiving live PM data that represents live behavior of the network elements in the network; (Yang, in Para. [0016 and 0024], discloses detecting anomalies real-time based on received data)
utilizing the live PM data with the baseline model to detect an anomaly or abnormal in the network; and (Yang, in Para. [0016 and 0024], discloses the machine learning engine (i.e. baseline model) detecting anomalous activity)
While Yang teaches detecting abnormal behavior, Yang fails to explicitly teach replacing the network element.
However, Zhang from the analogous technical field teaches detect an anomaly or abnormal behavior of one or more of the network elements in the network; and (Zhang, in Para. [0109], discloses a fault monitored network element (i.e. abnormal network element))
causing an action to address the anomaly or abnormal behavior of the one or more of the network elements, wherein the action comprises one or more of a replacement of the one or more network elements associated with the anomaly or abnormal behavior and a configuration change of the one or more network elements associated with the anomaly or abnormal behavior (Zhang, in Para. [0109], discloses replacing a fault monitored network element (i.e. abnormal network element) with a redundancy network element or another network element)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Yang to incorporate the teachings of Zhang, with a motivation to ensure the network operates normally (Zhang, Para. [0109]).  
As per claims 17-19, these claims recite a token apparatus to perform the steps as recited by the method of claims 1 and 3-4, and have limitations that are similar to those of claims 1 and 3-4, and thus are rejected with the same rationale applied against claims 1 and 3-4.
As per claim 20, this claim recites a token non-transitory computer readable medium to perform the steps as recited by the method of claim 1, and has limitations that are similar to those of claim 1, thus is rejected with the same rationale applied against claim 1.
Regarding claim 2, Yang as modified by Zhang teaches the method of claim 1. 
Yang further teaches wherein the obtaining and the determining are performed offline, and (Yang, in Para. [0014], discloses getting data from logs (i.e. offline))
(Yang, in Para. [0016 and 0024], discloses detecting anomalies real-time based on received data).
Regarding claim 3, Yang as modified by Zhang teaches the method of claim 1. 
Yang further teaches wherein the live PM data and the PM data are associated with the behavior of the network elements operating on any of an optical layer, a Time Division Multiplexing (TDM) layer, and a packet layer (Yang, in Para. [0022-0024], discloses obtaining data from computer nodes (i.e. network elements) and learning patterns (i.e. behavior), the data can include raw packet data (i.e. packet layer data))
Regarding claim 4, Yang as modified by Zhang teaches the method of claim 1. 
Yang further teaches wherein the action further comprises a notification to a network operator (Yang, in Para. [0024], discloses presenting an alert to a user like a network administrator (i.e. network operator)).
Claims 5-7 and 9-11 are rejected under 35 U.S.C. 103 as being unpatentable over Yang in view of Zhang, in further view of Shumpert (US 20160342903 A1).
Regarding claim 5, Yang as modified by Zhang teaches the method of claim 1. 
While Yang as modified by Zhang teaches detection of an anomaly, Yang as modified by Zhang fails to explicitly teach labeling of data based on anomalies.
However, Shumpert from the analogous technical field teaches wherein the PM data is labeled prior to the training to differentiate between various root causes related to different anomalies (Shumpert, in Para. [0007 and 0076], discloses using labeled sensor reading (i.e. data) to train a model, where separate labels can be implemented for different types of anomalies or normal states).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Yang as modified by Zhang to incorporate the teachings of Shumpert, with a motivation to dynamically detect anomalies based on data (Shumpert, in Para. [0001]).
Regarding claim 6, Yang as modified by Zhang teaches the method of claim 1. 
While Yang as modified by Zhang teaches detection of an anomaly, Yang as modified by Zhang fails to explicitly teach labeling of data based on anomalies.
However, Shumpert from the analogous technical field teaches wherein the PM data is labeled prior to the training to at least differentiate between normal PM data and anomalous PM data (Shumpert, in Para. [0007], discloses using labeled (normal or anomalous) sensor reading (i.e. data) to train a model).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Yang as modified by Zhang to incorporate the teachings of Shumpert, with a motivation to dynamically detect anomalies based on data (Shumpert, in Para. [0001]).
Regarding claim 7, Yang as modified by Zhang and Shumpert teaches the method of claim 6. 
Shumpert further teaches wherein the training utilizes the labeled PM data and supervised learning to build one or more classifiers to recognize the anomaly (Shumpert, in Para. [0008], discloses using labeled data and supervised learning to train multivariate clustering algorithms (i.e. classifiers) used to classify).
Regarding claim 9, Yang as modified by Zhang and Shumpert teaches the method of claim 6. 
Shumpert further teaches wherein the training further comprises adjusting a threshold of the baseline model to adjust precision and sensitivity of the model (Shumpert, in Para. [0034], discloses an updateable threshold).
Regarding claim 10, Yang as modified by Zhang and Shumpert teaches the method of claim 6. 
Shumpert further teaches wherein the labeled PM data utilizes the simulated PM data with additional labels for a root cause of the anomaly (Shumpert, in Para. [0076], discloses separate labels can be implemented for different types of anomalies or normal states).
Regarding claim 11, Yang as modified by Zhang and Shumpert teaches the method of claim 5. 


Shumpert further teaches wherein the training utilizes the labeled PM data and supervised machine learning to build one or more classifiers to recognize various root causes associated with each label (Shumpert, in Para. [0008], discloses using labeled data and supervised learning to train multivariate clustering algorithms (i.e. classifiers) used to classify).
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Yang in view of Zhang, in further view of Shumpert and Raugas (US 20150128263 A1).
Regarding claim 8, Yang as modified by Zhang and Shumpert teaches the method of claim 6. 
While Yang as modified by Zhang and Shumpert teaches labeling of data based on anomalies and classifiers, Yang as modified by Zhang and Shumpert fails to explicitly teach a plurality of classifiers which combine.
However, Raugas from the analogous technical field teaches wherein the training utilizes the labeled PM data to build a plurality of classifiers with multiple intermediate classifiers and a final classifier as a combination of the multiple intermediate classifiers, and wherein the final classifier is configured to recognize the anomaly and a type of the anomaly (Raugas, in Fig. 2 and in Para. [0071], discloses a plurality of machine learning models that generate a set of scores (i.e. classifiers), where the scores are then aggregated (i.e. combined) by the fuser (i.e. final classifier), and where the aggregated score shows similarity to a class of malicious software (i.e. type of anomaly)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Yang as modified by Zhang and Shumpert to incorporate the teachings of Raugas, with a motivation to detect malware in a computer network using supervised machine learning (Raugas, in Para. [0006]).  
Claims 12-16 are rejected under 35 U.S.C. 103 as being unpatentable over Yang in view of Zhang, in further view of Miller (US 20190188212 A1).
Regarding claim 12, Yang as modified by Zhang teaches the method of claim 1. 
While Yang as modified by Zhang teaches detection of an anomaly, Yang as modified by Zhang fails to explicitly teach anomaly detection using unlabeled data.
However, Miller from the analogous technical field teaches wherein the PM data is unlabeled prior to the training, and the corresponding model provides a single probability output of the anomaly based on the live PM data (Miller, in Fig. 4 and in Para. [0064, 0089, 0092 and 0100], discloses receiving unlabeled data, and then using probability for outlier (i.e. anomaly) detection and more specifically p-value).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Yang as modified by Zhang to incorporate the teachings of Miller, with a motivation to detect anomalous activity related to cyber security in unlabeled samples (Miller, in Para. [0002 and 0006]).  
Regarding claim 13, Yang as modified by Zhang and Miller teaches the method of claim 12. 
Miller further teaches wherein the PM data is representative of a normally functioning network such that the single probability output provides an indication of a departure from the normally functioning network (Miller, in Para. [0077, 0089-0092 and 0100], discloses the probability for outlier (i.e. anomaly) detection and more specifically p-value being in relation to null (or normal) samples (i.e. normally functioning)).
Regarding claim 14, Yang as modified by Zhang and Miller teaches the method of claim 12. 
Miller further teaches wherein the single probability output is a p-value from multiple different PM types (Miller, in Para. [0006], discloses the data including a variety of data types).
Regarding claim 15, Yang as modified by Zhang and Miller teaches the method of claim 12. 
Miller further teaches wherein the training builds a set of Probability Density Functions (PDFs) from the PM data, builds a likelihood function for each PDF, and builds a global likelihood function based on a product of each individual likelihood function, and wherein the global likelihood function is a single multivariate function to describe a network component (Miller, in Para. [0075-0076, 0121, 0125, and 0132], discloses probabilities in relation to density, likelihood estimates of the probabilities, global maximization and optimization, where globally means on the entire database results in maximum multinomial likelihood estimate).
Regarding claim 16, Yang as modified by Zhang and Miller teaches the method of claim 15. 
Miller further teaches wherein the global likelihood function is used to calculate a p-value and the anomaly is detected based on the p-value (Miller, in Para. [0132 and 0134], discloses maximum likelihood (i.e. global) which leads to derived p-values, where p-values are related to anomalies).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JESSICA JANA SOUTH whose telephone number is (571)272-3208. The examiner can normally be reached on M-Th 9:00-18:00 (Flex).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild, can be reached on (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available






/JESSICA J SOUTH/Examiner, Art Unit 2431
/TRANG T DOAN/Primary Examiner, Art Unit 2431