DETAILED ACTION
1.	This action is in response to the application 15/919628 filed on March 13, 2018. Claims 1-20 are pending and have been examined.
Notice of Pre-AIA or AIA Status
2.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 101
3.	35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


4.	Claims 1, 10, and 19 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Step 1 analysis:
In the instant case, the claim(s) 1, 10, and 19 are directed to a method, system, and computer-readable storage media, respectively. Thus, they fall within one of the four statutory categories (i.e., process, machine, manufacture, or composition of matter).
Step 2 analysis:
Step 2A: Prong 1 analysis:
The claim(s) recite(s):
Claim 1, 10, 19:
- determining whether input data are labeled or unlabeled… (mental process);
- determining a set of features from the input data points… (mental process);
- generating… single variable rules… (mental process);
- generating… multi variable rules… (mental process);
- filtering the candidate single-variable and multi-variable rules… (mental process);
Accordingly, the claims recite an abstract idea which is one of the judicial exceptions.

Step 2A: Prong 2 analysis:
This judicial exception is not integrated into a practical application because the additional elements in claims 1, 10, and 19, “obtaining… input data points…” and “outputting… valid rules”, are mere data gathering and outputting, which are insignificant extra-solution activity to the judicial exception as discussed in MPEP 2106.05(g). Also, in claim 1, 10, and 9 the additional element “supervised machine learning” is generally linking the use of the judicial exception to a particular technological environment or field of use (Machine Learning technology) as discussed in MPEP 2106.05(h). The claims do not recite additional elements that integrate the judicial exception into a practical application. The claims are directed to an abstract idea.
Step 2B analysis:
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements of claims 1, 10, and 19 are merely adding insignificant extra-solution activity to the judicial exception and generally linking the use of the judicial exception to a particular technological environment or field of use. The obtaining step is an insignificant extra-solution activity that is a well understood, routine, and  MPEP 2106.05(d)(I). The outputting step is an insignificant extra-solution activity that is a well understood, routine, and conventional function (Cai pg. 3157 para. 2 discloses a system that combines outputs from several outputs to generate a final output). There is no inventive concept in the claim. The claim is not patent eligible.
5.	Claims 2 and 11 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more, and the rejections of claims 1 and 10 are incorporated into claims 2 and 11 respectively. Claims 2 and 11 recite more specifics to the judicial exceptions identified in the rejection of claims 1 and 10 respectively. Generating labels, generating clusters, and determining a set of features are more specifics to the judicial exceptions in claims 1 and 10. These limitations are abstract ideas of the “mental process” grouping which can be performed in one’s mind with the aid of pencil and paper. The additional element “unsupervised machine learning” is generally linking the use of the judicial exception to a particular technological environment or field of use (Machine Learning technology) as discussed in MPEP 2106.05(h). Claims 2 and 11 do not recite any additional elements, other than the ones recited in claims 1 and 10, which integrate the judicial exception into a practical application or amount to significantly more. The claims are not patent eligible.
6.	Claim(s) 3-7 and 12-16 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more, and the rejection of claims 1 and 10 are incorporated into the claims. Claims 3-7 and 12-16 recite more specifics to the judicial exceptions identified in the rejection of claims 1 and 10. Rules periodically updated, data corresponding to user generated event, evaluating candidate rules, maintaining metrics about 
7. 	Claims 8, 9, 17, and 18 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more, and the rejection of claim 1 is incorporated into the claims 8 and 9 and rejection of claim 10 is incorporated into claims 17 and 18. Claims 8, 9, 17, and 18 recite more specifics to the judicial exceptions identified in the rejection of claims 1 and 10. They recite the following limitation: providing a user interface, receive… rules from user, and validate… rules. The providing step is adding insignificant extra-solution activity to the judicial exception. The receive… rules from user is mere data gathering and adding insignificant extra-solution activity to the judicial exception as discussed in MPEP 2106.05(g). The validate… rules step is an abstract idea of the “mental process” grouping which can be performed in one’s mind with the aid of pencil and paper. The claims do not recite any other additional elements, than the ones recited in claims 1 and 10, which integrate the judicial exception into a practical application or amount to significantly more. The claims are not patent eligible.	
Claim Rejections - 35 USC § 103
8.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


9.	Claims 1, 2, 4-6, 10, 11, 13-15, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over “Comparison of feature selection and classification algorithms in identifying malicious executables” to reference Cai et al., (hereinafter, “Cai”), in view of “Rule Induction from Rough Approximations” to reference Grzymala-Busse, (hereinafter, “Busse”).
10.	As per claims 1, 10, and 19 Cai teaches: method for generating rules for identifying malicious accounts or events (Cai pg. 3171 para. 2 discloses classifiers that “have the capability to automatically extract features from binary executables, accurately and expeditiously distinguish those malicious files from the benign”), A system comprising: one or more computers and one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform the operations comprising: (Cai performs their method using a computer with memory (Cai, pg. 3170, last paragraph, "All experiments ... were performed on a Linux based desktop computer with ... 512 Megabyte memories")), and One or more computer-readable storage media encoded with instructions that, when executed by one or more computers, cause the one or more computers (Cai performs their method using a desktop computer which has storage (Cai, pg. 3170, last paragraph, "All experiments ... were performed on a Linux based desktop computer")) respectively. Regarding claims 1, 10, and 19 Cai further teaches:
	obtaining input data points associated with a plurality of users (Cai pg. 3156 para. 1 gives examples of malicious emails sent to thousands of recipients. Sending emails to recipients can be associated with a plurality of users). 
in response to determining that the data points are labeled, determining a set of features from the input data points using supervised machine learning techniques (Cai pg. 3158 para. 7 discloses different feature selection methods from data samples. A feature selection method like maximal difference needs to know if a file is benign or malicious (Cai pg. 3159 last para.). Since the selection is made using a method that requires labels, it can be considered supervised machine learning).
outputting final set of valid rules (Cai pg. 3157 para. 5 discloses “an inductive rule-based learner that generates Boolean rules based on feature attributes”).
Cai fails to explicitly teach determining whether the input data points are labeled or unlabeled; generating a group of candidate single variable rules using the determined set of features, wherein each rule specifies a matching condition based on a corresponding feature dimension; generating a group of candidate multi-variable rules from the single-variable rules; and filtering the candidate single-variable and multi-variable rules using the labeled input data points to generate a final set of valid rules. However, Busse teaches:
	determining whether the input data points are labeled or unlabeled (Busse on pg. 371 left col. para 2 discloses how complete (labeled) data sets are characterized and on pg. 378 left col. para. 3 discloses treating data with missing attribute values as incomplete (unlabeled)).
	generating a group of candidate single variable rules using the determined set of features, wherein each rule specifies a matching condition based on a corresponding feature dimension (Busse on pg. 375 right col. para. 1 discloses “rules with at least one attribute–value pair matching the corresponding attribute–value pair of a case.” An example of a single variable rule using the determined set of features is (Temperature, high) -> (Trip, no) as shown on Busse pg. 375 left col. para. 1).
	generating a group of candidate multi-variable rules from the single-variable rules (Busse on pg. 375 left col. para. 1 gives an example of a multi-variable rule (Wind, medium) & (Temperature, low) -> (Trip, no) created using logical expression “AND” on single variable rules).
	filtering the candidate single-variable and multi-variable rules using the labeled input data points to generate a final set of valid rules (Busse on pg. 377 right col. para. 1 discloses “only rules with (Trip,yes) on the right-hand side are informative; the remaining rules, with (Trip, SPECIAL) on the right-hand side should be ignored.” Ignoring certain rules and using only rules considered informative to induce a final rule can be considered filtering).
Therefore, it would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to modify the teachings of Cai and incorporate the teachings of Busse with a motivation to use an inductive rule-based learner that generates Boolean rules based on feature attributes as a learning algorithm to classify data (Cai pg. 3157 para. 4). One would be motivated to use the combination to extract rules using rule induction because “Rule induction is an important technique in data mining or machine learning” (Busse pg. 371 para. 1) and “Rule sets, induced from data sets, are used most frequently to classify new, unseen cases” (Busse pg. 375 para. 2).
As per claims 2 and 11, the combination of Cai and Busse as shown above teaches the method of claim 1 and system of claim 10 respectively, wherein in response to determining that the data points are not labeled:
	generating labels using unsupervised machine learning (Busse Table 23.13 pg. 383 assigns conditional probabilities (labels) to clusters of data points);
	generating clusters of positively labeled data points (Busse on pg. 382 right col. para. 2 creates set of blocks of attributes-value pairs where each block {1,3,5}, {4,6,7,8} etc. is a cluster);
	determining a set of features for each cluster (Busse on pg. 382 right col. para. 2 each cluster of data is labeled with attribute (feature) value. Ex: [(Wind, low)] = {1,3,5}).
	As per claims 4 and 13, the combination of Cai and Busse as shown above teaches the method of claim 1 and system of claim 10 respectively, wherein
	each data point corresponds to a user generated event and includes a group of attributes describing the event (Cai pg. 3156 para. 1 gives examples of malicious email attachments sent to thousands of recipients. Each data point corresponds to an attachment sent in an email (a user generated) event and includes attributes describing the email/malicious executables in the event).
As per claims 5 and 14, the combination of Cai and Busse as shown above teaches the method of claim 1 and system of claim 10 respectively, wherein filtering the candidate single-variable and multi-variable rules comprises evaluating the candidate rules on the labeled data points based on accuracy and effectiveness metrics (Cai pg. 3163 para. 4 teaches 
As per claims 6 and 15, the combination of Cai and Busse as shown above teaches the method of claim 1 and system of claim 10 respectively, wherein
maintaining metrics about each rule in the final set of valid rules including one or more of rule effectiveness, false positive rate, and recency (Cai pg. 3158 para. 4 discloses that for text categorization “feature selection method based on information gain metric yielded performance by removing up to 98% of the terms.” Cai also gives an example of a support vector machine classifier for text classification with a feature selection metric called bi-normal separation that outperformed others by a substantial margin in a range of situations).
12.	Claims 3 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Cai in view of Busse as applied to claim 1 and 10 respectively as shown above, further in view of US 10949854 B1 to reference Kramme et al., (hereinafter, “Kramme”).
	As per claims 3 and 12, the combination of Cai and Busse as shown above teaches the method of claim 1 and system of claim 10 respectively. Cai and Busse fail to explicitly teach the rules are periodically updated based on recent data points; however, Kramme teaches:
the rules are periodically updated based on recent data points (Kramme para. [0040] discloses machine learning rule generator that analyzes various types of data to update fraud detection and/or classification rules).
Therefore, it would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to modify the teachings of Cai and Busse and incorporate the .
13.	Claims 7-9 and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Cai in view of Busse as applied to claim 1 and 10 respectively as shown above, further in view of US 20070289013 A1 to reference Lim, (hereinafter, “Lim”).
	As per claims 7 and 16, the combination of Cai and Busse as shown above teaches the method of claim 6 and system of claim 15 respectively. Cai and Busse fail to explicitly teach rules that fail to satisfy metric thresholds are removed (Lim pg. 14 para. 4 discloses a rule editor that helps manage rules by creating, editing, or deleting rules).
	Therefore, it would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to modify the teachings of Cai and Busse and incorporate the teachings of Lim with a motivation to use a user interface to present and delete the rules based on effectiveness of the rule. One would be motivated to use the combination to allow a user “to cleanse and perform assertion of the abnormal and normal classification” (Lim pg. 13 para. 2).
	As per claims 8 and 17, the combination of Cai and Busse as shown above teaches the method of claim 1 and system of claim 10 respectively. Cai and Busse fail to explicitly teach providing a user interface configured to selectively present rules and data about the effectiveness of each rule (Lim pg. 13 para. 2-3 discloses using a graphic user interface that displays the generated rules, which are displayed as “Abnormal” and “Normal” rules).

14.	As per claim 9 and 18, the combination of Cai, Busse, and Lim as shown above teaches the method of claim 8 and system of claim 17 respectively, wherein 
the user interface is further configured to receive manually generated rules from a user, wherein the manually generated rules are backtested against historical data to validate the manually generated rules (Lim pg. 13 para. 2 discloses using a graphic user interface named Incident Editor that allows user to “cleanse and perform assertion of the abnormal and normal classification of network traffic based on previous generated rules. The Incident Editor allows the user to select a pattern discovery method and displays the generated rules based on the selected pattern discovery method”).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RAHUL GURUNG whose telephone number is (571) 272-8406. The examiner can normally be reached on 7:30 am to 4:00 pm from Mondays to Thursdays.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kakali Chaki, can be reached at telephone number (571) 272-3719. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
/RAHUL GURUNG/Examiner, Art Unit 2122

/ERIC NILSSON/Primary Examiner, Art Unit 2122