DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment / Arguments
Regarding claims 12-16:
Applicant's arguments have been fully considered but they are not persuasive. It is further noted that where Applicant argues against the claims having been rejected under 35 USC 102, this appears to have been a formatting error on page 8 of the 9/25/2020 Office action. The claims were rejected under the 35 USC 103 heading and the rejections comprised the respective 35 USC 103 rationales.
Concerning the references, Applicant argues “Tsai may disclose "instances" and distinguish normal instances from intrusions… but computing cell densities of cells representing entities that are above to perform an action in the computing environment is outside of Tsai.” In response, it is noted that the Chari reference included as part of the 103 rationale and rejection would disclose the claimed entities being enabled to perform an action as per at least the abstract, [0005], and [0033] of Chari (i.e., user devices and respective accounts as entities performing transactions as actions).

Regarding claim 16, the rejection was based on the citation to FIG. 4 of Tsai (i.e., the features as plotted).

Regarding claims 5, 13, and 18:
Applicant's arguments have been fully considered but they are not persuasive.

Applicant further argues that “Chari remains absent the deriving of neighborhood features from entities that are neighbors to the first entity and deriving of link-based features based on relationships for the first entity to other entities.” In response, it is noted that at least [0107], [0110], and [0152] of Chari recite community information and edge neighbor information as part of features which are extracted for determining anomaly scores. Further, path information between accounts is also extracted as part of the features used to determine the scores. As such, it is considered that the Chari reference discloses forms of claimed link-based and neighborhood features (of accounts and their associated transactions).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 5, 3, 6-7, 10, and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Chari (US 2016/364794 A1) in view of Ben Simhon (US 2016/0147583 A1) and Ji (US 2010/0132039 A1).

Regarding claim 5, Chari discloses: A non-transitory machine-readable storage medium storing instructions that upon execution cause a system to:
generate a graphical representation of entities associated with a computing environment and enabled to perform an action in the computing environment; 
Refer to at least the abstract, FIG. 3-4, and [0044] of Chari with respect to generating a graph from transaction data, including vertices for source, destination, and other entities.  
Refer to at least the abstract, [0005], and [0033] of Chari with respect to accounts and their associated transactions.
derive features for the entities represented by the graphical representation, the features comprising neighborhood features and link-based features, a neighborhood feature for a first entity of the entities derived based on entities that are neighbors of the first entity in the graphical representation, and a link-based feature for the first entity derived based on relationships of other entities in the graphical representation with the first entity; and 
Refer to at least the abstract, FIG. 4, [0045], [0059], [0106]-[0111], [0116], and [0122] of Chari with respect to extracting features from the graph, including edge path, distance, and/or PageRank information.  
determine, using a plurality of anomaly detectors based on respective features of the derived features, whether the first entity is exhibiting anomalous behavior,
Refer to at least the abstract and [0057] of Chari with respect to determining and flagging anomalous accounts or transactions based on scoring the extracted feature information.
wherein a first anomaly detector of the plurality of anomaly detectors computes a first [probability] of a first subset of the derived features, and determines whether the first entity is exhibiting anomalous behavior based on the first [probability], and
Refer to at least [0114]-[0115] and [0122]-[0123] of Chari with respect to calculating a probability for the features for fraud detection.
Refer to at least [0079]-[0084], [0088]-[0090], [0096], and [0101]-[0105] of Chari with respect to scoring a transaction via scoring multiple sets of extracted features of a graph or graphs associated with the transaction. 
wherein a second anomaly detector of the plurality of anomaly detectors computes a second [probability] of a different second subset of the derived features, and determines whether the first entity is exhibiting anomalous behavior based on the second [probability].
Refer to at least [0079]-[0084], [0088]-[0090], [0096], and [0101]-[0105] of Chari with respect to scoring a transaction via scoring multiple sets of extracted features of a graph or graphs associated with the transaction. 
Chari does not specifically disclose: parametric distribution; wherein the determining comprises: ranking the plurality of anomaly detectors to identify top-ranked anomaly detectors, and using detections performed by the top-ranked anomaly detectors including the first anomaly detector and the second anomaly detector to determine whether the first entity is exhibiting anomalous behavior. However, Chari in view of Ben Simhon and Ji discloses: parametric distribution;
Refer to at least [0084] and [0093] of Ben Simhon with respect to using a form of claimed parametric distribution for observed metrics for determining anomalies. 
wherein the determining comprises: ranking the plurality of anomaly detectors to identify top-ranked anomaly detectors, and using detections performed by the top-ranked anomaly detectors including the first anomaly detector and the second anomaly detector to determine whether the first entity is exhibiting anomalous behavior.
Refer to at least the abstract, [0008]-[0009], and [0039]-[0042] of Ji with respect to selecting from among candidate monitors based on clustering and network topology data. 
The teachings of Chari and Ben Simhon concern substantially similar subject matter, and further, the teachings of Chari consider probability calculation. As such, they are considered to be combinable. The teachings of Ji further concern network security and are considered to likewise be combinable. 
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Chari to include use of parametric distributions because the substitution of one known element for another would have yielded predictable results to one of ordinary skill in the art at the time of the invention; it further would have been obvious to include ranking and selecting monitors for at least the purposes of increasing a detection rate while decreasing a cost of deployment as per the cited portions of Ji.

Regarding claim 3, Chari-Ben Simhon-Ji discloses: The non-transitory machine-readable storage medium of claim 5, wherein the first anomaly detector determines whether the first entity is exhibiting anomalous behavior based on a threshold for the first parametric distribution.
Refer to at least [0035] and [0078] of Chari with respect to thresholds associated with scores.
Refer to at least [0013] of Ben Simhon with respect to thresholds associated with scores.
This claim would have been obvious for substantially the same reasons as claim 5 above. 

Regarding claim 6, Chari-Ben Simhon-Ji discloses: The non-transitory machine-readable storage medium of claim 5, wherein the instructions upon execution cause the system to use a third anomaly detector of the plurality of anomaly detectors: compute a density measure for a given data point based on relationships of the given data point to other data points, each data point of the given data point and the other data points containing values of features of a third subset of the derived features, determine whether the first entity is exhibiting anomalous behavior further based on the density measure.
Refer to at least [0114]-[0115] and [0122]-[0123] of Chari with respect to calculating a probability for the features for fraud detection.
Refer to at least [0079]-[0084], [0088]-[0090], [0096], and [0101]-[0105] of Chari with respect to scoring a transaction via scoring multiple sets of extracted features of a graph or graphs associated with the transaction; [0088]-[0089] of Chari specifically reciting deriving and scoring a third set of features. 
Refer to at least FIG. 12 of Ben Simhon with respect to probability density calculation.
This claim would have been obvious for substantially the same reasons as claim 2 above. 

Regarding claim 7, it is rejected for substantially the same reasons as claims 5 and 6 above.

Regarding claim 10, Chari-Ben Simhon-Ji discloses: The non-transitory machine-readable storage medium of claim 5, wherein the graphical representation of the entities is a first graphical representation of the entities generated based on event data within a first time window of a first time length, and wherein the instructions upon execution cause the system to: generate a second graphical representation of entities associated with the computing environment based on event data within a second time window of a different second time length; derive features for the entities represented by the second graphical representation, the features comprising neighborhood features and link-based features; and determine, using a plurality of anomaly detectors based on respective features of the derived features for the entities represented by the second graphical representation, whether the first entity is exhibiting anomalous behavior.
Refer to at least FIG. 6 and [0094]-[0097] of Chari with respect to time windows and respective graphs. 

Regarding independent claim 18, it is substantially similar to independent claim 1, but further comprises edge pair language. As such, claim 18 is rejected for substantially the same reasons as claim 1 above, including with respect to said edge pair language (e.g., [0068] of Chari).

Claims 8-9, 21, and 23 is/are rejected under 35 U.S.C. 103 as being unpatentable over Chari-Ben Simhon-Ji as applied to claims 5, 3, 6-7, 10, and 18 above, and further in view of Tsai (US 2008/0306715 A1).

Regarding claim 8, Chari-Ben Simhon-Ji does not fully disclose: wherein computing the density measure comprises computing distances of the given data point to the other data points in a grid of data points, where the other data points are nearest data points to the given data point, and where the grid of data points includes a plurality of axes representing respective features of the subset of the derived features. However, Chari-Ben Simhon-Ji in view of Tsai discloses: wherein computing the density measure comprises computing distances of the given data point to the other data points in a grid of data points, where the other data points are nearest data points to the given data point, and where the grid of data points includes a plurality of axes representing respective features of the subset of the derived features.
Refer to at least FIG. 4, [0009]-[0010], [0024]-[0026], and [0037] of Tsai with respect to normalizing extracted feature data and disposing to corresponding cubes according to threshold values of density and DGT values; using said cubes with a given model for identifying anomalies. 

Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Chari-Ben Simhon-Ji with those of Tsai because all of the claimed elements were known in the prior art and one skilled in the art could have combined the elements as claimed by known methods with no change in their respective functions, and the combination would have yielded predictable results to one of ordinary skill in the art at the time of the invention.

Regarding claim 9, it is rejected for substantially the same reasons as claim 8 above (i.e., the above citations).

Regarding claim 21, Chari-Ben Simhon-Ji-Tsai discloses: The non-transitory machine-readable storage medium of claim 5, wherein each of the first parametric distribution and the second parametric distribution is parameterized by a mean and a standard deviation of the derived features of a respective subset of the first and second subsets.
Refer to at least [0022]-[0023] of Tsai with respect to data normalizing via mean and standard deviation.
This claim would have been obvious for substantially the same reasons as claim 8 above.

Claim 23 is substantially similar to claim 21 above, and is therefore likewise rejected.

Claims 12-16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Tsai (US 2008/0306715 A1) in view of Chari (US 2016/364794 A1).

Regarding claim 13, Tsai discloses: A system comprising: a processor; and a non-transitory storage medium storing instructions executable on the processor to: for a subset of features of entities associated with a computing environment, pre-compute densities of cells within a multi-dimensional grid that includes data points placed in the multi-dimensional grid according to values of features of the subset of features, wherein each data point of the data points represents the subset of features for a respective entity of the entities, and wherein a density pre-computed for a respective cell of the cells is based on relationships between data points in the respective cell and other data points in the multi-dimensional grid,
Refer to at least FIG. 1 of Tsai with respect to feature extraction and normalization. 
Refer to at least the table on page 2 of Tsai with respect to exemplary features. 
Refer to at least FIG. 4, [0009]-[0010], [0024]-[0026], and [0037] of Tsai with respect to normalizing extracted feature data and disposing to corresponding cubes according to threshold values of density and DGT values; using said cubes with a given model for identifying anomalies. 
in response to receiving a data point for a particular entity, identify a cell in which the received data point is contained, and 
use the pre-computed density of the identified cell in determining whether the particular entity is anomalous.
Refer to at least the abstract, FIG. 1, [0026], [0030], and [0037] of Tsai with respect to identifying relationships of said cubes; determining anomalies through use of the model. 
Tsai does not specify: distances of data points in the respective cell to other data points in the multi-dimensional grid; wherein each of the entities associated with the computing environment are enabled to perform an action in the computing environment. However, Tsai in view of Chari discloses: distances of data points in the respective cell to other data points in the multi-dimensional grid;
Refer to at least [0114]-[0115] and [0122]-[0123] of Chari with respect to calculating a probability for the features for fraud detection.
wherein each of the entities associated with the computing environment are enabled to perform an action in the computing environment.
Refer to at least the abstract, [0005], and [0033] of Chari with respect to accounts and their associated transactions.
The teachings of Tsai and Chari concern substantially similar subject matter, and are considered to be combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Tsai with those of Chari because all of the claimed elements were known in the prior art and one skilled in the art could have combined the elements as claimed by known methods with no change in their respective functions, and the combination would have yielded predictable results to one of ordinary skill in the art at the time (i.e., calculating probabilities for features for fraud detection and further applying the feature model to a specific implementation such as accounts and transactions—see at least [0008] of Tsai).

Regarding claim 16, it is rejected for substantially the same reasons as claim 13 above (e.g., FIG. 4 of Tsai).

Regarding claims 12 and 14-15, they are rejected for substantially the same reasons as elements of claims 1, 10, 18, and 20. 
The teachings of Tsai and Chari concern substantially similar subject matter, and are considered to be combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Tsai with those of Chari because all of the .

Claims 22 and 24 is/are rejected under 35 U.S.C. 103 as being unpatentable over Chari-Ben Simhon-Ji as applied to claims 5, 3, 6-7, 10, and 17-18 above, and further in view of “OddBall: Spotting Anomalies in Weighted Graphs,” hereinafter Akoglu.

Regarding claim 22, Chari-Ben Simhon-Ji does not disclose: wherein each of the first parametric distribution and the second parametric distribution is one of a power law distribution, a gamma distribution, or a t-distribution. However, Chari-Ben Simhon-Ji in view of Akoglu discloses: wherein each of the first parametric distribution and the second parametric distribution is one of a power law distribution, a gamma distribution, or a t-distribution.
Refer to at least the abstract and 3.3 of Akoglu with respect to power law equations for anomaly detection.
The teachings of Chari-Ben Simhon-Ji and Akoglu concern the similar subject matter of graph-based anomaly detection, and are considered to be within the same field of endeavor and combinable as such. Further, at least [0151]-[0154] of Chari concern egonets.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Chari-Ben Simhon-Ji to include power law equations because the substitution of one known element for another would have yielded predictable results to one of ordinary skill in the art at the time of the invention. Additionally, Akoglu considers advantages in at least its introduction and conclusion.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751.  The examiner can normally be reached on 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432

/V.S/Examiner, Art Unit 2432