Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 3/10/2021 has been entered.
 
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
	

DETAILED ACTION
The Examiner would like to thank the Applicant for the well-presented response, which was useful in the examination. The Examiner appreciates the Applicant’s efforts to perform a careful analysis and make appropriate amendments to the claims.

Claims 10, 12, 14, and 17 have been canceled. Claim 23 has been added. Claims 1-9, 11, 13, 15-16, and 18-23 are pending. Claims 1-9, 11, 13, 15-16, and 18-23 have been examined. Claims 1-9, 11, 13, 15-16, and 18-23 have been allowed. 

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Attorneys Myrna Schelling and Robert Mayer on 3/25/2021.

Claim 17 has been canceled. Claims 1, 6, 9, and 23 have been amended as follows:

1.  (Currently Amended) A method for analysing data comprising: 
generating an initial model; 
receiving a plurality of data records comprising a plurality of data items of at least one particular event; 
based on the initial model, determining in real time an expected value of at least one of the plurality of data items of the plurality of data records;
based on the initial model, determining in real time a value for a number of occurrences of the at least one particular event across the plurality of data records; 
determining an average value of the at least one of the plurality of data items over a period of time, across the plurality of data records;
determining a change in the value for the number of occurrences of the at least one particular event over a period of time, across the plurality of data records;
comparing, using one or more processors, the average value of the at least one of the plurality of data items with the expected value from the initial model; 
based on the comparing, identifying the average value of the at least one of the plurality of data items as being an abnormal value, the abnormal value being indicative of potentially anomalous activity occurring on a computing network, the identifying of the abnormal value being based at least in part on a rate of change of the average value of the at least one of the plurality of data items; 
updating the initial model in real-time in response to the identifying of the abnormal occurrences of the at least one particular event to create a derived statistical model, the initial model being updated with the identified abnormal value or the change in the value for the number of occurrences of the at least particular one event;
determining clustering of the plurality of data items such that at least a first cluster and a second cluster are identified; 
determining, based on the derived statistical model, that a series of data points has moved from the first cluster to the second cluster has deviated based on the derived statistical model, the movement being indicative of abnormal anomalous activity; and 
transmitting an alert message to a recipient based on the identifying of the abnormal value or the moving the series of data points and indicating the potentially anomalous activity. 

6. (Currently Amended) A system for analysing data comprising: 
a data analysis system that generates an initial model; 
at least one data entry device that continually receives data records comprising a plurality of data items of at least one particular event, each of the data records being associated with a point in time, the plurality of data items being indicative of electronic trading requests; 
the data analysis system further 
derives a statistical model based on a plurality of data records and the initial model,
after deriving the statistical model, accepts at least one of the plurality of data items, 
based on the derived statistical model, determines in real time an expected value of the at least one of the plurality of data items,
occurrences of the at least one particular event 
determines an average value of the at least one of the plurality of data items over a period of time, across the plurality of data records,
determining a change in the value for the number of occurrences of the at least one particular event over a period of time, across the plurality of data records,
compares the average value of the at least one of the plurality of data items with the expected value from the derived statistical model to determine abnormal values, the determining of the abnormal value being based at least in part on a rate of change of the average value of the at least one of the plurality of data items, 
and 
updates the derived statistical model in real-time using the average value of the at least the one of the plurality of data items, the change in the value for the number of occurrences of the at least one particular event, or the abnormal values,
wherein the data analysis system detects the abnormal values when the average value of the at least one of the plurality of data items is indicative of abnormal anomalous activity performed by a computing bot executing the electronic trading requests; 
determines, based on the derived statistical model, that a series of data points has moved from the first cluster to the second cluster, the movement being indicative of abnormal anomalous activity; and 
transmits an alert message to a recipient based on the determination of the abnormal anomalous activity relative to the abnormal values or the moving the series of data points.


deriving a statistical model based on a plurality of data records particular event and an initial model; 
after deriving the statistical model, receiving at least one additional data record comprising a plurality of data items; 
based on the derived statistical model, determining in real time an expected value of at least one of the plurality of data items; 
based on the derived statistical model, determining in real time a value for a number of occurrences of the at least one particular event across the plurality of data records;
determining an average value of the at least one of the plurality of data items over a period of time, across the plurality of data records; 
determining a change in the value for the number of occurrences of the at least one particular event over a period of time, across the plurality of data records;
comparing, using one or more processors, the average value of the at least one of the plurality of data items with the expected value from the derived statistical model; 
based on the comparing, identifying the average value of the at least one of the plurality of data items as an abnormal value, the abnormal value being indicative of potentially anomalous activity occurring on a computing network, the identifying of the abnormal value being based at least in part on a rate of change of the average value of the at least one of the plurality of data items; 
updating the derived statistical model in real-time in response to the identifying the abnormal value or the change in the value for the number of occurrences of the at least one particular event, the derived statistical model being updated with the identified abnormal value or the change in the value for the number of occurrences of the at least one particular 
determining clustering of the plurality of data items such that at least a first cluster and a second cluster are identified; 
determining, based on the derived statistical model, that a series of data points has moved from the first cluster to the second cluster, the movement being indicative of abnormal anomalous activity; and 
transmitting an alert message to a recipient based on the identifying of the abnormal value or the moving the series of data points and indicating the potentially anomalous activity.

23.  (Currently Amended) A method for analysing data comprising: 
generating an initial model, the initial model being indexed to allow rapid retrieval;   
receiving a plurality of data records comprising a plurality of data items of at least one particular event, each data record having a timestamp; 
based on the initial model, determining in real time an expected value of at least one of the plurality of data items of the plurality of data records;
based on the initial model, determining in real time a value for a number of occurrences of the at least one particular event across the plurality of data records; 
pre-processing the plurality of data records comprising a plurality of data items, by determining an average value of the at least one of the plurality of data items over a period of time, across the plurality of data records;
storing the average value of the at least one of the plurality of data items in a database;
determining a change in the value for the number of occurrences of the at least one particular event over a period of time, across the plurality of data records;

based on the comparing, identifying the average value of the at least one of the plurality of data items as being an abnormal value, the abnormal value being indicative of potentially anomalous activity occurring on a computing network, the identifying of the abnormal value being based at least in part on a rate of change of the average value of the at least one of the plurality of data items; 
updating the initial model in real-time in response to the identifying of the abnormal value or the change in the value for the number of occurrences of the at least one particular event to create a derived statistical model, the initial model being updated with the identified abnormal value or the change in the value for the number of occurrences of the at least one particular event;
determining clustering of the plurality of data items such that at least a first cluster and a second cluster are identified; 
determining, based on the derived statistical model, that movement of a series of data points from membership of the first cluster to membership of the second cluster has deviated based on the derived statistical model, the movement being indicative of abnormal anomalous activity; and 
transmitting an alert message to a recipient based on the identifying of the abnormal value or the moving of the series of data points and indicating the potentially anomalous activity,
wherein the derived statistical model is self-learning, continually updated by additional data records and persisted for use as the additional data items are analysed, and wherein the initial model is persisted as a database of insights into the plurality of data records, the insights further comprising anomalies in the plurality of data items.

Allowable Subject Matter
Claims 1-9, 11, 13, 15-16, and 18-23 are allowed. The following is an examiner’s statement of reasons for allowance: 

As per claims 1, 6, 9, and 23, Mathis and Spiliopoulou do not teach:
receiving a plurality of data records comprising a plurality of data items of at least one particular event;
based on the initial model, determining in real time a value for a number of occurrences of the at least one particular event across the plurality of data records;
determining a change in the value for the number of occurrences of the at least one particular event over a period of time, across the plurality of data records; and
the identifying of the abnormal value being based at least in part on a rate of change of the average value of the at least one of the plurality of data items;
in combination with other limitations recited in the claims.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CUONG V LUU whose telephone number is (571)272-8572.  The examiner can normally be reached on Monday-Friday 8:30-5:00.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/CUONG V LUU/Examiner, Art Unit 2129

/REHANA PERVEEN/Supervisory Patent Examiner, Art Unit 2129