Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 5-8, and 12-15 are rejected under 35 U.S.C. 103 as being unpatentable over Pajouh, Hamed Haddad, GholamHossein Dastghaibyfard, and Sattar Hashemi (“Two-tier network anomaly detection model: a machine learning approach,” Journal of Intelligent Information Systems 48.1 (2017): 61-74; hereinafter “Pajouh”) in view of Sharma et al. (U.S. 2017/0032285, hereinafter “Sharma”).
Regarding Claim 1, Pajouh teaches a network anomaly analysis apparatus (p. 61, Abstract and p. 70, section 4.5), comprising:
a storage unit, being configured to store a plurality of network status data, wherein each of the network status data comprises a plurality of network feature values (p. 70, section 4.5—it is inherent that the PC includes a storage unit to store the dataset, which contains the network status data); and
a processor, being electrically connected to the storage unit (p. 70, section 4.5) and configured to dimension-reduce each of the network status data into a principal component datum by analyzing the network feature values comprised in the network status data according to 
wherein the processor selects a second subset of the principal component data as a plurality of testing data, derives an accuracy rate by testing the classification model and the clustering model by the testing data (p. 67, Table 5 – p. 68, section 4.1—the Test+ dataset is a second subset that is a plurality of testing data).
Pajouh does not specifically teach that the processor determines that the accuracy rate fails to reach a first threshold, selects a third subset of the principal component data as a plurality of validation data after determining that the accuracy rate fails to reach the first threshold, updates the classification model by classifying the validation data into a plurality of second normal data and a plurality of second abnormal data according to the classification algorithm, updates the clustering model by clustering the second abnormal data into a plurality of second abnormal groups according to the clustering algorithm, and outputs the updated classification model and the updated clustering model.
However, Sharma teaches a processor determines that an accuracy rate fails to reach a first threshold, selects a third subset of the principal component data as a plurality of validation data after determining that the accuracy rate fails to reach the first threshold, updates a classification model by classifying the validation data into a plurality of second normal data and a plurality of second abnormal data according to the classification algorithm, updates the 
All of the claimed elements were known in Pajouh and Sharma and could have been combined by known methods with no change in their respective functions. It therefore would have been obvious to a person of ordinary skill in the art at the time of filing of the applicant’s invention to combine the three subsets of the dataset and training iterations of Sharma with the dividing a dataset and the classification and clustering models of Pajouh to yield the predictable result of wherein the processor selects a second subset of the principal component data as a plurality of testing data, derives an accuracy rate by testing the classification model and the clustering model by the testing data, determines that the accuracy rate fails to reach a first threshold, selects a third subset of the principal component data as a plurality of validation data after determining that the accuracy rate fails to reach the first threshold, updates the classification model by classifying the validation data into a plurality of second normal data and a plurality of second abnormal data according to the classification algorithm, updates the clustering model by clustering the second abnormal data into a plurality of second abnormal groups according to the clustering algorithm, and outputs the updated classification model and the updated clustering model. One would be motivated to make this combination for the purpose of improving accuracy by repeated testing and training using different data.
Regarding Claim 8, Pajouh teaches a network anomaly analysis method (p. 61, Abstract and p. 70, section 4.5), being adapted for an electronic computing apparatus, the electronic computing apparatus storing a plurality of network status data, each of the network status data comprising a plurality of network feature values (p. 70, section 4.5—it is inherent that the PC includes a storage unit to store the dataset, which contains the network status data), the network anomaly analysis method comprising:
dimension-reducing each of the network status data into a principal component datum by analyzing the network feature values comprised in the network status data according to a dimension-reduce algorithm (pp. 64-65, section 3.1);
selecting a first subset of the principal component data as a plurality of training data (pp. 64-65, section 3.1);
deriving a classification model by classifying the training data into a plurality of first normal data and a plurality of first abnormal data according to a classification algorithm (pp. 65-66, section 3.2);
deriving a clustering model by clustering the first abnormal data into a plurality of first abnormal groups according to a clustering algorithm (pp. 66-67, section 3.3—k-Nearest Neighbor {KNN} is a clustering model);
selecting a second subset of the principal component data as a plurality of testing data; deriving an accuracy rate by testing the classification model and the clustering model by the testing data (p. 67, Table 5 – p. 68, section 4.1—the Test+ dataset is a second subset that is a plurality of testing data).
Pajouh does not specifically teach:
determining that the accuracy rate fails to reach a first threshold;

updating the classification model by classifying the validation data into a plurality of second normal data and a plurality of second abnormal data according to the classification algorithm;
updating the clustering model by clustering the second abnormal data into a plurality of second abnormal groups according to the clustering algorithm; and
outputting the updated classification model and the updated clustering model.
	However, Sharma teaches determining that the accuracy rate fails to reach a first threshold; selecting a third subset of the principal component data as a plurality of validation data after determining that the accuracy rate fails to reach the first threshold; updating the classification model by classifying the validation data into a plurality of second normal data and a plurality of second abnormal data according to the classification algorithm; updating the clustering model by clustering the second abnormal data into a plurality of second abnormal groups according to the clustering algorithm; and outputting the updated classification model and the updated clustering model (¶ [0068] – [0070]—a dataset is divided into three subsets, including testing and validation. The 10 testing iterations and potential early stopping describe updating models until accuracy reaches a threshold. ¶ [0038] – [0040] describe using classification and clustering models).
All of the claimed elements were known in Pajouh and Sharma and could have been combined by known methods with no change in their respective functions. It therefore would have been obvious to a person of ordinary skill in the art at the time of filing of the applicant’s invention to combine the three subsets of the dataset and training iterations of Sharma with the 
Regarding Claims 5 and 12, Pajouh/Sharma teaches the dimension-reduce algorithm is one of a high correlation filter, a random forests algorithm, a forward feature construction algorithm, a backward feature elimination algorithm, a missing values ratio algorithm, a low variance filter algorithm, and a principal component analysis algorithm (Pajouh, p. 63, section 2).
Regarding Claims 6 and 13, Pajouh/Sharma teaches the classification algorithm is one of a support vector machine, a linear classification algorithm and a K-nearest neighbor algorithm (Sharma, ¶ [0008]).
Regarding Claims 7 and 14, Pajouh/Sharma teaches the clustering algorithm is one of a K-means algorithm, an agglomerative clustering algorithm and a divisive clustering algorithm (Sharma, ¶ [0038]).
Regarding Claim 15, Pajouh teaches a non-transitory computer readable storage medium, having a computer program stored therein, the computer program executing a network anomaly analysis method after being into an electronic computing apparatus (p. 61, Abstract and .

Claims 2 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Pajouh in view of Sharma, as applied to claims 1 and 8, above, and further in view of Kadir et al. (U.S. 2020/0279649, hereinafter “Kadir”).
Regarding Claims 2 and 9, Pajouh/Sharma does not specifically teach the processor calculates a distance from each of the principal component data to the classification model and selects the principal component data whose distance is smaller than a second threshold as the validation data. However, Kadir teaches a processor calculates a distance from each of the principal component data to the classification model and selects principal component data whose distance is smaller than a second threshold as the validation data (¶ [0104] – [0111]—a distance threshold is used to select data for validation and further training).
All of the claimed elements were known in Pajouh/Sharma and Kadir and could have been combined by known methods with no change in their respective functions. It therefore would have been obvious to a person of ordinary skill in the art at the time of filing of the applicant’s invention to combine the distance calculation of Kadir with the principal component data and classification model of Pajouh/Sharma to yield the predictable result of the processor calculating a distance from each of the principal component data to the classification model and selects the principal component data whose distance is smaller than a second threshold as the .

Claims 3-4 and 10-11 are rejected under 35 U.S.C. 103 as being unpatentable over Pajouh in view of Sharma, as applied to claims 1 and 8, above, and further in view of Bansal et al. (U.S. 2017/0220939, hereinafter “Bansal”).
Regarding Claims 3 and 10, Pajouh/Sharma does not specifically teach each of the principal component data has a piece of time information, the processor divides the principal component data into a plurality of groups according to the pieces of time information, and wherein the processor selects at least one principal component datum from each of the groups as the validation data. However, Bansal teaches each of principal component data has a piece of time information, a processor divides the principal component data into a plurality of groups according to the pieces of time information, and wherein the processor selects at least one principal component datum from each of the groups as the validation data (¶ [0013] and [0033] – [0034]).
All of the claimed elements were known in Pajouh/Sharma and Bansal and could have been combined by known methods with no change in their respective functions. It therefore would have been obvious to a person of ordinary skill in the art at the time of filing of the applicant’s invention to combine the dividing using time information of Bansal with the dividing principal component data of Pajouh/Sharma to yield the predictable result of each of the principal component data having a piece of time information, the processor divides the principal component data into a plurality of groups according to the pieces of time information, and wherein the processor selects at least one principal component datum from each of the groups as 
Regarding Claims 4 and 11, Pajouh/Sharma/Bansal teaches each of the principal component data has a piece of regional information, the processor divides the principal component data into a plurality of groups according to the pieces of regional information, and wherein the processor selects at least one principal component datum from each of the groups as the validation data (Bansal, ¶ [0044] and [0050]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure. This art includes:
Miller et al. (U.S. 2019/0188212) teaches a system that performs clustering and classifying for network anomaly detection
Segev et al. (U.S. Patent 10,148,680) teaches a system that performs anomaly detection using dimension reduction, a classifier, and KNN clustering
Syarif, Iwan, Adam Prugel-Bennett, and Gary Wills (“Unsupervised clustering approach for network anomaly detection,” International conference on networked digital technologies. Springer, Berlin, Heidelberg, 2012) teaches using clustering techniques to improve intrusion detection classifiers

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAL W SCHNEE whose telephone number is (571)270-1918. The examiner can normally be reached on M-F 7:30 a.m. - 6:00 p.m.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamran Afshar, can be reached on 571-272-7796. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/HAL SCHNEE/Primary Examiner, Art Unit 2125