Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
1.        Claims 1 - 20 are pending.  Claims 1, 10, 20 are independent.    File date is 1-31-2019.  

Claim Rejections - 35 USC § 102  
2.        The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless -
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

3.        Claims 1 - 3, 9 - 12, 18, 20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Deardorff et al. (US PGPUB No. 20200195670).     	
 
Regarding Claims 1, 10, 20, Deardorff discloses a method for detecting anomalous network activity in a cloud-based compute environment and a system for detecting anomalous network activity in a cloud-based compute environment and a non-transitory computer readable medium having stored thereon instructions for causing processing circuitry to perform a process for detecting anomalous network activity in a cloud-based compute environment, the method and the system and the process comprising:
a)  receiving configuration data and network activity observations for a set of virtual entities in the cloud-based compute environment; (Deardorff ¶ 058, ll 1-7: configured to analyze 
b)  creating a profile for each virtual entity in the set of virtual entities, when the virtual entity does not already have an associated profile; (Deardorff ¶ 067, ll 1-7: behavioral profile module creating or defining profiles; analyzes network activity data in order to create profiles representing entity behavior; ¶ 069, ll 1-5: data regarding the created profiles stored in one or more databases)    
c)  dynamically updating the virtual entity of a profile with the respective network activity observations of the virtual entity; (Deardorff ¶ 034, ll 1-10: observing, tracking, and identifying patterns in activity data actions across a variety of tool sets and systems; patterns observed upon one or more networks; profile the intent and predict possible future activity based on observed behavior and recognized intent (i.e. unobserved behavior)) and
d)  determining whether anomalies have been detected. (Deardorff ¶ 036, ll 6-10: issue alerts (i.e. reports) to inform user of anomalous activity; review data associated with alert and perform any appropriate action; ¶ 087, ll 1-9: detect anomalies upon entity exhibiting behavior that is unexpected and based on its assigned behavioral profile)    

Furthermore for Claim 10, Deardorff discloses wherein a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to perform operations. (Deardorff ¶ 029, ll 1-14: general purpose computer activated by a computer program stored in a computer readable storage 

Regarding Claims 2, 11, Deardorff discloses the method of claim 1 and the system of claim 10, wherein creating the profile further comprises: creating a virtual entity group profile when a virtual entity in the set of virtual entities is identified as a member of the virtual entity group which has similar network behavior. (Deardorff ¶ 067, ll 1-7: behavioral profile module creating or defining profiles; analyzes network activity data in order to create profiles representing entity behavior; ¶ 069, ll 1-5: data regarding created profiles stored in one or more databases; ¶ 068, ll 1-5: profile module groups instances of similar network activity data together; assign a label indicative of the type of behavior exhibited; (member of a group))     

Regarding Claims 3, 12, Deardorff discloses the method of claim 2 and the system of claim 11, wherein creating the profile further comprises: creating a connections group when a virtual entity in the set of virtual entities is identified as having similar network behavior with the connections group. (Deardorff ¶ 067, ll 1-7: behavioral profile module creating or defining profiles; analyzes network activity data in order to create profiles representing entity behavior; ¶ 069, ll 1-5: data regarding created profiles stored in one or more databases; ¶ 068, ll 1-5: profile module groups instances of similar network activity data together; assign a label indicative of the type of behavior exhibited; (i.e. member of a group))   

Regarding Claims 9, 18, Deardorff discloses the method of claim 1 and the system of claim 10, further comprising:
a)  reporting the anomaly, when an anomaly has been detected; and 
b)  taking a mitigating activity, when an anomaly has been detected. (Deardorff ¶ 036, ll 6-10: issue alerts (i.e. reporting the anomaly) to inform user of anomalous activity; review any data associated with alert and perform any appropriate action (i.e. mitigating activity); ¶ 087, ll 1-9: detect anomalies upon entity exhibiting behavior that is unexpected based on its assigned behavioral profile)    

Claim Rejections - 35 USC § 103  
4.        The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

5.        Claims 4, 13 are rejected under 35 U.S.C. 103 as being unpatentable over Deardorff in view of Baumard (US PGPUB No. 20160078365). 

Regarding Claims 4, 13, Deardorff discloses the method of claim 3 and the system of claim 12. 
Deardorff does not explicitly disclose a set of probabilistic distributions over values of a large set of factors. 
However, Baumard discloses wherein creating the profile further comprises: including a set of probabilistic distributions over values of a large set of factors, wherein the factors represent an 
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Deardorff for a set of probabilistic distributions over values of a large set of factors as taught by Phan. One of ordinary skill in the art would have been motivated to employ the teachings of Phan for the benefits achieved from a system that enables the utilization of an extensive set of anomaly detection methods.  (Baumard ¶ 023, ll 12-23)    

6.        Claims 5 - 8, 14 - 17 are rejected under 35 U.S.C. 103 as being unpatentable over Deardorff in view of Baumard and further in view of Phan et al. (US PGPUB No. 20200057956). 

Regarding Claims 5, 14, Deardorff-Baumard discloses the method of claim 4 and the system of claim 13, wherein the factors of the large set of factors include observable and unobservable factors, and the factors may be learned from observable factors. (Deardorff ¶ 034, ll 1-10: observing, tracking, and identifying patterns in activity actions across a variety of tool sets and systems, and patterns observed upon one or more networks; profile the intent and predict possible future activity based on observed behavior and recognized intent (i.e. unobserved behavior))   
Deardorff-Baumard does not explicitly disclose factors learned from probabilistic dependencies.

        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Deardorff-Baumard for factors learned from probabilistic dependencies as taught by Phan.  One of ordinary skill in the art would have been motivated to employ the teachings of Phan for the benefits achieved from a system that enables the determination of anomalies utilizing an extensive set of anomaly detection mechanisms.  (Phan ¶ 017, ll 1-7)  

Regarding Claims 6, 15, Deardorff-Baumard discloses the method of claim 5 and the system of claim 14, wherein the aggregated learned distribution of values of all the factors represents a modeled baseline of the virtual entity’s observed behavior or internal state. (Deardorff ¶ 071, ll 3-12: through modelling processes, system can issue alerts based on activity or behavior that deviates from what is expected; (indicated model indicates a specific behavior pattern))    

Regarding Claims 7, 16, Deardorff-Baumard discloses the method of claim 6 and the system of claim 15, wherein determining whether anomalies have been detected further comprises: checking the updated profiles to determine if significant deviations in values exceed a threshold of normal virtual entity behavior. (Deardorff ¶ 100, ll 1-6: a statement that a value exceeds a threshold in the resolution of a relevant system; (i.e. indicated action completed when 

Regarding Claims 8, 17, Deardorff-Baumard discloses the method of claim 7 and the system of claim 16, wherein checking whether the significance of the deviations takes into account both the difference between the expected and actual numeric values of a factor, and the uncertainty in the expected values and the uncertainty in the measurement of the actual observation. (Deardorff ¶ 034, ll 1-10: observing, tracking, and identifying patterns in activity actions across a variety of tool sets and systems, and patterns observed upon one or more networks; profile the intent and predict possible future activity based on observed behavior and recognized intent (i.e. unobserved behavior); ¶ 100, ll 1-6: a statement that a value exceeds a threshold in the resolution of a relevant system; (i.e. indicated action completed when threshold value is exceeded); ¶ 036, ll 6-10: issue alerts to inform user of anomalous activity (i.e. threshold exceeded); review any data associated with alert and perform any appropriate action)  

7.        Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Deardorff in view of Liisberg et al. (US PGPUB No. 20170262325). 

Regarding Claim 19, Deardorff discloses the system of claim 18, wherein the system is further configured to: include a virtual entity associated with an anomaly. (Deardorff ¶ 036, ll 6-10: issue alerts to inform user of anomalous activity; review any data associated with alert and perform 
Deardorff does not specifically disclose blocking a virtual entity associated with an anomaly.
However, Liisberg discloses blocking a virtual entity associated with an anomaly. (Liisberg ¶ 033, ll 1-9: if an anomaly is detected, sending a signal which ensures that communication associated with processes is disrupted (i.e. communication blocked))    
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Deardorff for blocking a virtual entity associated with an anomaly as taught by Liisberg. One of ordinary skill in the art would have been motivated to employ the teachings of Liisberg for the benefits achieved from a system that enables as a security measure communication to be blocked in the event an anomaly is detected. (Liisberg ¶ 033, ll 1-9)  

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kyung H Shin whose telephone number is (571)272-3920.  The examiner can normally be reached on M - F 12pm - 8pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KYUNG H SHIN/
Primary Examiner, Art Unit 2443
April 4, 2021