DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Allowable Subject Matter
Claims 1-8, 10-15 and 21-26 are allowed.
Reasons for Allowance
According to 37 CFR 1.104(e), if the examiner believes that the record of the prosecution as a whole does not make clear his or her reasons for allowing a claim or claims, the examiner may set forth such reasoning. Accordingly, Examiner concludes that, for clarity, the record requires that Examiner set forth reasons for the allowance of claims 1-8, 10-15 and 21-26. The applicant or patent owner may file a statement commenting on the following reasons for allowance within THREE MONTHS FROM THE “MAILING DATE” of this communication.
The following is an examiner’s statement of reasons for allowance.
For example, the cited prior art of record comprises inter alia the following references:
	US 10,148,680 B1			Segev et al.
	US 2018/0039555 A1		Salunke et al.
	US 2019/0155672 A1		Wang et al.

Regarding claims 1, 11 and 21, Segev teaches: a system (110, FIG. 1B) (col. 11, ln. 60 through col. 12, ln. 5 “Server 110”) comprising:

a network interface (116, FIG. 1B) (col. 12, lns. 1-5 and 23-37 “Communication module 116 may...include...network interface”); and
one or more processors (113, FIG. 1B) in communication with the memory and the network interface, the one or more processors (col. 12, lns. 1-5 and 23-52 “processor 113, may cause...detecting anomaly”) configured to;
create an anomaly detection model including a singular value matrix and a data pattern matrix from a matrix of historical network traffic data (col. 4, lns. 44-51 “create an anomaly detection model/receiving a dataset comprising a plurality m of MDDPs...constructing...based on the received data...an embedded space; and classifying...an arrived MDDP as an anomaly or as normal”; col. 1, lns. 34-51 “high dimensional big data (HDBD) are common in....streaming...HDBD is a collection of multi-dimensional data points (MDDPs)”; col. 4, lns. 52-65 “m x n matrix A of data, where each row in A contains n extracted parameters (features) and m measurements. The measurements are...streamed”; col. 5, ln. 57 through col. 6, ln. 3 “HDBD may be processed using a matrix A representing MDDP as a training dataset of size m x n, where m is the number of data points (rows in the matrix) and n denotes the dimensions [] of the data point features...training data can contain anomalies/patterns”; col. 2, lns. 8-24 “Anomaly detection... identifies, in a given dataset, patterns”; note: Segev’s matrix may be a singular value matrix because a “numerical value” is a “singular value” and Segev’s features n may “be described in [a] numerical (e.g., 3.14)...manner” [see: col. 1, lns. 63-65] also note that Segev’s data (e.g., MDDP) can be “historical data” [see: col. 10, lns. 47-58]);

receive streaming network traffic data (col. 10, lns. 26-42 “Data provided/ received...may comprise...streaming data”);
perform a log transform on the streaming network traffic data (col. 4, lns. 5-13 “assembled logs, from streamed data”; col. 27, lns. 58-59 “the logarithm value of streaming network traffic data/NAMDDP is stored”; note: Segev may “transform” its “streamed data” into “assembled logs” [see: col. 4, lns. 5-13]);
apply the anomaly detection model to a matrix of the streaming network traffic data in real time as the streaming network traffic data is received (col. 19, lns. 37-44 “Online detection can be applied to analyze real-time raw HDBD/data 
detect (340A/340B, FIG. 3A) anomalous patterns in the streaming network traffic data based on patterns identified by the anomaly detection model (col. 10, lns. 26-42; col. 25, ln. 58 through col. 26, ln. 49 “online detection 340A/340B...of NAMDDPs/streaming network traffic”; col. 31, lns. 22-36 “output of the detection step is...a decision mechanism that determines whether...data is normal or abnormal”).
However, Segev does not explicitly disclose: wherein the one or more processors is configured to detect the anomalous patterns in the streaming network traffic data by being configured to: perform an error calculation between a row of the matrix of the streaming network traffic data and a corresponding row of a reconstructed matrix of the streaming network traffic data; assign a value to a result of the error calculation based on a cumulative distribution function for a plurality of error calculation results; determine whether a cumulative distribution function value for the error calculation exceeds a specified threshold cumulative distribution function value; and in response to determine that the cumulative distribution function value for the error calculation exceeds the specified threshold cumulative distribution function value, identify the corresponding streaming network traffic data as anomalous; and associate anomalous patterns in streaming network traffic data with internet protocol addresses.
Salunke teaches: associate anomalous patterns in streaming network traffic data with internet protocol addresses (¶ 93 “information about the detected anomalies...may include...IP addresses...which triggered the alert”; ¶ 75 “anomaly detection services 130 may monitor...streams”).
However, Segev in view of Salunke does not explicitly disclose: wherein the one or more processors is configured to detect the anomalous patterns in the streaming network traffic data by being configured to: perform an error calculation between a row of the matrix of the streaming network traffic data and a corresponding row of a reconstructed matrix of the streaming network traffic data; assign a value to a result of the error calculation based on a cumulative distribution function for a plurality of error calculation results; determine whether a cumulative distribution function value for the error calculation exceeds a specified threshold cumulative distribution function value; and in response to determine that the cumulative distribution function value for the error calculation exceeds the specified threshold cumulative distribution function value, identify the corresponding streaming network traffic data as anomalous.
In an analogous art, Wang teaches:
detecting (340, FIG. 3 / 600, FIG. 6) anomalous patterns in data (¶ 63, 47 “output [] anomalous groups”);
performing an error calculation (¶ 60 “determine the differences in the area under [a] curve”);
assigning a value based on a CDF (¶ 60 “convert the latency histogram data into a cumulative distribution function (CDF) curves”).
 wherein the one or more processors is configured to detect the anomalous patterns in the streaming network traffic data by being configured to: perform an error calculation between a row of the matrix of the streaming network traffic data and a corresponding row of a reconstructed matrix of the streaming network traffic data; assign a value to a result of the error calculation based on a cumulative distribution function for a plurality of error calculation results; determine whether a cumulative distribution function value for the error calculation exceeds a specified threshold cumulative distribution function value; and in response to determine that the cumulative distribution function value for the error calculation exceeds the specified threshold cumulative distribution function value, identify the corresponding streaming network traffic data as anomalous.

Claims 2-8, 10, 12-15 and 22-26 depend from claims 1, 11 and 21, therefore the dependent claims are allowable for at least the reasons set forth above.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kalish Bell whose telephone number is (571) 272-5294.  The examiner can normally be reached on 9am-5pm, M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool.  To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).  If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/KALISH K BELL/Examiner, Art Unit 2432


/MORSHED MEHEDI/Primary Examiner, Art Unit 2432