DETAILED ACTION
Claims 1-20 are presented for examination.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Drawings
The drawings received on 26 June 2019 are accepted.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.


Claims 1, 2, 4, 6-9, 11, 13-16, and 18-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 2, and 4-6 of U.S. Patent No. 10,380,340 B2.
Although the claims at issue are not identical, they are not patentably distinct from each other as outlined in the table below. Differences, if any, are underlined.
Instant Application
Patent no. 10,372,906 B2
Patent no. 10,380,340 B2
Claim 1. A method for generating a model for determining anomalous behavior within activities of a computer system, the method comprising: 
1. A computer program product for determining whether an anomaly of current activities occurs in a computer system having a system log of recorded activities generated by a plurality of processes executing on the computer system, the computer program product comprising: a computer readable storage medium having computer readable program instructions embodied therewith, wherein the computer readable program instructions are executable by a computer processor, the program instructions comprising:
1. A method of generating a behavioral model of a computer system, the computer system having a system log that records activities generated by a plurality of processes executing on the computer system, the method comprising the steps of:
one or more processors partitioning the system log into a plurality of strands, each strand including activities that share a common attribute, the activities included as past activities of the computer system;
one or more processors partitioning a system log of a computer system into a plurality of strands, wherein respective strands are comprised of past activities of the computer system events that share a common attribute;
program instructions to partition the system log into a plurality of strands, each strand including activities that share a common characteristic, the activities including past activities of the computer system;

the one or more processors selecting attributes from said respective strands;
program instructions to select attributes of activities from the plurality of strands;
the one or more processors selecting attributes from the plurality of strands;
the one or more processors generating a plurality of first n-grams, wherein a first n-gram of the first plurality of first n-grams is comprised of the attributes selected from successive activities within a strand and respectively identified by a set of integers;
program instructions to generate first distinct n-grams, based on the attributes of activities selected from the plurality of strands, wherein an n-gram includes attributes from successive activities within a strand;




program instructions to generate a first plurality of n-gram groups, each n-gram group including one or more of the first distinct n-grams in which a first one of the one or more of the first distinct n-grams coexists in a strand also containing a second one of the one or more of the first distinct n-grams;
the one or more processors generating a first plurality of n-gram groups, each n-gram group including a plurality of the first distinct n-grams in which a first one of the plurality of first distinct n-grams coexists in a strand also containing a second one of the plurality of first distinct n-grams;
the one or more processors generating a plurality of n-gram group arrangements, wherein an n-gram group arrangement of the plurality of n-gram group arrangements is comprised of a plurality of n-gram groups, each of said n-gram groups being found in combination in at least one strand,

and wherein an n-gram group arrangement is identified by an array of integers representing component n-gram groups; and
program instructions to generate a first plurality of n-gram group arrangements, each n-gram group arrangement including a plurality of n-gram groups, each of the n-gram groups contained, in combination, in at least one strand,


and wherein a first set of integers respectively identifies the first plurality of distinct n-grams, a combination of integers of the first set of integers that respectively correspond to the first plurality of distinct n-grams identifies an n-gram group of the first plurality of n-gram groups, 

and the first plurality of n-gram group arrangements are represented by arrays of combinations of integers, each combination of integers corresponding to an n-gram group of the first plurality of n-gram groups;
the one or more processors generating a first plurality of n-gram group arrangements, each n-gram group arrangement including a plurality of n-gram groups, each of the n-gram groups being found, in combination, in at least one strand,

and wherein a first set of integers respectively identifies the first plurality of distinct n-grams, an array of integers of the first set of integers that respectively correspond to the first plurality of distinct n-grams identifies an n-gram group of the first plurality of n-gram groups, 

and the first plurality of n-gram group arrangements are represented by arrays of n-gram group integer arrays, each n-gram group integer corresponding to an array of integers of an n-gram group of the first plurality of n-gram groups;
generating a behavioral model including said n-grams, said plurality of n-gram groups and said plurality of n-gram group arrangements.
program instructions to generate a behavioral model based on the past activities of the computer system, wherein the behavioral model contains the first distinct n-grams, the first plurality of n-gram groups, and the first plurality of n-gram group arrangements; and
the one or more processors generating a behavioral model based on the past activity of the computer system, wherein the behavioral model contains the first distinct n-grams, the first plurality of n-gram groups, and the first plurality of n-gram group arrangements; and
[additional limitations permitted]
program instructions to determine whether an anomaly of current activities occurs in the computer system, based on determining whether the current activities represented as second distinct n-grams, second plurality of n-gram groups, and second plurality of n-gram group arrangements are found in the behavioral model.
the one or more processors determining whether an anomaly of current activity occurs in the computer system, based on generating a plurality of second distinct n-grams, a second plurality of n-gram groups, and a second plurality of n-gram group arrangements from attributes of partitioned strands of current activity of the computer system, applied to the behavior model.

2. The computer program product of claim 1, wherein the first distinct n-grams are represented in a hash table mapping each n-gram into an integer identifier.
2. The method of claim 1, wherein the first distinct n-grams are represented in a hash table mapping each n-gram into an identifier.
4. The method of claim 1, wherein the plurality of n-gram groups represent common sequences of first n-grams appearing at the start of a process or common sequences of distinct n-grams appearing at the end of a process.

4. The method of claim 1, wherein the plurality of n-gram groups represent common sequences of first distinct n-grams appearing at the start of a process or common end sequences of first distinct n-grams appearing at the end of a process.
6. The method of claim 1, wherein determining whether an anomaly of events occurs in the computer system, based on the behavioral model, comprises the steps of: 

the one or more processors partitioning the system log, associated with recorded events of current activity of the computer system, into a plurality of strands; 
5. The computer program product of claim 1, wherein determining whether an anomaly of computer processing activities occurs in the computer system, based on the behavioral model, comprises the steps of:
program instructions to partition the system log, associated with recorded activities of current activity of the computer system, into a plurality of strands;
5. The method of claim 1, wherein determining whether an anomaly of activities occurs in the computer system, based on the behavioral model, comprises the steps of:

the one or more processors partitioning the system log, associated with recorded activities of current activity of the computer system, into a plurality of strands;
the one or more processors generating a plurality of second n-grams from the plurality of strands associated with the current activity of the computer system; 
program instructions to generate second distinct n-grams from the plurality of strands associated with the current activities of the computer system;
the one or more processors generating the plurality of second distinct n-grams from the plurality of strands associated with the current activity of the computer system;
the one or more processors generating a plurality of second n-gram groups, each n-gram group including a one or more of the second n-grams in which a first one of the one or more second distinct n-grams coexists in a strand also containing a second one of the one or more second distinct n-grams;
program instructions to generate a second plurality of n-gram groups, each n-gram group including one or more of the second distinct n-grams in which a first one of the one or more of the second distinct n-grams coexists in a strand also containing a second one of the one or more of the second distinct n-grams;
the one or more processors generating the second plurality of n-gram groups, each n-gram group including a plurality of the second distinct n-grams in which a first one of the plurality of second distinct n-grams coexists in a strand also containing a second one of the plurality of the second distinct n-grams;
the one or more processors generating a plurality of second n-gram group arrangements, each n-gram group 



wherein a second set of integers respectively identifies second distinct n-grams, a combination of integers of the second set of integers that respectively correspond to second distinct n-grams, identifies an n-gram group of the second plurality of n-gram groups, and each n-gram group arrangement is identified by an array of second plurality n-gram group integer combinations;

the one or more processors determining whether an anomaly exists between the current activity of the computer system and the past activity of the computer system, based on one or more of: the second n-grams appearing in the first n-grams, the second n-gram groups appearing the first n-gram groups, and the second n-gram group arrangements appearing in the first n-gram group arrangements; and
[Determining whether something appears or fails to appear is the same determination]
program instructions to determine whether an anomaly exists between the current activities of the computer system and the past activities of the computer system, based on one or more of: one of the second distinct n-grams failing to appear in the first distinct n-grams, the second plurality of n-grams groups failing to appear in the first plurality of n-gram groups, and the second plurality of n-gram group arrangements failing to appear in the first plurality of n-gram group arrangements; and
the one or more processors determining whether an anomaly exists between the current activity of the computer system and the past activity of the computer system, based on one or more of: the second distinct n-grams appearing in the first distinct n-grams, the second plurality of n-gram groups appearing the first plurality of n-gram groups, and the second plurality of n-gram group arrangements appearing in the first plurality of n-gram group arrangements; and
the one or more processors, responsive to a determination that an anomaly exists between the current activity and the past activity, providing a notification of the detection of the anomaly to an end user of the computer system.
program instructions, responsive to a determination that an anomaly exists between the current activity and the past activity, to provide an alert of the detection of the anomaly.
the one or more processors, responsive to a determination that an anomaly exists between the current activity and the past activity, providing an indication of the detection of the anomaly to an end user of the computer system.
7. The method of claim 6, wherein the determination that an anomaly exists includes at least one second n-gram that is absent in the first n-grams, and at least one of: a second n-gram group of the one or more second n-gram groups, which is absent in the plurality of first n-gram groups, and a 


Claims 8, 9, 11, 13-16, and 18-20 are substantially similar to respective claims 1, 2, 4, 6, and 7 above.
See above and claims 7-8, 10, and 11.
See above.



Allowable Subject Matter
Claims 1, 2, 4, 6-9, 11, 13-16, and 18-20 would be allowable if rewritten or amended to overcome the Double Patenting rejections under 35 U.S.C. §101, set forth in this Office action.
Claims 3, 5, 10, 12, and 17 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is a statement of reasons for the indication of allowable subject matter:
US patent 9,329,980 B2, Baril, et al. [herein “Baril”] figure 3 shows a time indexed table of function calls of the production input data for n-gram analysis. Baril figure 3 further shows a histogram of n-gram sequences. But Baril fails to teach or suggest representing n-gram group arrangement represented by arrays of integers, each integer corresponding to n-gram groups.
US 2006/0193159 A1 Tan, et al. [herein “Tan”] paragraph 38 defines N-gram as “a textual word or binary data.” Binary data is a set of integers. Similarly, Tan paragraph 38 teaches hash function “generate an M-bit hash value” which is also a set of integers. Tan paragraph 58 teaches “Hash value calculator 910 generates the M-bit hash value, which is then used by the memory lookup module 210 to retrieve the corresponding entry in the compressed first and second memory tables 150, and 160.” The tables are an array of respective integers. Thus, Tan teaches compressing n-gram data into memory tables. But Tan fails to teach a plurality of n-gram group arrangements each comprising a plurality of n-gram groups and each n-gram group arrangement is identified by an array of integers. Tan teaches n-gram groups, and an array of n-gram groups in the memory tables, but not n-gram group arrangements.
Furthermore, it would not be obvious to take the histogram information of Baril and place that statistical summary information into the memory tables taught by Tan. Tan teaches the compressed memory tables are used for pattern matching and the histogram statistical information of Baril is not pattern matching information. Thus, the combination of Baril and Tan would not achieve the arrangement of limitations as now claimed.
US 2016/0226890 A1 Harang [herein “Harang”] paragraphs 46, 50, 51, and 53 teach hashing and re-hashing an n-gram analysis with corresponding hash table. The indices of the hash table and second hash table are each integer identifiers of the corresponding n-grams. However, Harang fails to teach or 
US 2016/0164901 A1 Mainieri, et al. [herein “Mainieri”] paragraph 75 teaches collecting samples of system calls and determining differences of addresses. The differences in addresses can be grouped into n-grams by ordering them by time of collection. Mainieri paragraph 79 teaches n-gram words to define processes snippets.
Sultana, A., et al. “An improved Hidden Markov Model for anomaly detection using frequent common patterns” IEEE ICC 2012, Communication & Info. Sys. Security Symp., pp. 1113-7 (2012) [herein “Sultana”] teaches using frequent common patterns found in trace sequences to train a HMM model for anomaly detection in order to reduce the training time required.
Zolotukhin, M. & Hamalainen, T. “Detection of Zero-day Malware Based on the Analysis of Opcode Sequences” 11th Annual IEEE CCNC Security Privacy & Content Protection, pp. 386-391 (2014) [herein “Zolotukhin”] teaches using a SVM model with opcodes to classify new files as either benign or malware.
US patent 8,225,402 B1 Averbuch, et al. [herein “Averbuch”] column 9 lines 16-22 teaches applying an n-gram analysis to yield a large sparse matrix “that includes an n-gram distribution of the tokens.” A matrix is an array of integers. The n-grams are n-grams but Averbuch fails to teach n-gram groups and fails to teach generating n-gram group arrangements represented by an array of integers.
US patent 8,271,403 B2 Rieck, et al. [herein “Rieck”] columns 7-8, particularly column 8 lines 17-20, teach using a trie data structure for n-gram analysis of network traffic. Rieck column 7 lines 51-55 teach using a hash table for storing and comparing n-gram histograms. But Rieck fails to teach generating n-gram group arrangements represented by an array of integers.
US patent 8,620,842 B1 Cormack [herein “Cormack”] column 21 lines 20-25 teach “a hashing technique may also be used to map the occurrence(s) of multiple unique N-grams onto a single element of a vector or array that is smaller than 2^(8*N). In certain embodiments, a hashing technique is used to reduce the dimensionality of document information profile to be approximately 10^8.” However, Cormack fails to teach n-gram groups and fails to teach generating n-gram group arrangements represented by an array of integers.
None of the references taken either alone or in combination with the prior art of record disclose “wherein an n-gram group arrangement of the plurality of n-gram group arrangements is comprised of a plurality of n-gram groups, each of said n-gram groups being found in combination in at least one strand, and wherein an n-gram group arrangement is identified by an array of integers representing component n-gram groups” in combination with the remaining elements and features of the claimed invention.
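The three model levels recited in the quoted limitation (integer-identified n-grams, n-gram groups, and n-gram group arrangements) can be illustrated with the following added example, which is not code from the application, the reference patents, or any cited art. It assumes strands are keyed by process id, the selected attribute is a system call name, an n-gram group is a fixed-size chunk of consecutive n-gram integers within a strand, and an arrangement is the array of group integers for one strand; the class name, log records and parameters are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample logs of (process id, system call) records.
PAST = [(1, "open"), (2, "open"), (1, "read"), (2, "read"), (1, "read"),
        (2, "write"), (1, "close"), (2, "close")]
CURRENT = ([(10, c) for c in ("open", "read", "read", "close")] +
           [(11, c) for c in ("open", "read", "exec", "close")] +
           [(12, c) for c in ("open", "read", "read", "read", "close")] +
           [(13, c) for c in ("open", "read", "read")])

def strands(log):
    """Partition a log into strands sharing a common attribute (the pid)."""
    by_pid = defaultdict(list)
    for pid, call in log:
        by_pid[pid].append(call)
    return dict(by_pid)

class BehaviorModel:
    def __init__(self, n=2, k=2):
        self.n, self.k = n, k      # n-gram length, n-grams per group (assumed)
        self.ngram_ids = {}        # hash table: n-gram -> integer
        self.group_ids = {}        # tuple of n-gram integers -> integer
        self.arrangements = set()  # arrays (tuples) of group integers

    @staticmethod
    def _lookup(table, key, learn):
        """Return the integer for key; assign a new one only when learning."""
        if key not in table:
            if not learn:
                return None
            table[key] = len(table)
        return table[key]

    def encode(self, calls, learn=False):
        """Encode one strand as n-gram ids, group ids and an arrangement."""
        grams = [tuple(calls[i:i + self.n])
                 for i in range(len(calls) - self.n + 1)]
        g = [self._lookup(self.ngram_ids, x, learn) for x in grams]
        chunks = [tuple(g[i:i + self.k]) for i in range(0, len(g), self.k)]
        grp = [None if None in c else self._lookup(self.group_ids, c, learn)
               for c in chunks]
        return g, grp, tuple(grp)

    def train(self, log):
        for calls in strands(log).values():
            self.arrangements.add(self.encode(calls, learn=True)[2])

    def check(self, log):
        """Map pid -> the lowest model level at which the strand is unseen."""
        findings = {}
        for pid, calls in strands(log).items():
            g, grp, arr = self.encode(calls)
            if None in g:
                findings[pid] = "unseen n-gram"
            elif None in grp:
                findings[pid] = "unseen n-gram group"
            elif arr not in self.arrangements:
                findings[pid] = "unseen n-gram group arrangement"
        return findings

model = BehaviorModel()
model.train(PAST)
FINDINGS = model.check(CURRENT)
```

Process 13 shows why the arrangement level matters: every n-gram and every group in its strand was seen in training, and only the combination of groups in the strand is new.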
Conclusion
Prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Ghosh, A., et al. "Using Program Behavior Profiles for Intrusion Detection" USENIX Association (1999)
Teaches technology background; lookup sequence of system call events and see if similar to normal system call behavior – comparing with a threshold.
Hubballi, N., et al. "Sequencegram: n-gram Modeling of System Calls for Program based Anomaly Detection" IEEE (2011)

Storing system call n-grams in a tree structure. Calculating an anomaly score based on frequency binning.
Zolotukhin, M., et al. "Online Anomaly Detection by Using N-gram Model and Growing Hierarchical Self-Organizing Maps" IEEE, pp. 47-52 (2012)

Applying machine learning techniques to Anomaly Detection. Using n-grams extracted from network logs.


Examiner respectfully requests, in response to this Office action, support is shown for language added to any original claims on amendment and any new claims. Indicate support for newly added claim language by specifically pointing to page(s) and line number(s) in the specification and/or drawing figure(s).
When responding to this Office Action, Applicant is advised to clearly point out the patentable novelty which he or she thinks the claims present, in view of the state of the art disclosed by the references cited or the objections made. He or she must also show how the amendments avoid such references or objections.  See 37 CFR 1.111(c).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jay B Hann whose telephone number is (571)272-3330.  The examiner can normally be reached on M-F 10am-7pm EST.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rehana Perveen can be reached on (571)272-3676.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/Jay Hann/ Primary Examiner, Art Unit 2129
24 April 2021