DETAILED ACTION
This final rejection is responsive to amendments and remarks filed 14 April 2021.
Claims 1-2, 5-8, 11-14, and 17-18 are amended. No claims have been added, cancelled, or withdrawn. Therefore, claims 1-18 are presently pending.

Response to Arguments
Applicant’s amendments to the claims overcome the previous claim objections to claims 5-6, 11-12, and 17-18, which are hereby withdrawn.
Applicant’s amendments to the claims overcome the previous rejections of claims 2-6, 8-12, and 14-18 under 35 U.S.C. § 112, which are hereby withdrawn.
Applicant's arguments with respect to the rejection under 35 U.S.C. § 103 have been fully considered but they are not persuasive. 
While Elbasiony appears to disclose only one path explicitly for anomaly detection, the broadest reasonable interpretation of the limitation “detecting anomalies” as recited in claim 1 may include misuse detection, as disclosed in Elbasiony (see Elbasiony, p. 758, Figure 5). The Examiner has interpreted an anomaly as anything out of the normal, and Elbasiony discloses in both the misuse and anomaly detector components that connections are detected as either normal or intrusive/anomalous (Elbasiony, pp. 757-758, Section 4). So pathways in the misuse detection and the anomaly detection components, as disclosed in Figure 5 of Elbasiony, may teach the newly amended limitations of a “first path” and “second path” for detecting anomalies, which is elaborated in the rejection below.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-2, 7-8, and 13-14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Elbasiony et al. (“A hybrid network intrusion detection framework based on random forests and weighted k-means,” 7 March 2013, Ain Shams Engineering Journal 4, pp. 753-762) (“Elbasiony”) in view of Pajouh et al. (“Two-tier network anomaly detection model: a machine learning approach,” 2017, Journal of Intelligent Information Systems 48, pp. 61-74) (“Pajouh”).
Regarding claim 1, Elbasiony teaches a computer-implemented method, implemented by at least one computing platform operating in a cluster-based parallel computing environment (Elbasiony, p. 754, Section 1, “The proposed methods are evaluated over a real network connections data which are generated from the Defense Advanced Research Projects Agency (DARPA) network connections.” The evaluation of network connections data suggests at least one computing platform operating in a cluster-based parallel computing environment.); 
comprising:
acquiring a plurality of records, each record having a corresponding number of attributes (Elbasiony, p. 755, Section 2.3, “The KDD’99 datasets are used as training and test sets to achieve our experiments. These datasets are 41 extracted features data from DARPA tcpdump data in 1998. KDD’99 datasets consist of three datasets; the first one is the full training set which has 4,898,431 connection records. The second one is the 10% training set which was taken from the full training set, it has 494,021 connection records. The third one is the test set which has 311,029 connections data.”);
identifying outliers in the plurality of records using labels generated from processing the plurality of records through a pipeline of different deep learning models, wherein each deep learning model includes a set of unique instructions configured to output a unique numeric output (Elbasiony, p. 754, Section 2.1, “the misuse detector [included in a pipeline of different deep learning models] classifies the network features database to normal and intrusions [labels generated from processing] based on the patterns generated previously in the offline phase. If an intrusion is found, the alarm system raises an alarm.” Elbasiony, p. 757, Section 4, “The online phase is a part of the misuse detection method; it is mainly responsible for comparing the network connections data [the plurality of records] to the generated intrusion patterns, if any intrusion is detected, a misuse alarm will be generated, and the attack features will be sent to the random attack selector component of the anomaly detection part. If the connection features do not match any attack [identifying outliers], this connection is considered as uncertain data because it could be a novel attack, and will be sent to data preprocessor and merger component of the anomaly detection part in preparation for checking if it is an intrusion or normal connection.”), 
wherein a first set of numeric outputs of a first set of models are used as numeric inputs to a second set of models (Elbasiony, p. 758, Figure 5, “The proposed hybrid intrusion detection framework” shows an offline phase of the misuse detection component, or a first set of models, that feeds a first set of numeric outputs as numeric inputs to an online phase of the misuse detection component, which is included in a second set of models. Elbasiony, p. 757, Section 4, “The online phase is a part of the misuse detection method; it is mainly responsible for comparing the network connections data to the generated intrusion patterns, if any intrusion is detected, a misuse alarm will be generated, and the attack features will be sent to the random attack selector component of the anomaly detection part. If the connection features do not match any attack, this connection is considered as uncertain data because it could be a novel attack, and will be sent to data preprocessor and merger component of the anomaly detection part in preparation for checking if it is an intrusion or normal connection. The offline phase contains the intrusion pattern generator of the misuse detection part, which uses the training dataset to build intrusion patterns used by the online phase. The pattern builder also outputs the feature importance values [example of a first set of numeric outputs] calculated by random forests algorithm used in the anomaly detection part.”), and 
wherein the labels are a binary value based on pre-set threshold values, the binary value being one of true or false (Elbasiony, p. 754, Section 2.1, “the misuse detector classifies the network features database to normal and intrusions [“normal” and “intrusions” represent binary outputs from the misuse detector classifier, also interpreted as binary values false for intrusions and true for intrusions] based on the patterns generated previously in the offline phase. If an intrusion is found, the alarm system raises an alarm.” Elbasiony, p. 757, Section 4, “The online phase is a part of the misuse detection method; it is mainly responsible for comparing the network connections data to the generated intrusion patterns, if any intrusion is detected, a misuse alarm will be generated, and the attack features will be sent to the random attack selector component of the anomaly detection part. If the connection features do not match any attack [based on pre-set threshold values], this connection is considered as uncertain data because it could be a novel attack, and will be sent to data preprocessor and merger component of the anomaly detection part in preparation for checking if it is an intrusion or normal connection.”), and
wherein the second set of models includes:
a first path comprising a first group of models (Elbasiony, p. 758, Figure 5, the online phase of the misuse detection may disclose a first path comprising a first group of models. The first path may begin at the “Random-Forest-Based Misuse Detector,” which then branches off to the “Misuse Alarm System.”); and
a second path different from the first path and comprising a second group of models, wherein the second group includes at least one more model than the first group (Elbasiony, p. 758, Figure 5, the anomaly detection component may disclose a second path different from the first path comprising a second group of models, wherein the second group includes at least one more model than the first group. The second path may begin at the “Random-Forest-Based Misuse Detector,” which then branches off to “Anomaly Detection.”); and
detecting anomalies in the first path and the second path … based on the plurality of records and the labels (Elbasiony, p. 754, Section 2.1, “the misuse detector classifies the network features database to normal and intrusions based on the patterns generated previously in the offline phase. If an intrusion is found, the alarm system raises an alarm.” Elbasiony, pp. 757-758, Section 4, “The online phase is part of the misuse detection method; it is mainly responsible for comparing the network connections data to the generated intrusion patterns, if any intrusion is detected, a misuse alarm will be generated, and the attack. … The anomaly detector component determines the anomalous and normal clusters by ordering the clusters according to the count of known intrusions into them, and select the clusters containing more known intrusions as anomalous clusters, finally, the anomaly alarm system component generates an alarm if anomaly clusters are detected.”).
Elbasiony does not teach the (italicized portion of the) method, comprising:
… detecting anomalies … using a probabilistic classifier ….
However, Pajouh teaches the method, comprising:
detecting anomalies … using a probabilistic classifier (Pajouh, pp. 63-64, Section 3 and Figure 1, “First tier consists data preprocessing and dimension reduction which has better result for decision making and first stage of classification using Naïve Bayes.”).
Both Elbasiony and Pajouh are directed to network anomaly detection. Elbasiony discloses an “anomaly detector component” (Elbasiony, p. 758, Section 4 and Figure 5) but does not disclose using a probabilistic classifier for anomaly detection. However, Pajouh discloses using a Naïve Bayes classifier for anomaly detection. It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the misuse detector component and anomaly detector component in Elbasiony to include a probabilistic classifier, as disclosed in Pajouh. One would be motivated to do so because of Naïve Bayes’ “good performance on low amount of training class instance for classification” (Pajouh, p. 66, Section 3.2).

Regarding claim 2, Elbasiony in view of Pajouh teaches the method of claim 1.
Elbasiony further teaches the method, wherein the pipeline of deep learning models consists of at least two of: 
a model that uses a frequency of occurrence of a term in a document, 
a model that derives topic features, 
a clustering based model (Elbasiony, p. 756, Section 3.2, “The k-means algorithm is a simple iterative method to partition a dataset into a specified number of clusters, K. The algorithm is initialized by picking random K points as the initial K clusters ‘centroids,’ then, the algorithm iterates between two steps till convergence.” Elbasiony, p. 758, Section 4.1, “The wk-means is a modified version of k-means algorithm by including weights of the data features.”), 
an iterative clustering based model (Elbasiony, p. 756, Section 3.2, “The k-means algorithm is a simple iterative method to partition a dataset into a specified number of clusters, K. The algorithm is initialized by picking random K points as the initial K clusters ‘centroids,’ then, the algorithm iterates between two steps till convergence.” Elbasiony, p. 758, Section 4.1, “The wk-means is a modified version of k-means algorithm by including weights of the data features.”), and/or 
a model that uses tree-structures for attribute classifications (Elbasiony, p. 754, Section 2.1, “The misuse detection method (see Fig. 1) employs the random forests algorithm as a data mining classification algorithm.”).

Regarding claims 7-8, claims 7-8 are directed to a computer system comprising multiple processors in a parallel computing environment, the processors configured to perform the operations of claims 1-2, respectively. Therefore the rejections made to claims 1-2 are applied to claims 7-8.

Regarding claims 13-14, claims 13-14 are directed to a computer-readable medium having code stored thereon, the code, upon execution, causing a processor to implement a method comprising the steps of claims 1-2, respectively. Therefore the rejections made to claims 1-2 are applied to claims 13-14.
In addition, Elbasiony discloses, “The proposed methods are evaluated over a real network connections data which are generated from the Defense Advanced Research Projects Agency (DARPA) network connections …. All the algorithms are implemented in C#.Net based on the original implementation of these algorithms” (Elbasiony, p. 754, Section 1).

Claims 3-6, 9-12, and 15-18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Elbasiony and Pajouh, further in view of Huang et al. (“Topic Detection from Microblogs Using T-LDA and Perplexity,” 2017, IEEE, 24th Asia-Pacific Software Engineering Conference Workshops, pp. 71-77) (“Huang”).
Regarding claim 3, Elbasiony in view of Pajouh teaches the method of claim 2.
Elbasiony further teaches the method, wherein 
… the clustering based model comprises a KMeans algorithm (Elbasiony, p. 756, Section 3.2, “The k-means algorithm is a simple iterative method to partition a dataset into a specified number of clusters, K. The algorithm is initialized by picking random K points as the initial K clusters ‘centroids,’ then, the algorithm iterates between two steps till convergence.” Elbasiony, p. 758, Section 4.1, “The wk-means is a modified version of k-means algorithm by including weights of the data features.”), 
the iterative clustering based model comprises a KMeans Anomaly Detector System (Elbasiony, p. 756, Section 3.2, “The k-means algorithm is a simple iterative method to partition a dataset into a specified number of clusters, K. The algorithm is initialized by picking random K points as the initial K clusters ‘centroids’, then, the algorithm iterates between two steps till convergence.” Elbasiony, p. 758, Section 4.1, “The wk-means is a modified version of k-means algorithm by including weights of the data features.” Elbasiony, p. 758, Section 4 and Figure 5, “The anomaly detector component [KMeans Anomaly Detector System] determines the anomalous and normal clusters.”), and
the model that uses tree-structures for attribute classification comprises a Random Forest anomaly detector model (Elbasiony, p. 754, Section 2.1, “The misuse detection method (see Fig. 1) employs the random forests algorithm as a data mining classification algorithm.”).
Elbasiony and Pajouh do not teach the method, wherein
the model that uses frequency of occurrence comprises a term frequency inverse document frequency (TF-IDF) algorithm, [and]
the model that derives topic features comprises a Latent Dirichlet Algorithm (LDA) model ….
However, Huang teaches the method, wherein
the model that uses frequency of occurrence comprises a term frequency inverse document frequency (TF-IDF) algorithm (Huang, p. 71, Section 1, “Firstly, we select key words from microblogs contents according to TF-IDF weight.”), [and]
the model that derives topic features comprises a Latent Dirichlet Algorithm (LDA) model (Huang, p. 71, Section 1, “Firstly, we select key words from microblogs contents according to TF-IDF weight. Secondly, we decide appropriate K-value of the LDA and T-LDA on the basis of Perplexity-K curve. Thirdly, we conduct contrast experiments to extract topics acquired from LDA, T-LDA and K-Means.”).
Both the combination of Elbasiony and Pajouh and the disclosure of Huang are directed to extracting features from data or text records. It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the features preprocessing in the combination to include a model that uses TF-IDF and Latent Dirichlet Algorithm, as disclosed in Huang. One would be motivated to do so, because TF-IDF “takes into account the word frequency and the number of document that contains the words, which makes it convenient to select key words . . . and the key words that reflect topic contents can be kept to the maximum extent” (Huang, p. 73, Section IV-A). Further, “[t]opic modeling is one of the representative methods in automated approaches, and many researchers have applied LDA to topic detection” to extract topics automatically (Huang, pp. 71-72, Section II).

Regarding claim 4, Elbasiony in view of Pajouh teaches the method of claim 2.
Elbasiony further teaches the method, wherein 
… the model that derives topic features comprises … a clustering based model that uses KMeans algorithm (Elbasiony, p. 756, Section 3.2, “The k-means algorithm is a simple iterative method to partition a dataset into a specified number of clusters, K. The algorithm is initialized by picking random K points as the initial K clusters ‘centroids’, then, the algorithm iterates between two steps till convergence.” Elbasiony, p. 758, Section 4.1, “The wk-means is a modified version of k-means algorithm by including weights of the data features.”) and 
a classifier model that uses a multitude of decision trees (Elbasiony, p. 758, Figure 5, “The proposed hybrid intrusion detection framework,” or a classifier model, uses a “Random-Forest-Based Misuse Detector.” Elbasiony, p. 755, Section 2.2, “The random forests algorithm is a classification algorithm consisting of a collection of tree structured classifiers.”), 
including two distinct pipelines of deep learning models differentiated by KMeans clustering (Elbasiony, p. 758, Figure 5, “The proposed hybrid intrusion detection framework” uses two distinct pipelines of deep learning models “Misuse Detection” and “Anomaly Detection,” which is differentiated by KMeans clustering.), and 
a Random Forest Anomaly Detector (Elbasiony, p. 758, Figure 5, “The proposed hybrid intrusion detection framework” uses a “Random-Forest-Based Misuse Detector.”).
Huang further teaches the method, wherein
the model that uses frequency of occurrence comprises a term frequency inverse document frequency (TF-IDF) algorithm (Huang, p. 71, Section 1, “Firstly, we select key words from microblogs contents according to TF-IDF weight.”), [and]
the model that derives topic features comprises a Latent Dirichlet Algorithm (Huang, p. 71, Section 1, “Firstly, we select key words from microblogs contents according to TF-IDF weight. Secondly, we decide appropriate K-value of the LDA and T-LDA on the basis of Perplexity-K curve. Thirdly, we conduct contrast experiments to extract topics acquired from LDA, T-LDA and K-Means.”) ….
Both the combination of Elbasiony and Pajouh and the disclosure of Huang are directed to extracting features from data or text records. It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the features preprocessing in the combination to include a model that uses TF-IDF and Latent Dirichlet Algorithm, as disclosed in Huang. One would be motivated to do so, because TF-IDF “takes into account the word frequency and the number of document that contains the words, which makes it convenient to select key words . . . and the key words that reflect topic contents can be kept to the maximum extent” (Huang, p. 73, Section IV-A). Further, “[t]opic modeling is one of the representative methods in automated approaches, and many researchers have applied LDA to topic detection” to extract topics automatically (Huang, pp. 71-72, Section II).

Regarding claim 5, Elbasiony in view of Pajouh and Huang teaches the method of claim 3.
Elbasiony further teaches the method, wherein 
the plurality of records is [preprocessed for features] (Elbasiony, p. 754, Section 2.1, “In the online phase [of misuse detection], network packets are captured by network sensors and converted to a network features database after some preprocessing.”),
followed by the KMeans algorithm of the pipeline to establish a similarity/distance based statistical baseline for anomaly detection (Elbasiony, p. 758, Figure 5, the “Anomaly Detection” takes input from the online phase of “Misuse Detection.” Elbasiony, pp. 755-756, Section 3.1, “The proposed anomaly detection method (see Fig. 3) employs the k-means algorithm as a data mining clustering algorithm to detect novel intrusions. It captures the network connections data and converts it to an anomaly detection dataset by preprocessing, then, data are partitioned into homogeneous clusters using the k-means algorithm …. The algorithm is initialized by picking random K points as the initial K clusters ‘centroids’, then, the algorithm iterates between two steps till convergence: Step 1: assignment of each point to its closest centroid. Step 2: relocation of each centroid to the mean of its assigned points. The k-means algorithm uses the Euclidean metric to quantify distance between points.” Elbasiony, p. 758, Section 4.1, “The wk-means is a modified version of k-means algorithm by including weights of the data features.” Elbasiony, p. 759, Section 4.3, “The main job of the wk-means algorithm is to partition the network connection data into homogenous clusters based on similarity measures.”); and
wherein the KMeans Anomaly Detector system is used for anomaly detection at an output of the KMeans algorithm (Elbasiony, p. 758, Section 4 and Figure 5, “The anomaly detector component [KMeans Anomaly Detector system at an output of the KMeans algorithm] determines the anomalous and normal clusters.”), and 
wherein a Random Forest classifier in the Random Forest Anomaly Detector model are used to detect anomalies during prediction (Elbasiony, p. 754, Section 2.1, “The misuse detection method (see Fig. 1) employs the random forests algorithm as a data mining classification algorithm. Like all supervised learning techniques, the method operates in two phases: training phase and classification phase. The first phase works offline to build intrusion and normal patterns based on a training dataset, the second phase works online to detect network intrusions [detect anomalies during prediction] based on the patterns generated from the first phase.”).
Huang further teaches the method, wherein
the plurality of records is trained with the TF-IDF algorithm (Huang, p. 71, Section 1, “Firstly, we select key words from microblogs [analogous to plurality of records in Elbasiony] contents according to TF-IDF weight.”), 
followed by the LDA model (Huang, p. 71, Section I, “Firstly, we select key words from microblogs contents according to TF-IDF weight. Secondly, we decide appropriate K-value of the LDA and T-LDA on the basis of Perplexity-K curve. Thirdly, we conduct contrast experiments to extract topics acquired from LDA, T-LDA and K-Means.”) ….
Both the combination of Elbasiony and Pajouh and the disclosure of Huang are directed to extracting features from data or text records. It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the features preprocessing in the combination to include a model that uses TF-IDF and Latent Dirichlet Algorithm, as disclosed in Huang. One would be motivated to do so, because TF-IDF “takes into account the word frequency and the number of document that contains the words, which makes it convenient to select key words . . . and the key words that reflect topic contents can be kept to the maximum extent” (Huang, p. 73, Section IV-A). Further, “[t]opic modeling is one of the representative methods in automated approaches, and many researchers have applied LDA to topic detection” to extract topics automatically (Huang, pp. 71-72, Section II).
 
Regarding claim 6, Elbasiony in view of Pajouh and Huang teaches the method of claim 4.
Elbasiony further teaches the method, further including, 
using [features from preprocessing] as inputs to the KMeans algorithm (Elbasiony, p. 754, Section 2.1, “In the online phase [of misuse detection], network packets are captured by network sensors and converted to a network features database after some preprocessing.” Elbasiony, p. 758, Figure 5, the “Anomaly Detection,” which includes the KMeans algorithm, takes input from the online phase of “Misuse Detection.” Elbasiony, pp. 755-756, Section 3.1, “The proposed anomaly detection method (see Fig. 3) employs the k-means algorithm as a data mining clustering algorithm to detect novel intrusions. It captures the network connections data and converts it to an anomaly detection dataset by preprocessing, then, data are partitioned into homogeneous clusters using the k-means algorithm …. The algorithm is initialized by picking random K points as the initial K clusters ‘centroids’, then, the algorithm iterates between two steps till convergence: Step 1: assignment of each point to its closest centroid. Step 2: relocation of each centroid to the mean of its assigned points. The k-means algorithm uses the Euclidean metric to quantify distance between points.” Elbasiony, p. 758, Section 4.1, “The wk-means is a modified version of k-means algorithm by including weights of the data features.”).
Huang further teaches the method, further including,
using outputs of both the TF-IDF algorithm and the LDA algorithm as inputs (Huang, p. 71, Section I, “Firstly, we select key words from microblogs contents according to TF-IDF weight. Secondly, we decide appropriate K-value of the LDA and T-LDA on the basis of Perplexity-K curve. Thirdly, we conduct contrast experiments to extract topics acquired from LDA, T-LDA and K-Means.”).
Both the combination of Elbasiony and Pajouh and the disclosure of Huang are directed to extracting features and topics from data or text records. It would have been obvious to one of ordinary skill in the art before the effective filing date to modify the features preprocessing in the combination to include a model that uses TF-IDF and Latent Dirichlet Algorithm, as disclosed in Huang, as inputs to the KMeans model, as disclosed in Elbasiony. One would be motivated to do so, because TF-IDF “takes into account the word frequency and the number of document that contains the words, which makes it convenient to select key words . . . and the key words that reflect topic contents can be kept to the maximum extent” (Huang, p. 73, Section IV-A). Further, “[t]opic modeling is one of the representative methods in automated approaches, and many researchers have applied LDA to topic detection” (Huang, pp. 71-72, Section II) to extract topics automatically, and “LDA and K-Means are common methods to extract topics in texts” (Huang, p. 74, Section IV-B).

Regarding claims 9-12, claims 9-12 are directed to a computer system comprising multiple processors in a parallel computing environment, the processors configured to perform the operations of claims 3-6, respectively. Therefore the rejections made to claims 3-6 are applied to claims 9-12.

Regarding claims 15-18, claims 15-18 are directed to a computer-readable medium having code stored thereon, the code, upon execution, causing a processor to implement a method comprising the steps of claims 3-6, respectively. Therefore the rejections made to claims 3-6 are applied to claims 15-18.
In addition, Elbasiony discloses, “The proposed methods are evaluated over a real network connections data which are generated from the Defense Advanced Research Projects Agency (DARPA) network connections …. All the algorithms are implemented in C#.Net based on the original implementation of these algorithms” (Elbasiony, p. 754, Section 1).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Desai et al. (US 2020/0265119) (“Desai”) is directed to site-specific anomaly detection and discloses a pipeline of models for anomaly detection, which may include a random forest classifier and a k-means clustering model (Desai, FIG. 2 and PP[0022, 0026, 0034]). 
Maatta et al. (US 2012/0278890) (“Maatta”) is directed to intrusion detection in communication networks and discloses a framework for anomaly detection, which includes a misuse and anomaly detector feeding into a classifier (Maatta, FIG. 1 and PP[0047-0052]).

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CATHERINE F LEE whose telephone number is (571)270-7487.  The examiner can normally be reached on Monday thru Friday, 10:00AM-6:00PM EDT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Miranda Huang can be reached on (571)270-7092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/C.F.L./Examiner, Art Unit 2124
/MIRANDA M HUANG/Supervisory Patent Examiner, Art Unit 2124