DETAILED ACTION
In view of the appeal brief filed on 9/24/2020, PROSECUTION IS HEREBY REOPENED. The following rejections are set forth below.

To avoid abandonment of the application, appellant must exercise one of the following options:


(1) File a reply under 37 CFR 1.111 (if this office action is non-final) or a reply under 37 CFR 1.113 (if this office action is final); or,


(2) Initiate a new appeal by filing a notice of appeal under 37 CFR 41.31 followed by an appeal brief under 37 CFR 41.37. The previously paid notice of appeal fees and appeal brief fee can be applied to the new appeal. If, however, the appeal fees set forth in the 37 CFR 41.20 have been increased since they were previously paid, then the appellant must pay the difference between the increased fees and the amount previously paid.

A Supervisory Patent Examiner (SPE) has approved of reopening prosecution by signing below:

/ALEXANDER G KALINOWSKI/Supervisory Patent Examiner, Art Unit 3691                                                                                                                                                                                                        
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1-20 of copending Application No. 15/971943.  Although the clams at issue are not identical, they are not patentably distinct from each other because the claims are directed to a pattern library having pattern images with known risk scores to detect 
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented. 
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


*Analysis has been updated based on the new 2019 Patent Eligibility Guidance (2019 PEG).*
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (abstract idea) without significantly more.
Analysis
Claim 8: Ineligible.
The claim recites a series of steps. The claim is directed to a process, which is a statutory category of invention (Step 1: YES).
The claim is analyzed to determine whether it is directed to a judicial exception.  The claim recites the limitations of receiving a time-ordered series of historical events with associated characteristics, generating a state space representation of the series of historical events, establishing an event pattern layer using event sequence vectors obtained from the state space Step 2A1-Yes).
Next, the claim is analyzed to determine if it is integrated into a practical application. The claim recites additional limitation of using a computer to perform the steps. The processor (computer) in the steps is recited at a high level of generality, i.e., as a generic processor performing a generic computer function of processing data. This generic processor limitation is no more than mere instructions to apply the exception using generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to the abstract idea (Step 2A2-No).
Next, the claim is analyzed to determine if there are additional claim limitations that individually, or as an ordered combination, ensure that the claim amounts to significantly more Step 2A2 above, the additional element in the claim amounts to no more than mere instructions to apply the exception using a generic computer component. The same analysis applies here in Step 2B, i.e., mere instructions to apply an exception using a generic computer component cannot integrate a judicial exception into a practical application at Step 2A or provide an inventive concept in Step 2B. 
Viewing the limitations as an ordered combination does not add anything further than looking at the limitations individually. When viewed either individually, or as an ordered combination, the additional limitations do not amount to a claim as a whole that is significantly more than the abstract idea itself. Therefore, the claim does not amount to significantly more than the recited abstract idea (Step 2B: NO). The claim is not patent eligible.
The analysis above applies to all statutory categories of the invention including claims 1 and 15.  Furthermore, the dependent claims 2-7 and 9-14 and 16-20 do not resolve the issues raised in the independent claim 8.  Claims 2-7 and 9-14 and 16-20 do not include any additional elements that integrate the abstract idea into a practical application or are sufficient to amount to significantly more than the judicial exception when considered both individually and as an ordered combination.  Accordingly, claims 1-7 and 9-20 are rejected as ineligible for patenting under 35 U.S.C. 101 based upon the same analysis.  
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-3, 5-10, 12-17, and 19-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by (US 20170063904).
	Regarding claims 1, 8, , A method of detecting potential fraud (Muddu, para. 135) comprising: 
receiving a time-ordered series of historical events with associated characteristics, by executing first program instructions in a computer system (Abstract, Para. 135, 174-180, 278, 300, 572, Fig, 18 and 62); 
generating a state space representation of the series of historical events, by 5executing second program instructions in the computer system (Par. 31, 147, 161, 175-181, 294-301, Fig. 22; Fig. 22 shows a diagram of an example architecture of the security platform; After mapping the nodes to the ID grid, the process at S902 creates groups of nodes that are in same position of the ID grid, and iteratively minimizing L1-norm; “Norm” in this context is a function that assigned strictly positive strength to each vector space strength; Analysis module 382 takes into account historical event data in 370, 372 and 374; See batch analysis module 382 which employs third party data 384.  More time leads to more batch analysis and real-time analysis 330, with model registry storing model states for machine learning models); 
(Muddu, “anamoly” as detected variation from expected behavior; ML-based CEP engine has advantages in comparison to conventional CEP engines at least because of its ability to recognize unknown patterns, and bring in historical data without overburdening the computer system through ML models; Trained decision tree is superior to user rule for ability to make predicitons; Also, PST-SIM metric is useful to capture similarity between frequent subsequences of two sequences; Para. 5, 149, 270-280, 382-385, 535-538, 625-626)
creating a pattern image for the series of historical events from the event pattern 10layer by applying iterative cluster analysis on the event sequence vectors to combine similarities into patterns, by executing fourth program instructions in the computer system (Muddu, Model training process thread continuously retaining model state; 1616 describes single pass traing process logic; Occurring without recursion or iteration over same input; Process then identifies one or more node clusters in the graph based on the assigned positions of the nodes on ID grid; Specifially, the process creates node groups by iteratively relocating on the ID grad to position on the L1-norm for each node is minimum; After finding positions for nodes that are optimum, each group of nodes represents cluster (Para. 5, 149, 205, 270-280, 314, 350, 370, 382-385, 532-538, 625-626)) 
assigning a risk score to the pattern image, by executing fifth program instructions in the computer system (Muddu, Markovian process flows, with risk scoring mechanism to develop user and entity profiles; Para. 140-144, 147);  
 (Historical data stored from past events for evaluation; Para. 140-144, 147, 251, 412, 416-420); 
and using the pattern library to establish that a series of current events is potentially fraudulent, by executing seventh program instructions in the computer system (Security platform performs behavioral analytics (UEBA) to detect security anomaly and threats; Platform includes both real-time and batch paths/modes for detecting anomalies and threats; Visual presentation allows prompt action to make determinations; Historical data allows real-time evaluations for deployed actions in network; Para. 140-144, 147, 251, 412, 416-420)).  
Regarding claim 2, 9, and 16, Muddu discloses generating a current pattern image for the series of current events, wherein the pattern library includes multiple historical pattern images each having an associated risk score and is used to train a cognitive system, the cognitive system provides a current risk score based on risk scores associated 5with one or more likely matches from the pattern library to the current pattern image, and the series of current events is determined to be potentially fraudulent responsive to a determination that the current risk score exceeds a predetermined threshold (Para., 5, 136, 137, 149, 205-207, 350, 370, 385, 401-404, 643; Anomaly is detected variation from an expected pattern of behavior on the part of the entity.  An anomaly represents an event of possible concern, which may be actionable or warrant further investigation.  An anomaly is detectable, and a set of anomalies may be evaluated together and may result in a determination of a threat, with a “threat” as an interpretation of a threat anomaly indicator, and an anomaly, is an event of possible concern and possibly may be actionable or warrant further investigation.  A detected anomaly in the activity is often associated with one or more entities’ of the computer network, such as one or more physical computing devices, virtual computing devices, users, software modules, accounts, identifiers, and/or addresses. An anomaly or set of anomalies may be evaluated (scored) together, which evaluation may result in a determination of a threat indicator.  Threat indicators represent an escalation of events of concern and are evaluated to identify if a threat to the security of the network exists; Process concludes at step with identifying a security threat if the pattern matching score satisfies a specific criterion; Pattern matching 6 or above). 
Regarding claim 3, 10, and 17, Maddu discloses the characteristics include at least a time, a location, an entity, and an amount (Para. 135, 153, 217, 244, 278-279; Machine data as used includes timestamped event data; time; Particular event as represented by the event data indicates that a particular point in time identified by the timestamp, the user “psibbal” uses the IP address “10.33.240.240” to communicate with an external IP address “74.125.239.107,” (Location) transfers 106 bytes of data (an amount); an anomaly detected by machine learning modiles in the ML-based CEP engine can correspond to an event, a sequence of events, an entity, a group of entities, or combination)). 
Regarding claim 5, 12, and 19, Maddu discloses establishing an aggregator layer based on an aggregator associated with one of the characteristics, wherein the pattern image for the series of historical events is created from both the event pattern layer and the aggregator layer (Para. 5, 10, 136-139, 149, 153-158, 164, 176-179, 205-207, 220-221, 244, 276-277, 282-287, 350-352, 363, 370, 401-404, 508-515, 643, Fig. 2; Above the visualization layer, a software framework layer implements the software services executing on the visualization layer.  Examples are Apache Hadoop, Spark, Storm.  The ML-based CEP engine disclosed is advantageous in comparison to conventional CEP engines at least because of its ability to recognize unknown patterns and to incorporate historical data without overburdening the distributed computation system by use of Machine learning models.  Technologies employed implement the data receiver may include Flume, and REST Flume, an open source distributed service for collecting, aggregating, and moving large amounts of log data).
Regarding claim 6, , 13, and 20, Muddu discloses where the aggregator is selected from the group consisting of a customer, a geography, and an account (Para. 139, 153, 155, 177-179, 220-221, 244, 282-287, 318, 350-352, 363, 508-515; Flume is an open source distributed service for collecting, aggregating, and moving large amounts of data.The environment may present a networked computing environment of one or multiple companies or organizations, and can be implemented across multiple geographic regions (customer and geography); The anomaly data associated with a particular entity may include the underlying event data associated with the anomalous activity, annotated information about that entity (user ID account with device)).
Regarding claim 7, Muddu discloses performing an action in response to establishing that the series of current events is potentially fraudulent, the action selected from a group consisting of a notification, a denial, and a challenge (Para. 151-152, 599-605, 661-662; If the machine generated traffic is an anomaly, the anomaly detection module passes the anomaly threat analysis module.  The threat analysis modules determines if the anomaly is a threat and generates a notification (an alarm), if it is one (notification); When a security threat has been detected, the security platform then reports the threat to an administrator of the network (via the GUI features described above), and/or writes the security threat into a threat log for later review by an administrator (notification); the beaconing anomaly indicates that the device represented by device node sends suspicious beaconing messages periodically to a user device associated with the user represented by user node challenge; These might trigger action, such as stopping intrusion, shutting down network access, locking users, preventing information theft, etc.).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 4, 11, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu (US 20170063904), in view of Norman (US 20100325412). 
Regarding claim 4, 11, and 18, Muddu fails to disclose constructing a Petri-net model for the series of historical events wherein nodes of the Petri-net model correspond to the historical events, the characteristics are identified as pre-conditions or post-conditions by directed arcs toward or away from a given node, and nodes are separated by transitions, 5wherein the state space representation of the series of historical events is generated based on the Petri-net model.  However, Nornan discloses another way of modeling threats against a system that was inspired by attack trees is the use of a Petri nets of just ordinary graphs, where the petri net is a graph with some extra features (informally it is a graph accompanied with a function describing the initial state of the Petri-Net, and a relation with some additional restrictions describing the possible transitions of the system.  Think graph with tokens on vertices; In [7,4], Tidwell et al extends the concept of attack trees with parameters.  See also [3], hisotircal clustering in stratified node topology; In [5], automatic attack trees via the notion of attack tree chaining from description of system).
It would have been obvious to one of ordinary skill in the art, at the effective date of filing, to have modified Muddu with the perti-net model of Norman.  Doing so allows more accurate estimation techniques for examining incidences of fraud and potential of future fraudulent activities based on graphical representations of the past historical events. 
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRANDON M DUCK whose telephone number is (469)295-9049.  The examiner can normally be reached on MON-FRI: 8AM – 5 PM CST.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alex Kalinowski can be reached on 571-272-6771.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

	/BRANDON M DUCK/               Examiner, Art Unit 3698