Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
Claims 1-20 are pending.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or, for pre-AIA, the applicant, regards as the invention.

Claims 1, 10, and 19 recite (emphasis added by examiner) “the alert being indicative that an anomaly in data collected from a plurality of data sources may be present in at least one of the data sources.” The recitation of the phrase “may be present” leaves it unclear whether the alert occurs when an anomaly is present or not, as the phrase “may be” is by definition indefinite.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-20 are rejected under 35 U.S.C. 102(a)(1)/(2) as being anticipated by Muddu et al (US Pat. 9,516,053; cited on IDS), hereafter, “Muddu.”

As to claim 1, Muddu discloses a computing system comprising: one or more processors; and one or more computer-readable media having thereon computer-executable instructions that are structured such that, when executed by the one or more processors (Abstract and Fig. 3), cause the computing system to: 
receive one or more entities related to an alert and a date when the alert occurred, the alert being indicative that an anomaly in data collected from a plurality of data sources may be present in at least one of the data sources (column 14, lines 17-41, particularly, “The event data represents events that take place in the network environment. For example, data source 304 is a source of data pertaining to logs including, for example, user log-ins and other access events. These records may be generated from operational (e.g., network routers) and security systems (e.g., firewalls or security software products). Data source 306 is a source of data from different types of applications, including software as a service (e.g., Box.TM.).” and column 58, line 54-
search all the plurality of data sources for the one or more entities around the alert date to determine which of the data sources of the plurality of data sources include the one or more entities (column 69, line 29-column 70, line 28, particularly, “At step 3820, for each event, the process acquires an event-specific relationship graph (e.g., a mini-graph), for example, from the data intake and preparation stage via the distributed messaging platform. The event-specific relationship graph is indicative of entities involved in the associated event and one or more relationships between the entities involved in the event…For each event, the process identifies one or more computer network activities of a particular type based on the event-specific relationship graph. The identified computer network activities are associated with the same entity and occur during a predefined time period.”); and 
for those data sources including the one or more entities, perform an anomaly lookup procedure on the data sources during a first time window to determine an initial set of suspicious anomalies (column 69, line 29-column 70, line 28, particularly, “At step 3820, for each event, the process acquires an event-specific relationship graph (e.g., a mini-graph), for example, from the data intake and preparation stage via the distributed messaging platform. The event-specific relationship graph is indicative of entities involved in the associated event and one or more relationships between the entities involved in the event…For each event, the process identifies one or more computer network activities of a particular type based on the event-specific relationship graph. The identified computer network activities are associated with the same entity and occur during a predefined time period…In some embodiments, the stored data entry for the combined computer network activity includes information about an activity 

As to claims 10 and 19, they are rejected by a similar rationale to that set forth in claim 1’s rejection.

As to claims 2 and 11, Muddu discloses that searching for the one or more entities around the alert date further comprises: for those data sources including the one or more entities, identifying data including the one or more entities that is of a type that is useable by the anomaly lookup procedure; and performing the anomaly lookup procedure on the useable data (column 69, line 29-column 70, line 28, particularly, “At step 3820, for each event, the process acquires an event-specific relationship graph (e.g., a mini-graph), for example, from the data intake and preparation stage via the distributed messaging platform. The event-specific relationship graph is indicative of entities involved in the associated event and one or more relationships between the entities involved in the event…For each event, the process identifies one or more computer network activities of a particular type based on the event-specific relationship graph. The identified computer network activities are associated with the same entity and occur during a predefined time period…In some embodiments, the stored data entry for the combined computer network activity includes information about an activity type, an originating entity, a target entity, the number of times the computer network activities occur in the time period, a start time, an end time, an average gap period between the computer network activities that occur in the time period, or a standard deviation of gap periods between the computer network activities that occur in the time period.”).

As to claims 3 and 12, Muddu discloses the type of the data that is useable by the anomaly lookup procedure is one of categorical data or continuous data (column 58, line 54-column 59, line 47, particularly, “In some embodiments, processing of event data 2302 is performed in real-time as the event data is received. In such an embodiment, real-time processing may be performed by a processing engine optimized for high rate or real-time processing, such as Apache Storm or Apache Spark Streaming.” and column 69, line 29-column 70, line 28, particularly, “At step 3820, for each event, the process acquires an event-specific relationship graph (e.g., a mini-graph), for example, from the data intake and preparation stage via the distributed messaging platform. The event-specific relationship graph is indicative of entities involved in the associated event and one or more relationships between the entities involved in the event”).

As to claims 4 and 13, Muddu discloses that the one or more entities comprise one or more of a machine name, a user name, an IP address, or a network identifier (column 69, line 29-column 70, line 28, particularly, “For each event, the process identifies one or more computer network activities of a particular type based on the event-specific relationship graph. The identified computer network activities are associated with the same entity and occur during a predefined time period…In some embodiments, the stored data entry for the combined computer network activity includes information about an activity type, an originating entity, a target entity, the number of times the computer network activities occur in the time period, a start time, an end time, an average gap period between the computer network activities that occur in the time period, or a standard deviation of gap periods between the computer network activities that occur in the time period.”).

As to claims 5, 14, and 20, Muddu discloses performing the anomaly lookup procedure during a second time window that is of a longer time period than the first time window to thereby help determine if the initial set of suspicious anomalies are of a malicious type or are of a random type (column 26, lines 47-52, “The time period depends on the environment (e.g., the network traffic) and the administrator. In some implementations, the composite relationship graph is stored (or "mined" in data mining context) per day; however, the graph mining time period can be a week, a month, and so forth.”).

As to claims 6 and 15, Muddu discloses ranking the initial set of suspicious anomalies to determine an order at which each of the suspicious anomalies should be investigated further (column 60, lines 27-35; “Process 2600 continues at step 2606 with identifying a threat indicator if the threat indicator score satisfies a specified criterion (e.g., a threshold). Continuing with the given example, the specified criterion may be set such that a threat indicator is identified if the threat indicator score is 6 or above, for example.”).

As to claims 7 and 16, Muddu discloses that the date that the alert occurred also includes an associated time stamp (column 69, line 29-column 70, line 28, particularly, “In some embodiments, the stored data entry for the combined computer network activity includes information about an activity type, an originating entity, a target entity, the number of times the computer network activities occur in the time period, a start time, an end time, an average gap period between the computer network activities that occur in the time period, or a standard deviation of gap periods between the computer network activities that occur in the time period.”).

As to claims 8 and 17, Muddu discloses that performing the anomaly lookup procedure comprises: determining a count of the initial set of suspicious anomalies during the first time window; and comparing the count during the first time window to a count determined during a third time window that is longer than the first time window (column 26, lines 47-52, “The time period depends on the environment (e.g., the network traffic) and the administrator. In some implementations, the composite relationship graph is stored (or "mined" in data mining context) per day; however, the graph mining time period can be a week, a month, and so forth.”).

As to claims 9 and 18, Muddu discloses the plurality of data sources include logs from one or more of a specific computer, routers on a network, an application, an operating system, network infrastructure, and cloud computing infrastructure (column 14, lines 14-41).
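The procedure that claims 1, 5, 6 and 8 recite, as characterised above, is set out below as an added illustration. This is editorial example code; it is neither the applicant's implementation nor anything disclosed by Muddu. The data sources, entity names, alert date, window lengths, ratio threshold and the "burst versus diffuse" test used to separate a concentrated anomaly from background noise in the longer second window are all constructed assumptions made for the illustration only.

```python
"""Illustration of the anomaly lookup procedure recited in claims 1, 5, 6 and 8.
Editorial example code, not the applicant's implementation and not Muddu's. Sources,
entities, alert date, window lengths, threshold and the burst/diffuse split are assumed."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed alert: the entities it names and the date/time it occurred (claims 1 and 7).
ALERT_DATE = datetime(2024, 3, 1, 12, 0)
ALERT_ENTITIES = {"host-17", "alice"}

SEARCH_WINDOW = timedelta(hours=1)   # "around the alert date" (claim 1), assumed +/- 1 h
FIRST_WINDOW = timedelta(hours=1)    # first time window (claim 1)
SECOND_WINDOW = timedelta(hours=6)   # longer second window (claim 5)
THIRD_WINDOW = timedelta(days=7)     # longer third window used as the baseline (claim 8)


def _ts(days=0, hours=0, minutes=0):
    return ALERT_DATE + timedelta(days=days, hours=hours, minutes=minutes)


# Constructed records per data source (claim 9): (timestamp, entity, event type).
SOURCES = {
    "firewall": [
        (_ts(minutes=5), "host-17", "deny"), (_ts(minutes=10), "host-17", "deny"),
        (_ts(minutes=12), "host-17", "deny"), (_ts(minutes=20), "host-17", "deny"),
        (_ts(days=-3), "host-17", "deny"), (_ts(days=-5), "host-17", "deny"),
        (_ts(minutes=7), "host-42", "deny"),
        # 3 DNS events at the alert plus 16 spread over +/- 5 h: noisy, not concentrated
        *[(_ts(minutes=m), "host-17", "dns") for m in (1, 2, 3)],
        *[(_ts(minutes=m), "host-17", "dns") for m in range(-300, 301, 30) if abs(m) > 60],
    ],
    "auth": [
        (_ts(minutes=2), "alice", "login_fail"), (_ts(minutes=3), "alice", "login_fail"),
        (_ts(minutes=4), "alice", "login_fail"), (_ts(minutes=6), "alice", "login_success"),
        *[(_ts(days=-d), "alice", "login_success") for d in (1, 2, 4, 6)],
    ],
    "app": [(_ts(minutes=30), "svc-billing", "error"), (_ts(days=-2), "svc-billing", "error")],
}


def sources_with_entities(sources, entities, alert_date, window=SEARCH_WINDOW):
    """Claim 1: search every source around the alert date; return those holding an alert entity."""
    lo, hi = alert_date - window, alert_date + window
    return sorted(name for name, recs in sources.items()
                  if any(lo <= ts <= hi and ent in entities for ts, ent, _ in recs))


def count_events(records, entities, centre, window):
    """Count (entity, event type) pairs for the given entities within centre +/- window."""
    lo, hi = centre - window, centre + window
    return Counter((ent, kind) for ts, ent, kind in records if ent in entities and lo <= ts <= hi)


def anomaly_lookup(sources, names, entities, alert_date,
                   first=FIRST_WINDOW, third=THIRD_WINDOW, threshold=3.0):
    """Claims 1 and 8: count events in the first window and compare with the count over the
    longer third window, scaled to the first window's length (first window excluded from the
    baseline). Returns {(source, entity, kind): score} for every score >= threshold."""
    scale = first / (third - first)  # baseline events expected per first-window length
    anomalies = {}
    for name in names:
        short = count_events(sources[name], entities, alert_date, first)
        long_ = count_events(sources[name], entities, alert_date, third)
        for key, n in short.items():
            expected = (long_[key] - n) * scale
            score = n / max(expected, 1.0)  # floor of 1.0 avoids dividing by a near-zero baseline
            if score >= threshold:
                anomalies[(name,) + key] = score
    return anomalies


def classify(sources, anomalies, alert_date, first=FIRST_WINDOW, second=SECOND_WINDOW,
             burst_fraction=0.5):
    """Claim 5: re-examine each anomaly over the longer second window. Events concentrated in
    the first window are a burst (potentially malicious); events spread over the second
    window look like background noise (assumed split, labelled 'diffuse')."""
    labels = {}
    for name, ent, kind in anomalies:
        in_first = count_events(sources[name], {ent}, alert_date, first)[(ent, kind)]
        in_second = count_events(sources[name], {ent}, alert_date, second)[(ent, kind)]
        labels[(name, ent, kind)] = "burst" if in_first / in_second >= burst_fraction else "diffuse"
    return labels


def rank(anomalies):
    """Claim 6: order the suspicious anomalies for investigation, highest score first."""
    return sorted(anomalies, key=lambda key: (-anomalies[key], key))


def investigate(sources, entities, alert_date):
    names = sources_with_entities(sources, entities, alert_date)
    anomalies = anomaly_lookup(sources, names, entities, alert_date)
    labels = classify(sources, anomalies, alert_date)
    return [(key, anomalies[key], labels[key]) for key in rank(anomalies)]


if __name__ == "__main__":
    for key, score, label in investigate(SOURCES, ALERT_ENTITIES, ALERT_DATE):
        print(f"{key}: score={score:.1f} {label}")
```

On the constructed records the "app" source holds none of the alert entities and is never examined; the firewall deny burst and the failed logins score above the threshold and stay concentrated in the first window, while the DNS events also pass the first-window ratio test but are spread across the longer second window and are labelled diffuse, which is the distinction claim 5 is directed to.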

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
US Pat. 9,407,651 (Mathis) – The method involves generating a predictive model for network-site analytics metric based on a segment of time-series data, where the predictive model performs time-series analysis by taking recognized cycles into consideration by applying a mathematical model that represents recognized cycles. Expected value range is predicted for the network-site analytics metric for next time step after the segment using the predictive model. A determination is made whether actual value for the network-site analytics metric for the next time step is anomalous value based on the expected value range.
US Pat. 7,363,656 (Weber et al) – The anomalies which are low-level differences in network operation relative to some comparison period, are identified. The anomalies are collected into operationally relevant events by traversing a connection table to identify and correlate anomalies by determining connection patterns that correlate with a particular event class. The event severity comprising the type, number and severity of anomalies that led to the identification of the event, is determined and the event reports are sent to an operator.
US Pat. 8,495,429 (Fu et al) – The method involves parsing a log message from an unstructured text string to a structured form and the log message is stored in computer-based memory. The structured log messages that contain a same value of a same program variable are grouped. The invariants for respective types of log message groups are identified. The invariants are applied to log sequences of respective log types to detect anomalies using a computer-based processor.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS J DAILEY whose telephone number is (571)270-1246.  The examiner can normally be reached on 9:30am-6:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen can be reached on 571-272-6967.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/Thomas J Dailey/
Primary Examiner, Art Unit 2452