DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed on 02/26/2021 have been fully considered but they are not persuasive.
Regarding the § 101 remarks, pages 10-15:
Applicant argues that “Regarding group (c), the above elements are not directed to any of the certain mental processes - concepts performed in the human mind activities identified by the Revised Guidance. In particular, the computer-implemented "receiving an unstructured input stream of data instances from the computing environment, the unstructured input stream being time stamped" is not a mental process but a process implemented by a computer. The computer-implemented process of "categorizing the data instances of the unstructured input stream of data instances, the data instances comprising any of a one principle value or a categorical attribute determined through machine learning:" is not a mental process in that it is computer implemented and that it utilizes machine learning. The computer-implemented process step of "generating anomaly scores for each of the data instances collected over a period of time" and "detecting a change in the categorical attribute that is indicative of an anomaly" are also not a mental process in that they are computer-implemented. For at least these reasons, it is submitted that claim 1 does not recite an abstract idea since the claim process steps, either in whole or in part, are not directed to concepts performed in the human mind.” [Remarks pages 10-11].
The steps of receiving an unstructured input stream of data instances…, categorizing the data instances…, generating anomaly scores, and detecting a change in the categories are directed to observing a stream of data, categorizing the data based on similarities, scoring that data based on a set of rule(s), and thereby observing whether a change happens based on the categorical instances, such as a change of similarity.
Applicant also argued that “In Prong 2 of Step 2A, even if the pending claims in this case could somehow be construed as being directed to an abstract idea, which the undersigned denies, the claims are nevertheless directed to patent eligible subject matter because they integrate a practical application. The Revised Guidance explains: "[a] claim that integrates a judicial exception into a practical application will apply, rely on, or use the judicial exception in a manner that imposes a meaningful limit on the judicial exception, such that the claim is more than a drafting effort designed to monopolize the judicial exception. (Revised Guidance, at 9 and 10.)” [Remarks pages 12-15]. 
The only additional elements appear to be extra-solution activity such as data gathering and the generic recitation that the method is performed on a computer implemented with machine learning algorithms, which, as noted above, cannot themselves provide significantly more than the judicial exception. Moreover, the act of making the anomaly detection may itself be mentally performable - that is, part of the judicial exception. The judicial exception cannot integrate itself into a practical 

Regarding art rejection:
Regarding applicant's argument that “The requirement of the principal value and a categorical attributes being determined from machine learning is not taught by Mudda.” [claim 11, page 17, and claim 1, page 19]:
The requirement of a principal value and a categorical attribute can be met by any data with a category. The specification gives examples such as log time, user, login location, etc. (see specification ¶ 31). Therefore, incoming data processed using machine learning as stated in ¶ 143 of Mudda corresponds to the requirement of the principal value and the categorical attributes being determined from machine learning. Furthermore, applicant argues that the instances can be data instances that are not part of the event data; however, the claim does not limit or define the instances, and therefore any instances read on the limitation. 
Applicant's arguments with respect to amended claims 11 and 16 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.



Claims 16-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention. 
The term "tokens less than a certain character count and not using a specific character set" in claim 16 is a relative term which renders the claim indefinite. The term "less than a certain character count and not using a specific character set" is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. For the purpose of examination, ‘tokens less than a certain character count and not using a specific character set’ is interpreted as ‘any character count rule’. Appropriate clarification/correction is required. 
Claims 17-20 are rejected as they depend, directly or indirectly, on rejected claim 16.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The analysis of the claims’ subject matter eligibility will follow the 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50-57 (January 7, 2019) (“2019 PEG”).

With respect to claim 1.
Claim 1 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Step 1 Analysis: Claim 1 is directed to a method, which is directed to a process, one of the statutory categories.
Step 2A Prong One Analysis: the claim is directed to receiving an unstructured input stream of data instances that are time stamped, categorizing the data instances, generating anomaly scores for each data instance collected over a period of time, and detecting a change in the categorical attribute that is indicative of an anomaly. Each of the following limitations:
• “receiving an unstructured input stream of data instances…the unstructured input stream being time stamped".
• “categorizing the data instances of the unstructured input stream of data instances, the data instances comprising any of a one principle value or a categorical attribute…".
• "generating anomaly scores for each of the data instances collected over a period of time".
• "detecting a change in the categorical attribute that is indicative of an anomaly”.
as drafted, is a process that, under its broadest reasonable interpretation, covers mental processes (concepts performed in the human mind (including an observation, 
Step 2A Prong Two Analysis: This judicial exception is not integrated into a practical application. In particular, the claim only recites additional elements that are mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea. See MPEP 2106.05(f). The additional elements of the “computing environment” and “machine learning” are recited at a high level of generality, and comprise only a processor that simply performs generic computer functions. Generic computers performing generic computer functions, alone, do not amount to significantly more than the abstract idea. The generic computer components in these steps are recited at a high level of generality (i.e., as a generic computer component performing a generic computer function) such that they amount to no more than mere instructions to apply the exception using a generic computer component. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Step 2B Analysis: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with 

With respect to claim 2.
Claim 2 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Step 1 Analysis: Claim 2 is directed to a method, which is directed to a process, one of the statutory categories.
Step 2A Prong One Analysis: the claim is directed to a change in anomaly scores that is performed using a counterfactual analysis. Each of the following limitations:
• “wherein the change in anomaly scores is performed using a counterfactual analysis".
as drafted, is a process that, under its broadest reasonable interpretation, covers mental processes (concepts performed in the human mind (including an observation, evaluation, judgment, opinion)) but for the recitation of generic computer components. For example, but for the generic computer components language, the above limitations in the context of this claim encompass evaluating the anomaly scores using a counterfactual analysis. A human is able to create possible alternatives to the changes of the scores by evaluation and judgment. Accordingly, the claim recites an abstract idea.

With respect to claim 3.
Claim 3 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Step 1 Analysis: Claim 3 is directed to a method, which is directed to a process, one of the statutory categories.
Step 2A Prong One Analysis: the claim is directed to removing at least a portion of the data instances; regenerating the anomaly scores for each of the data instances over the continuous time intervals; and wherein if the regenerated anomaly scores are improved compared to the anomaly scores, at least a portion of the categorical attributes are identified as anomalous categorical attributes and a cause of the anomalous activity. Each of the following limitations:
• “removing at least a portion of the data instances".
•”regenerating the anomaly scores for each of the data instances over the continuous time intervals”.
•”wherein if the regenerated anomaly scores are improved compared to the anomaly scores, at least a portion of the categorical attributes are identified as anomalous categorical attributes and a cause of the anomalous activity”
as drafted, is a process that, under its broadest reasonable interpretation, covers mental processes (concepts performed in the human mind (including an observation, evaluation, judgment, opinion)) but for the recitation of generic computer components. For example, but for the generic computer components language, the above limitations in the context of this claim encompasses removing portion of the instances by 

With respect to claim 4.
Claim 4 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Step 1 Analysis: Claim 4 is directed to a method, which is directed to a process, one of the statutory categories.
Step 2A Prong One Analysis: the claim is directed to tokenizing segments within the unstructured input stream; filtering or removing a portion of the tokenized segments based on a set of filtering criteria; applying a weight to one or more of the filtered, tokenized segments; comparing the filtered, tokenized segments to one another to determine if a match exists therebetween; and categorizing the filtered, tokenized segments based on the comparison. Each of the following limitations:
• “tokenizing segments within the unstructured input stream".
•”filtering or removing a portion of the tokenized segments based on a set of filtering criteria”.
•”applying a weight to one or more of the filtered, tokenized segments.”
•” comparing the filtered, tokenized segments to one another to determine if a match exists therebetween”.
•”categorizing the filtered, tokenized segments based on the comparison”.
as drafted, is a process that, under its broadest reasonable interpretation, covers mental processes (concepts performed in the human mind (including an observation, 

With respect to claim 5.
Claim 5 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Step 1 Analysis: Claim 5 is directed to a method, which is directed to a process, one of the statutory categories.
Step 2A Prong One Analysis: the claim is directed to when a match does not exist, a new category is created and attributed to one or more of the filtered, tokenized segments. Each of the following limitations:
• “when a match does not exist, a new category is created and attributed to one or more of the filtered, tokenized segments".
as drafted, is a process that, under its broadest reasonable interpretation, covers mental processes (concepts performed in the human mind (including an observation, evaluation, judgment, opinion)) but for the recitation of generic computer components. For example, but for the generic computer components language, the above limitations 

With respect to claim 6.
Claim 6 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Step 1 Analysis: Claim 6 is directed to a method, which is directed to a process, one of the statutory categories.
Step 2A Prong One Analysis: the claim is directed to applying tokenization rules to exclude at least a portion of the segments of the unstructured log file. Each of the following limitations:
• “applying tokenization rules to exclude at least a portion of the segments of the unstructured log file".
as drafted, is a process that, under its broadest reasonable interpretation, covers mental processes (concepts performed in the human mind (including an observation, evaluation, judgment, opinion)) but for the recitation of generic computer components. For example, but for the generic computer components language, the above limitations in the context of this claim encompasses evaluating the segments by excluding a portion of segments of the unstructured log file. Accordingly, the claim recites an abstract idea.

With respect to claim 7.

Step 1 Analysis: Claim 7 is directed to a method, which is directed to a process, one of the statutory categories.
Step 2A Prong One Analysis: the claim is directed to applying filtering rules to remove tokenized segments corresponding to only numerical values or tokenized segments corresponding to date-related words, or tokenized segments corresponding to numbers with trailing units. Each of the following limitations:
• “applying filtering rules to remove tokenized segments corresponding to only numerical values or tokenized segments corresponding to date-related words, or tokenized segments corresponding to numbers with trailing units".
as drafted, is a process that, under its broadest reasonable interpretation, covers mental processes (concepts performed in the human mind (including an observation, evaluation, judgment, opinion)) but for the recitation of generic computer components. For example, but for the generic computer components language, the above limitations in the context of this claim encompasses evaluating the filtering process by using only numerical values or segments that corresponds to date-related words or numbers with trailing units. Accordingly, the claim recites an abstract idea.

With respect to claim 8.
Claim 8 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Step 1 Analysis: Claim 8 is directed to a method, which is directed to a process, one of the statutory categories.
Step 2A Prong One Analysis: the claim is directed to wherein comparing the filtered, tokenized segments to one another further comprises determining distances between the filtered, tokenized segments based on deletions and replacements, further wherein the distances between the filtered, tokenized segments indicates if they are close enough to match. Each of the following limitations:
• “wherein comparing the filtered, tokenized segments to one another further comprises determining distances between the filtered, tokenized segments based on deletions and replacements, further wherein the distances between the filtered, tokenized segments indicates if a weighted number of operations relative to a total weight of the tokenized segments is within 15%".
as drafted, is a process that, under its broadest reasonable interpretation, covers mental processes (concepts performed in the human mind (including an observation, evaluation, judgment, opinion)) but for the recitation of generic computer components. For example, but for the generic computer components language, the above limitations in the context of this claim encompass evaluating the distance between the filtered, tokenized segments in terms of the deletions and replacements between them and judging whether that distance is close enough for the segments to match. Accordingly, the claim recites an abstract idea.

With respect to claim 9.
Claim 9 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Step 1 Analysis: Claim 9 is directed to a method, which is directed to a process, one of the statutory categories.
Step 2A Prong One Analysis: the claim is directed to creating features for a current group of the data instances; applying an anomaly detection algorithm that takes as inputs the features for the current group, and group features calculated using set functions for groups earlier than the current group; and generating the anomaly scores, the anomaly scores being indicative of how anomalous are the features for the current group. Each of the following limitations:
• “creating features for a current group of the data instances”. 
• “applying an anomaly detection algorithm that takes as inputs the features for the current group, and group features calculated using set functions for groups earlier than the current group”. 
• “generating the anomaly scores, the anomaly scores being indicative of how anomalous are the features for the current group."
as drafted, is a process that, under its broadest reasonable interpretation, covers mental processes (concepts performed in the human mind (including an observation, evaluation, judgment, opinion)) but for the recitation of generic computer components. For example, but for the generic computer components language, the above limitations in the context of this claim encompass creating features for a group of the data, evaluating an anomaly detection algorithm, and judging scores using set functions, which can be done with pen and paper. Accordingly, the claim recites an abstract idea.

With respect to claim 10.
Claim 10 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Step 1 Analysis: Claim 10 is directed to a method, which is directed to a process, one of the statutory categories.
Step 2A Prong One Analysis: the claim is directed to enacting changes in the computing environment relative to at least a portion of the categorical attributes to prevent future instances of the anomalous activity. Each of the following limitations:
• “enacting changes in … relative to at least a portion of the categorical attributes to prevent future instances of the anomalous activity”. 
as drafted, is a process that, under its broadest reasonable interpretation, covers mental processes (concepts performed in the human mind (including an observation, evaluation, judgment, opinion)) but for the recitation of generic computer components. For example, but for the generic computer components language, the above limitations in the context of this claim encompass enacting changes to prevent future anomalous activity, which a human can do based on the categorical attributes. Accordingly, the claim recites an abstract idea.

With respect to claim 11.
Claim 11 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Step 1 Analysis: Claim 11 is directed to a method, which is directed to a process, one of the statutory categories.
Step 2A Prong One Analysis: the claim is directed to receiving an unstructured input stream of data instances, the data instances in the unstructured input stream being time stamped; categorizing the data instances of the unstructured input stream of data instances, the data instances comprising at least one principle value and a set of categorical attributes; grouping the data instances into groups based on continuous time intervals, each of the continuous time intervals having a length; applying set functions to each of the groups; and generating an anomaly score for each of the groups using the set functions. Each of the following limitations:
• “receiving an unstructured input stream of data instances, the data instances in the unstructured input stream being time stamped”.
• “categorizing the data instances of the unstructured input stream of data instances, the data instances comprising at least one principle value and a set of categorical attributes…”.
• “grouping the data instances into groups based on continuous time intervals and at least one principle value, each of the continuous time intervals having a length”.
• “applying set functions to each of the groups; and generating an anomaly score for each of the groups using the set functions.” 
as drafted, is a process that, under its broadest reasonable interpretation, covers mental processes (concepts performed in the human mind (including an observation, evaluation, judgment, opinion)) but for the recitation of generic computer components. For example, but for the generic computer components language, the above limitations in the context of this claim encompasses observing unstructured input stream of data, evaluate the instances by categorizing them which a human can mentally read data and 
Step 2A Prong Two Analysis: This judicial exception is not integrated into a practical application. In particular, the claim only recites additional elements that are mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea. See MPEP 2106.05(f). The additional elements of the “computing environment” and “machine learning” are recited at a high level of generality, and comprise only a processor that simply performs generic computer functions. Generic computers performing generic computer functions, alone, do not amount to significantly more than the abstract idea. The generic computer components in these steps are recited at a high level of generality (i.e., as a generic computer component performing a generic computer function) such that they amount to no more than mere instructions to apply the exception using a generic computer component. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Step 2B Analysis: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using generic computer components such as “computing environment”, “machine learning” to perform the abstract idea amounts to no more than mere instructions to apply the exception using a generic computer component. Mere 

With respect to claim 12.
Claim 12 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Step 1 Analysis: Claim 12 is directed to a method, which is directed to a process, one of the statutory categories.
Step 2A Prong One Analysis: the claim is directed to applying a counterfactual analysis or a regularity analysis to identify which of the set of categorical attributes for a group is influencing one or more anomalies in the groups that are indicative of the anomalous activity in the computing environment. Each of the following limitations:
• “applying a counterfactual analysis or a regularity analysis to identify which of the set of categorical attributes for a group is influencing one or more anomalies in the groups that are indicative of the anomalous activity...” 
as drafted, is a process that, under its broadest reasonable interpretation, covers mental processes (concepts performed in the human mind (including an observation, evaluation, judgment, opinion)) but for the recitation of generic computer components. For example, but for the generic computer components language, the above limitations in the context of this claim encompass evaluating the anomaly scores using a counterfactual analysis. A human is able to create possible alternatives to the changes of the scores by evaluation and judgment, which would indicate influence in the activity. Accordingly, the claim recites an abstract idea.

With respect to claim 13.
Claim 13 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Step 1 Analysis: Claim 13 is directed to a method, which is directed to a process, one of the statutory categories.
Step 2A Prong One Analysis: the claim is directed to generating the anomaly score by applying an anomaly detection algorithm to values generated using the set function to detect changes in the groups over the continuous time intervals. Each of the following limitations:
• “wherein generating the anomaly score further comprises applying an anomaly detection algorithm to values generated using the set function to detect changes in the groups over the continuous time intervals” 
as drafted, is a process that, under its broadest reasonable interpretation, covers mental processes (concepts performed in the human mind (including an observation, evaluation, judgment, opinion)) but for the recitation of generic computer components. For example, but for the generic computer components language, the above limitations in the context of this claim encompass evaluating an anomaly detection algorithm and judging scores using set functions, which can be done with pen and paper. Accordingly, the claim recites an abstract idea.

With respect to claim 14.

Step 1 Analysis: Claim 14 is directed to a method, which is directed to a process, one of the statutory categories.
Step 2A Prong One Analysis: the claim is directed to determining a change in the anomaly score; removing at least a portion of the data instances; regenerating the anomaly score for each of the data instances which remain after the removing; and comparing the regenerated anomaly score to the anomaly score to identify if at least a portion of the categorical attributes caused the change in the anomaly score. Each of the following limitations:
• “determining a change in the anomaly score”.
• “removing at least a portion of the data instances”. 
• “regenerating the anomaly score for each of the data instances which remain after the removing”.
• “comparing the regenerated anomaly score to the anomaly score to identify if at least a portion of the categorical attributes caused the change in the anomaly score.” 
as drafted, is a process that, under its broadest reasonable interpretation, covers mental processes (concepts performed in the human mind (including an observation, evaluation, judgment, opinion)) but for the recitation of generic computer components. For example, but for the generic computer components language, the above limitations in the context of this claim encompasses evaluating a change in the anomaly score, removing portion of the data instances, evaluate anomaly scores for each remaining data instances and comparing the new score with the anomaly score to identify what 


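The following Python program is an illustration added by the editor; it is not part of this Office action, of the application, or of the cited art. It carries out the steps paraphrased for claims 9, 11, 13 and 14 above: grouping time-stamped data instances into continuous time intervals of a fixed length, applying set functions to each group, generating an anomaly score for the current group from its own features and the features of the earlier groups, and then removing the instances that share a categorical attribute value, regenerating the score, and comparing it with the original score to identify which attribute caused the change. The five-minute interval length, the z-score detector with a floor on the spread, the particular set functions, and the sample data instances are assumptions made for this example; the claims as paraphrased do not specify them.

```python
"""Added illustration of the grouping, set-function, anomaly-score and
counterfactual-removal steps. Every constant, the detector and the sample
data below are assumptions for this example, not the application's own."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass
class DataInstance:
    ts: datetime          # time stamp of the data instance
    principal: str        # the claimed "principle value", here the event type
    attrs: dict           # categorical attributes, e.g. user / src_ip / outcome


INTERVAL = timedelta(minutes=5)   # assumed length of each continuous interval
STD_FLOOR = 1.0                   # assumed floor so a flat history does not divide by zero
EPS = 1e-9                        # tolerance when deciding that a score improved

# Assumed set functions: each maps a group (a list of instances) to one number.
SET_FUNCTIONS = {
    "count": lambda g: float(len(g)),
    "failures": lambda g: float(sum(1 for x in g if x.attrs.get("outcome") == "fail")),
    "distinct_users": lambda g: float(len({x.attrs.get("user") for x in g})),
}


def group_by_interval(instances, start, n_intervals):
    """Bucket instances into n_intervals back-to-back intervals of INTERVAL length
    beginning at start; an interval with no instances stays an empty list."""
    groups = [[] for _ in range(n_intervals)]
    for inst in instances:
        idx = int((inst.ts - start) // INTERVAL)
        if 0 <= idx < n_intervals:
            groups[idx].append(inst)
    return groups


def group_features(group):
    return {name: fn(group) for name, fn in SET_FUNCTIONS.items()}


def anomaly_score(current, history):
    """Largest absolute z-score of any feature of the current group relative to
    the same feature over the earlier groups (assumed detector)."""
    if not history:
        return 0.0
    score = 0.0
    for name, value in current.items():
        past = [h[name] for h in history]
        spread = max(pstdev(past), STD_FLOOR)
        score = max(score, abs(value - mean(past)) / spread)
    return score


def score_groups(groups):
    """One score per group, each computed only from the groups before it."""
    feats = [group_features(g) for g in groups]
    return [anomaly_score(feats[i], feats[:i]) for i in range(len(feats))]


def find_causes(instances, start, n_intervals, target):
    """Counterfactual check: for each (attribute, value) seen in the target group,
    remove the instances carrying it, regenerate the scores, and report the pairs
    whose regenerated score for the target group is lower than the original."""
    groups = group_by_interval(instances, start, n_intervals)
    baseline = score_groups(groups)[target]
    candidates = {(k, v) for inst in groups[target] for k, v in inst.attrs.items()}
    results = []
    for attr, value in sorted(candidates):
        kept = [x for x in instances if x.attrs.get(attr) != value]
        regenerated = score_groups(group_by_interval(kept, start, n_intervals))[target]
        if regenerated < baseline - EPS:
            results.append((attr, value, regenerated))
    return sorted(results, key=lambda r: (r[2], r[0], r[1]))


def sample_instances():
    """Constructed data: five quiet 5-minute intervals of interactive logins,
    then a sixth interval with a burst of failed logins from one source."""
    start = datetime(2021, 1, 12, 3, 0, 0)
    users = [("alice", "10.0.0.2"), ("bob", "10.0.0.3"), ("carol", "10.0.0.4")]
    data = []
    for i in range(6):
        t0 = start + i * INTERVAL
        for k, (user, ip) in enumerate(users):
            data.append(DataInstance(t0 + timedelta(seconds=30 * k), "login",
                                     {"user": user, "src_ip": ip, "outcome": "ok"}))
        if i == 2:  # one ordinary failed login inside the baseline
            data.append(DataInstance(t0 + timedelta(seconds=200), "login",
                                     {"user": "bob", "src_ip": "10.0.0.3", "outcome": "fail"}))
    burst = start + 5 * INTERVAL
    for k in range(12):
        data.append(DataInstance(burst + timedelta(seconds=100 + 5 * k), "login",
                                 {"user": "admin", "src_ip": "10.0.0.5", "outcome": "fail"}))
    return start, data


if __name__ == "__main__":
    start, data = sample_instances()
    groups = group_by_interval(data, start, 6)
    for i, s in enumerate(score_groups(groups)):
        print(f"interval {i}: features={group_features(groups[i])} score={s:.2f}")
    print("causes:", find_causes(data, start, 6, target=5))
```

Run as a script, the sixth interval scores far above the baseline intervals; removing the instances with outcome "fail", src_ip "10.0.0.5" or user "admin" brings its regenerated score back to the baseline level, while removing any other attribute value does not, so those three attribute values are identified as the cause of the change.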
With respect to claim 15.
Claim 15 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Step 1 Analysis: Claim 15 is directed to a method, which is directed to a process, one of the statutory categories.
Step 2A Prong One Analysis: the claim is directed to identifying when a categorical attribute of the set of categorical attributes influences the anomaly score for the set of categorical attributes if an output of an anomaly detection algorithm is approximately identical to alternative instances in which the set of categorical attributes exists. Each of the following limitations:
• “identifying when a categorical attribute of the set of categorical attributes influences the anomaly score for the set of categorical attributes if an output of an anomaly detection algorithm is within 30% to alternative instances in which the set of categorical attributes exists”.
as drafted, is a process that, under its broadest reasonable interpretation, covers mental processes (concepts performed in the human mind (including an observation, evaluation, judgment, opinion)) but for the recitation of generic computer components. For example, but for the generic computer components language, the above limitations 
With respect to claim 16.
Claim 16 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Step 1 Analysis: Claim 16 is directed to a method, which is directed to a process, one of the statutory categories.
Step 2A Prong One Analysis: the claim is directed to receiving an unstructured log file of a computing environment, the unstructured log file comprising temporal data; tokenizing segments within the unstructured log file; filtering or removing a portion of the tokenized segments based on a set of filtering criteria; applying a weight to one or more of the filtered, tokenized segments; comparing the filtered, tokenized segments to one another to determine if a match exists therebetween; and categorizing the filtered, tokenized segments based on the comparison. Each of the following limitations:
• “receiving an unstructured log file…, the unstructured log file comprising temporal data”.
• “tokenizing segments within the unstructured log file”.
• “filtering or removing a portion of the tokenized segments based on a set of filtering criteria, wherein the filtering excludes tokens less than a certain character count and not using a specific character set”.
• “applying a weight to one or more of the filtered, tokenized segments”.
• “comparing the filtered, tokenized segments to one another to determine if a match exists therebetween”.
• “categorizing the filtered, tokenized segments based on the comparison.”
as drafted, is a process that, under its broadest reasonable interpretation, covers mental processes (concepts performed in the human mind (including an observation, evaluation, judgment, opinion)) but for the recitation of generic computer components. For example, but for the generic computer components language, the above limitations in the context of this claim encompass observing unstructured data including temporal data, evaluating the input streams by tokenizing or labeling the input, removing tokens or labels based on a filtering criterion, judging a weight for the filtered segments, comparing the filtered segments to evaluate whether a match exists, and categorizing the filtered segments based on the comparison, which a person of skill in the art would be able to do in their head or by using pen and paper. Accordingly, the claim recites an abstract idea.
Step 2A Prong Two Analysis: This judicial exception is not integrated into a practical application. In particular, the claim only recites additional elements that are mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea. See MPEP 2106.05(f). The additional element of the “computing environment” is recited at a high level of generality, and comprises only a processor to simply perform the generic computer functions. Generic computers performing generic computer functions, alone, do not amount to significantly more than the abstract idea. The generic computer components in these steps are recited at a high level of generality (i.e., as a generic computer component performing a generic computer function) such that they amount to no more than mere instructions to apply the 
Step 2B Analysis: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using generic computer components such as “computing environment” to perform the abstract idea amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The claim is not patent eligible.

Claims 17-20 recite language similar to that of claims 5-8. Therefore the rejection of claims 5-8 above applies equally here.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
 
 
Claims 1, 4-9, 11 and 15 are rejected under 35 USC 103 as being unpatentable over Mudda et al. (US 2017/0063910 A1) in view of Chandola et al. (Anomaly Detection: A Survey).

Regarding claim 1, 
Mudda teaches a computer-implemented method for detecting anomalous activity in a computing environment (see ¶ 137, “anomalous activity detection in a networked environment”, also see ¶ 139, “The environment 10 may represent a networked computing environment of one or multiple companies or organizations, and can be implemented across multiple geographic regions”), the method comprising: 
receiving an unstructured input stream of data instances from the computing environment (see ¶ 143, “incoming data is processed using machine learning/data science techniques to extract knowledge from large volumes of data that are structured or unstructured”, also see ¶ 248, “the event view enables the security platform to both implement late binding and have a homogeneous way to access the unstructured event data”), the unstructured input stream being time stamped (see ¶ 174, “a time series database 370 that represents the database for storing time stamped data”, also see ¶ 222, “even if the events arrive in an order that is not the same as how they actually took place, as long as the events have timestamps”, teaches unstructured input being time stamped); 
categorizing the data instances of the unstructured input stream of data instances, the data instances comprising any of a one principle value or a categorical attribute determined through machine learning (see ¶ 143, “incoming 
generating anomaly scores for each of the data instances collected over a period of time (see ¶ 358, “processing the event data 2302 through an anomaly model.  According to an embodiment, an anomaly model includes at least model processing logic defining a process for assigning an anomaly score to the event data 2302”, also see ¶ 359 “the resulting anomaly score may be a value between 0 and 10, with 0 being the least anomalous and 10 being the most anomalous”, also see ¶ 379, “identifying threat indicators based on duration of detected anomalous behavior.  Anomalies may be detected over a period of time”); 

detecting a change in the categorical attribute that is indicative of an anomaly.
Chandola teaches detecting a change in the categorical attribute that is indicative of an anomaly (see page 15:5 section 1.4, “For each of the six categories, we not only discuss the techniques, but also identify unique assumptions regarding the nature of anomalies made by the techniques in that category. These assumptions are critical for determining when the techniques in that category would be able to detect anomalies, and when they would fail. For each category, we provide a basic anomaly detection technique, and then show how the different existing techniques in that category are variants of the basic technique. This template provides an easier and more succinct understanding of the techniques belonging to each category. Further, for each category we identify the advantages and disadvantages of the techniques.”)
Both Mudda and Chandola pertain to the problem of anomaly detection and are therefore analogous art. It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to combine Mudda and Chandola to detect a change in the categorical attributes. The motivation for doing so would be to show changes and to identify the advantages and disadvantages of the techniques in each category in order to differentiate between normal and anomalous behavior (Chandola Abstract).

Regarding claim 4, 
Mudda and Chandola teach the method of claim 1,
wherein categorizing the data instances of the unstructured input stream of data instances comprises: tokenizing segments within the unstructured input stream (see ¶ 190, “"extracting a token from an event" will be understood as extracting a token from the event data that represents the event.”, also see ¶ 206, “the received data representing an event, which field represents a token that may correspond to a timestamp, an entity, an action, an IP address, an event identifier (ID), a process ID, a type of the event, a type of machine that generates the event, and so forth”); 
filtering or removing a portion of the tokenized segments based on a set of filtering criteria (see ¶ 164, “The data receivers 310 may also optionally filter some of the event data”, also see ¶ 0165, “the semantic processor 316 may perform parsing of the incoming event data, enrichment (also called decoration or annotation) of the event data with certain information, and optionally, filtering the event data”, also see ¶ 167, “An optional filter attribution block 322 in the semantic processor 316 removes certain pre-defined events.  The attribution filter 322 in the semantic processor 316 may further remove events that need not be processed by the security platform”); 
applying a weight to one or more of the filtered, tokenized segments (see ¶ 235, “Depending on the model, other criteria for an event to be considered relevant for model training and/or updating purposes may include, for example, when a new event includes a particular machine identifier, a particular user identifier, and/or the recency of the new event.  Moreover, some models may assign a different weight to the new event based on what type of event it is.”); 
comparing the filtered, tokenized segments to one another to determine if a match exists therebetween (see ¶ 262, “two sessions is determined based on comparing three items: "from-session-link-context", "to-session-link-context", and "Link-Event time"… Two existing sessions should be linked or correlated if the newly added session (1) matches a link event time range, (2a) has a match in one of its from-session-link-context or to-session-link-context with those of one existing session, and (2b) has at least a partial match in one of its from-session-link-context or to-session-link-context with those of another existing session”, also see ¶ 634, “assigning an anomaly score indicating a confidence level that the entity identifier matches a particular entry in the external data source based on the comparing.”); 
and categorizing the filtered, tokenized segments based on the comparison (see ¶ 143, “incoming data is processed using machine learning/data science techniques to extract knowledge from large volumes of data that are structured or unstructured”, also see ¶ 249, “ the fields can be used by a machine learning model to identify which subset of the event data (e.g., serverIP, sourceIP, sourcePort, etc.) is the information that the model wants to receive.”, also see ¶ 273, “The event feature set can include at least a subset of the raw event data; metadata associated with the raw event data; transformed, summarized, and/or normalized representation of portions of the raw event data; derived attributes from portions of the raw event data; labels for portions of the raw event data; or any combination”, also see ¶ 445, “Anomalies can be classified into various types.  As examples, anomalies can be alarms, blacklisted applications/domains/IP addresses, domain name anomalies, excessive uploads or downloads, website attacks, land speed violations, machine generated beacons, login 

Regarding claim 5, 
Mudda and Chandola teach the method of claim 4,
Mudda further teaches wherein when a match does not exist, a new category is created and attributed to one or more of the filtered, tokenized segments (see ¶ 204, “after the data connectors 802 obtain/receive the data, if the data format of the data is unknown (e.g., the administrator has not specified how to parse the data), then the format detector 804 can be used to detect the data format of the input data.  For example, the format detector 804 can perform pattern matching for all known formats to determine the most likely format of a particular event data”, also see 476, “as shown in FIG. 44A, the GUI provides a bubble 4400 prompting the user to tag the threat with "Threat Watchlist," "False Positive," "Important," "Reviewed," "Save for Later," or to define a new category for tagging (via the "New Threat Watchlist" selection)”). 

Regarding claim 6, 
Mudda and Chandola teach the method of claim 5,
further comprising applying tokenization rules to exclude at least a portion of the segments of the unstructured log file (see ¶ 147, “To operate in real-time, the evaluation is performed primarily or exclusively on event data pertaining to current events contemporaneously with the data being generated by and/or received from the data source(s).  In certain embodiments, the real-time processing path excludes historical data (i.e., stored data pertaining to past events) from its evaluation.  Alternatively in an embodiment, the real-time processing path excludes third-party data from the evaluation in the real-time processing path.  These example types of data that are excluded from the real-time path can be evaluated in the batch processing path”, also see ¶ 164, “The data receivers 310 may also optionally filter some of the event data. For example, to reduce the workload of the security platform”, also see ¶ 218, “if the network administrator wishes to receive data in a new data format, he can edit the configuration file to create rules (e.g., in the form of functions or macros) for the particular data format including, for example, identifying how to tokenize the data”, also see ¶ 704, “The semantic processor 316 (FIG. 3) can process the event data to remove, add or modify at least some of the information and generate the traffic log 8050 in a condition that is suitable for further processing by the system 8025 efficiently”).

Regarding claim 7, 
Mudda and Chandola teach the method of claim 6,
Mudda further teaches further comprising applying filtering rules to remove tokenized segments corresponding to only numerical values or tokenized segments corresponding to date-related words, or tokenized segments corresponding to numbers with trailing units (see ¶ 164, “the data receivers 310 may also optionally filter some of the event data”, also see ¶ 167, “The attribution filter 322 in the semantic processor 316 may further remove events that need not be processed by the security platform.  An example of such an event is an internal data transfer that occurs between two IP addresses as part of a regular file backup.  In some embodiments, the functions of semantic processor 316 are configurable by a configuration file to permit easy updating or adjusting”; filtering of IP addresses corresponds to removing tokenized segments corresponding to only numerical values or tokenized segments corresponding to date-related words, because IP addresses can include date-related words and can also be tokenized segments corresponding to numbers with trailing units). 

Regarding claim 8, 
Mudda and Chandola teach the method of claim 7,
Mudda further teaches wherein comparing the filtered, tokenized segments to one another further comprises determining distances between the filtered, tokenized segments based on deletions and replacements, further wherein the distances between the filtered, tokenized segments indicates if a weighted number of operations relative to a total weight of the tokenized segments is within 15% (see ¶ 167, “filter attribution block 322 in the semantic processor 316 removes certain pre-defined events.  The attribution filter 322 in the semantic processor 316 may further remove events that need not be processed by the security platform.”, 
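The following is an added, illustrative implementation of the tokenize / filter / weight / compare / categorize sequence recited in claims 4-8 as mapped above (including the "no match, new category" rule of claim 5 and the weighted distance "within 15%" of claim 8). It is not code from Mudda, Chandola or the application under examination. The sample log lines are constructed; the filtering regular expressions, the 3-character minimum, the token weights (1.0 for purely alphabetic tokens, 0.5 for tokens containing digits or punctuation) and the reading of "relative to a total weight of the tokenized segments" as the combined weight of the two segments being compared are assumptions made for the example.

```python
"""Added example: tokenize, filter, weight, compare and categorize unstructured
log lines. Illustrative only; not code from Mudda, Chandola or the application."""
import re

# Constructed sample log lines (not taken from any cited reference).
SAMPLE_LOG = [
    "2021-02-26 10:01:02 sshd[1234]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2",
    "2021-02-26 10:01:07 sshd[1290]: Failed password for invalid user root from 10.0.0.9 port 51300 ssh2",
    "2021-02-26 10:02:00 kernel: eth0 link up, 1000Mbps full duplex",
    "2021-02-26 10:03:15 sshd[1301]: Accepted password for alice from 192.168.1.20 port 40022 ssh2",
]

MIN_CHARS = 3                                          # "tokens less than a certain character count" (assumed)
CHARSET = re.compile(r"^[A-Za-z0-9_.:/\[\]-]+$")       # "a specific character set" (assumed)
NUMERIC_ONLY = re.compile(r"^\d+$")                    # segments corresponding to only numerical values
NUMBER_WITH_UNIT = re.compile(r"^\d+(\.\d+)?[A-Za-z%]{1,5}$")  # numbers with trailing units, e.g. 1000Mbps
DATE_LIKE = re.compile(r"^(\d{4}-\d{2}-\d{2}|\d{2}:\d{2}:\d{2})$")  # ISO dates and clock times
DATE_WORDS = {"jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec",
              "mon", "tue", "wed", "thu", "fri", "sat", "sun", "today", "yesterday"}
MATCH_RATIO = 0.15                                     # "within 15%"


def tokenize(line):
    """Split a log line on whitespace and strip trailing punctuation from each segment."""
    return [t for t in (s.strip(",:;") for s in line.split()) if t]


def keep_token(tok):
    """Filtering rules: character count, character set, numeric-only, number+unit, date-related."""
    if len(tok) < MIN_CHARS or not CHARSET.match(tok):
        return False
    if NUMERIC_ONLY.match(tok) or NUMBER_WITH_UNIT.match(tok):
        return False
    if DATE_LIKE.match(tok) or tok.lower() in DATE_WORDS:
        return False
    return True


def filter_tokens(tokens):
    return [t for t in tokens if keep_token(t)]


def weight(tok):
    """Assumed weighting: message words count fully, identifiers with digits count half."""
    return 1.0 if tok.isalpha() else 0.5


def weighted_distance(a, b):
    """Weighted edit distance over two token sequences. Deleting a token (from either
    sequence) costs its weight; replacing costs the heavier of the pair; equal tokens cost 0."""
    n, m = len(a), len(b)
    d = [[0.0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        d[i][0] = d[i - 1][0] + weight(a[i - 1])
    for j in range(1, m + 1):
        d[0][j] = d[0][j - 1] + weight(b[j - 1])
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            wa, wb = weight(a[i - 1]), weight(b[j - 1])
            sub = 0.0 if a[i - 1] == b[j - 1] else max(wa, wb)
            d[i][j] = min(d[i - 1][j] + wa, d[i][j - 1] + wb, d[i - 1][j - 1] + sub)
    return d[n][m]


def is_match(a, b, ratio=MATCH_RATIO):
    """Match when the weighted operation count is within `ratio` of the combined token weight."""
    total = sum(map(weight, a)) + sum(map(weight, b))
    return total > 0 and weighted_distance(a, b) / total <= ratio


def categorize(lines):
    """Assign each line to the first category whose template matches; otherwise open a new one."""
    categories = []
    for line in lines:
        toks = filter_tokens(tokenize(line))
        for cat in categories:
            if is_match(cat["template"], toks):
                cat["members"].append(line)
                break
        else:
            categories.append({"template": toks, "members": [line]})
    return categories


if __name__ == "__main__":
    for i, cat in enumerate(categorize(SAMPLE_LOG)):
        print(f"category {i}: template = {' '.join(cat['template'])}")
        for line in cat["members"]:
            print("   ", line)
```

On the constructed input the two failed-login lines differ only in the process id, the user name and the source address (weighted cost 2.0 against a combined weight of 19, about 10.5%), so they fall into one category; the kernel line and the accepted-login line each open a new category because no existing template is within 15%.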

Regarding claim 9, 
Mudda and Chandola teach the method of claim 1,
Mudda further teaches wherein generating the anomaly scores comprises: creating features for a current group of the data instances (see ¶ 270, “the input data of the ML-based CEP engine includes event feature sets, where each event feature set corresponds to an observable event in the target computer network”, also see ¶ 292, “if the model type topology 1714 specifies users as the entity type, the ML-); 
applying an anomaly detection algorithm that takes as inputs the features for the current group, and group features calculated using set functions for groups earlier than the current group (see ¶ 341, “a particular machine learning model can be configured to process a time slice of data to produce a score for detecting a network security-related issue, and with model state sharing, the size of the time slice can be controlled by whichever event processing engine currently utilizes the particular machine learning model… the time slice can be set by the batch processing engine to whichever time period length is suitable for grouping the historic events”, also see ¶ 345, “the combination of the behavioral baseline establishment technique and the model state sharing technique can be particularly useful to detect a specific entity's anomalous behavior when historical data of that specific entity is not available (e.g., a new employee joins the enterprise)”); 
and generating the anomaly scores, the anomaly scores being indicative of how anomalous are the features for the current group (see ¶ 359, “the resulting anomaly score may be a value between 0 and 10, with 0 being the least anomalous and 10 being the most anomalous.”)

Regarding claim 11, 
 a computer-implemented method for detecting anomalous activity in a computing environment (see ¶ 137, “anomalous activity detection in a networked environment”, also see ¶ 139, “The environment 10 may represent a networked computing environment of one or multiple companies or organizations, and can be implemented across multiple geographic regions”), the method comprising: 
receiving an unstructured input stream of data instances (see ¶ 143, “incoming data is processed using machine learning/data science techniques to extract knowledge from large volumes of data that are structured or unstructured”, also see ¶ 248, “the event view enables the security platform to both implement late binding and have a homogeneous way to access the unstructured event data”), the data instances in the unstructured input stream being time stamped (see ¶ 174, “a time series database 370 that represents the database for storing time stamped data”, also see ¶ 222, “even if the events arrive in an order that is not the same as how they actually took place, as long as the events have timestamps”, teaches unstructured input being time stamped); 
categorizing the data instances of the unstructured input stream of data instances, the data instances comprising at least one principle value and a set of categorical attributes determined through machine learning (see ¶ 143, “incoming data is processed using machine learning/data science techniques to extract knowledge from large volumes of data that are structured or unstructured”, also see ¶ 249, “ the fields can be used by a machine learning model to identify which subset of the event data (e.g., serverIP, sourceIP, sourcePort, etc.) is the information that the model wants to receive.”, also see ¶ 273, “The event feature set can include at least a subset of the raw event data; metadata associated with the raw event data; transformed, summarized, and/or normalized representation of portions of the raw event data; derived attributes from portions of the raw event data; labels for portions of the raw event data; or any combination”, also see ¶ 445, “Anomalies can be classified into various types.  As examples, anomalies can be alarms, blacklisted applications/domains/IP addresses, domain name anomalies, excessive uploads or downloads, website attacks, land speed violations, machine generated beacons, login errors, multiple outgoing connections, unusual activity time/sequence/file access/network activity, etc. Anomalies typically occur at a particular date and time and involve one or more participants, which can include both users and devices.”, also see ¶ 564-566, “The method further generates or identifies classification metadata of the user and the device, based on event data about the login event, to further explain the relevance of the user and the device in a security context.”);
grouping the data instances into groups based on continuous time intervals … (see ¶ 292, “The model type topology 1714 specifies how the ML-based CEP engine 1500 groups and distributes model-specific process threads to, for example, the different computation workers 1526 in the distributed computation system 1520. The model type topology 1714 also specifies how the ML-based CEP engine 1500 groups and distribute the input data for the model-specific process threads of the same model type 1602”, also see ¶ 611 “timing analysis could yield two or more feature scores, including at least a feature score based on a periodicity of communications associated with a particular entity and a feature score based on variance in interval periods between communications associated with a particular entity. Feature scores are 
each of the continuous time intervals having a length (see ¶ 341, “if the batch processing engine is utilizing the model, the time slice can be set by the batch processing engine to whichever time period length is suitable for grouping the historic events (i.e., events that are already stored as opposed to being currently streamed) into batches for processing”);
applying set functions to each of the groups (see ¶ 182, “The security platform 300 can detect anomalies and threats by determining behavior baselines of various entities that are part of, or that interact with, a network, such as users and devices, and then comparing activities of those entities to their behavior baselines to determine whether the activities are anomalous, or even rise to the level of threat. The behavior baselines can be adaptively varied by the platform 300 as new data are received. These functions can be performed by one or more machine-learning models in the real-time path, the batch path, or both”, also see ¶ 193, “The data intake and preparation stage 800 can include a number of components that perform a variety of functions disclosed herein.  In the example of stage 800, the data intake and preparation stage of the security platform includes a number of data connectors 802, a format detector 804, a number of parsers 806, a field mapper 808, a relationship graph generator 810, an identity resolution module 812, a number of decorators 814, and event view adder 816.”); 
and generating an anomaly score for each of the groups using the set functions (see ¶ 358, “processing the event data 2302 through an anomaly model.  ).
Mudda does not explicitly teach grouping the data instances into groups based on continuous time intervals and at least one principle value.
Chandola teaches grouping the data instances into groups based on continuous time intervals and at least one principle value (see page 15:14 section 3.2.2 mobile phone fraud, “Each call record is a vector of features, both continuous (e.g., CALLDURATION) and discrete (e.g., CALLING-CITY). However, there is no inherent primitive representation in this domain. Calls can be aggregated by time, for example into call-hours or call-days or user or area, depending on the granularity desired”, where data instances are grouped based on call duration or location (principle value) over a continuous time interval).
Both Mudda and Chandola pertain to the problem of anomaly detection and are therefore analogous art. It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to combine Mudda and Chandola to group data based on continuous time intervals and a value. The motivation for doing so would be to show changes and to identify the advantages and disadvantages of the techniques in each category in order to differentiate between normal and anomalous behavior (Chandola Abstract).

Regarding claim 15, 
Mudda and Chandola teach the method of claim 11,
Mudda further teaches wherein the regularity analysis further comprises identifying when a categorical attribute of the set of categorical attributes influences the anomaly score for the set of categorical attributes if an output of an anomaly detection algorithm is within 30% to alternative instances in which the set of categorical attributes exists (see ¶ 315, “the model deliberation process thread processes the most recent time slice from the group-specific data stream to compute a score associated with the most recent time slice.  The most recent time slice can correspond to an event or a sequence of event observed at the target computer network”, also see ¶ 371 “a threat indicator score can be assigned based on the processing of the anomaly data with a threat indicator being identified if the threat indicator score satisfies a specified criterion.  For example, the 20 entities associated with a particular anomaly may lead to assigning an threat indicator score of 6 on a scale of 1 to 10.  Accordingly a threat indicator is identified because the assigned threat indicator score is at least 6”).


 
Claims 2, 12 and 13 are rejected under 35 USC 103 as being unpatentable over Mudda et al. (US 2017/0063910 A1) in view of Chandola et al. (Anomaly Detection: A Survey) and in further view of Green et al (US 2013/0238476 A1).

Regarding claim 2, 
Mudda and Chandola teach the method of claim 1, 
Mudda does not teach that the change in anomaly scores is determined using a counterfactual analysis. 
Green is in the field of improving the financial outcome of individuals (para 0003) and discloses that the change in anomaly scores is performed using a counterfactual analysis (see ¶ 7, “an electronic device that performs counterfactual testing…Based on the comparison and a testing metric, the electronic device determines a result of the counterfactual testing”, also see ¶ 111, “Counterfactual module 938 may compare the financial output values 964 for the modified and the original functional representations, and may determine one or more results 966 based on one or more testing metrics 974 and/or one of performance metrics 972”).
Mudda, Chandola and Green pertain to the problem of behavioral patterns, thus being analogous. It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to combine Mudda, Chandola and Green to perform the change of anomaly scores using counterfactual analysis. The motivation for doing so would be for the purpose of reducing false positive classification such as possibility of fraud when sharing functional representations and also identify outliers that deviate from normal behavior (see Green ¶ 75).

Regarding claim 12, 
Mudda and Chandola teach the method of claim 11, 
 identify which of the set of categorical attributes for a group is influencing one or more anomalies in the groups that are indicative of the anomalous activity in the computing environment (see ¶ 493, “each Anomalies Detailed View provides different boxes and graphics to illustrate parameters that correspond to the type of anomaly in the view.”, also see ¶ 723, “the rarity criterion for determining whether an event is anomalous can include additional parameters, such as a minimum number of features and/or feature pairs in the event to be anomalous, a list of features and/or feature pairs in the event to be anomalous.”), 
Mudda does not teach applying a counterfactual analysis or a regularity analysis. 
Green teaches applying a counterfactual analysis or a regularity analysis (see ¶ 7, “an electronic device that performs counterfactual testing…Based on the comparison and a testing metric, the electronic device determines a result of the counterfactual testing”, also see ¶ 111, “Counterfactual module 938 may compare the financial output values 964 for the modified and the original functional representations, and may determine one or more results 966 based on one or more testing metrics 974 and/or one of performance metrics 972”).
Mudda, Chandola and Green pertain to the problem of behavioral patterns, thus being analogous. It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to combine Mudda, Chandola and Green to perform the change of anomaly scores using counterfactual analysis. The motivation for doing so would be for the purpose of reducing false positive classification such as 

Regarding claim 13, 
Mudda, Chandola and Green teach the method of claim 12, 
Mudda further teaches wherein generating the anomaly score further comprises applying an anomaly detection algorithm to values generated using the set function to detect changes in the groups over the continuous time intervals (see ¶ 14 and figure 6, “FIG. 6 shows an example representation of the process of building adaptive behavioral baselines and evaluating against such baselines to support the detection of anomalies”, also see ¶ 379, “Anomalies may be detected over a period of time, for example, as shown in FIG. 29, anomalies 1 through M are detected at time periods t1 through tm”).

Claims 3 and 14 are rejected under 35 USC 103 as being unpatentable over Mudda et al. (US 2017/0063910 A1) in view of Chandola et al. (Anomaly Detection: A Survey) in view of Green et al (US 2013/0238476 A1) in further view of Flanders et al. (US 2016/0055654 A1).

Regarding claim 3, 
Mudda, Chandola and Green teach the method of claim 2,
Green teaches wherein the counterfactual analysis (see ¶ 7, “an electronic device that performs counterfactual testing…Based on the comparison and a testing metric, the electronic device determines a result of the counterfactual testing”, also see ¶ 111, “Counterfactual module 938 may compare the financial output values 964 for the modified and the original functional representations, and may determine one or more results 966 based on one or more testing metrics 974 and/or one of performance metrics 972”).
Mudda, Chandola and Green pertain to the problem of behavioral patterns, thus being analogous. It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to combine Mudda, Chandola and Green to perform the change of anomaly scores using counterfactual analysis. The motivation for doing so would be for the purpose of reducing false positive classification such as possibility of fraud when sharing functional representations and also identify outliers that deviate from normal behavior (see Green ¶ 75).
Mudda, Chandola and Green do not teach removing at least a portion of the data instances; regenerating the anomaly scores for each of the data instances over the continuous time intervals; and wherein if the regenerated anomaly scores are improved compared to the anomaly scores, at least a portion of the categorical attributes are identified as anomalous categorical attributes and a cause of the anomalous activity. 
Flanders teaches removing at least a portion of the data instances (see ¶ 22, “eliminate scene pixels with low anomaly scores from further processing”); 
regenerating the anomaly scores for each of the data instances over the continuous time intervals (see ¶ 2, “for each scene pixel remaining in the plurality of scene pixels, computing an updated intermediate anomaly score using the updated anomaly equation”); 
and wherein if the regenerated anomaly scores are improved compared to the anomaly scores, at least a portion of the categorical attributes are identified as anomalous categorical attributes and a cause of the anomalous activity (see ¶ 2, “comparing the updated intermediate anomaly scores to an updated threshold, the updated threshold being greater in value than the previous threshold…The method further includes declaring which scene pixels include anomalies based on comparisons of the computed full dimension anomaly scores to a full dimension anomaly score threshold, the full dimension anomaly score threshold being greater in value than the threshold and the updated threshold.). 
Mudda, Chandola, Green and Flanders pertain to the problems of behavioral patterns and anomaly detection and are therefore analogous art. It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to combine Mudda, Chandola, Green and Flanders to perform a removal and regeneration of anomaly instances. The motivation for doing so would be to process a few terms of all scene pixels, eliminate most scene pixels, and calculate more terms on high-scoring scene pixels as needed to form an updated anomaly equation if the number of eliminated scene pixels is less than a specified fraction of the total number of scene pixels and the number of computed intermediate anomaly scores is less than a counter; in this way the algorithm can run faster (Flanders abstract and ¶ 41).

Regarding claim 14, 
Mudda, Chandola and Green teach the method of claim 13,
Green further teaches the counterfactual analysis (see ¶ 7, “an electronic device that performs counterfactual testing…Based on the comparison and a testing metric, the electronic device determines a result of the counterfactual testing”, also see ¶ 111, “Counterfactual module 938 may compare the financial output values 964 for the modified and the original functional representations, and may determine one or more results 966 based on one or more testing metrics 974 and/or one of performance metrics 972”).
Mudda, Chandola and Green pertain to the problem of behavioral patterns, thus being analogous. It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to combine Mudda, Chandola and Green to perform the change of anomaly scores using counterfactual analysis. The motivation for doing so would be for the purpose of reducing false positive classification such as possibility of fraud when sharing functional representations and also identify outliers that deviate from normal behavior (see Green ¶ 75).

Mudda, Chandola and Green do not teach determining a change in the anomaly score; removing at least a portion of the data instances; regenerating the anomaly score for each of the data instances which remain after the removing; and comparing the regenerated anomaly score to the anomaly score to identify if at least a portion of the categorical attributes caused the change in the anomaly score. 

Flanders teaches determining a change in the anomaly score (see ¶ 2, “for each scene pixel remaining in the plurality of scene pixels, computing an updated intermediate anomaly score using the updated anomaly equation”); 
removing at least a portion of the data instances (see ¶ 22, “eliminate scene pixels with low anomaly scores from further processing”); 
regenerating the anomaly score for each of the data instances which remain after the removing (see ¶ 2, “for each scene pixel remaining in the plurality of scene pixels, computing an updated intermediate anomaly score using the updated anomaly equation”); 
and comparing the regenerated anomaly score to the anomaly score to identify if at least a portion of the categorical attributes caused the change in the anomaly score (see ¶ 2, “comparing the updated intermediate anomaly scores to an updated threshold, the updated threshold being greater in value than the previous threshold…The method further includes declaring which scene pixels include anomalies based on comparisons of the computed full dimension anomaly scores to a full dimension anomaly score threshold, the full dimension anomaly score threshold being greater in value than the threshold and the updated threshold”). 
Mudda, Chandola, Green and Flanders pertain to the problem of behavioral patterns and anomaly detection, thus being analogous. It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to combine .

Claim 10 is rejected under 35 USC 103 as being unpatentable over Mudda et al. (US 2017/0063910 A1) in view of Chandola et al. (Anomaly Detection: A Survey) in further view of Sadovsky et al (US 2015/0180894 A1).

Regarding claim 10, 
Mudda and Chandola teach the method of claim 1,
Mudda and Chandola do not teach further comprising enacting changes in the computing environment relative to at least a portion of the categorical attributes to prevent future instances of the anomalous activity. 
Sadovsky teaches further comprising enacting changes in the computing environment relative to at least a portion of the categorical attributes to prevent future instances of the anomalous activity (see ¶ 28, Upon detection of anomalous activity by anomaly detector 26, different actions may be performed, one or more reports may be automatically created and delivered (e.g., anomaly report 265), one or 
Mudda, Chandola and Sadovsky pertain to the problem of anomaly detection, thus being analogous. It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to combine Mudda, Chandola and Sadovsky to perform enacting changes to prevent future activities. The motivation for doing so would be for the purpose of detecting anomalous activity using event information that is received from accounts from within an online service (Sadovsky abstract).

Claims 16-20 are rejected under 35 USC 103 as being unpatentable over Mudda et al. (US 2017/0063910 A1) in view of Dubey et al. (US 2018/0173698 A1).
Regarding claim 16. 
Mudda teaches a computer-implemented method for anomaly detection, comprising: receiving an unstructured log file of a computing environment (see ¶ 143, “incoming data is processed using machine learning/data science techniques to extract knowledge from large volumes of data that are structured or unstructured”, also see ¶ 248, “the event view enables the security platform to both implement late binding and have a homogeneous way to access the unstructured event data”), the unstructured log file comprising temporal data (see ¶ 174, “a time series database 370 that represents the database for storing time stamped data”, also see ¶ 222, “even if the events arrive in an order that is not the same as how they actually took place, as long as the events have timestamps”, teaches unstructured input being time stamped); 
tokenizing segments within the unstructured log file (see ¶ 190, “"extracting a token from an event" will be understood as extracting a token from the event data that represents the event.”, also see ¶ 206, “the received data representing an event, which field represents a token that may correspond to a timestamp, an entity, an action, an IP address, an event identifier (ID), a process ID, a type of the event, a type of machine that generates the event, and so forth”); 
filtering or removing a portion of the tokenized segments based on a set of filtering criteria (see ¶ 164, “The data receivers 310 may also optionally filter some of the event data”, also see ¶ 0165, “the semantic processor 316 may perform parsing of the incoming event data, enrichment (also called decoration or annotation) of the event data with certain information, and optionally, filtering the event data”, also see ¶ 167, “An optional filter attribution block 322 in the semantic processor 316 removes certain pre-defined events.  The attribution filter 322 in the semantic processor 316 may further remove events that need not be processed by the security platform”); 
applying a weight to one or more of the filtered, tokenized segments (see ¶ 235, “Depending on the model, other criteria for an event to be considered relevant for model training and/or updating purposes may include, for example, when a new event includes a particular machine identifier, a particular user identifier, and/or the recency of the new event.  Moreover, some models may assign a different weight to the new event based on what type of event it is.”); 
comparing the filtered, tokenized segments to one another to determine if a match exists therebetween (see ¶ 262, “two sessions is determined based on comparing three items: "from-session-link-context", "to-session-link-context", and "Link-; 
and categorizing the filtered, tokenized segments based on the comparison (see ¶ 143, “incoming data is processed using machine learning/data science techniques to extract knowledge from large volumes of data that are structured or unstructured”, also see ¶ 249, “ the fields can be used by a machine learning model to identify which subset of the event data (e.g., serverIP, sourceIP, sourcePort, etc.) is the information that the model wants to receive.”, also see ¶ 273, “The event feature set can include at least a subset of the raw event data; metadata associated with the raw event data; transformed, summarized, and/or normalized representation of portions of the raw event data; derived attributes from portions of the raw event data; labels for portions of the raw event data; or any combination”, also see ¶ 445, “Anomalies can be classified into various types.  As examples, anomalies can be alarms, blacklisted applications/domains/IP addresses, domain name anomalies, excessive uploads or downloads, website attacks, land speed violations, machine generated beacons, login errors, multiple outgoing connections, unusual activity time/sequence/file access/network activity, etc. Anomalies typically occur at a particular date and time and involve one or more participants, which can include both users and devices.”, also see ¶ .

Mudda does not teach wherein the filtering excludes tokens less than a certain character count and not using a specific character set.
Dubey teaches wherein the filtering excludes tokens less than a certain character count and not using a specific character set (see ¶ 127, “relatively long repeated phrases, e.g., over a length of 20 words, can be filtered out regardless of how many times the phrases appear in the documents 618.”);
Both Mudda and Dubey pertain to the problem of data analyzing, thus being analogous. It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to combine Mudda and Dubey to filter words/phrases that contain a length over a specific amount of characters/words. The motivation for doing so would be for the purpose of eliminating portions of unwanted data to minimize the size of data to be processed (see Dubey ¶¶ 69 and 121).

Regarding claim 17. 
Mudda and Dubey teach the method of claim 16, 
Mudda further teaches wherein when a match does not exist, a new category is created and attributed to one or more of the filtered, tokenized segments (see ¶ 204, “after the data connectors 802 obtain/receive the data, if the data format of the data is unknown (e.g., the administrator has not specified how to parse the data), then ).

Regarding claim 18. 
Mudda and Dubey teach the method of claim 16, 
Mudda further teaches further comprising applying tokenization rules to exclude at least a portion of the segments of the unstructured log file (see ¶ 147, “To operate in real-time, the evaluation is performed primarily or exclusively on event data pertaining to current events contemporaneously with the data being generated by and/or received from the data source(s).  In certain embodiments, the real-time processing path excludes historical data (i.e., stored data pertaining to past events) from its evaluation.  Alternatively in an embodiment, the real-time processing path excludes third-party data from the evaluation in the real-time processing path.  These example types of data that are excluded from the real-time path can be evaluated in the batch processing path”, also see ¶ 164, “The data receivers 310 may also optionally filter some of the event data. For example, to reduce the workload of the security platform”, also see ¶ 218, “if the network administrator wishes to receive data in a new data format, he can edit the configuration file to create rules (e.g., in the form of functions or macros) for the particular data format including, for example, identifying ).

Regarding claim 19. 
Mudda and Dubey teach the method of claim 16, 
Mudda further teaches further comprising applying filtering rules to remove tokenized segments corresponding to only numerical values or tokenized segments corresponding to date-related words, or tokenized segments corresponding to numbers with trailing units (see ¶ 164, “the data receivers 310 may also optionally filter some of the event data”, also see ¶ 167, “The attribution filter 322 in the semantic processor 316 may further remove events that need not be processed by the security platform.  An example of such an event is an internal data transfer that occurs between two IP addresses as part of a regular file backup.  In some embodiments, the functions of semantic processor 316 are configurable by a configuration file to permit easy updating or adjusting”; filtering of IP addresses corresponds to tokenized segments corresponding to only numerical values or to tokenized segments corresponding to date-related words, because IP addresses can include date-related words and can also be tokenized segments corresponding to numbers with trailing units).

Regarding claim 20. 

Mudda further teaches wherein comparing the filtered, tokenized segments to one another further comprises determining distances between the filtered, tokenized segments based on deletions and replacements, further wherein the distances between the filtered, tokenized segments indicate if they are within two operations to match (see ¶ 167, “filter attribution block 322 in the semantic processor 316 removes certain pre-defined events.  The attribution filter 322 in the semantic processor 316 may further remove events that need not be processed by the security platform.”, also see ¶ 407, “the method can identify an insider who poses a security threat based on a group of anomalies being close to each other in time and their confidence metrics.”, also see ¶ 427, “he computer system can further identify events that have timestamps satisfying a specific closeness criterion (e.g., the timestamps having differences less than a threshold value)”, also see ¶ 535, “In some occasions, such as those described above (e.g., to see whether a PST trainee has started to converge to another PST, or to perform the PST-SIM comparison), two PSTs need to be compared… resulting in two probability vectors, a suitable vector similarity metric (e.g., Euclidian distance, or cosine similarity) can be used to compare the two PSTs”, also see ¶ 573, “The similarity scores are assigned such that any given set of network devices that are accessed by the same or similar group of users are assigned similarity scores that are closer in value to each other than the similarity scores of any other set of network devices that are not accessed by the same or similar group of users”; these paragraphs teach using, for example, Euclidean distance or a similarity score to indicate whether the similarities are close enough in value to match.) 
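To make the pipeline recited in claims 16 through 20 concrete (tokenizing an unstructured log file, filtering tokens by character count and character set, dropping numeric-only tokens, date-related words and numbers with trailing units, applying a weight, comparing tokens by a deletion/replacement distance and treating tokens within two operations as a match, and opening a new category when no match exists), the following is an added Python example. It is not code from the application under examination nor from Mudda, Dubey or any other reference cited above. The sample log lines, the 4-character minimum, the allowed character set, the date-word list, the high-weight word list, the function names and the category bookkeeping are all constructed assumptions for illustration.

```python
"""Added example: toy log tokenization, filtering, weighting and categorization."""
import re
from typing import Dict, List, Tuple

# Constructed sample of unstructured log lines (not taken from any cited reference).
SAMPLE_LOG = [
    "2021-02-26 10:15:01 sshd[1234]: Accepted password for alice from 10.0.0.5 port 51422 ssh2",
    "2021-02-26 10:15:07 sshd[1240]: Failed password for bob from 10.0.0.9 port 51430 ssh2",
    "Friday Feb 26 10:16:12 kernel: eth0: link up, 1000Mbps full duplex",
    "2021-02-26 10:17:44 sshd[1251]: Accepted pasword for alice from 10.0.0.5 port 51500 ssh2",
]

# Assumed filtering criteria (the claims leave the concrete values open).
MIN_CHARS = 4                                        # tokens shorter than this are excluded
ALLOWED = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")    # assumed character set: letter-led word chars
NUMBER_WITH_UNIT = re.compile(r"^\d+(?:\.\d+)?(ms|s|kb|mb|gb|mbps|bps|%)$", re.I)
DATE_WORDS = {
    "jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec",
    "monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday",
}
HIGH_WEIGHT_WORDS = {"failed", "denied", "error", "invalid"}  # constructed weighting rule
MAX_OPS = 2                                           # "within two operations to match"


def tokenize(line: str) -> List[str]:
    """Split a raw log line into segments on whitespace and field punctuation."""
    return [t for t in re.split(r"[\s:\[\],]+", line) if t]


def keep_token(tok: str) -> bool:
    """Apply the filtering rules: length, numeric-only, date words, number+unit, charset."""
    if len(tok) < MIN_CHARS:
        return False
    if tok.isdigit():                       # only numerical values
        return False
    if tok.lower() in DATE_WORDS:           # date-related words
        return False
    if NUMBER_WITH_UNIT.match(tok):         # numbers with trailing units
        return False
    return bool(ALLOWED.match(tok))         # must use the allowed character set


def weight(tok: str) -> float:
    """Assign a heavier weight to security-relevant words (constructed rule)."""
    return 2.0 if tok.lower() in HIGH_WEIGHT_WORDS else 1.0


def del_sub_distance(a: str, b: str) -> int:
    """Edits turning a into b using only deletions from a and single-character
    replacements (no insertions). Returns a value above any real distance when
    b is longer than a, since that would require insertions. Case-insensitive."""
    inf = len(a) + len(b) + 1
    if len(a) < len(b):
        return inf
    prev = [0] + [inf] * len(b)             # row 0: a[:0] -> b[:j] impossible unless j == 0
    for i in range(1, len(a) + 1):
        cur = [i] + [inf] * len(b)          # a[:i] -> "" costs i deletions
        for j in range(1, len(b) + 1):
            sub = prev[j - 1] + (0 if a[i - 1].lower() == b[j - 1].lower() else 1)
            dele = prev[j] + 1
            cur[j] = min(sub, dele)
        prev = cur
    return prev[len(b)]


def within_two_ops(a: str, b: str) -> bool:
    """Symmetric match test: delete from whichever token is longer."""
    return min(del_sub_distance(a, b), del_sub_distance(b, a)) <= MAX_OPS


def categorize_log(lines: List[str]) -> Tuple[Dict[str, List[str]], Dict[str, float]]:
    """Filter and weight tokens, then group each token with the first category
    whose representative is within MAX_OPS; otherwise open a new category."""
    categories: Dict[str, List[str]] = {}   # representative token -> member tokens
    weights: Dict[str, float] = {}
    for line in lines:
        for tok in tokenize(line):
            if not keep_token(tok):
                continue
            weights[tok] = weight(tok)
            for rep in categories:
                if within_two_ops(rep, tok):
                    categories[rep].append(tok)
                    break
            else:                           # no match exists: new category (claim 17)
                categories[tok] = [tok]
    return categories, weights


if __name__ == "__main__":
    cats, w = categorize_log(SAMPLE_LOG)
    for rep, members in cats.items():
        print(f"{rep:10s} weight={w[rep]:.1f} members={members}")
```

Two things the output makes visible that the claim language alone does not: the misspelled "pasword" lands in the "password" category with a single deletion, which is the intended tolerance, but "ssh2" also lands in the "sshd" category because one replacement is within the two-operation budget. A fixed two-operation threshold therefore merges many short tokens, which is why the example raises the minimum character count; a practitioner tuning such a filter should check the merged categories against known-distinct field values before trusting anomaly scores built on them.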
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to IMAD M KASSIM whose telephone number is (571)272-2958.  The examiner can normally be reached Monday through Friday, 7:30-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamran Afshar can be reached on (571) 272-7796.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for 
/IMAD KASSIM/Examiner, Art Unit 2125
/KAMRAN AFSHAR/Supervisory Patent Examiner, Art Unit 2125