DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This office action is in response to submission of application of 7/26/2018.
Claims 1-20 are presented for examination.
Oath/Declaration
For the record, the Examiner acknowledges that the Oath/Declaration submitted on 7/26/2018 has been received.
Information Disclosure Statement
The information disclosure statement submitted on 1/8/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is considered by examiner.
Drawings
The drawings are objected to because of the following informalities:
In FIG. 1, it is unclear what is indicated by the blocks. The blocks seem to indicate a series of steps in a process because of their content, placement, and because they are connected by lines. However, there are no arrows to indicate the direction.  For example, Block 170 appears be a decision block because it has two blocks connected to it but instead of reciting a query, it recites a statement, “THE HARDWARE-BASED ARTIFICIAL NEURAL NETWORK INCLUDES A COMPARATOR, A MEMORY LOCATION OR REGISTER, AND A TABLE THAT CONTAINS NORMAL 
FIG. 2 is objected to for the same reasons as FIG. 1.   For the purpose of prior art examination, Examiner is interpreting as a list of things that may relate to the claimed invention.  
Specification
The disclosure is objected to because of the following informalities:
In [0017], line 5 “includes” should be “include”.
In [0020], line 8 “unknow” should be “unknown”.
The specification has not been checked to the extent necessary to determine the presence of all possible minor errors.  Applicant’s cooperation is requested in correcting any errors the applicant may become aware of in the specification.
Claim Rejections - 35 USC § 112(b)
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claims 1-20 are rejected under 35 U.S.C. 112(b), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Claim 1, line 5 states that the “neural network learns normal data patterns”.  But line 2 states the neural network is being trained in “real time”.  Therefore, it is not clear if there is a prior step during which the incoming data patterns are identified as “normal” and “abnormal”.  For the purpose of prior art examination, Examiner is interpreting as the neural network is initially trained prior to inference on a dataset of predefined “normal” data patterns and then updates the synaptic weights during inference in “real time” as data patterns are encountered.
Claim 1, line 6 states that a “new data pattern” is identified “when the new data pattern deviates from the normal data patterns”. Then, in line 9, the neural network “learns the new data pattern by altering the synaptic weights associated with the new data pattern”.  And in line 13 the claim states the neural network as “identifying the new data pattern as a malicious data pattern when the first rate at which the hardware-based artificial neural network alters the synaptic weights associated with the new data pattern exceeds a threshold.”  In other words, it appears that the claim is saying that a malicious data pattern is identified if the rate (which usually relates to speed) of altering the synaptic weights is faster than a threshold.  However, since the neural network is trained with single data patterns, and is updating in real time, it appears that the synaptic weights would be modified only once, due to the new data pattern.  Therefore, it’s unclear what “rate” means.  For the purpose of prior art examination, Examiner is interpreting the claim as identifying an anomaly based on a deviation from the “normal data pattern” which the network was previously trained to identify. 
Claims 2-8 are dependent from claim 1 and are therefore rejected.
Claim 9 is an independent system claim corresponding to process claim 1.  Claim 9 is rejected for the same reasons as claim 1.
Claims 10-15 are dependent from claim 9 and are therefore rejected.
Claim 17 is an independent process claim that contains subject matter which corresponds to claim 1 but has additional features that claim 1 does not.  However, Claim 17 contains the limitations that were rejected in claim 1.  Therefore claim 17 is rejected for the same reasons as claim 1.
Claims 18-20 are dependent from claim 17 and are therefore rejected.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6-8, 9-12, and 14-16 are rejected under 35. U.S.C. 103 as being unpatentable over Pino et al (WO 2014/066166 A2, herein Pino) and Tang et al (Deep Learning Approach for Network Intrusion Detection in Software Defined Networking, herein Tang).
Regarding claim 1,
	Pino teaches a process comprising: 
	receiving data patterns in real time into a hardware-based artificial neural network; (Pino, paragraph [0023], line 1 “In one embodiment, by using a physically instantiated neural network (e.g., hardware-implemented neural network), an apparatus may perform high-performance network monitoring while also being energy- efficient.” And, paragraph [0015], “One embodiment of the present invention monitors, in real-time or near real-time, network traffic information by utilizing the learning abilities and parallel-analysis ability of neural networks.” In other words, monitors, in real-time or near real-time, network traffic information is receiving data patterns in real time, and hardware-implemented neural network is hardware-based artificial neural network.)
	training the hardware-based artificial neural network using the data patterns such that the hardware-based artificial neural network learns normal data patterns; (Pino, Fig. 4, and paragraph [0002], line 1 “Embodiments of the invention relate to monitoring of network traffic, such as, but not limited to, methods of training a neural network to monitor network traffic and methods of monitoring network traffic using the trained neural network.”  In other words, training a neural network to monitor network traffic is training… such that the hardware-based artificial neural network learns normal data patterns.)
	[identifying a new data pattern in the data patterns when the new data pattern deviates from the normal data patterns;]
	training the hardware-based artificial neural network using the new data pattern such that the hardware-based artificial neural network learns the new data pattern by altering synaptic weights associated with the new data pattern; (Pino, paragraph [0015], line 1 “One embodiment of the present invention monitors, in real-time or near real-time, network traffic information by utilizing the learning and parallel-analysis abilities of neural networks. Specifically, certain embodiments use neural networks to learn patterns and to respond, in parallel, to a multitude of input patterns.  The responses provided by the neural networks may be determined or learned.  The process by which a neural network learns and responds to different inputs may be generally referred to as a “training” process.” In other words, use neural networks to learn patterns is learns the new data pattern.)
Thus far, Pino does not explicitly teach identifying a new data pattern in the data patterns when the new data pattern deviates from the normal data patterns;
Pino does not explicitly teach monitoring a first rate at which the hardware-based artificial neural network alters the synaptic weights associated with the new data pattern; and identifying the new data pattern as a malicious data pattern when the first rate at which the hardware-based artificial neural network alters the synaptic weights associated with the new data pattern exceeds a threshold.
Tang teaches identifying a new data pattern in the data patterns when the new data pattern deviates from the normal data patterns; (Tang, page 1, column 2, line 17 “The second one, anomaly-based detection, compares new data with a model of normal user behavior and marks a significant deviation from this model as an anomaly using machine learning.”  In other words, new data is new data pattern, and marks a significant deviation is deviates from the normal data patterns.) 
Tang teaches monitoring a first rate at which the hardware-based artificial neural network alters the synaptic weights associated with the new data pattern; and identifying the new data pattern as a malicious data pattern when the first rate at which the hardware-based artificial neural network alters the synaptic weights associated with the new data pattern exceeds a threshold. (Tang, page 1, column 2, line 17 “The second one, anomaly-based detection, compares new data with a model of normal user behavior and marks a significant deviation from this model as an anomaly using machine learning.” And, page 2, column 1, paragraph 3, line 1 “Flow-based intrusion detection is extensively researched nowadays.  In [11], the authors propose a flow-based anomaly detection system based on a Multi-Layer Perceptron and Gravitational Search Algorithm. The system can classify benign and malicious flows with a very high accuracy rate.”   In other words, new data is new data pattern, marks a significant deviation is deviates from the normal data patterns, and classify benign and malicious flows with a very high accuracy rate is identifying the new data pattern as a malicious data pattern.)
	Both Tang and Pino are directed to neural network based intrusion detection systems.  In view of the teaching of Tang, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Tang into the teaching of Pino.  This would result in being able to compare new data with a model of normal data to identify cyber anomalies thereby being able to identify malicious software and detect zero-day attacks.  
	One of ordinary skill in the art would be motivated to do this in order to identify anomalies allowing for the ability to detect zero-day attacks, thus more completely protecting the system.
Regarding claim 2,
	the combination of Pino and Tang teach the process of claim 1,
	wherein the data patterns comprise data patterns from a data bus, data patterns from an instruction bus, or data patterns from data packets.  (Pino, Fig. 1, and Paragraph [0004], line 1 “One embodiment is a system that collects data from monitored network traffic.  The system inputs, in parallel, the data through inputs of a neural network.  The system compares an output of the neural network, generated in response to the inputted data, to at least one predetermined output.”  In other words, data from monitored network is data patterns from a data bus, data patterns from an instruction bus, or data patterns from data packets.)

    PNG
    media_image1.png
    511
    713
    media_image1.png
    Greyscale

Regarding claim 3,
	the combination of Pino and Tang teach the process of claim 1, 
	wherein the training of the hardware-based artificial neural network using the new data pattern comprises correlating instructions with address locations that write to or read from safe memory locations.  (Pino, “Fig. 4 is a flow diagram of a process for training a neural network to monitor network traffic in accordance with one embodiment.” In other words, training a neural network to monitor traffic is training the hardware-based neural network which includes correlating instructions with address locations that write or read from safe memory locations.)

    PNG
    media_image2.png
    696
    577
    media_image2.png
    Greyscale

Regarding claim 4,
the combination of Pino and Tang teach the process of claim 1,
	wherein the identifying the new data pattern comprises recognizing a pattern that is different from the normal data patterns. (Tang, page 1, column 2, line 17 “The second one, anomaly-based detection, compares new data with a model of normal user behavior and marks a significant deviation from this model as an anomaly using machine learning.”  In other words, new data is new data pattern, and marks a significant deviation is different from the normal data patterns.)
Regarding claim 6,
	The combination of Pino and Tang teach the process of claim 1,
	wherein the hardware-based artificial neural network comprises: a comparator; a memory location or register to receive the new data pattern, the memory location or register coupled to an input of the comparator; and a table containing the normal data patterns, (Pino, paragraph [0026], line 1 “Fig. 1 is an overview block diagram of a computer system 10 for monitoring network traffic in accordance with one embodiment.  Although shown as a single system, the functionality of system 10 can be implemented as a distributed system.  System 10 includes a bus 12 or other communication mechanism for communicating information, and a neural network processor 22 coupled to bus 12 for processing information.  Neural network processor 22 may be a type of general or specific purpose processor.  As described above, neural network processor 22 may be a processor that has a neural network computing architecture.  In one embodiment, neural network processor 22 may have a CMOS-based distributed neural network computing architecture.  Neural network processor 22 may also include a processing system where a general and/or specific purpose processor operates in conjunction with a hardware-implemented neural network.  System 10 further includes a memory 14 for storing information and instructions to be executed by processor 22.  Memory 14 can include any combination of random access memory (“RAM”), read only memory (“ROM”), static storage such as a magnetic or optical disk, or any other type of computer readable media.  System 10 further includes a communication device 20, such as a network interface card, to provide access to a network.  Therefore, a user may interface with system 10 directly, or remotely through a network or any other known method.”  And, Fig. 7 

    PNG
    media_image3.png
    596
    351
    media_image3.png
    Greyscale

And, Fig. 6

    PNG
    media_image4.png
    638
    620
    media_image4.png
    Greyscale


In other words, comparing unit (Fig. 7) is comparator, memory 14 is memory, and Database (Fig. 6) is table.)
	the table coupled to the input of the comparator; wherein the comparator is configured to determine that the new data pattern is not one of the normal data patterns; and (Pino, paragraph [0056], line 8 “Apparatus 700 may also include an inputting unit 704 configured to input, in parallel, the modified training vector into the neural network.  Apparatus 700 may also include a comparing unit 705 configured to compare an output of the neural network, generated in response to inputting the modified training vector, with a desired output.” In other words, inputting unit is input, and comparing unit is comparator for comparing input to data patterns stored in a table.)
	wherein in response to a determination that the new data pattern is not one of the normal data patterns, training the hardware-based artificial neural network with the new data pattern and observing the first rate to determine whether the new data pattern is malicious. (Pino, page 15, Claim 1, line 11 “comparing an output of the neural network, generated in response to inputting the modified training vector, with a desired output; and modifying the neural network so that the output of the neural network corresponds to the desired output.” In other words, comparing an output… with a desired output is determination that the new data pattern is not one of the normal data patterns, and modifying the neural network so that the output of the neural network corresponds to the desired output is training the hardware-based artificial neural network with the new data pattern.)
Regarding claim 7,
	the combination of Pino and Tang teach the process of claim 6,
	comprising training the hardware-based artificial neural network with the new data pattern when the new data pattern is not one of the normal data patterns. (Pino, page 15, Claim 1, line 11 “comparing an output of the neural network, generated in response to inputting the modified training vector, with a desired output; and modifying the neural network so that the output of the neural network corresponds to the desired output.” In other words, comparing an output… with a desired output is determination that the new data pattern is not one of the normal data patterns, and modifying the neural network so that the output of the neural network corresponds to the desired output is training the hardware-based artificial neural network with the new data pattern.)
Regarding claim 8,
The combination of Pino and Tang teach the process of claim 1,
	wherein the first rate at which the hardware-based artificial neural network alters the synaptic weights associated with the new data pattern is followed by a second rate at which the hardware-based artificial neural network alters the synaptic weights associated with the new data pattern; and wherein a decrease from a greater first rate to a lesser second rate indicates a learning of the new data pattern by the hardware-based artificial neural network. (Tang, page 4, column 1, paragraph 2, line 7 “When training a model, we tried to minimize the loss and maximize the accuracy. By comparing loss and accuracy of the training phase (see Table III), we can see that along with the decrease of the learning rate, the loss will decrease and the accuracy will increase.”  In other words, decrease of the learning rate is decrease, and accuracy will increase is indicates a learning of the new data pattern.)

    PNG
    media_image5.png
    213
    598
    media_image5.png
    Greyscale


Claims 9 -12, and 14-16 are system claims corresponding to process claims 1-4, and 6-8 respectively.  Otherwise they are the same.  Claims 9-12, and 14-16 are rejected for the same reasons as claims 1-4, and 6-8 respectively.
Claims 5 and 13 are rejected under 35. U.S.C. 103 as being unpatentable over Pino and Tang in view of Murphree (Machine Learning Anomaly Detection in Large Systems, herein Murphree).
Regarding claim 5,
	The combination of Pino and Tang teach the process of claim 1
	Thus far, the combination of Pino and Tang does not explicitly teach wherein the hardware-based artificial neural network comprises a single layer perceptron artificial neural network
	Murphree teaches wherein the hardware-based artificial neural network comprises a single layer perceptron artificial neural network (Murphree, page 5, column 1, paragraph 6, line 1 “A simple one dimensional autoencoder is trained on a distribution of samples between 0.4 and 0.6.  For proper operation of the anomaly detector, we expect to reproduce any value between 0.4 and 0.6 with a very small error when passed through the autoencoder.”  In other words, a simple one dimensional autoencoder is a single layer perceptron artificial neural network.)
	Both Murphree and the combination of Pino and Tang are directed to machine learning for anomaly detection.  In view of the teaching of Murphree it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Murphree into the teaching of Pino and Tang.  This would result in being able to use single layer perceptrons for anomaly detection.  
	One of ordinary skill in the art would be motivated to do this to more efficiently detect anomalies by using a plurality of smaller, faster, neural networks.
Claim 13 is a system claim corresponding to the process claim 5.  Other than that, they are the same.  Claim 13 is rejected for the same reasons as claim 5.
Claims 17- 20 are rejected under 35. U.S.C. 103 as being unpatentable over Pino and Tang, in view of Sartran et al (US 2018/0152466 A1, herein Sartran).
Claim 17 is a process claim that corresponds to claim 1.   However, in addition to the limitations of claim 1, claim 17 recites new limitations.
The combination of Pino and Tang teaches a process comprising: receiving in real time,
	Thus far, the combination of Pino and Tang does not explicitly teach computer system operating data from a computer system into a hardware-based artificial neural network; training the hardware-based artificial neural network using the computer system operating data such that the hardware-based artificial neural network learns normal operating conditions of the computer system;
	Sartran teaches computer system operating data from a computer system into a hardware-based artificial neural network; training the hardware-based artificial neural network using the computer system operating data such that the hardware-based artificial neural network learns normal operating conditions of the computer system; (Sartran, paragraph 19, line 10 “The device identifies a network anomaly that exists in the network by using the determined value for the machine learning feature as input to a machine learning-based anomaly detector.” And, paragraph [0021], line 1 “Smart object networks, such as sensor networks, in particular, are a specific type of network having spatially distributed autonomous devices such as sensors, actuators, etc., that cooperatively monitor physical or environmental conditions at different locations, such as, e.g., energy/power consumption, resource consumption (e.g., water/gas/etc. for advanced metering infrastructure or “AMI” applications) temperature, pressure, vibration, sound, radiation, motion pollutants, etc.” In other words, cooperatively monitor physical or environmental conditions is using the computer system operating data such that the hardware-based artificial neural network learns normal operating conditions of the computer system.)
	Sartran and the combination of Pino and Tang are both directed to using machine learning for anomaly detection of potential malware.  In view of the teaching of Sartran it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Sartran into the teaching of Pino and Tang.  This would result in being able to monitor physical and environmental conditions for the detection of anomalies.  
	One of ordinary skill in the art would be motivated to do this in order to more completely protect a computer system from cyber-attack by monitoring physical and environmental conditions.
Regarding claim 18,
	The combination of Pino, Tang and Sartran teach the process of claim 17,
	wherein the computer system operating data comprise a temperature of the computer system, a processing speed of the computer system, and a vibration of the computer system.  (Sartran, paragraph [0021], line 1 “Smart object networks, such as sensor networks, in particular, are a specific type of network having spatially distributed autonomous devices such as sensors, actuators, etc., that cooperatively monitor physical or environmental conditions at different locations, such as, e.g., energy/power consumption, resource consumption (e.g., water/gas/etc. for advanced metering infrastructure or “AMI” applications) temperature, pressure, vibration, sound, radiation, motion pollutants, etc.” In other words, monitor physical or environmental conditions…such as… temperature, pressure, vibration, sound, radiation, motion pollutants, etc. is temperature, speed, and vibration.)
Claims 19 and 20 are process claims that correspond to claims 6 and 8 respectively.  Therefore, claims 19 and 20 are rejected for the same reasons as claims 6 and 8 respectively. 
Conclusion
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to BART RYLANDER whose telephone number is (571)272-8359.  The examiner can normally be reached on Monday - Thursday 8:00 to 5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Miranda Huang can be reached on 571-270-7092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/B.I.R./Examiner, Art Unit 2124                                                                                                                                                                                                        
/MIRANDA M HUANG/Supervisory Patent Examiner, Art Unit 2124