DETAILED ACTION
Claims 1-15, 21-24 are pending.  The 35 U.S.C. 101 abstract idea rejections were withdrawn due to amendments and arguments.  The 35 U.S.C. 112(b) rejections were withdrawn due to amendments.

Continued Examination under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 3/23/2021 has been entered.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Objections
The following claims are objected to because of the following informalities:
In claim 1 at line 5, “an numerical” should read “a[[n]] numerical”
In claim 3 at line 4, “the least one attribute” should read “the at
In claims 4-6, 9, 11-13 there is underlining without changes.  The other claims should be reviewed also to ensure they do not have similar issues.
In claim 21 at line 20, “the portion of the entity data” appears without proper antecedent basis.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-15 and 21-24 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al. (hereinafter Muddu), U.S. Patent Application Publication 2017/0063905, in view of Madahar et al. (hereinafter Madahar), U.S. Patent 8,856,598.

receiving by a processor from a network, in real time, entity data including two or more attributes for an entity (para [0147] - "real-time processing path is configured to continuously monitor and analyze the incoming event data"; para [0167] – “correlate between one attribute with another attribute in the event data or an external attribute”; para [0250] – “a number of fields to access certain attributes of an event”), wherein one of the two or more attributes is a categorical attribute [¶148 – “can also refer to the underlying activity itself”; ¶253 – “determine the event category based on the type of machine that generated the event”; ¶253 – “Other example event categories include authentication, network, entity acquisition, and so forth.”] and one of the two or more attributes is an numerical attribute [¶148 – “a discrete set of machine data that represents or corresponds to a specific network activity”]; 
computing by a processor, in real time, two or more entity probability models for each of the two or more attributes of the entity from the entity data (para [0232]-[0235] - "the identity resolution module 812 can utilize a machine learning model to generate and track a probability of association between a user and a machine identifier''; Note: a model for each user would have two or more models); 
computing by the processor two or more population probability models associated with each attribute from entity data gathered for at least a portion of a population of entities, the two or more population probability models being indicative of behaviors associated with the two or more attributes for the population of entities (para [0140], [0184]-[0187] - "behavioral analytics can be based on include machine learning, 
comparing by the processor, in real time, at least a portion of the entity data or at least a portion of the two or more entity probability model to the two or more population probability models associated with each of the two or more attribute to identify an anomaly between the at least a portion of the entity data or the at least a portion of two or more entity probability models and the two or more population probability models, the anomaly comprising two or more anomalous differences (para [0184]-[0187], [0278]-[0280] - "anomalies and threats are detected by comparing incoming event data (e.g., a series of events) against the baseline profile for an entity to which the event data relates (e.g., a user, an application, a network node or group of nodes, a software system, data files, etc.). If the variation is more than insignificant, the threshold for which may be dynamically or statically defined, an anomaly may be considered to be detected. The comparison may be based on any of various techniques, for example, time-series analysis (e.g., number of log-ins per hour), machine learning, or graphical analysis"; "time series analysis of event sequences include Bayesian time-series statistical foundation for discrete time-series data (based on variable-memory Markov models and context-tree weighting), dynamic thresholding analysis with periodicity patterns at several scales, change-point detection via maximum-a-posteriori-probability (MAP) modeling"); and 

However, while Muddu discloses in paragraph 186 “if the variation is more than insignificant, the threshold for which may be dynamically or statically defined, an anomaly may be considered to be detected” and in paragraph 320, “if more than a threshold percentage of its security-related conclusions correspond to anomalies or threats, then the model deliberation process thread sets its own health status to failure,” Muddu fails to explicitly disclose the deviation by more than 125% in the limitation, wherein a cyber threat occurs when a portion of the entity data or the at least a portion of the two or more entity probability models deviate by more than 125%.
Madahar discloses wherein a cyber threat occurs when a portion of the entity data or the at least a portion of the two or more entity probability models deviate by more than 125% [col. 4-5, lines 65-3 – “For example, although the maximum threshold time may initially be calculated as 125% of the estimated processing time, over time it may be decided that a 150% factor may better indicate when anomalous processing has occurred, and thereby avoid "false positive" notifications.” Note: the 125% threshold is merely an example given in the specification in paragraph 39].

Given the advantage of using a higher threshold in order to avoid false positives [Madahar: col. 5, lines 2-3], one having ordinary skill in the art would have been motivated to make this obvious modification.
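To make the comparison at issue concrete, the following is an added worked example written for this page; it is not code from the application under examination, from Muddu, or from Madahar, and the entity names, the two attributes (an event category and a logins-per-hour count) and every event are constructed. It builds a simple model of each attribute for one entity and for its peers, expresses the entity's deviation as a percentage of the peer baseline, and flags the entity when any attribute exceeds the threshold, so the 125% threshold of the claim and the 150% figure Madahar gives can be compared on the same data.

```python
"""
Added illustration only: not code from the application, from Muddu
(US 2017/0063905) or from Madahar (US 8,856,598). It sketches a per-attribute
comparison of one entity against a population baseline, with a threat declared
when the deviation exceeds a percentage threshold (125% in the claim, 150% in
Madahar's example). All entities, attributes and events below are constructed.
"""
import math
from collections import Counter
from statistics import mean

# Constructed sample entity data: (entity, category, logins_per_hour).
# `category` is the categorical attribute, `logins_per_hour` the numerical one.
SAMPLE_EVENTS = [
    ("alice", "authentication", 3), ("alice", "network", 3),
    ("alice", "authentication", 3), ("alice", "network", 3),
    ("bob", "authentication", 2), ("bob", "network", 4),
    ("bob", "authentication", 3), ("bob", "network", 3),
    ("carol", "authentication", 4), ("carol", "network", 2),
    ("carol", "authentication", 3), ("carol", "network", 3),
    ("dave", "authentication", 5), ("dave", "network", 5),   # busier, but benign
    ("dave", "authentication", 6), ("dave", "network", 6),
    ("mallory", "authentication", 9), ("mallory", "authentication", 7),
    ("mallory", "entity acquisition", 8), ("mallory", "network", 8),
]


def split(events, entity):
    """Events of `entity`, and events of the rest of the population (the peer baseline)."""
    own = [ev for ev in events if ev[0] == entity]
    peers = [ev for ev in events if ev[0] != entity]
    return own, peers


def numeric_model(events):
    """Numerical-attribute model: mean logins per hour over the given events."""
    return mean(v for _, _, v in events)


def categorical_model(events):
    """Categorical-attribute model: empirical probability of each event category."""
    counts = Counter(c for _, c, _ in events)
    total = sum(counts.values())
    return {c: n / total for c, n in counts.items()}


def pct(entity_value, population_value):
    """Entity value as a percentage of the population value. A zero baseline
    (a category never seen among the peers) is reported as an unbounded deviation."""
    if population_value == 0:
        return math.inf
    return 100.0 * entity_value / population_value


def anomalous_differences(events, entity, threshold_pct=125.0):
    """Attributes on which `entity` deviates from the peer baseline by more than
    threshold_pct. Returns {attribute: deviation_percent}."""
    own, peers = split(events, entity)
    if not own or not peers:
        return {}
    out = {}
    num = pct(numeric_model(own), numeric_model(peers))
    if num > threshold_pct:
        out["logins_per_hour"] = round(num, 2)
    peer_cats = categorical_model(peers)
    for cat, p in categorical_model(own).items():
        ratio = pct(p, peer_cats.get(cat, 0.0))
        if ratio > threshold_pct:
            out[f"category:{cat}"] = ratio if math.isinf(ratio) else round(ratio, 2)
    return out


def is_threat(events, entity, threshold_pct=125.0):
    """Claim-style rule: a cyber threat is declared when any attribute exceeds the threshold."""
    return bool(anomalous_differences(events, entity, threshold_pct))


def flagged_entities(events, threshold_pct):
    """Entities reported at a given threshold; compare 125% with 150% to see the
    false-positive trade-off Madahar describes."""
    return sorted(e for e in {e for e, _, _ in events} if is_threat(events, e, threshold_pct))


if __name__ == "__main__":
    for thr in (125.0, 150.0):
        print(f"threshold {thr:.0f}%: flagged {flagged_entities(SAMPLE_EVENTS, thr)}")
    print("mallory:", anomalous_differences(SAMPLE_EVENTS, "mallory"))
```

Run as a script, it reports which constructed entities are flagged at 125% versus 150%: the busier but benign entity is reported only at the lower threshold, which is the false-positive effect the motivation above relies on, while the clearly deviant entity is reported at both. Using the entity's peers rather than the whole population as the baseline is a choice made for this example (the claim only requires "at least a portion of a population"); it keeps a single outlier from inflating its own baseline.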

Regarding Claim 2, Muddu and Madahar disclose the method of claim 1.  Muddu further discloses wherein comparing by the processor the two or more entity probability models to the two or more population probability models further comprises comparing by the process the two or more attributes of the entity with associated attributes of the population of entities (para [0399], [0404], [0521] – “underlying event data”; “comparing particular entity data” “comparing the subset of the threat indicator data” “signature comparison”]).

Regarding Claim 3, Muddu and Madahar disclose the method of claim 1.  Muddu further discloses wherein the comparing by the processor further comprises applying by the processor a probabilistic threshold for each attribute, and wherein, if at least one attribute of the two or more entity probability models has a value that exceeds the probabilistic threshold for the least one attribute, the at least one attribute is categorized by the processor as being the anomaly (para [0317], [0362] – “In one example, the model deliberation process compares the score against a constant threshold and makes 

Regarding Claim 4, Muddu and Madahar disclose the method of claim 3.  Muddu further discloses further comprising determining by the processor if the anomaly is indicative of the entity being associated with malicious behavior by identifying by the processor additional anomalies linked to the anomaly (para. [0521] – “discover behavioral anomalies by determining whether a given sequence of events as associated with an entity deviates from an anticipated behavioral baseline”; Note: the claim defines malicious behavior as a series of anomalous events as opposed to a lone anomalous event.  Muddu discloses a sequence of events as anomalous in the above cited paragraph, which satisfies the claim’s definition of malicious.  Keep in mind, removing an in-claim definition of malicious may result in a 35 U.S.C. 112(b) rejection for a relative term.).

Regarding Claim 5, Muddu and Madahar disclose the method of claim 4.  Muddu further discloses wherein identifying by the processor additional anomalies comprises locating by the processor additional attributes that are anomalous (para [0520]-[0526] – “detect behavioral deviations from such baselines as potentially indicative of malicious activities”).



Regarding Claim 7, Muddu and Madahar disclose the method of claim 1.  Muddu further discloses wherein the entity and the population of entities have at least a portion of their attributes in common with one another such that a comparison between the entity and the population of entities can be obtained by the processor (para [0278]-[0280], [0534]-[0540], [0671]-[0677] – e.g. “entity-specific behavioral analysis, time series analysis of event sequences, graph correlation analysis of entity activities, peer group analysis of entities, or any combination thereof”; “compare sequences and determine similarity”; “compares the beacon data 7470 with any of the known group types (also referred to as "beacon types")”).

Regarding Claim 8, Muddu and Madahar disclose the method of claim 7.  Muddu further discloses further comprising: performing the steps of claim 1 for additional entities (para [0140], [0147], [0184]-[0187], [0232]-[0235], [0435]-[0438], [0542]-[0544] – These sections discuss performing the steps for several entities.); and grouping by the processor the entity with a portion of the additional entities that are determined to have 

Regarding Claim 9, Muddu and Madahar disclose the method of claim 1.  Muddu further discloses wherein the two or more entity probability models for each of the attributes and the two or more population probability models are created by the processor over a period of time (para [0161]-[0162], [0232]-[0235], [0671]-[0677] – “batch analyzer”; “different phases”; “machine generated traffic”).

Regarding Claim 10, Muddu and Madahar disclose the method of claim 1.  Muddu further discloses wherein the entity comprises any of a process, a service, a computing device, a network, an end user, a host, and any combinations thereof (para [0232] - "the identity resolution module 812 can utilize a machine learning model to generate and track a probability of association between a user and a machine identifier").

Regarding Claim 11, Muddu and Madahar disclose the method of claim 1.  Muddu further discloses further comprising creating by the processor a peer group from the population of entities, wherein the peer group comprises entities that have similar anomalies to one another (para [0278]-[0280], [0435]-[0438], [0671]-[0677] - "peer group analysis of entities"; "identified set of anomaly nodes represent a set of related anomalies").



Regarding Claim 13, Muddu and Madahar disclose the method of claim 1.  Muddu further discloses further comprising: determining by the processor a set of anomalies for the entity, the set of anomalies comprising the anomaly and additional anomalies for the entity; and calculating by the processor an overall probability for the set of anomalies to determine if the entity is malicious (para [0278]-[0280], [0317]-[0319], [0435]-[0438], [0538]-[0542], [0671]-[0677] – e.g. “a set of anomaly nodes”; “time series analysis of event sequences include Bayesian time-series statistical foundation for discrete time-series data”; “the model deliberation process compares the score against a dynamically updated baseline (e.g., statistical baseline)”).

Regarding Claim 14, Muddu and Madahar disclose the method of claim 12.  Muddu further discloses further comprising normalizing by the processor the overall 

Regarding Claim 15, Muddu and Madahar disclose the method of claim 1.  Muddu further discloses further comprising generating by the processor a plurality of population probability models for subsets of entities that share a specific attribute with one another (para [0278]-[0280], [0316]-[0319], [0435]-[0438], [0534]-[0542], [0671]-[0677]  - e.g. “machine learning models in the ML-based CEP engine can correspond to an event, a sequence of events, an entity, a group of entities”).

Regarding Claim 21, Muddu discloses a system for real time detection of cyber threats, comprising: 
a processor; and a memory for storing executable instructions (para [0745] - "one or more processor(s) 8510, memory"), the processor executing the instructions to: 
receive from a network, in real time, entity data including two or more attributes for an entity within a population of entities in real time (para [0147], [0167], [0250]), wherein one of the two or more attributes is a categorical attribute and one of the two or more attributes is a numerical attribute (¶148, 253); 
compute by a processor two or more entity probability models of the entity from the entity data (para [0232]-[0235]); 
compute by a processor two or more population probability models from entity data gathered for at least a portion of the population of entities, the two or more population probability models being indicative of average behavior for the population of 
compare, by a processor, the two or more entity probability model to the two or more population probability models to identify one or more anomalous differences between the two or more entity probability models and the two or more population probability models (para [0184]-[0187], [0278]-[0280], [0435]-[0438]); and 
in response to identification by the processor of the two or more anomalous differences, alert a system administrator (para [0542]-[0544]); and 
in response to the two or more anomalous differences, alerting, in real time, a system administrator of a cyber threat (para [0542]-[0544]).
However, while Muddu discloses in paragraph 186 “if the variation is more than insignificant, the threshold for which may be dynamically or statically defined, an anomaly may be considered to be detected” and in paragraph 320, “if more than a threshold percentage of its security-related conclusions correspond to anomalies or threats, then the model deliberation process thread sets its own health status to failure,” Muddu fails to explicitly disclose the deviation by more than 125% in the limitation, wherein a cyber threat occurs when the portion of the entity data or the at least a portion of the two or more probability models deviate by more than 125%.
Madahar discloses wherein a cyber threat occurs when the portion of the entity data or the at least a portion of the two or more probability models deviate by more than 
It would have been obvious to one having ordinary skill in the art, having the teachings of Muddu and Madahar before him before the effective filing date of the claimed invention, to modify the anomaly detection method of Muddu to incorporate the threshold of detecting an anomaly of Madahar.
Given the advantage of using a higher threshold in order to avoid false positives [Madahar: col. 5, lines 2-3], one having ordinary skill in the art would have been motivated to make this obvious modification.

Regarding Claim 22, Muddu and Madahar disclose the method of claim 1.  Muddu further discloses wherein the two or more attributes are associated with direct behaviors (para [0447] – “identify anomalies from expected or authorized network activity or behavior”).

Regarding Claim 23, Muddu and Madahar disclose the method of claim 22.  Muddu further discloses wherein the direct behavior is data exfiltration through a firewall (para [0611] – “network data traffic activity is a primary focus, the event data 6901 preferably includes timestamped machine data such as domain name system (DNS) generated log data, firewall generated log data, or proxy generated log data”).

Regarding Claim 24, Muddu and Madahar disclose the method of claim 22.  Muddu further discloses wherein the direct behavior is network connections (para [0267] – “the from and to IP address of connection” para [0447] – “identify anomalies from expected or authorized network activity or behavior”).

Examiner’s Note
The Examiner respectfully requests of the Applicant in preparing responses, to fully consider the entirety of the reference(s) as potentially teaching all or part of the claimed invention.  It is noted, REFERENCES ARE RELEVANT AS PRIOR ART FOR ALL THEY CONTAIN.  “The use of patents as references is not limited to what the patentees describe as their own inventions or to the problems with which they are concerned.  They are part of the literature of the art, relevant for all they contain.”  In re Heck, 699 F.2d 1331, 1332-33, 216 USPQ 1038, 1039 (Fed. Cir. 1983) (quoting In re Lemelson, 397 F.2d 1006, 1009, 158 USPQ 275, 277 (CCPA 1968)).  A reference may be relied upon for all that it would have reasonably suggested to one having ordinary skill in the art, including non-preferred embodiments (see MPEP 2123).  The Examiner has cited particular locations in the reference(s) as applied to the claim(s) above for the convenience of the Applicant.  Although the specified citations are representative of the teachings of the art and are applied to the specific limitations within the individual claim(s), typically other passages and figures will apply as well.

Response to Arguments
Regarding the prior art rejections, Applicant's arguments have been fully considered but have been found unpersuasive.  Applicant argues that 1) Muddu discloses event data but not entity data, 2) Muddu fails to disclose wherein one of the two or more attributes is a categorical attribute and one of the two or more attributes is a numerical attribute, and 3) comparing event data against a profile is not equivalent to comparing entity data with probability models.  Examiner disagrees with each point for at least the following reasons.
First, the event data of Muddu reads on the entity data of claim 1.  Regarding the term “entity data”, Examiner notes that this is not an ipsissimis verbis test, i.e., identity of terminology is not required. In re Bond, 910 F.2d 831, 15 USPQ2d 1566 (Fed. Cir. 1990).  Under broadest reasonable interpretation, the term “entity data” encompasses data related to the entity.  Muddu discloses in paragraph 147, as Applicant points out, that “the term ‘event data’ refers to machine data related to activity on a network with respect to an entity of focus.”  These events are data related to the entity.
Second, Muddu does disclose categorical and numerical attributes.  Specifically, Muddu discloses categorical data of the event based on the type of machine that generated the event as well as other event categories including authentication, network, entity acquisition, etc.  Additionally, Muddu discloses numerical data for the events by using a discrete set of machine data that represents or corresponds to a specific network activity.
Third, Applicant’s argument towards profiles and probability models are narrower than the claim language requires.  Applicant’s specific definitions in their arguments to 
Therefore, the arguments are not persuasive and the prior art rejections are maintained.

Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant's disclosure.  Applicant is reminded that in amending in response to a rejection of claims, the patentable novelty must be clearly shown in view of the state of the art disclosed by the references cited and the objections made.  Applicant must also show how the amendments avoid such references and objections.  See 37 CFR §1.111(c).  Additionally, when amending, Applicant should in their remarks particularly cite the supporting paragraphs in the original disclosure for the amendments.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT H BEJCEK II whose telephone number is (571)270-3610.  The examiner can normally be reached on Monday - Friday: 9:00am - 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexey Shmatov can be reached on (571) 270-3428.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/R.B./Examiner, Art Unit 2123

/BABOUCARR FAAL/Primary Examiner, Art Unit 2184