DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

The applicant amended claims 1, 4 and 7, in the amendment received on 3/15/2021.

The claims 1-20 are pending.

Response to Arguments
Applicant’s arguments with respect to claims 1-20 have been considered but are moot in view of the new grounds of rejection.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having 

Claims 1-6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Venkatesh et al. (U.S. Publication No. 2012/0063641 A1) in view of Sun, J. & Xie, Yinglian & Zhang, Hui & Faloutsos, Christos. (2007). Less is More: Compact Matrix Decomposition for Large Sparse Graphs, retrieved on 8/302020 from https://www.microsoft.com/en-us/research/wp-content/uploads/2007/04/sdm07.pdf (hereinafter Sun), and further in view of Villella et al. (U.S. Publication No. 2018/0248903 A1).
With respect to claim 1, Venkatesh discloses a system for characterizing and detecting anomalies in an attributed network, the system comprising: a plurality of network devices associated with nodes of an attributed network; a dataset including a plurality of instances related to data derived from one or more nodes of the attributed network, the dataset defining a set of attributes (i.e., In the model-based approach, image features associated with behaviors such as the trajectory or shape of moving objects are extracted from video data. Then, typically a supervised learning step is performed to learn the behavior model given the observed features [a dataset comprising a set of attributes], ¶ 5.  Certain applications of the present disclosure allow multiple complex data streams with varying quantitative characteristics to be analyzed such that abnormal behavior is automatically, or substantially automatically identified [a dataset comprising a set of attributes], ¶ 17.  Certain embodiments may be used within existing devices, sensors and/or systems, ¶ 113.  The purpose of this exemplar experiment was to determine the volume anomaly detection in the compressed domain using a real-world dataset. The traffic flow in a network is the amount of traffic flowing in between each pair of ingress and egress nodes in the network, ¶ 218). 
Venkatesh also discloses a processor accessing the dataset and configured to perform operations that, access the set of attributes; initialize a residual matrix R, wherein the residual matrix R is representative of residuals inherent to the set of attributes (i.e., In some embodiments, this optical flow may be represented using bag-of-visual-words. From the bag-of-visual-words a feature-frame matrix may be constructed by amalgamating the feature vectors for all, substantially all or sufficient frames in the sequence [initialize a residual matrix R]. This is similar to the term-document matrix in document analysis and can be decomposed using SVD in a similar manner. Of course, other examples exist for aggregation. The aggregate behavior represented in this way may then be structurally decomposed into the observed into principal and residual components. Then it is possible to detect abnormal events in the residual subspaces (null space of the normal events) [initializing a residual matrix R, wherein the residual matrix R is representative of residuals inherent to the set of attributes]. The threshold in the residual space may be calculated using the Q-statistic. Of course, other examples exist for threshold determination. The location of the anomaly within the data set may be specifically identified to separate it from normal behavior within that same dataset, ¶ 50.  This model can then be used at the inference stage to decide whether the current scene is abnormal. Parametric and nonparametric patio-temporal template methods are proposed and describe a boosting-based classifier for the inference step. A large body of model-based methods also consider the trajectories of moving objects as image features for behavior analysis [a processor configured to perform operations, including: accessing the set of attributes], ¶ 5.  In certain applications, when dealing with large-scale data in general, it may not be possible, or desirable, to receive or process the whole, or a substantial portion, of the data to detect anomalies. In some applications, it may be useful to employ a pre-cursor step to transform the data to the Compressed Domain, using Compressed Sensing (CS) that involves multiplication of the data subsets with a sensing matrix, ¶ 54). 
Venkatesh further discloses update the residual matrix R by iteratively solving an objective function, wherein the objective function comprises the residual matrix R (i.e., For reducing the temporal stream, for instance by frame sub-sampling, an operator can request the server to generate random numbers and select instances corresponding to the random values +/-1, sum these two sets of instances, subtract them, and iteratively send the (very much fewer) results to the operator, ¶ 58.  To obtain a good sensing matrix [updating the residual matrix R by iteratively solving an objective function, wherein the objective function comprises the residual matrix R], the exemplar experiment started with a random Gaussian matrix and then applied the recently proposed algorithm by Elad. See M. Elad. Optimized projections for compressed sensing. IEEE Trans. Sig. Process., 55:5695-5702, 2007. This algorithm exploits the fact that the mutual coherence of .PHI., with each column normalized to unit norm, is the maximum magnitude of the off-diagonal elements of the Gram matrix G=.PHI..sup.T where the Gram matrix has the rank M. Hence, by iteratively shrinking the entries of the Gram matrix, forcing its rank to M, and taking square root, a smaller mutual coherence for .PHI. with a specified rank M is achieved, ¶ 221). 
(i.e., We now proceed to evaluate our framework, beginning with the performance of the sparsification module. As described in Figure 8, our proposed sparsification constructs an approximate matrix instead of using the true matrix. Our goal is thus to see how much accuracy we lose using sparsified matrices, compared with using the true matrix constructed formal available data.  We use the same source-destination traffic matrix used in Section 6.2. Figure 15 plots the sparsification ratio p vs. accuracy of the final approximation output by the entire framework, using the three different methods, SVD, CUR, and CMD. In other words, the accuracy is computed with respect to the true adjacency matrix constructed with all updates, section 6.4 ¶ 1) in order to spot anomalies in data (section 1 ¶ 4).
Sun also discloses access the set of adjacency information (i.e., Given a large static graph, how do we efficiently determine if certain nodes are outliers, that is, which rows or columns are significantly different than the rest? And how do we identify them? In this section, we consider anomaly detection on a static graph, with the goal of finding abnormal rows or columns in the corresponding adjacency matrix, section 7.1 ¶ 1). 
Sun further discloses use the updated residual matrix R to rank a set of possible anomalies by assigning an anomaly score to each of the plurality of instances (i.e., For each time window (e.g., 1pm-2pm), we can incrementally build an adjacency matrix A by updating its entries as data records are coming in, section 5.1 ¶ 2). 
Therefore, based on Venkatesh in view of Sun, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed 
Venkatesh and Sun may not explicitly disclose wherein the anomaly score corresponds to a degree of abnormality of the plurality of instances.
However, Villella discloses wherein the anomaly score corresponds to a degree of abnormality of the plurality of instances (i.e., In the case of anomaly-based analysis, the functionality of the analytics can include one or more of; 1) representing baseline behavior (modeling); 2) identifying deviations from the baseline behavior ( anomaly detection); 3) quantifying the degree of deviation (scoring) [wherein the anomaly score corresponds to a degree of abnormality of the plurality of instances]; 4) scaling dimensions of a value range to enhance comparisons/combinations of different data points or sets or analysis of a single data point or set (normalization), and 5) making comparisons across entities (ranking). Such entities may be user accounts, hosts/endpoints, etc. Different algorithms may have different relative advantages for different ones of these functions in different information system environments and use cases. Moreover, combinations of different algorithms maybe useful to satisfy multiple objectives such as efficient anomaly detection and attribution of an anomaly to a particular dimension of mathematical space, ¶ 22) in order to provide a SIEM (Security Information and Event Management) system that performs a number of functions related to information management such as information collection, storage, and in connection analytics, built-on or integrated into the SIEM system, for anomaly detection (¶ 4). 
(i.e., In a first branch, the system data is processed and analyzed to develop a model or baseline in a process referred to as data fitting. In a second branch, the system data is analyzed to apply the developed model to live data so as to provide information regarding an event of interest, e.g., identification and/or characterization of the event in a process referred to as data evaluation. The branches may process different or overlapping system data. For example, a first set of data may be processed by the first branch to develop a model of the data. Subsequently, live data may be processed by the second branch for event detection. The live data or a portion thereof may also be processed by the first branch (in real-time or subsequently) to further develop the data model [wherein the subset of anomalous instances is associated with the highest degree of abnormality in the attributed network], ¶ 12.  A number of processing steps may be performed in connection with one or both of the processing branches. These steps may include; pre-processing the system data to prepare the data for the advanced analytics; executing the advanced analytics on at least a portion of the pre-processing system data ("input data") so as to yield output data; and using the output data to provide the information regarding the event of interest. By appropriately preparing the system data, advanced analytics including, for example, a machine-learning process can be executed on system data thereby substantially improving event detection and analysis, ¶ 13.  The pre-processing provides a data set suitable for the advanced analytics. In this regard, the particular pre-processing implemented may vary depending on the analytics implemented. By way of example, the pre-processing may include one or more of removing system data that is not required for a specific analytics use case, handling situations where values are missing that are required for the specific analytics use case, and supplementing the system data with information that may enhance the analysis. A set of data is thus provided that has attributes suitable for the specific analytics employed, ¶ 14.  As noted above, the analytics are generally incorporated into a processing pipeline that includes a modeling branch and a live data processing branch that leverages the output of the modeling branch to analyze live data. The modeling branch can continuously apply analytics specific to the use case to the input data to develop and evolve baseline information. In a particular example, the baseline information can be developed in relation to a defined feature space representation of the data that may include multiple dimensions. In preferred implementations, optimal subspace models may be developed with respect to a subspace having reduced number of dimensions. For example, the baseline information may define a data manifold reflecting baseline conditions of the data in the multidimensional feature space. An anomaly can then be detected based on some notion of distance of a data point or set of data from the manifold. This enables meaningful scoring of anomalies as well as ranking of anomalies as is useful in various use cases. In this regard, scores for different entities (e.g., a particular user, host, connection, etc.) may be normalized to enable comparisons across the entities. More generally, though, input data can be provided to the analytics whereby data can be analyzed to yield output information for developing or updating a model of the learned environment or to monitor the learned environment, ¶ 17.  In the case of anomaly-based analysis, the functionality of the analytics can include one or more of; 1) representing baseline behavior (modeling); 2) identifying deviations from the baseline behavior ( anomaly detection); 3) quantifying the degree of deviation (scoring); 4) scaling dimensions of a value range to enhance comparisons/combinations of different data points or sets or analysis of a single data point or set (normalization) [detect a subset of anomalous instances from the plurality of instances, wherein the subset of anomalous instances is associated with the highest degree of abnormality in the attributed network], and 5) making comparisons across entities (ranking) [and is based on instances ranked highest according to their assigned anomaly score]. Such entities may be user accounts, hosts/endpoints, etc. Different algorithms may have different relative advantages for different ones of these functions in different information system environments and use cases. Moreover, combinations of different algorithms maybe useful to satisfy multiple objectives such as efficient anomaly detection and attribution of an anomaly to a particular dimension of mathematical space, ¶ 22.  By way of example, the modeling discussion below initially focuses on anomaly detection. The general process involves defining a baseline in relation to some set or evolving collection of data, and analyzing another (perhaps overlapping) set or stream of data to identify anomalies where the data under analysis departs from the baseline in some manner of interest. In a subsequent evaluation process, some or all of those anomalies may be deemed events that can be scored, ranked and associated with an attribution. The resulting output information can be used in a network monitoring and information management system such as a SIEM system, ¶ 85.  Multiple raw scores may be used to yield a single output score. For example, a set of raw scores for a time period or other data set can be sorted to yield a set of scores for one or more entities (logins, endpoints, etc.). An output score can then be determined for the entity by a sub-selection process (e.g., n highest scores, spike detection) or an aggregation process (e.g., count, mean, sum). Thus, the input into such a scoring process is an N.times.1 set of anomaly scores and the output is a scaler of overall anomalousness for the data set or time window, ¶ 104).
Therefore, based on Venkatesh  in view of Sun, and further in view of Villella, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Villella to the system of Venkatesh  and Sun in order to provide a SIEM (Security Information and Event Management) system that performs a number of functions related to information management such as information collection, storage, and in connection analytics, built-on or integrated into the SIEM system, for anomaly detection.

With respect to claim 2, Venkatesh discloses wherein the set of attributes is representative of features or attributes of a network for the plurality of instances (i.e., In the model-based approach, image features associated with behaviors such as the trajectory or shape of moving objects are extracted from video data. Then, typically a supervised learning step is performed to learn the behavior model given the observed features [wherein the set of attributes is representative of features or attributes of a network for the plurality of instances], ¶ 5.  Certain applications of the present disclosure allow multiple complex data streams with varying quantitative characteristics to be analyzed such that abnormal behavior is automatically, or substantially automatically identified [wherein the set of attributes is representative of features or attributes of a network for the plurality of instances], ¶ 17). 
Venkatesh may not explicitly disclose wherein the set of adjacency information comprises link relationships for the plurality of instances throughout the network.
However, Sun discloses wherein the set of adjacency information comprises link relationships for the plurality of instances throughout the network (i.e., Without loss of generality, we use the adjacency matrix A 2 Rm×n to represent a directed graph with weights G = (V,E,W)1. Every row or column in A corresponds to a node in V . We set the value of A(i, j) to w(i, j) 2 W if there is an edge from node vi 2 V to node vj 2 V with weight w(i, j). Otherwise, we set it to zero. For example, in the network traffic matrix case, we could have m (active) sources, n (active) destinations, and for each (source, destination) pair, we record the corresponding count of flows. Note that our definition of the adjacency matrix is more general, because we omit rows or columns that have no entries. It can include both special cases such as bi-partite graphs (rows and columns referring to the different sets of nodes), and traditional graphs (rows and columns referring to the same set of nodes), section 3 ¶ 1) in order to spot anomalies in data (section 1 ¶ 4).
Therefore, based on Venkatesh in view of Sun, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Sun to the system of Venkatesh in order to spot anomalies in data.


However, Sun discloses wherein the residual matrix R is built from a set of approximation error values, wherein the approximation error values are obtained using the set of attributes and a coefficient matrix W (i.e., Figure 7 shows the flowchart of the whole mining process.  The process takes as input data from application, and generates as output mining results represented as low-rank data summaries and approximation errors. The results can be fed into different mining applications such as anomaly detection and historical analysis, section 5 ¶ 2.  Also see section 5.3 for error matrices for use in the anomaly detection) in order to spot anomalies in data (section 1 ¶ 4).
Therefore, based on Venkatesh in view of Sun, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Sun to the system of Venkatesh in order to spot anomalies in data.

With respect to claim 4, Venkatesh discloses wherein the processor is further configured to execute operations that update the matrices in an alternating fashion until the objective function converges (i.e., In some cases, it can be linear with L, but this requires iterative estimation, for example, expectation maximization (EM) to reach convergence [updating matrices in an alternating fashion until the objective function converges], ¶ 15.  To obtain a good sensing matrix, the exemplar experiment started with a random Gaussian matrix and then applied the recently proposed algorithm by Elad. See M. Elad. Optimized projections for compressed sensing. IEEE Trans. Sig. Process., 55:5695-5702, 2007. This algorithm exploits the fact that the mutual coherence of .PHI., with each column normalized to unit norm, is the maximum magnitude of the off-diagonal elements of the Gram matrix G=.PHI..sup.T where the Gram matrix has the rank M. Hence, by iteratively shrinking the entries of the Gram matrix, forcing its rank to M, and taking square root, a smaller mutual coherence for .PHI. with a specified rank M is achieved [updating matrices in an alternating fashion until the objective function converges], ¶ 221). 
Vankatesh may not explicitly disclose wherein the residual matrix R is held constant as the coefficient matrix W is updated and wherein the coefficient matrix W is held constant as the residual matrix R is updated.
However, Sun discloses wherein the residual matrix R is held constant as the coefficient matrix W is updated and wherein the coefficient matrix W is held constant as the residual matrix R is updated (i.e., For each time window (e.g., 1pm-2pm), we can incrementally build an adjacency matrix A by updating its entries as data records are coming in. Each new record triggers an update on an entry (i, j) with a value increase of v, i.e.,A(i, j) = A(i, j) + v, section 5.1 ¶ 2.  Also see figure 8 showing the updating and holding of constant values) in order to spot anomalies in data (section 1 ¶ 4).
Therefore, based on Venkatesh in view of Sun, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Sun to the system of Venkatesh in order to spot anomalies in data.

With respect to claim 5, Venkatesh discloses wherein a plurality of scalar parameters are used to control row sparsity or contribution of the set of attributes or the set of adjacency information (i.e., As demonstrate, the disclosed methods and systems using compressed data are scalable in both network anomaly detection and the aforementioned abnormal behaviour detection from video footages [wherein a plurality of scalar parameters are used to control row sparsity or contribution of the set of attributes or the set of adjacency information]. For the network data, both a real-world benchmark dataset (Abilene) and a simulated dataset specifically designed to test anomaly detection capability of our framework was used. For the video data, a subset of the PTA data was used, ¶ 217). 

With respect to claim 6, Venkatesh may not explicitly disclose wherein the set of possible anomalies is ranked in descending order and wherein the top m instances are returned.
However, Sun discloses wherein the set of possible anomalies is ranked in descending order and wherein the top m instances are returned (i.e., We use detection precision as our metric. We sort hosts based their row SSEs and column SSEs, and extract the smallest number of top ranked hosts (say k hosts) that we need to select as suspicious hosts, in order to detect all injected abnormal host (i.e., recall = 100% with no false negatives). Precision thus equals 1/k, and the false positive rate equals 1 − precision.  We inject only one abnormal host each time. And we repeat each experiment 100 times and take the mean, section 7.1 ¶s 7-8) in order to spot anomalies in data (section 1 ¶ 4).
Therefore, based on Venkatesh in view of Sun, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Sun to the system of Venkatesh in order to spot anomalies in data.

Claims 7-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Venkatesh et al. (U.S. Publication No. 2012/0063641 A1) in view of Sun, J. & Xie, Yinglian & Zhang, Hui & Faloutsos, Christos. (2007). Less is More: Compact Matrix Decomposition for Large Sparse Graphs, retrieved on 8/302020 from https://www.microsoft.com/en-us/research/wp-content/uploads/2007/04/sdm07.pdf (hereinafter Sun), and Villella et al. (U.S. Publication No. 2018/0248903 A1), and in further view of Ide et al. (U.S. Publication No. 2014/0336985 A1).
With respect to claim 7, Venkatesh discloses a method for detecting anomalies in an attributed network, the method comprising: accessing, as an input, information associated with one or more network nodes and corresponding devices of a network (i.e., In certain embodiments this detection may be carried out in an automatic or substantial automatic manner and if desired on large-scale data. Certain applications are directed to analysing video surveillance records to identify aberrant behavior among small numbers of individuals in a crowd. Certain applications are directed to analysing data streams from large-scale sensor networks and/or large on-line databases. In certain embodiments, the disclosure is to methods and/or systems of detecting anomalies from data; including large-scale data. Certain applications may be carried out in real time or substantially real time, ¶ 2.  In addition, the problem of detecting anomalies in data streams captured by large-scale sensor networks has received much interest over the past decade, ¶ 10.  In the model-based approach, image features associated with behaviours such as the trajectory or shape of moving objects are extracted from video data. Then, typically a supervised learning step is performed to learn the behaviour model given the observed features [accessing, as an input, information associated with one or more network nodes and corresponding devices of a network], ¶ 5.  Certain applications of the present disclosure allow multiple complex data streams with varying quantitative characteristics to be analyzed such that abnormal behaviour is automatically, or substantially automatically identified [accessing, as an input, information], ¶ 17.  In certain applications, when dealing with large-scale data in general, it may not be possible, or desirable, to receive or process the whole, or a substantial portion, of the data to detect anomalies. In some applications, it may be useful to employ a pre-cursor step to transform the data to the Compressed Domain, using Compressed Sensing (CS) that involves multiplication of the data subsets with a sensing matrix [accessing, as an input, information associated with one or more network nodes and corresponding devices of a network], ¶ 54.  Alternatively, in certain applications, when the sensors cannot directly reach the central node such as in a wireless communication link over a large spatial domain, the random gossip algorithm can be applied to propagate the projection to the central node, ¶ 57.  In certain applications, where no compressed sensing is being used, it is still possible to process a significant amount of data per second under defined parameters. Certain embodiments are to a method, or methods, for detecting the presence of an infrequent event, the method comprising: monitoring a data set using a plurality of sensors; and processing, the data received by the sensors to detect the presence of the infrequent event in substantially real time, ¶ 121.  The purpose of this exemplar experiment was to determine the volume anomaly detection in the compressed domain using a real-world dataset. The traffic flow in a network is the amount of traffic flowing in between each pair of ingress and egress nodes in the network, ¶ 218.  These applications require the large scale collection of parameters relating to network nodes and devices of a network). 
Venkatesh further discloses generating, based on the information, an attribute matrix X and a plurality of parameters, wherein the attribute matrix X contain information about a plurality of instances (i.e., In certain aspects, a feature could also be the difference in parameters between two subsets of the data. In this case the analysing step may be applied to the difference between pairs of subsets; known generically as flow [a plurality of parameters], ¶ 38.  In certain applications, when dealing with large-scale data in general, it may not be possible, or desirable, to receive or process the whole, or a substantial portion, of the data to detect anomalies. In some applications, it may be useful to employ a pre-cursor step to transform the data to the Compressed Domain, using Compressed Sensing (CS) that involves multiplication of the data subsets with a sensing matrix [attribute matrix and a plurality of parameters], ¶ 54). 
Venkatesh also discloses initializing DR and DW to be identity matrices, wherein DR is a diagonal matrix which corresponds to a residual matrix R and wherein DW is a diagonal matrix which corresponds to a coefficient matrix W (i.e., To obtain a good sensing matrix, the exemplar experiment started with a random Gaussian matrix and then applied the recently proposed algorithm by Elad. See M. Elad. Optimized projections for compressed sensing. IEEE Trans. Sig. Process., 55:5695-5702, 2007. This algorithm exploits the fact that the mutual coherence of .PHI., with each column normalized to unit norm, is the maximum magnitude of the off -diagonal elements of the Gram matrix G=.PHI..sup.T where the Gram matrix has the rank M [diagonal matrices]. Hence, by iteratively shrinking the entries of the Gram matrix, forcing its rank to M, and taking square root, a smaller mutual coherence for .PHI. with a specified rank M is achieved, ¶ 221). 
Venkatesh also discloses initializing the residual matrix R (i.e., In some embodiments, this optical flow may be represented using bag-of-visual-words. From the bag-of-visual-words a feature-frame matrix may be constructed by amalgamating the feature vectors for all, substantially all or sufficient frames in the sequence. This is similar to the term-document matrix in document analysis and can be decomposed using SVD in a similar manner. Of course, other examples exist for aggregation. The aggregate behaviour represented in this way may then be structurally decomposed into the observed into principal and residual components. Then it is possible to detect abnormal events in the residual subspaces (null space of the normal events) [initializing a residual matrix R]. The threshold in the residual space may be calculated using the Q-statistic. Of course, other examples exist for threshold determination. The location of the anomaly within the data set may be specifically identified to separate it from normal behaviour within that same dataset, ¶ 50). 
W, the residual matrix R, and the diagonal matrix DR until the objective function converges (i.e., In some cases, it can be linear with L, but this requires iterative estimation, for example, expectation maximization (EM) to reach convergence [converging an objective function by iteratively updating the coefficient matrix W, the diagonal matrix DW, the residual matrix R, and the diagonal matrix DR until the objective function converges], ¶ 15.  To obtain a good sensing matrix, the exemplar experiment started with a random Gaussian matrix and then applied the recently proposed algorithm by Elad. See M. Elad. Optimized projections for compressed sensing. IEEE Trans. Sig. Process., 55:5695-5702, 2007. This algorithm exploits the fact that the mutual coherence of .PHI., with each column normalized to unit norm, is the maximum magnitude of the off-diagonal elements of the Gram matrix G=.PHI..sup.T where the Gram matrix has the rank M. Hence, by iteratively shrinking the entries of the Gram matrix, forcing its rank to M, and taking square root, a smaller mutual coherence for .PHI. with a specified rank M is achieved [converging an objective function by iteratively updating the coefficient matrix W, the diagonal matrix Dw, the residual matrix R, and the diagonal matrix DR until the objective function converges], ¶ 221). 
Venkatesh may not explicitly disclose calculating an anomaly score for the plurality of instances based on a set of values from the residual matrix R.
However, Sun discloses an adjacency matrix A (i.e., We now proceed to evaluate our framework, beginning with the performance of the sparsification module. As described in Figure 8, our proposed sparsification constructs an approximate matrix instead of using the true matrix. Our goal is thus to see how much accuracy we lose using sparsified matrices, compared with using the true matrix constructed formal available data.  We use the same source-destination traffic matrix used in Section 6.2. Figure 15 plots the sparsification ratio p vs. accuracy of the final approximation output by the entire framework, using the three different methods, SVD, CUR, and CMD. In other words, the accuracy is computed with respect to the true adjacency matrix constructed with all updates, section 6.4 ¶ 1) in order to spot anomalies in data (section 1 ¶ 4).
Sun also discloses calculating an anomaly score for the plurality of instances based on a set of values from the residual matrix R (i.e., For each time window (e.g., 1pm-2pm), we can incrementally build an adjacency matrix A by updating its entries as data records are coming in, section 5.1 ¶ 2) in order to spot anomalies in data (section 1 ¶ 4).
Therefore, based on Venkatesh in view of Sun, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Sun to the system of Venkatesh in order to spot anomalies in data.
Venkatesh and Sun may not explicitly disclose calculating an anomaly score for each of the plurality of instances based on a set of values from the residual matrix R.
However, Villella calculating an anomaly score for each of the plurality of instances based on a set of values from the residual matrix R (i.e., An anomaly can then be detected based on some notion of distance of a data point or set of data from the manifold. This enables meaningful scoring of anomalies as well as ranking of anomalies as is useful in various use cases. In this regard, scores for different entities (e.g., a particular user, host, connection, etc.) may be normalized to enable comparisons across the entities, ¶ 17.  Thus, each entity instance is scored) in order to provide a SIEM (Security Information and Event Management) system that performs a number of functions related to information management such as information collection, storage, and in connection analytics, built-on or integrated into the SIEM system, for anomaly detection (¶ 4). 
Villella also discloses ranking the plurality of instances according to their respective anomaly score, wherein a higher rank represents a higher degree of abnormality of a particular instance; and detecting a subset of anomalous instances based on the highest ranked instances of the plurality of instances (i.e., In a first branch, the system data is processed and analyzed to develop a model or baseline in a process referred to as data fitting. In a second branch, the system data is analyzed to apply the developed model to live data so as to provide information regarding an event of interest, e.g., identification and/or characterization of the event in a process referred to as data evaluation. The branches may process different or overlapping system data. For example, a first set of data may be processed by the first branch to develop a model of the data. Subsequently, live data may be processed by the second branch for event detection. The live data or a portion thereof may also be processed by the first branch (in real-time or subsequently) to further develop the data model [detecting a subset of anomalous instances based on the highest ranked instances of the plurality of instances], ¶ 12.  A number of processing steps may be performed in connection with one or both of the processing branches. These steps may include; pre-processing the system data to prepare the data for the advanced analytics; executing the advanced analytics on at least a portion of the pre-processing system data ("input data") so as to yield output data; and using the output data to provide the information regarding the event of interest. By appropriately preparing the system data, advanced analytics including, for example, a machine-learning process can be executed on system data thereby substantially improving event detection and analysis, ¶ 13.  The pre-processing provides a data set suitable for the advanced analytics. In this regard, the particular pre-processing implemented may vary depending on the analytics implemented. By way of example, the pre-processing may include one or more of removing system data that is not required for a specific analytics use case, handling situations where values are missing that are required for the specific analytics use case, and supplementing the system data with information that may enhance the analysis. A set of data is thus provided that has attributes suitable for the specific analytics employed, ¶ 14.  As noted above, the analytics are generally incorporated into a processing pipeline that includes a modeling branch and a live data processing branch that leverages the output of the modeling branch to analyze live data. The modeling branch can continuously apply analytics specific to the use case to the input data to develop and evolve baseline information. In a particular example, the baseline information can be developed in relation to a defined feature space representation of the data that may include multiple dimensions. In preferred implementations, optimal subspace models may be developed with respect to a subspace having reduced number of dimensions. For example, the baseline information may define a data manifold reflecting baseline conditions of the data in the multidimensional feature space. An anomaly can then be detected based on some notion of distance of a data point or set of data from the manifold. This enables meaningful scoring of anomalies as well as ranking of anomalies as is useful in various use cases. In this regard, scores for different entities (e.g., a particular user, host, connection, etc.) may be normalized to enable comparisons across the entities. More generally, though, input data can be provided to the analytics whereby data can be analyzed to yield output information for developing or updating a model of the learned environment or to monitor the learned environment, ¶ 17.  In the case of anomaly-based analysis, the functionality of the analytics can include one or more of; 1) representing baseline behavior (modeling); 2) identifying deviations from the baseline behavior ( anomaly detection); 3) quantifying the degree of deviation (scoring); 4) scaling dimensions of a value range to enhance comparisons/combinations of different data points or sets or analysis of a single data point or set (normalization) [ranking the plurality of instances according to their respective anomaly score, wherein a higher rank represents a higher degree of abnormality of a particular instance], and 5) making comparisons across entities (ranking) [and is based on instances ranked highest according to their assigned anomaly score]. Such entities may be user accounts, hosts/endpoints, etc. Different algorithms may have different relative advantages for different ones of these functions in different information system environments and use cases. Moreover, combinations of different algorithms maybe useful to satisfy multiple objectives such as efficient anomaly detection and attribution of an anomaly to a particular dimension of mathematical space, ¶ 22.  By way of example, the modeling discussion below initially focuses on anomaly detection. The general process involves defining a baseline in relation to some set or evolving collection of data, and analyzing another (perhaps overlapping) set or stream of data to identify anomalies where the data under analysis departs from the baseline in some manner of interest. In a subsequent evaluation process, some or all of those anomalies may be deemed events that can be scored, ranked and associated with an attribution. The resulting output information can be used in a network monitoring and information management system such as a SIEM system, ¶ 85.  Multiple raw scores may be used to yield a single output score. For example, a set of raw scores for a time period or other data set can be sorted to yield a set of scores for one or more entities (logins, endpoints, etc.). An output score can then be determined for the entity by a sub-selection process (e.g., n highest scores, spike detection) or an aggregation process (e.g., count, mean, sum). Thus, the input into such a scoring process is an N.times.1 set of anomaly scores and the output is a scaler of overall anomalousness for the data set or time window, ¶ 104). 
Therefore, based on Venkatesh in view of Sun, and further in view of Villella, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Villella to the system of Venkatesh and Sun in order to provide a SIEM (Security Information and Event Management) system that performs a number of functions related to information management such as information collection, storage, and in connection analytics, built-on or integrated into the SIEM system, for anomaly detection.
Venkatesh, Sun and Villella may not explicitly disclose building a Laplacian matrix L from the adjacency matrix A.
However, Ide discloses building a Laplacian matrix L from the adjacency matrix A (i.e., The adjacency matrix .LAMBDA. is solved by expressing it as a weighted adjacency matrix and performing maximum aposteriori probability estimation of a normal distribution using a Laplace prior distribution, ¶ 36) in order for the early and certainly detecting occurrence of an anomaly even when an external environment is fluctuating (¶ 2).
Therefore, based on Venkatesh in view of Sun and Villella, and further in view of Ide, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Ide to the system of Venkatesh, Sun and Villella in order for the early and certainly detecting occurrence of an anomaly even when an external environment is fluctuating.

With respect to claim 8, Venkatesh discloses wherein the plurality of parameters include: parameter .beta., wherein parameter .beta. is used to control row sparsity of the residual matrix R (i.e., When a data subset, represented by a data vector is sparse or compressible, Compressed Sensing (CS) theory has shown that it is possible to sense the data vector via a simple, non-adaptive and linear projection y=.PHI.x. The sensing matrix .PHI. has a significantly smaller number of rows than columns, i.e. M<<N, meaning that the dimension of y is considerably smaller than x. Under suitable conditions on the approximate orthogonality between columns of the sensing matrix .PHI. it is possible to perfectly recover x from y via a convex optimization problem, which can be efficiently solved by specialized algorithms, ¶ 189.  It has been shown; see A. Lakhina et al. Diagonising network-wide traffic anomalies. In Proc. ACM SIGCOMM, 2004, that signal s is sparse in some basis and n still has noise-like behaviour. Here it was assumed that noise n are iid Gaussian with mean zero and variance .sigma..sup.2. DCT was selected as the basis after considering the daily periodic characteristics of the network traffic. The number of principal components is K=4, which in these circumstances may be a reasonable trade-off between sparsity and the amount of energy captured in the principal subspace. Here, zero-mean Gaussian noise (n) with .sigma.=0:01 was added. To simulate abnormal network conditions 70 anomalies were injected of different magnitude in the data following the procedure specified in A. Lakhina et al. Diagonising network-wide traffic anomalies. In Proc. ACM SIGCOMM, 2004, ¶ 223.  This shows that sparsity can be controlled using different variables). 
Venkatesh also discloses parameter .gamma., wherein parameter .gamma. is used to balance contribution of attribute information and network information within the objective function and the residual matrix R (i.e., When a data subset, represented by a data vector is sparse or compressible, Compressed Sensing (CS) theory has shown that it is possible to sense the data vector via a simple, non-adaptive and linear projection y=.PHI.x. The sensing matrix .PHI. has a significantly smaller number of rows than columns, i.e. M<<N, meaning that the dimension of y is considerably smaller than x. Under suitable conditions on the approximate orthogonality between columns of the sensing matrix .PHI. it is possible to perfectly recover x from y via a convex optimization problem, which can be efficiently solved by specialized algorithms [parameter .gamma., wherein parameter .gamma. is used to balance contribution of attribute information and network information within the objective function and the residual matrix R], ¶ 189.  It has been shown; see A. Lakhina et al. Diagonising network-wide traffic anomalies. In Proc. ACM SIGCOMM, 2004, that signal s is sparse in some basis and n still has noise-like behaviour. Here it was assumed that noise n are iid Gaussian with mean zero and variance .sigma..sup.2. DCT was selected as the basis after considering the daily periodic characteristics of the network traffic. The number of principal components is K=4, which in these circumstances may be a reasonable trade-off between sparsity and the amount of energy captured in the principal subspace. Here, zero-mean Gaussian noise (n) with .sigma.=0:01 was added. To simulate abnormal network conditions 70 anomalies were injected of different magnitude in the data following the procedure specified in A. Lakhina et al. Diagonising network-wide traffic anomalies. In Proc. ACM SIGCOMM, 2004, ¶ 223). 
Venkatesh further discloses parameter .alpha., wherein parameter .alpha. is used to control row sparsity of the coefficient matrix W (i.e., When a data subset, represented by a data vector is sparse or compressible, Compressed Sensing (CS) theory has shown that it is possible to sense the data vector via a simple, non-adaptive and linear projection y=.PHI.x. The sensing matrix .PHI. has a significantly smaller number of rows than columns, i.e. M<<N, meaning that the dimension of y is considerably smaller than x. Under suitable conditions on the approximate orthogonality between columns of the sensing matrix .PHI. it is possible to perfectly recover x from y via a convex optimization problem, which can be efficiently solved by specialized algorithms [parameter .alpha., wherein parameter .alpha. is used to control row sparsity of the coefficient matrix W], ¶ 189.  It has been shown; see A. Lakhina et al. Diagonising network-wide traffic anomalies. In Proc. ACM SIGCOMM, 2004, that signal s is sparse in some basis and n still has noise-like behaviour. Here it was assumed that noise n are iid Gaussian with mean zero and variance .sigma..sup.2. DCT was selected as the basis after considering the daily periodic characteristics of the network traffic. The number of principal components is K=4, which in these circumstances may be a reasonable trade-off between sparsity and the amount of energy captured in the principal subspace [parameter .alpha., wherein parameter .alpha. is used to control row sparsity of the coefficient matrix W]. Here, zero-mean Gaussian noise (n) with .sigma.=0:01 was added. To simulate abnormal network conditions 70 anomalies were injected of different magnitude in the data following the procedure specified in A. Lakhina et al. Diagonising network-wide traffic anomalies. In Proc. ACM SIGCOMM, 2004, ¶ 223). 
However, Sun also discloses wherein the plurality of parameters include: parameter .beta., wherein parameter .beta. is used to control row sparsity of the residual matrix R (i.e., The data source is assumed to generate a large volume of real time event records for constructing large graphs (e.g., network traffic monitoring and analysis). Because it is often hard to buffer and process all data that are streamed in, we propose one more step, namely, sparsification, to reduce the incoming data volume by sampling and scaling data to approximate the original full data (Section 5.1) [parameter .beta., wherein parameter .beta. is used to control row sparsity of the residual matrix R], section 5 ¶ 3) in order to spot anomalies in data (section 1 ¶ 4).
Sun further discloses wherein parameter .beta., parameter .gamma., and parameter .alpha. are scalar quantities (i.e., 4.2 proves the correctness of the matrix multiplication results after removing the duplicated rows. Note it is important that we use different scaling factors for removing duplicate columns (square root of the number of duplicates) and rows (the exact number of duplicates). Inaccurate scaling factors will incur a huge approximation error, section 4.2 ¶ 5). 
Therefore, based on Venkatesh in view of Sun, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Sun to the system of Venkatesh in order to spot anomalies in data.

With respect to claim 9, Venkatesh discloses wherein the residual matrix R is initialized by multiplying the inverse of the summation of an identity matrix I, the diagonal matrix DR, and the Laplacian matrix L with the set of approximation error values in matrix form, wherein the diagonal matrix DR is multiplied with the parameter .beta. and the Laplacian matrix L is multiplied with the parameter .gamma. (i.e., In certain applications, when dealing with large-scale data in general, it may not be possible, or desirable, to receive or process the whole, or a substantial portion, of the data to detect anomalies. In some applications, it may be useful to employ a pre-cursor step to transform the data to the Compressed Domain, using Compressed Sensing (CS) that involves multiplication of the data subsets with a sensing matrix. Compression Sensing is designed to reduce the data to a manageable size. The analysing and other steps are then all performed on the compressed data. This may greatly reduce the number of processing samples while retaining good anomaly detection performance. In certain embodiment, with high probability the anomaly detection performance is approximately equivalent to that on complete data, provided that the data spectrum is sparse. This is the case in many practical situations. In other applications, the detection performance using the Compressed Domain may provide sufficient equivalents so as to be practically useful with something less than a high probability, ¶ 54.  See the multiple different matrix manipulations throughout the specification). 
However, Sun also discloses wherein the residual matrix R is initialized by multiplying the inverse of the summation of an identity matrix I, the diagonal matrix DR, and the Laplacian matrix L with the set of approximation error values in matrix form, wherein the diagonal matrix DR is multiplied with the parameter .beta. and the Laplacian matrix L is multiplied with the parameter .gamma (i.e., see figures 2-5 for matrix evaluations and summations as well as inverses) in order to spot anomalies in data (section 1 ¶ 4).
Therefore, based on Venkatesh in view of Sun, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Sun to the system of Venkatesh in order to spot anomalies in data.

With respect to claim 10, Venkatesh may not explicitly disclose wherein the residual matrix R is built from a set of approximation error values, wherein the approximation error values are obtained using the attribute matrix X and the coefficient matrix W.
However, Sun discloses wherein the residual matrix R is built from a set of approximation error values, wherein the approximation error values are obtained using the attribute matrix X and the coefficient matrix W (i.e., Figure 7 shows the flowchart of the whole mining process.  The process takes as input data from application, and generates as output mining results represented as low-rank data summaries and approximation errors [wherein the approximation error values are obtained using the attribute matrix X and the coefficient matrix W]. The results can be fed into different mining applications such as anomaly detection and historical analysis, section 5 ¶ 2.  Also see section 5.3 for error matrices for use in the anomaly detection) in order to spot anomalies in data (section 1 ¶ 4).
Therefore, based on Venkatesh in view of Sun, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Sun to the system of Venkatesh in order to spot anomalies in data.

With respect to claim 11, Venkatesh discloses wherein each individual row of the attribute matrix X corresponds to an individual instance of the plurality of instances (i.e., When a data subset, represented by a data vector is sparse or compressible, Compressed Sensing (CS) theory has shown that it is possible to sense the data vector via a simple, non-adaptive and linear projection y=.PHI.x. The sensing matrix .PHI. has a significantly smaller number of rows than columns, i.e. M<<N, meaning that the dimension of y is considerably smaller than x [wherein each individual row of the attribute matrix X corresponds to an individual instance of the plurality of instances]. Under suitable conditions on the approximate orthogonality between columns of the sensing matrix .PHI. it is possible to perfectly recover x from y via a convex optimization problem, which can be efficiently solved by specialized algorithms, ¶ 189). 

(i.e., In some cases, it can be linear with L, but this requires iterative estimation, for example, expectation maximization (EM) to reach convergence. The EM method also linearly scales with the sample size, but on average it has very slow convergence rates and is typically not suitable for anomaly detection in high speed data streams, ¶ 15.  Case 1: For the sensor sub-sampling case: In certain embodiments, a linear transformation on the data y=.PHI.x where .PHI..epsilon..PHI.R.sup.M.times.N is known is obtained as the CS measurement matrix whose entries are random variables. CS approaches offer many classes of CS matrices that can be efficiently implemented in practice, ¶ 198). 

With respect to claim 13, Venkatesh discloses wherein the coefficient matrix W is updated by fixing the residual matrix R to remain constant and solving for the coefficient matrix W using the objective function (i.e., For reducing the temporal stream, for instance by frame sub-sampling, an operator can request the server to generate random numbers and select instances corresponding to the random values +/-1, sum these two sets of instances, subtract them, and iteratively send the (very much fewer) results to the operator, ¶ 58.  To obtain a good sensing matrix, the exemplar experiment started with a random Gaussian matrix and then applied the recently proposed algorithm by Elad. See M. Elad. Optimized projections for compressed sensing. IEEE Trans. Sig. Process., 55:5695-5702, 2007. This algorithm exploits the fact that the mutual coherence of .PHI., with each column normalized to unit norm, is the maximum magnitude of the off-diagonal elements of the Gram matrix G=.PHI..sup.T where the Gram matrix has the rank M. Hence, by iteratively shrinking the entries of the Gram matrix, forcing its rank to M, and taking square root, a smaller mutual coherence for .PHI. with a specified rank M is achieved [wherein the coefficient matrix W is updated by fixing the residual matrix R to remain constant and solving for the coefficient matrix W using the objective function], ¶ 221). 

With respect to claim 14, Venkatesh discloses reducing the objective function to contain terms which are relevant to the coefficient matrix W (i.e., see the decomposition of matrix functions in ¶s 50 and 60 for examples). 
Venkatesh also discloses wherein the closed-form solution for the coefficient matrix W contains the diagonal matrix Dw (i.e., In some embodiments, this optical flow may be represented using bag-of-visual-words. From the bag-of-visual-words a feature-frame matrix may be constructed by amalgamating the feature vectors for all, substantially all or sufficient frames in the sequence. This is similar to the term-document matrix in document analysis and can be decomposed using SVD in a similar manner. Of course, other examples exist for aggregation. The aggregate behaviour represented in this way may then be structurally decomposed into the observed into principal and residual components. Then it is possible to detect abnormal events in the residual subspaces (null space of the normal events). The threshold in the residual space may be calculated using the Q-statistic. Of course, other examples exist for threshold determination. The location of the anomaly within the data set may be specifically identified to separate it from normal behaviour within that same dataset, ¶ 50.  The Q-static calculation is a closed-form solution for a matrix including a matrix of coefficients.  Alternatively, the features may be represented as sets of vectors before being transformed to the Compressed Domain. Then the decomposing step is performed on the sets of compressed vectors to extract the residual subspace, before thresholding the compressed data. Of course, other examples exist for feature transformation, ¶ 60.  This decomposing also requires the solving of some type of closed form equation on the matrix of coefficients). 
Venkatesh may not explicitly disclose setting a derivative of the reduced objective function to be zero and obtaining a closed-form solution for the coefficient matrix W.
However, Sun discloses setting a derivative of the reduced objective function to be zero and obtaining a closed-form solution for the coefficient matrix W (i.e., see the closed-form objective function in figure 8 with A being set to zero with the derivative being the delta v.  Also the coefficient matrix A being the resulting obtained matrix) in order to spot anomalies in data (section 1 ¶ 4).
Therefore, based on Venkatesh in view of Sun, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Sun to the system of Venkatesh in order to spot anomalies in data.

With respect to claim 15, Venkatesh discloses an i-th diagonal element of the diagonal matrix DW (i.e., In some cases, it can be linear with L, but this requires iterative estimation, for example, expectation maximization (EM) to reach convergence, ¶ 15.  To obtain a good sensing matrix, the exemplar experiment started with a random Gaussian matrix and then applied the recently proposed algorithm by Elad. See M. Elad. Optimized projections for compressed sensing. IEEE Trans. Sig. Process., 55:5695-5702, 2007. This algorithm exploits the fact that the mutual coherence of .PHI., with each column normalized to unit norm, is the maximum magnitude of the off-diagonal elements of the Gram matrix G=.PHI..sup.T where the Gram matrix has the rank M. Hence, by iteratively shrinking the entries of the Gram matrix, forcing its rank to M, and taking square root, a smaller mutual coherence for .PHI. with a specified rank M is achieved [an i-th diagonal element of the diagonal matrix DW], ¶ 221). 
Venkatesh, Sun and Ide may not explicitly disclose an inverse of a function such as                         
                            
                                
                                    1
                                
                                
                                    2
                                    |
                                    
                                        
                                            W
                                            
                                                
                                                    i
                                                    .
                                                    i
                                                
                                            
                                        
                                    
                                    |
                                    2
                                
                            
                        
                     being used with matrices.
However, Villella discloses an inverse of a function such as                         
                            
                                
                                    1
                                
                                
                                    2
                                    |
                                    
                                        
                                            W
                                            
                                                
                                                    i
                                                    .
                                                    i
                                                
                                            
                                        
                                    
                                    |
                                    2
                                
                            
                        
                     being used with matrices (i.e., The Mahalanobis distance is generalized measure of distance between a given point and distribution. It can be thought of as the multi-dimensional generalization of a z-score. One drawback of the Mahalanobis distance is that it requires inverting the covariance matrix, which can be singular when the number of features is much larger than the number of observations (and is exacerbated when there are duplicate observations). There are ways to approximate the covariance matrix and perform inversion. One implementation instead uses the pseudo -inverse of the empirical covariance matrix, ¶ 121.  Thus, there is a way to use an inverse of a matrix to generate an anomaly score as shown above) in order to provide a SIEM (Security Information and Event Management) system that performs a number of functions (¶ 4).
Therefore, based on Venkatesh in view of Sun, and further in view of Villella, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Villella to the system of Venkatesh  and Sun in order to provide a SIEM (Security Information and Event Management) system that performs a number of functions related to information management such as information collection, storage, and in connection analytics, built-on or integrated into the SIEM system, for anomaly detection.

With respect to claim 16, Venkatesh discloses wherein the residual matrix R is updated by fixing the coefficient matrix W to remain constant and solving for the residual matrix R using the objective function (i.e., For reducing the temporal stream, for instance by frame sub-sampling, an operator can request the server to generate random numbers and select instances corresponding to the random values +/-1, sum these two sets of instances, subtract them, and iteratively send the (very much fewer) results to the operator, ¶ 58.  To obtain a good sensing matrix, the exemplar experiment started with a random Gaussian matrix and then applied the recently proposed algorithm by Elad. See M. Elad. Optimized projections for compressed sensing. IEEE Trans. Sig. Process., 55:5695-5702, 2007. This algorithm exploits the fact that the mutual coherence of .PHI., with each column normalized to unit norm, is the maximum magnitude of the off-diagonal elements of the Gram matrix G=.PHI..sup.T where the Gram matrix has the rank M. Hence, by iteratively shrinking the entries of the Gram matrix, forcing its rank to M, and taking square root, a smaller mutual coherence for .PHI. with a specified rank M is achieved [wherein the residual matrix R is updated by fixing the coefficient matrix W to remain constant and solving for the residual matrix R using the objective function], ¶ 221). 

With respect to claim 17, the limitations of claim 17 are rejected in the analysis of claim 14 above, and the claim is rejected on that basis.

With respect to claim 18, the limitations of claim 18 are rejected in the analysis of claim 15 above, and the claim is rejected on that basis.

With respect to claim 19, Venkatesh discloses wherein the anomaly score for each of the plurality of instances is calculated by computing the norm for each instance in the residual matrix R (i.e., Certain embodiments once provided sample data to establish the parameters of normal will automatically identify (to a system or user defined level) any weird or exceptional motion on the video stream [wherein the anomaly score for each of the plurality of instances is calculated by computing the norm for each instance in the residual matrix R], ¶ 22.  Of course, other examples exist for aggregation. The aggregate behaviour represented in this way may then be structurally decomposed into the observed into principal and residual components. Then it is possible to detect abnormal events in the residual subspaces (null space of the normal events). The threshold in the residual space may be calculated using the Q-statistic. Of course, other examples exist for threshold determination. The location of the anomaly within the data set may be specifically identified to separate it from normal behaviour within that same dataset, ¶ 50). 

With respect to claim 20, Venkatesh may not explicitly disclose ranking each instance in descending order by anomaly score and returning the top m ranked instances, wherein a higher anomaly score indicates a higher probability that the instance is anomalous.
However, Sun discloses ranking each instance in descending order by anomaly score and returning the top m ranked instances, wherein a higher anomaly score indicates a higher probability that the instance is anomalous (i.e., We use detection precision as our metric. We sort hosts based their row SSEs and column SSEs, and extract the smallest number of top ranked hosts (say k hosts) that we need to select as suspicious hosts, in order to detect all injected abnormal host (i.e., recall = 100% with no false negatives). Precision thus equals 1/k, and the false positive rate equals 1 − precision.  We inject only one abnormal host each time. And we repeat each experiment 100 times and take the mean, section 7.1 ¶s 7-8) in order to spot anomalies in data (section 1 ¶ 4).
Therefore, based on Venkatesh in view of Sun, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Sun to the system of Venkatesh in order to spot anomalies in data.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisoryaction is not mailed until after the end of the THREE-MONTH shortened statutoryperiod, then the shortened statutory period will expire on the date the advisoryaction is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will becalculated from the mailing date of the advisory action. In no event, however, willthe statutory period for reply expire later than SIX MONTHS from the date of thisfinal action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAREN M MEANS whose telephone number is (571)270-7202.  The examiner can normally be reached on 12pm-6pm ET.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joon Hwang can be reached on 571-272-4036.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.






Jaren M. Means
/J.M.M./
Patent Examiner
Art Unit 2447	
6/8/2021

/JOON H HWANG/Supervisory Patent Examiner, Art Unit 2447