Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
1.        Claims 1 - 20 are pending.  Claims 1, 10, 12, 13, 20 have been amended.  Claims 1, 10, 20 are independent.    File date is 1-31-2019.   This action is in response to application amendments filed on 6-10-2021. 

Claim Rejections - 35 USC § 103  
2.        The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

3.        Claims 1 - 3, 9 - 12, 18, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Deardorff et al. (US PGPUB No. 20200195670) in view of Ayyagari et al. (US PGPUB No. 20130305357).     	
 
Regarding Claims 1, 10, 20, Deardorff discloses a method for detecting anomalous network activity in a cloud-based compute environment and a system for detecting anomalous network activity in a cloud-based compute environment and a non-transitory computer readable medium having stored thereon instructions for causing processing circuitry to perform a process for
a)  receiving configuration data and network activity observations for a set of virtual entities in the cloud-based compute environment; (Deardorff ¶ 058, ll 1-7: configured to analyze multiple outputs to determine whether received network activity generated by an automated process; ¶ 035, ll 1-9: network analysis techniques are autonomous; wide distribution of virtual security appliances across multiple cloud environments) and
d)  determining whether anomalies have been detected in the set of virtual entities based on the profiles of the virtual entities. (Deardorff ¶ 036, ll 6-10: issue alerts (i.e. reports) to inform user of anomalous activity; review data associated with alert(s) and perform any appropriate action; ¶ 087, ll 1-9: detect anomalies upon entity exhibiting behavior (i.e. profile information) that is unexpected and based on its assigned behavioral profile)    

    Furthermore, Deardorff discloses for b): creating a profile for each virtual entity in the set of virtual entities, when the virtual entity does not already have an associated profile; (Deardorff ¶ 067, ll 1-7: behavioral profile module creating or defining profiles; analyzes network activity data in order to create profiles representing entity behavior; ¶ 069, ll 1-5: data regarding the created profiles stored in one or more databases) and     
    And, Deardorff discloses for c): dynamically updating the profile of each virtual entity with the respective network activity observations of the virtual entity. (Deardorff ¶ 034, ll 1-10: observing, tracking, and identifying patterns in activity data actions across a variety of tool sets and systems; patterns observed upon one or more networks; profile the intent and 

Deardorff does not explicitly disclose for b): creating a profile for an entity based on configuration data, and for c): dynamically updating profile of an entity with respective network activity observations.
However, Ayyagari discloses: 
b)  creating a profile for each entity based on the configuration data; (Ayyagari ¶ 115, ll 1-6: dynamic development of context aware personalized profiles for end user/embedded device, enabling tailored anomaly behavior monitoring, detection, and mitigation; ¶ 115, 15-18: dynamic development of profiles of network configuration (i.e. configuration data) for router or other network type devices (network nodes, computing nodes), to enable tailored anomaly behavior monitoring, detection, and mitigation) and     
c)  dynamically updating the profile of each entity with the respective network activity observations. (Ayyagari ¶ 115, ll 1-6: dynamic development of context aware personalized profiles for end user/embedded devices enabling tailored anomaly behavior monitoring, detection, and mitigation; ¶ 115, 15-18: dynamic development of profiles of network configuration (i.e. configuration data) for router or other network type device (network nodes, computing nodes), to enable tailored anomaly behavior monitoring, detection, and mitigation)
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Deardorff for b): creating a profile for an entity based on configuration data, and for c): dynamically updating profile of an entity with 

Furthermore, for Claim 10, Deardorff discloses wherein a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to perform operations. (Deardorff ¶ 029, ll 1-14: general purpose computer activated by a computer program stored in a computer readable storage medium for performing operations; ¶ 012, ll 4-5: processor executing instructions stored on a memory (i.e. storage media) to classify network activity data)

Regarding Claims 2, 11, Deardorff-Ayyagari discloses the method of claim 1 and the system of claim 10, wherein creating the profile further comprises: creating a virtual entity group profile when a virtual entity in the set of virtual entities is identified as a member of the virtual entity group which has similar network behavior. (Deardorff ¶ 067, ll 1-7: behavioral profile module creating or defining profiles; analyzes network activity data in order to create profiles representing entity behavior; ¶ 069, ll 1-5: data regarding created profiles stored in one or more databases; ¶ 068, ll 1-5: profile module groups instances of similar network activity data together; assign a label indicative of the type of behavior exhibited; (member of a group))     

Regarding Claims 3, 12, Deardorff-Ayyagari discloses the method of claim 2 and the system of claim 11, wherein creating the profile further comprises: creating a connections group when a virtual entity in the set of virtual entities is identified as having similar network behavior with the connections group. (Deardorff ¶ 067, ll 1-7: behavioral profile module creating or defining profiles; analyzes network activity data in order to create profiles representing entity behavior; ¶ 069, ll 1-5: data regarding created profiles stored in one or more databases; ¶ 068, ll 1-5: profile module groups instances of similar network activity data together; assign a label indicative of the type of behavior exhibited; (i.e. member of a group))   

Regarding Claims 9, 18, Deardorff-Ayyagari discloses the method of claim 1 and the system of claim 10, further comprising:
a)  reporting the anomaly, when an anomaly has been detected; and 
b)  taking a mitigating activity, when an anomaly has been detected. (Deardorff ¶ 036, ll 6-10: issue alerts (i.e. reporting the anomaly) to inform user of anomalous activity; review any data associated with alert and perform any appropriate action (i.e. mitigating activity); ¶ 087, ll 1-9: detect anomalies upon entity exhibiting behavior that is unexpected based on its assigned behavioral profile)    

4.        Claims 4, 13 are rejected under 35 U.S.C. 103 as being unpatentable over Deardorff in view of Ayyagari and further in view of Baumard (US PGPUB No. 20160078365). 

Regarding Claims 4, 13, Deardorff-Ayyagari discloses the method of claim 3 and the system of claim 12. 

However, Baumard discloses wherein creating the profile further comprises: including a set of probabilistic distributions over values of a large set of factors, wherein the factors represent an aspect of the behavior of the virtual entity. (Baumard ¶ 023, ll 12-23: compares probability distribution of a normal system over time with the frequency distribution of incoming behaviors; modelling data distributions and then estimating probability of a deviation from known probabilities of distribution associated with these behaviors; efficient for recognition of known entities within large data sets)  
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Deardorff-Ayyagari for a set of probabilistic distributions over values of a large set of factors as taught by Phan. One of ordinary skill in the art would have been motivated to employ the teachings of Phan for the benefits achieved from a system that enables the utilization of an extensive set of anomaly detection methods.  (Baumard ¶ 023, ll 12-23)    

5.        Claims 5 - 8, 14 - 17 are rejected under 35 U.S.C. 103 as being unpatentable over Deardorff in view of Ayyagari and further in view of Baumard and Phan et al. (US PGPUB No. 20200057956).

Regarding Claims 5, 14, Deardorff-Ayyagari-Baumard discloses the method of claim 4 and the system of claim 13, wherein the factors of the large set of factors include observable and unobservable factors, and the factors may be learned from observable factors. (Deardorff ¶ 
Deardorff-Ayyagari-Baumard does not explicitly disclose factors learned from probabilistic dependencies.
However, Phan discloses wherein factors may be learned from the probabilistic dependencies. (Phan ¶ 017, ll 1-7: anomaly detection via dependency graph; identify behavior outside of a defined norm that constitutes normal behavior; anomaly detection algorithm is based on probabilistic model and detects anomalies with higher accuracy and fewer false alarms)    
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Deardorff-Ayyagari-Baumard for factors learned from probabilistic dependencies as taught by Phan.  One of ordinary skill in the art would have been motivated to employ the teachings of Phan for the benefits achieved from a system that enables the determination of anomalies utilizing an extensive set of anomaly detection mechanisms.  (Phan ¶ 017, ll 1-7)  

Regarding Claims 6, 15, Deardorff-Ayyagari-Baumard discloses the method of claim 5 and the system of claim 14, wherein the aggregated learned distribution of values of all the factors represents a modeled baseline of the virtual entity’s observed behavior or internal state. (Deardorff ¶ 071, ll 3-12: through modelling processes, system can issue alerts based on activity 

Regarding Claims 7, 16, Deardorff-Ayyagari-Baumard discloses the method of claim 6 and the system of claim 15, wherein determining whether anomalies have been detected further comprises: checking the updated profiles to determine if significant deviations in values exceed a threshold of normal virtual entity behavior. (Deardorff ¶ 100, ll 1-6: a statement that a value exceeds a threshold in the resolution of a relevant system; (i.e. indicated action completed when threshold value is exceeded); ¶ 036, ll 6-10: issue alerts to inform user of anomalous activity (i.e. threshold exceeded); review any data associated with alert and perform any appropriate action)

Regarding Claims 8, 17, Deardorff-Ayyagari-Baumard discloses the method of claim 7 and the system of claim 16, wherein checking whether the significance of the deviations takes into account both the difference between the expected and actual numeric values of a factor, and the uncertainty in the expected values and the uncertainty in the measurement of the actual observation. (Deardorff ¶ 034, ll 1-10: observing, tracking, and identifying patterns in activity actions across a variety of tool sets and systems, and patterns observed upon one or more networks; profile the intent and predict possible future activity based on observed behavior and recognized intent (i.e. unobserved behavior); ¶ 100, ll 1-6: a statement that a value exceeds a threshold in the resolution of a relevant system; (i.e. indicated action completed when threshold value is exceeded); ¶ 036, ll 6-10: issue alerts to inform user of anomalous activity (i.e.

6.        Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Deardorff in view of Ayyagari and further in view of Liisberg et al. (US PGPUB No. 20170262325). 

Regarding Claim 19, Deardorff-Ayyagari discloses the system of claim 18, wherein the system is further configured to: include a virtual entity associated with an anomaly. (Deardorff ¶ 036, ll 6-10: issue alerts to inform user of anomalous activity; review any data associated with alert and perform any appropriate action; ¶ 036, ll 6-10: issue alerts to inform user of anomalous activity; review any data associated with alert and perform any appropriate action)
Deardorff-Ayyagari does not specifically disclose blocking a virtual entity associated with an anomaly.
However, Liisberg discloses wherein block a virtual entity associated with an anomaly. (Liisberg ¶ 033, ll 1-9: if an anomaly is detected, sending a signal which ensures that communication associated with processes is disrupted (i.e. communication blocked))    
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Deardorff-Ayyagari for blocking a virtual entity associated with an anomaly as taught by Liisberg. One of ordinary skill in the art would have been motivated to employ the teachings of Liisberg for the benefits achieved from a system that enables as a security measure communication to be blocked in the event an anomaly is detected. (Liisberg ¶ 033, ll 1-9)  

Response to Arguments
7.    Applicant’s arguments, see Arguments/Remarks Made in an Amendment, filed 6-10-2021, with respect to the rejection(s) Deardorff have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Deardorff in view of Ayyagari.  
A.  Applicant argues on page 7 of Remarks:    ...   Deardorff does not describe using the “configuration data” of “virtual entities” to create the behavior profiles.

    The Examiner respectfully disagrees.   Ayyagari discloses the utilization of configuration data in the generation of profile information utilized in the detection and management of anomalous behavior within a network environment.  (Ayyagari ¶ 115, ll 1-6: dynamic development of context aware personalized profiles for an end user/embedded device enabling tailored anomaly behavior monitoring, detection, and mitigation; ¶ 115, 15-18: dynamic development of profiles of network configuration for router or other network type device (computing nodes), to enable tailored anomaly behavior monitoring, detection, and mitigation)

B.  Applicant argues on page 8 of Remarks: For reasons similar to those presented above in regard to independent claim 1, the cited references fail to teach or suggest these recited features in the claims, as amended.

    Responses to arguments against independent claim 1 also answer arguments against independent claims 10 and 20, which have similar limitations as independent claim 1.    

C.  Applicant argues on page 8 of Remarks:    ...   Applicant has shown that the independent claims are patentable, a further discussion of the dependent claims is not necessary at this time.

    Responses to arguments against the independent claims also answer arguments against the associated dependent claims.     

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kyung H Shin whose telephone number is (571)272-3920.  The examiner can normally be reached on M - F 12pm - 8pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal Dharia can be reached on (571) 272-3880.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KYUNG H SHIN/    7-6-2021
Primary Examiner, Art Unit 2443