DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Response to Amendment
The Amendment filed on 07/02/2021 has been entered. 
Claims 14-18 are amended.
Claims 1-20 are pending of which claims 1, 12 and 19 are independent claims.

Response to Arguments
Applicant's arguments filed on 07/02/2021 have been fully considered but they are not persuasive.  
Applicant argues (see page 2-3) regarding claim 1 and the limitation of “aggregate anomaly scores produced by anomaly detectors in a first cluster of anomaly detectors, to generate a first aggregate anomaly score; and detect an anomaly using the first aggregate anomaly score” that 1) “Iverson fails to show or suggest generating a first aggregate anomaly score, it logically follows that Iverson cannot be said to teach or suggest "detect an anomaly using the first aggregate anomaly score”; Applicant also argues that 2) “general teaching of detecting in general cannot be said to teach or suggest "detect an anomaly using the first aggregate anomaly score" (emphasis added) because there are so many items upon which detecting may be based that a person of ordinary skill in the art would not think to detect (an anomaly) using a "first aggregate anomaly score" unless the person of ordinary skill in the art 
First, in response to argument 1), Iverson [col. 10, Line 31-36] discloses detecting a possible system anomaly based on a given input vector. This is further supported by Iverson [col. 18, Line 50-51], which states that the input vector could be a sequence of nearest neighbor distance scores. Therefore, Iverson teaches detecting an anomaly using the [first aggregate] anomaly score/value. Although Iverson doesn’t explicitly teach “aggregate anomaly scores produced by anomaly detectors in a first cluster of anomaly detectors, to generate a first aggregate anomaly score”, Ohana paragraph [0101] teaches the stated limitation, as discussed in the prior office action. Since the aggregation score provided by the method of Ohana is a value/score which can be used as input for the Iverson anomaly detection model, the combination of Iverson and Ohana teaches the argued limitation. Further, the instant application doesn’t explicitly claim how the “anomaly detection based on the first aggregate anomaly score” is implemented; therefore, the argued limitation lacks an algorithm for how to use “the first aggregate anomaly score” that would differentiate it from the method of Iverson. Therefore, the anomaly detection method disclosed by Iverson in combination with Ohana teaches the argued limitation.
Secondly, in response to applicant's argument 2) that the examiner's conclusion of obviousness is based upon improper hindsight reasoning, it must be recognized that any judgment on obviousness is in a sense necessarily a reconstruction based upon hindsight reasoning. But so long as it takes into account only knowledge which was within the level of ordinary skill at the time the claimed invention was made, and does not include knowledge gleaned only from the applicant's disclosure, such a reconstruction is proper. See In re McLaughlin, 443 F.2d 1392, 170 USPQ 209 (CCPA 1971). In this case, detecting an anomaly using a score is disclosed by Iverson, and the input value/score for anomaly detection can have many items. To a person with ordinary skill at the effective filing date, it is obvious to combine Iverson with Ohana to detect an anomaly using an aggregated score, as discussed in response to argument 1).
Therefore, claim 1 is rejected.  Independent claims 12, 19 and dependent claims 2-11, 13-14 and 20 are also rejected for reasons similar to claim 1.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-5, 12-13 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Iverson (Patent No.: US 9,336,484) in view of Ohana et al. (Pub. No.: US 2020/0073740, hereinafter Ohana).
Regarding claim 1: Iverson discloses A non-transitory machine-readable storage medium comprising instructions that upon execution cause a system to:
determine a dependency among a plurality of anomaly detectors, the determining comprising clustering anomaly detectors of the plurality of anomaly detectors into clusters of anomaly detectors (Iverson - [Col. 6, Line 24-30]: The learning module 24 (FIG. 1) processes the training data by formatting the data into the predefined vector format and building a knowledge base containing clusters of related value ranges for the vector parameters … each cluster defines a range of allowable values for each parameter in a given vector);
detect an anomaly using the first aggregate anomaly score (Iverson - [Col. 10, Line 31-36]: Each cluster defines one set of constraints on the values allowed for each parameter in any particular monitoring input vector. If there is no cluster in the monitoring knowledge base that contains a given input vector or is “near” that input vector, then the system may be behaving in an unexpected manner indicating a possible system anomaly).
However Iverson doesn’t explicitly teach, but Ohana discloses:
aggregate anomaly scores produced by anomaly detectors in a first cluster of anomaly detectors, to generate a first aggregate anomaly score (Ohana - [0101]: The values for each cluster of each metric anomaly time interval are aggregated, for example, the average of the values of each cluster is computed. The aggregation may smooth out noisy data-points); and
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Iverson with Ohana so that plural values for each cluster can be aggregated. The modification would have allowed the system to smooth out noisy data-points using aggregation.
Regarding claim 2: Iverson as modified discloses wherein the instructions that upon execution cause the system to:
aggregate anomaly scores produced by anomaly detectors in a second cluster of anomaly detectors, to generate a second aggregate anomaly score (Ohana - [0101]: The values for each cluster of each metric anomaly time interval are aggregated, for example, the average of the values of each cluster is computed. The aggregation may smooth out noisy data-points), wherein the detecting of the anomaly further uses the second aggregate anomaly score (Iverson - [Col. 10, Line 31-36]: Each cluster defines one set of constraints on the values allowed for each parameter in any particular monitoring input vector. If there is no cluster in the monitoring knowledge base that contains a given input vector or is “near” that input vector, then the system may be behaving in an unexpected manner indicating a possible system anomaly).
Ohana is combined with Iverson herein for similar obviousness reasons and motivation and the same rationale as stated for claim 1.
Regarding claim 3: Iverson as modified discloses wherein the instructions that upon execution cause the system to:
aggregate the first and second aggregate anomaly scores to produce an overall aggregate anomaly score (Ohana - [0108]: The single anomalous event score is computed according to the analysis of the metric anomaly scores for the respective system level anomalous time interval. Effectively, the single anomalous event score represents an aggregation of the multiple metric anomaly scores computed for the clusters of different metrics over multiple metric anomaly time intervals falling within each respective system level anomalous time interval),
wherein the detecting of the anomaly uses the overall aggregate anomaly score (Ohana - [0111]: Single anomalous event scores having values above the threshold trigger the alert).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Iverson with Ohana so that an overall score is computed based on aggregation of plural scores for clusters. The modification would have allowed the system to generate a single score from plural cluster scores for anomaly detection.
Regarding claim 4: Iverson as modified discloses wherein aggregating the first and second aggregate anomaly scores to produce the overall aggregate anomaly score uses weights assigned to respective aggregate anomaly scores of the first and second aggregate anomaly scores (Ohana - [0181]: The boosting assigns relatively higher weights to the relatively higher metric anomaly scores during computation of the single anomalous event score based on aggregation, for example, an average).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Iverson with Ohana so that each cluster score is weighted when aggregated toward a single anomaly score. The modification would have allowed the system to add weight to each cluster score.
Regarding claim 5: Iverson as modified discloses wherein the instructions that upon execution cause the system to:
compute values of a distance metric among the plurality of anomaly detectors, wherein the clustering is based on the values of the distance metric (Iverson - [Col, Line]: The learning module 24 (FIG. 1) processes the training data by formatting the data into the predefined vector format and building a knowledge base containing clusters of related value ranges for the vector parameters … each cluster defines a range of allowable values for each parameter in a given vector).
Regarding claim 12: Iverson discloses A system comprising:
a processor (Iverson - Fig. 9, a processor 552); and
a non-transitory storage medium storing instructions executable on the processor (Iverson - Fig. 9, memory 560) to:
determine a dependency among a plurality of anomaly detectors, the determining comprising clustering anomaly detectors of the plurality of anomaly detectors into clusters of anomaly detectors(Iverson - [Col. 6, Line 24-30]: The learning module 24 (FIG. 1) processes the training data by formatting the data into the predefined vector format and building a knowledge base containing clusters of related value ranges for the vector parameters … each cluster defines a range of allowable values for each parameter in a given vector);
detect an anomaly using the generated aggregate anomaly score (Iverson - [Col. 10, Line 31-36]: Each cluster defines one set of constraints on the values allowed for each parameter in any particular monitoring input vector. If there is no cluster in the monitoring knowledge base that contains a given input vector or is “near” that input vector, then the system may be behaving in an unexpected manner indicating a possible system anomaly).
However Iverson doesn’t explicitly teach, but Ohana discloses:
generate an aggregate anomaly score for each respective cluster of anomaly detectors based on aggregating anomaly scores produced by anomaly detectors in the respective cluster of anomaly detectors (Ohana - [0101]: The values for each cluster of each metric anomaly time interval are aggregated, for example, the average of the values of each cluster is computed. The aggregation may smooth out noisy data-points); and
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Iverson with Ohana so that plural values for each cluster can be aggregated. The modification would have allowed the system to smooth out noisy data-points using aggregation. 
Regarding claim 19: Iverson discloses A method of a system comprising a hardware processor, comprising:
computing values of a distance metric among a plurality of anomaly detectors; clustering the plurality of anomaly detectors using the values of the distance metric, to generate multiple clusters of anomaly detectors (Iverson - [Col. 6, Line 24-30]: The learning module 24 (FIG. 1) processes the training data by formatting the data into the predefined vector format and building a knowledge base containing clusters of related value ranges for the vector parameters … each cluster defines a range of allowable values for each parameter in a given vector);
detecting an anomaly using the aggregate anomaly scores (Iverson - [Col. 10, Line 31-36]: Each cluster defines one set of constraints on the values allowed for each parameter in any particular monitoring input vector. If there is no cluster in the monitoring knowledge base that contains a given input vector or is “near” that input vector, then the system may be behaving in an unexpected manner indicating a possible system anomaly).
However Iverson doesn’t explicitly teach, but Ohana discloses:
aggregating anomaly scores produced by anomaly detectors in each respective cluster of the multiple clusters of anomaly detectors, to generate a respective aggregate anomaly score (Ohana - [0101]: The values for each cluster of each metric anomaly time interval are aggregated, for example, the average of the values of each cluster is computed. The aggregation may smooth out noisy data-points).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Iverson with Ohana so that plural values for each cluster can be aggregated. The modification would have allowed the system to smooth out noisy data-points using aggregation. 
Regarding claims 13 and 20: Iverson as modified discloses further comprising:
further aggregating the aggregate anomaly scores for the respective clusters of the multiple clusters of anomaly detectors to generate an overall aggregate anomaly score (Ohana - [0108]: The single anomalous event score is computed according to the analysis of the metric anomaly scores for the respective system level anomalous time interval. Effectively, the single anomalous event score represents an aggregation of the multiple metric anomaly scores computed for the clusters of different metrics over multiple metric anomaly time intervals falling within each respective system level anomalous time interval),
wherein detecting the anomaly uses the overall aggregate anomaly score (Ohana - [0111]: Single anomalous event scores having values above the threshold trigger the alert).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Iverson with Ohana so that an overall score is computed based on aggregation of plural scores for clusters. The modification would have allowed the system to generate a single score from plural cluster scores for anomaly detection. 

Claims 6-9 are rejected under 35 U.S.C. 103 as being unpatentable over Iverson (Patent No.: US 9,336,484) in view of Ohana et al. (Pub. No.: US 2020/0073740, hereinafter Ohana) and Paturi et al. (Pub. No. US 2020/0351298, hereinafter Paturi).
Regarding claim 6: Iverson as modified doesn’t explicitly teach but Paturi discloses wherein the distance metric is based on a conditional entropy between anomaly detectors of the plurality of anomaly detectors (Paturi - [0270]: The relative entropy (also known as KL-divergence) is a metric that returns the distance between two probability distributions).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Iverson and Ohana with Paturi so that a metric is a relative entropy that returns the distance between two probabilities. The modification would have allowed the system to use entropy to calculate a metric.
Regarding claim 7: Iverson as modified discloses wherein a value of the distance metric between a first anomaly detector and a second anomaly detector of the plurality of anomaly detectors is based on a first value of a conditional entropy computed for the first anomaly detector given the second anomaly detector, and a second value of a conditional entropy computed for the second anomaly detector given the first anomaly detector (Paturi - [0270]: The returned value is a real number demonstrating how similar the two distributions are; lower values indicate more similarity).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Iverson and Ohana with Paturi so that a metric is a relative entropy that returns the distance between two probabilities. The modification would have allowed the system to use entropy to calculate a metric.
Regarding claim 8: Iverson as modified discloses wherein the value of the distance metric between the first anomaly detector and the second anomaly detector is based on an aggregate of the first value and the second value (Ohana - [0101]: The values for each cluster of each metric anomaly time interval are aggregated, for example, the average of the values of each cluster is computed. The aggregation may smooth out noisy data-points); and
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Iverson and Ohana with Paturi so that plural values 
Regarding claim 9: Iverson as modified doesn’t explicitly teach but Paturi discloses wherein aggregating the anomaly scores produced by the anomaly detectors in the first cluster of anomaly detectors comprises using weights assigned to respective anomaly detectors in the first cluster of anomaly detectors (Paturi - [0045]: determining a likelihood of attack for each target asset based on a weighted aggregate of likelihood of exploit of all vulnerabilities within each target asset).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Iverson and Ohana with Paturi so that each value of each target is weighted when aggregated toward an anomaly score. The modification would have allowed the system to add weight to each contributing value.
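
The limitations quoted above for claims 1-4 and 6-8 describe one pipeline: a conditional-entropy distance between detectors, clustering on that distance, per-cluster aggregation of scores, and a weighted overall score compared against a threshold. The Python below is an added illustration of that pipeline, not code from the application, the cited references, or the examiner. The detector names, alert histories, scores, weights and thresholds are constructed sample values, and the single-linkage merge rule is an assumption.

```python
import math
from collections import Counter
from itertools import combinations

def conditional_entropy(a, b):
    """H(A|B) in bits for two equal-length sequences of discrete detector outputs."""
    n = len(a)
    joint = Counter(zip(a, b))
    marginal_b = Counter(b)
    return -sum((c / n) * math.log2(c / marginal_b[y]) for (_, y), c in joint.items())

def distance(a, b):
    """Aggregate (mean) of H(A|B) and H(B|A); 0 means each output determines the other."""
    return (conditional_entropy(a, b) + conditional_entropy(b, a)) / 2

def cluster_detectors(outputs, max_distance):
    """Group detectors whose pairwise distance is <= max_distance (single linkage)."""
    parent = {name: name for name in outputs}

    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x

    for p, q in combinations(sorted(outputs), 2):
        if distance(outputs[p], outputs[q]) <= max_distance:
            parent[find(q)] = find(p)
    groups = {}
    for name in sorted(outputs):
        groups.setdefault(find(name), []).append(name)
    return sorted(groups.values())

def cluster_scores(clusters, scores):
    """One aggregate score per cluster: the mean of its members' anomaly scores."""
    return [sum(scores[d] for d in members) / len(members) for members in clusters]

def overall_score(per_cluster, weights):
    """Weighted aggregate of the per-cluster scores."""
    return sum(w * s for w, s in zip(weights, per_cluster)) / sum(weights)

# Constructed sample data: alert flags per detector over eight past time windows.
HISTORY = {
    "netflow_a": [0, 0, 1, 1, 0, 1, 0, 1],
    "netflow_b": [0, 0, 1, 1, 0, 1, 0, 1],  # always agrees with netflow_a
    "auth_a":    [0, 1, 0, 1, 0, 1, 0, 1],
    "auth_b":    [1, 0, 1, 0, 1, 0, 1, 0],  # always the inverse of auth_a
}
# Constructed anomaly scores for the window under evaluation.
CURRENT_SCORES = {"netflow_a": 0.9, "netflow_b": 0.7, "auth_a": 0.2, "auth_b": 0.4}
CLUSTER_WEIGHTS = [0.25, 0.75]  # assumed weights, in the order clusters are returned
ALERT_THRESHOLD = 0.6           # assumed alerting threshold

def run_example():
    clusters = cluster_detectors(HISTORY, max_distance=0.5)
    per_cluster = cluster_scores(clusters, CURRENT_SCORES)
    overall = overall_score(per_cluster, CLUSTER_WEIGHTS)
    return clusters, per_cluster, overall, overall > ALERT_THRESHOLD

if __name__ == "__main__":
    clusters, per_cluster, overall, is_anomaly = run_example()
    for members, score in zip(clusters, per_cluster):
        print(f"cluster {members}: aggregate score {score:.3f}")
    print(f"overall score {overall:.3f}, anomaly={is_anomaly}")
```

Detectors that mirror each other, including the inverted pair, land in one cluster because conditional entropy measures predictability rather than agreement, so two redundant detectors contribute one aggregate score instead of two votes.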

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Iverson (Patent No.: US 9,336,484) in view of Ohana et al. (Pub. No.: US 2020/0073740, hereinafter Ohana) and Kiefer (Pub. No.: US 2008/0104006).
Regarding claim 10: Iverson as modified discloses wherein aggregating the anomaly scores produced by the anomaly detectors in the first cluster of anomaly detectors comprises: compute a reverse aggregate score based on the reverse scores (Ohana - [0101]: The values for each cluster of each metric anomaly time interval are aggregated, for example, the average of the values of each cluster is computed. The aggregation may smooth out noisy data-points); and
The reason to combine is similar to that for claim 1.
However, Iverson as modified doesn’t explicitly teach but Kiefer discloses computing reverse scores based on the anomaly scores produced by the anomaly detectors in the first cluster of anomaly detectors, to produce reverse scores (Kiefer - [0241]: we first flip (i.e. reverse the scores so that the tail is to the right) the genuine scores so that the higher values represent better matching).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Iverson and Ohana with Kiefer so that a reverse . 

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Iverson (Patent No.: US 9,336,484) in view of Ohana et al. (Pub. No.: US 2020/0073740, hereinafter Ohana) and Kiefer (Pub. No.: US 2008/0104006) and Faith et al. (Pub. No.: US 2010/0268557, hereinafter Faith).
Regarding claim 11: Iverson as modified doesn’t explicitly teach but Faith discloses wherein aggregating the anomaly scores produced by the anomaly detectors in the first cluster of anomaly detectors comprises reversing the reverse aggregate score to compute the first aggregate anomaly score (Faith - [0046]: The numerical values from all of the responses may be aggregated to produce a risk score. the risk score may be reversed, such that the higher the risk for fraud, the lower the numerical value of the assigned risk).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Iverson and Ohana and Kiefer with Faith so that an aggregated reverse score can be produced. The modification would have allowed the system to represent score in a reversed view.  

Claims 14-16 are rejected under 35 U.S.C. 103 as being unpatentable over Iverson (Patent No.: US 9,336,484) in view of Ohana et al. (Pub. No.: US 2020/0073740, hereinafter Ohana) and Miller et al. (Pub. No.: US 2019/0188212, hereinafter Miller).
Regarding claim 14: Iverson as modified doesn’t explicitly teach but Miller discloses further comprising: discovering a dependency structure among the plurality of anomaly detectors, wherein the dependency structure is used to generate the aggregate anomaly scores (Miller - [0063]: A central anomaly detector (302) receives outlier samples, and associated contextual information, from plural local anomaly detectors (301) each located in a different station (304), each with their own portion of the unknown data-batch (partition element of the total test set, 300) generated by the station's monitored network or computing device(s) (303). The local anomaly detectors (301) may operate according to the present invention or by some other means. The central anomaly detector (302) operates according to the present invention on the union of outlier samples identified by the local anomaly detectors to identify the anomalous clusters with high statistical significance).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Iverson and Ohana with Miller so that plural anomaly detectors are operated (i.e. common dependency) according to the invention and anomaly clusters are identified. The modification would have allowed the system to use plural anomaly detectors to identify anomalous classes.
Regarding claim 15: Iverson as modified discloses wherein the dependency structure identifies the clusters of anomaly detectors (Miller - [0063]: The local anomaly detectors (301) may operate according to the present invention or by some other means).
The reason to combine is the same as for claim 14.
Regarding claim 16: Iverson as modified discloses wherein the dependency structure identifies n (n > 2) of the clusters (Miller - [0063]: The local anomaly detectors (301), Fig. 3).
The reason to combine is the same as for claim 14.

Allowable Subject Matter
Claims 17-18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. The reason for allowance will be furnished upon allowance of the application.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG LI whose telephone number is (571)272-8729.  The examiner can normally be reached on M-F 8:30-5:30.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MENG LI/
Primary Examiner, Art Unit 2437