Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Claims 1-18 are presented for examination.
This is a first action on the merits based on Applicant’s claims submitted 4/16/2019.

Election
Claims 19-20 are withdrawn from further consideration pursuant to 37 CFR 1.142(b), as being drawn to a nonelected invention of Group 2, there being no allowable generic or linking claim.
Applicant’s election without traverse of Group 1, claims 1-19, in the reply filed on 5/21/2021 is acknowledged.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 4/16/2019, 5/23/2019, 7/31/2019, and 7/16/2021 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.
Applicant is respectfully reminded of the duty under 37 C.F.R. 1.56 to disclose all pertinent information and material pertaining to the patentability of applicant’s claimed invention, by continuing to submit in a timely manner PTO-1449, Information Disclosure Statement (IDS), with the filing of applicant’s application or thereafter.

Claim Objections
Claims 1-18 are objected to because of the following informalities. Appropriate correction is required.
Applicant elected group I, however claims lack proper markings, e.g. "withdrawn".
Amendments to the claims filed on or after 5/21/2021 must comply with 37 CFR 1.121(c), which states:
          (c) Claims. Amendments to a claim must be made by rewriting the entire claim with all changes (e.g., additions and deletions) as indicated in this subsection, except when the claim is being canceled. Each amendment document that includes a change to an existing claim, cancellation of an existing claim or addition of a new claim, must include a complete listing of all claims ever presented, including the text of all pending and withdrawn claims, in the application. The claim listing, including the text of the claims, in the amendment document will serve to replace all prior versions of the claims, in the application. In the claim listing, the status of every claim must be indicated after its claim number by using one of the following identifiers in a parenthetical expression: (Original), (Currently amended), (Canceled), (Withdrawn), (Previously presented), (New), and (Not entered).

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-18 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Claims 1, 13 and 18 recite the limitations of “receiving time-series sensor data for each one of a group of devices; extracting a set of states for each device in the group from the time-series sensor data; constructing a state-transition graph for each of the devices, wherein each of the state-transition graphs comprises (i) nodes corresponding to each state in the set and (ii) edges corresponding to a probability of transition between the extracted states over time; identifying, for each set, a given state as one of (i) a mode, (ii) a normal state (iii) and an anomalous state based on the state-transition graph; and detecting one or more anomalous devices in the group by computing similarities between different devices in the group, based at least in part on the determined state-transition graphs;”. The limitations of (paraphrasing) 1) receiving time series sensor data, 2) extracting a set of states for a device in the group based on time-series sensor data, 3) constructing a state-transition graph for each device, 4) identifying each state based on the state-transition graph and 5) detecting anomalous devices by computing similarities between devices based on the state-transition graph, as drafted, are processes that, under their broadest reasonable interpretation, cover performance of the limitations in the mind but for the recitation of generic computer components. That is, for claims 1, 13 and 18, other than reciting “computing device”, “devices” and “sensor”, nothing in the claim elements precludes the steps from practically being performed in the mind. For example, in the context of this claim a person can manually take note of time-stamped sensor data provided to them. A person can also mentally obtain (i.e. extract) the different sets of states the devices could be in based on the time series data, manually construct a state table or graph, and identify each state constructed, to then detect or evaluate which devices are anomalous or different based on the identification of the states of the state graph mentally and manually constructed. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claims recite an abstract idea.
This judicial exception is not integrated into a practical application because claims 1, 13 and 18 recite only one additional element, a computing device, to perform the functions recited in the claims, as mentioned above. The processor performing those steps is recited at a high level of generality (i.e., as a generic processor performing a generic computer function of receiving, extracting, constructing, and identifying) such that it amounts to no more than mere instructions to apply the exception using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Therefore, the claims are directed to an abstract idea.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because, as discussed above with respect to integration of the abstract idea into a practical application, the additional element of a “computing device” to perform the claimed steps amounts to no more than mere instructions to apply the exception using a generic computer component. Specifically, the step of detecting anomalous devices by computing similarities between different devices does not amount to significantly more, as it does not state what similarities are computed in order to detect anomalous devices. Additionally, since no mention is made of what information is being evaluated to detect anomalous devices, the type of anomaly or difference to be detected is also unknown; therefore, under the broadest reasonable interpretation, the detecting step, as claimed, does not produce a significant outcome, specifically in the context of Security Systems. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The claim is not patent eligible.

Claim Rejections - 35 U.S.C. 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1, 13 and 18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.
Claims 1, 13 and 18 recite a limitation reading “based at least in part on the determined state-transition graphs…”, in which the limitation “the determined state-transition graphs” lacks proper antecedent basis. The claim does not perform a determining step prior to referring to “the determined state-transition graphs”, and it is therefore unclear which “determined state-transition graph” the inventor is referring to. Therefore, such claim limitation renders the claim language unclear as to what the inventor regards as the invention.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.
Claims 1, 4, 10-11, 13, 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Apostoloupolos et al. (US 2018/0219888 A1, hereinafter “9888”) in view of Calmon et al. (US 2020/0005096 A1, hereinafter “Calmon”).

Regarding claim 1, 9888 teaches:
1. A computer-implemented method, comprising: 
receiving time-series sensor data (i.e. underlying event data containing timing data or periodicity, see par 171) for each one of a group of devices (i.e. across the computer network, implies group of devices, see par 171) (par 171: “The anomaly data 1004, as used herein, generally refers to the entire set or a subset of the detected anomalies across the computer network... the anomaly data associated with a particular entity may include ...timing data associated with the anomalous activity (e.g. when the anomaly occurred, when a similar anomaly last occurred, or periodicity of this type of anomaly showing up for the particular entity), etc.”); 
extracting a set of states (fig. 11, 1102, anomaly models 1…N) for each device in the group from the time-series sensor data (par 170-171: “incoming event data 1002 is processed through a plurality of anomaly models 1 through N”); 
constructing a [state-transition] graph (i.e. anomaly graph, see par 171) for each of the devices (i.e. across the computer network, see par 171), wherein each of the state-transition graphs comprises (i) nodes (i.e. nodes, see par 171) [corresponding to each state in the set] and (ii) edges (i.e. edges) corresponding to a probability of transition [between the extracted states] over time (par 171: the anomaly data contains “timing data associated with the anomalous activity”) (par 171: “anomaly graph...the anomaly graph includes a plurality of vertices (nodes) representing entities associated with the computer network and a plurality of edges, each of the plurality of edges representing an anomaly linking two of the plurality of vertices (nodes).”); 
identifying, for each set, a given state (par 172: “FIG. 11, at step 1108 the anomaly data 1004 (or at least a subset of anomaly data 1004) is processed through a plurality of threat indicator models 1 through Y,”) as one of (i) a mode (fig. 11, threat indicator model 1), (ii) a normal state (fig. 11, threat indicator model Y) (iii) and an anomalous state (fig. 11, threat indicator 2) based on the state-transition graph (fig. 11, anomaly detection from event data); and 
detecting one or more anomalous devices (i.e. identify behavioral anomalies and threats, see par 142) in the group by computing similarities (i.e. comparing events, see par 142) between different devices in the group (par 142, Examiner notes that this paragraph mentions the comparison of events between devices in order to identify threats and anomalies), based at least in part on the determined state-transition graphs (par 142, based on composite relationship graphs); 
wherein the method is carried out by at least one computing device (par 39, fig 1).  
9888 does not explicitly teach yet Calmon suggests:
The graph is a state-transition graph (Calmon: par 43) corresponding to each state in the set of states and between states (Calmon: par 43, i.e. data points belonging to each state).
Accordingly, it would have been obvious to one having ordinary skill in the art before the effective filing date of the invention to have implemented a state-transition graph corresponding to each state of the set of states, as taught by Calmon, in 9888’s invention. The motivation to do so would have been to provide for anomaly detection that employs information from multiple sets of time-series data streams generated by a similar process. The disclosed anomaly detection system detects the underlying time-series states and evaluates a likelihood with which time-series samples are associated with the detected states. In some embodiments, such likelihood is an important element in determining whether samples (e.g., observations over time) are normal or anomalous. The exemplary anomaly detection techniques are based on histograms of likelihood values and machine learning models to automatically learn thresholds to separate normal behavior from anomalous behavior (Calmon: par 19).

Regarding claim 4, 9888 and Calmon teach:
The computer-implemented method of claim 1, wherein said detecting comprises: 
computing a steady-state probability vector for each of the state-transition graphs (Calmon: par 43: “data points and the description of the states to extract the likelihood of each data point belonging to each state. For this, each state detected in the first stage above provides a substantially minimal description of the probability distribution associated with it”); and 
computing the similarities between different devices based at least in part on the steady-state probability vectors (Calmon: par 43: “probability distribution is computed through modelling a probability distribution from the samples already associated with each cluster. The mechanism needs access to all of the parameters that are sufficient to describe each one of these distributions to compose the complete distribution for each state. Then, the likelihood extraction is just a measure of how likely data points are to belong to a certain cluster”).  
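The steps recited in claims 1 and 4 (per-device state-transition graph, steady-state probability vector, cross-device similarity), as an added illustration that is not taken from the application, the cited references or this Office action. The function names, the smoothing constant, the use of total-variation distance as the similarity measure and the 0.3 threshold are all assumptions (the claims do not say which similarity is computed), and the state sequences are constructed sample data that assume state extraction has already been done.

```python
from statistics import median

STATES = ["idle", "run", "fault"]  # assumed label set produced by state extraction


def transition_matrix(seq, states=STATES, alpha=0.01):
    """Edge weights of the state-transition graph: P[i][j] ~ Pr(next=j | now=i).

    alpha is an assumed Laplace pseudo-count; it keeps every row a valid
    distribution even for states a device never visits or never leaves.
    """
    idx = {s: k for k, s in enumerate(states)}
    n = len(states)
    counts = [[0.0] * n for _ in range(n)]
    for a, b in zip(seq, seq[1:]):
        counts[idx[a]][idx[b]] += 1
    return [[(c + alpha) / (sum(row) + n * alpha) for c in row] for row in counts]


def steady_state(P, iters=10_000, tol=1e-12):
    """Steady-state vector pi with pi = pi P, by power iteration.

    Smoothing makes every entry of P positive, so pi is unique and the
    iteration converges from any starting distribution.
    """
    n = len(P)
    pi = [1.0 / n] * n
    for _ in range(iters):
        nxt = [sum(pi[i] * P[i][j] for i in range(n)) for j in range(n)]
        if max(abs(a - b) for a, b in zip(pi, nxt)) < tol:
            return nxt
        pi = nxt
    return pi


def tv_distance(p, q):
    """Total-variation distance in [0, 1]; 0 means identical long-run behaviour."""
    return 0.5 * sum(abs(a - b) for a, b in zip(p, q))


def detect_anomalous(device_seqs, threshold=0.3):
    """Flag devices whose steady-state vector is far from most of the group.

    Score = median distance to every other device, so a single outlier
    cannot drag the scores of the healthy devices above the threshold.
    Needs at least two devices.
    """
    pis = {d: steady_state(transition_matrix(s)) for d, s in device_seqs.items()}
    scores = {
        d: median(tv_distance(p, q) for other, q in pis.items() if other != d)
        for d, p in pis.items()
    }
    return sorted(d for d, s in scores.items() if s > threshold), scores


def expand(code):
    """Turn a compact string such as 'IIRRF' into a list of state labels."""
    names = {"I": "idle", "R": "run", "F": "fault"}
    return [names[c] for c in code]


# Constructed sample: three units cycle idle/run, one spends most time in fault.
SAMPLE = {
    "unit-1": expand("IIRRRIIRRRIIRRRIIRRR"),
    "unit-2": expand("IRRRIIRRRIIRRRRIIRRI"),
    "unit-3": expand("IIIRRRIIRRRRIIRRRIIR"),
    "unit-4": expand("IRFFFRFFFFIRFFFRFFFF"),
}

if __name__ == "__main__":
    flagged, scores = detect_anomalous(SAMPLE)
    for dev, s in sorted(scores.items()):
        print(f"{dev}: score={s:.3f}")
    print("anomalous:", flagged)
```
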

Regarding claim 10, 9888 and Calmon teach:
The computer-implemented method of claim 1, wherein the time-series sensor data for a given device in the group comprise (i) a plurality of time-stamps (9888: par 44, time series data comprises timestamps) and (ii) one or more sensor values from at least one sensor of the given device (9888: par 39; data received from sensors).

Regarding claim 11, 9888 and Calmon teach:
The computer-implemented method of claim 1, comprising: outputting a list of the detected anomalous devices to a user (9888: par 177, blacklisted entities).  

Regarding claim 13, all claim limitations are set forth and rejected as discussed in claim 1. Furthermore, 9888 teaches the additional limitation:
A computer program product comprising a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a computing device to cause the computing device to perform at least (9888: par 252)…

Regarding claim 16, all claim limitations are set forth and rejected as discussed in claim 4.

Regarding claim 17, all claim limitations are set forth and rejected as discussed in claim 11.

Regarding claim 18, all claim limitations are set forth and rejected as discussed in claim 1.

Claims 2 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Apostoloupolos et al. (US 2018/0219888 A1, hereinafter “9888”) in view of Calmon et al. (US 2020/0005096 A1, hereinafter “Calmon”) in further view of Swanson et al. (US 2020/0287914 A1, hereinafter “Swanson”).

Regarding claim 2, 9888 and Calmon teach:
2. The computer-implemented method of claim 1, wherein said extracting comprises, for each device: 
computing similarities between the plurality of segments using said multivariate distribution (Calmon: par 49: “a data sample 420 was classified with a different, but correct, state assignment relative to nearby data samples, and is therefore associated with normal system behavior.”; Examiner notes that classification as different is a computation of similarities); and 
applying unsupervised clustering to the computed similarities to extract the set of states for the device (Calmon: par 71; unsupervised clustering of states).
9888 and Calmon do not explicitly teach yet Swanson suggests:
segmenting the time-series sensor data into a plurality of segments (Swanson: par 39-40); 
fitting a multivariate distribution to the plurality of segments (Swanson: par 39-40); 
Accordingly, it would have been obvious to one having ordinary skill in the art before the effective filing date of the invention to have segmented time series data and fitted a multivariate distribution to the segments, as taught by Swanson, to 9888 and Calmon’s invention.  The motivation to do so would have been in order to include a graph of points representing a sample of known clean files and a target file to be scored by an anomaly score model... The points of the clean files of the sample are within dotted lines of the contour 210, illustrating that the clean files are generally similar (non-anomalous) to each other based on the characterized features. The contour 210 may represent the multivariate Gaussian distribution of the points of the sample, which is determined by the anomaly score model based on the feature scores… In this visualization of the anomaly score, a threshold of distance 250 may be the threshold at which a file is classified as anomalous (Swanson: par 39-40).

Regarding claim 14, the claim limitations are set forth and rejected as discussed in claim 2.  

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Apostoloupolos et al. (US 2018/0219888 A1, hereinafter “9888”) in view of Calmon et al. (US 2020/0005096 A1, hereinafter “Calmon”) in further view of Triplet et al. (US 2020/0082013, hereinafter “Triplet”).

Regarding claim 7, 9888 and Calmon do not teach yet Triplet suggests:
The computer-implemented method of claim 1, comprising: identifying one or more portions of the time-series sensor data for at least a first one of the devices are missing (Triplet: par 145, step 201 - obtaining a multivariate time series from a network, preprocessing the multivariate time series to account for sampling intervals and missing data); and synthesizing data to fill in the one or more portions of missing data (Triplet: par 147, i.e. concatenating multivariate time series sequentially with empty readings filled by zero).
Accordingly, it would have been obvious to one having ordinary skill in the art before the effective filing date of the invention to have identified missing data in the time series data received and synthesized such data to fill in the missing data, as taught by Triplet, to 9888 and Calmon’s invention. The motivation to do so would have been to provide a new time-series, representing all PMs in the cluster as part of this process, where one of the benefits of the approach described herein compared to other approaches is that it provides a natural and intuitive representation of the similarities between the time-series, thereby enabling human experts to easily inspect, validate and/or tune the parameters of the algorithm (Triplet 0098).

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Apostoloupolos et al. (US 2018/0219888 A1, hereinafter “9888”) in view of Calmon et al. (US 2020/0005096 A1, hereinafter “Calmon”) in further view of Shurtleff et al. (US 2020/0162503 A1, hereinafter “Shurtleff”).

Regarding claim 12, 9888 and Calmon do not teach yet Shurtleff suggests:
The computer-implemented method of claim 1, wherein the group of devices corresponds to at least a part of one or more of: (i) a heating system, (ii) a ventilation system, (iii) a cooling system and (iv) a turbine system (Shurtleff: par 3).
Accordingly, it would have been obvious to one having ordinary skill in the art before the effective filing date of the invention to have allowed the group of devices to be part of heating/ventilation/cooling/turbine systems, as taught by Shurtleff, to 9888 and Calmon’s invention. The motivation to do so would have been that, as part of an IoT management system, the system may evaluate the IoT devices with respect to device-based policies or rules (e.g., operational time periods; expected ranges for network traffic volume, throughput, latency, jitter, packet loss, error, load, response times, computing resource usage, etc.) (Shurtleff [0104]).

Allowable Subject Matter
Claims 3, 5-6, 8-9, 15 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Relevant art in relation to allowable subject matter:
a- Bhattacharyya et al. (WO2020180887A1 or US2020/0285997 A1) teaches a method of determining anomalous operation of a system includes: capturing a stream of data representing sensed (or determined) operating parameters of the system over a range of operating states, with a stability indicator representing whether the system was operating in a stable state when the operating parameters were sensed; determining statistical properties of the stream of data, including an amplitude-dependent parameter and a variance thereof over time parameter for an operating regime representing stable operation; determining a statistical norm for the statistical properties that distinguish between normal operation and anomalous operation of the system; responsive to detecting that normal and anomalous operation of the system can no longer be reliably distinguished, determining new statistical properties to distinguish between normal and anomalous system operation; and outputting a signal based on whether a concurrent stream of data representing sensed operating parameters of the system represent anomalous operation of the system. 
b- Muddu et al. (US 10,587,633 B2) teaches a method performed by a computer system. The method includes forming groups of traffic, where each group includes a subset of detected connection requests. The method further includes determining a periodicity of connection requests for each group, identifying a particular group based on whether the periodicity of connection requests of the particular group satisfies a periodicity criterion, determining a frequency of the particular group in the traffic, and identifying the particular group as an anomaly based on whether the frequency of the particular group satisfies a frequency criterion.
c- Love et al. (US 9787705 B1) teaches a process, including: obtaining a clustered graph, wherein each of the nodes has a plurality of respective node attributes other than an identifier of the node; obtaining a designation of a given node attribute from among the plurality of node attributes; identifying a first subset of nodes of the graph as having anomalous values of the given node attribute by comparing values of the given node attribute in the first subset to a distribution of the given node attribute; identifying a second subset of nodes of the graph as having representative values of the given node attribute by comparing values of the given node attribute in the second subset to the distribution of the given node attribute; and sending instructions to a client device to display a representation of the graph.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LIZBETH TORRES-DIAZ whose telephone number is (571)272-1787. The examiner can normally be reached on 9:00a-4:30p.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr, can be reached on (571)272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/LIZBETH TORRES-DIAZ/Examiner, Art Unit 2495
/3 August 2021/
/ltd/