DETAILED ACTION
This is a non-final office action in response to applicant’s communication filed on 8/14/2019.
Claims 1-20 are pending and being considered.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 8/14/2019 has been considered. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, an initialed and dated copy of Applicant’s IDS form 1449 filed as stated above is attached to the instant Office Action.
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not relied upon for this office action:
Vasseur et al (US20150195296A1). Anomaly detection in a computer network using machine learning. 
Balabine et al (US20150229661A1). Detecting anomalies in computer network traffic with fewer false positives and without the need for time-consuming and unreliable historical baselines.
Claim Objections
Claims 1, 5-6, 8-15, 18-20 are objected to because of the following informalities:
Claim 1 line 9, similarly claim 8 line 9 and claim 15 line 6, “wherein each group” should read “wherein each group of the groups”.
Claim 1 line 10, similarly claim 8 line 10, claim 15 line 7, “for each group, creating …” is suggested to read as “for the each group, creating …”.
Claim 5 line 2, claim 12 line 2, and claim 19 line 2, "selecting a portion of the groups according to the rules…” should read "selecting a portion of the groups according to the respective rules…”.
Claim 5 lines 2-3, similarly claim 12 lines 2-3, claim 19 lines 2-3, “… after grouping and before filtering” may read as “… after the grouping and before the filtering” or “… after grouping the anomaly reports and before filtering the groups” or more appropriate form.
Claim 6 line 2, similarly claim 13 line 2, claim 20 line 2, “selecting the rule in the group…” may read “selecting the respective rule in the group…”.
Claim 15 recites a method. However there is no hardware device that is recited in the claim to implement the method. Applicant is suggested to positively recite at least one hardware device that implements the method step(s) in the claim.
Claim 18 line 1, claim 19 line 1, “The method of claim 3” may read as “The method of claim 17” since claim 3 recites the system of claim 1. 
Claims 9-14 line 1, each recites “The medium of claim …”. Applicant is suggested to recite “The non-transitory machine-readable storage medium of claim …”.
Appropriate correction is required.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Claim 1, similarly claims 8, 15, recites “receiving a plurality of anomaly reports…”, “extracting fields, and values for the fields…”, “grouping the anomaly reports…”, “creating a cluster…”, and “marking each cluster as a possible false positive anomaly cluster”. These would be interpreted as being analogous to concepts relating to organizing or analyzing information in a way that can be performed mentally or human mental work. Accordingly, the claim recites the abstract idea.
The limitations of receiving, extracting, grouping, creating and marking, as drafted, describe a process that, under its broadest reasonable interpretation, covers performance of the limitations in the mind but for the recitation that they relate to anomaly detection. Nothing in the claim elements precludes the steps from practically being performed in the mind. Accordingly, the claim recites an abstract idea.
Claims 1, 8 recite additional limitations of “hardware processor” and “non-transitory machine-readable storage medium” to perform the steps of method claims discussed above. The limitation of receiving a plurality of anomaly reports…, extracting fields, and values for the fields…, grouping the anomaly reports…, creating a cluster…, and marking each cluster as a possible false positive anomaly cluster, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, other than reciting “hardware processor” and “non-transitory machine-readable storage medium”, nothing in the claim element precludes the steps from practically being performed in the mind. Accordingly, the claims recite an abstract idea.
This judicial exception is not integrated into a practical application because the claim only recites the additional limitations of “anomaly report”, “association rule learning” and “respective rule”, which are merely used as generic and well known terminologies, and they do not amount to significantly more than the abstract idea. In addition, the claims only recite additional elements, a hardware processor and a non-transitory machine-readable storage medium, to perform the receiving, extracting, grouping, creating and marking steps. The hardware processor and non-transitory machine-readable storage medium in these steps are recited at a high level of generality (i.e., as a generic processor and non-transitory machine-readable storage medium performing the generic computer functions of receiving, extracting, grouping, creating and marking) such that they amount to no more than mere instructions to apply the exception using generic computer components. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using a computing system to perform the receiving, extracting, grouping, creating and marking steps amounts to no more than mere instructions to apply the exception using a generic computing system. Mere instructions to apply an exception using generic computing machines cannot provide an inventive concept. The claim is not patent eligible.
Dependent claims 2-8, 9-14, 16-20 recite additional limitations of “applying a frequency pattern growth algorithm”, “filtering the groups…”, “discarding groups…”, “selecting a portion of the groups…”, “displaying a view of … false positive anomaly clusters”, and “selecting the rule in the group…”. Viewing the elements as a combination does not add anything further than the individual elements. The further recited elements within dependent claims 2-8, 9-14, 16-20, taken individually, do not amount to significantly more than the abstract idea identified above. Therefore, the claims are not patent eligible.
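For the reader who wants to see the claimed sequence of steps in concrete form, the following is an illustrative Python re-implementation added here; it is not the applicant's code and is not taken from any reference cited in this action. It walks the independent-claim steps (receiving anomaly reports, extracting fields and values, grouping by association rule learning, creating a cluster per group on the common values, and marking each cluster as a possible false-positive cluster) together with the dependent-claim refinements listed above (selecting groups by their rules, filtering by a confidence threshold, and picking the rule with the highest number of fields when clustering). The sample reports, the confidence measure, the tie-breaking order, and the use of level-wise Apriori-style mining as a stand-in for a frequent pattern growth algorithm are all assumptions of this example, not details from the application.

```python
"""Illustrative re-implementation of the claimed pipeline (not the applicant's code):
receive anomaly reports -> extract (field, value) items -> mine frequent itemsets as
association rules -> select / filter groups -> cluster each report under its most
specific rule -> mark every cluster as a possible false-positive anomaly cluster."""
from collections import defaultdict
from itertools import combinations

# Constructed sample anomaly reports; every value here is made up for this example.
ANOMALY_REPORTS = [
    {"detector": "ids", "src_ip": "10.0.0.5", "dst_port": "443", "user": "svc_backup"},
    {"detector": "ids", "src_ip": "10.0.0.5", "dst_port": "443", "user": "svc_backup"},
    {"detector": "ids", "src_ip": "10.0.0.5", "dst_port": "443", "user": "alice"},
    {"detector": "ids", "src_ip": "10.0.0.7", "dst_port": "443", "user": "svc_backup"},
    {"detector": "edr", "src_ip": "10.0.0.9", "dst_port": "22", "user": "bob"},
    {"detector": "edr", "src_ip": "10.0.0.5", "dst_port": "22", "user": "svc_backup"},
]


def extract_fields(report):
    """'Extracting fields, and values for the fields': one report -> set of (field, value) items."""
    return frozenset((field, str(value)) for field, value in report.items())


def frequent_itemsets(transactions, min_support):
    """Level-wise (Apriori-style) mining of every itemset with support >= min_support.
    Assumed stand-in for a frequent pattern growth algorithm; both yield the same itemsets."""
    support = {}
    level = [frozenset([item]) for item in {i for t in transactions for i in t}]
    size = 1
    while level:
        counts = {c: sum(1 for t in transactions if c <= t) for c in level}
        frequent = {c: n for c, n in counts.items() if n >= min_support}
        support.update(frequent)
        # next level: unions of two frequent itemsets that differ in exactly one item
        level = list({a | b for a, b in combinations(frequent, 2) if len(a | b) == size + 1})
        size += 1
    return support


def confidence(rule, support, n_reports):
    """Assumed confidence measure: support(rule) divided by the largest support of any
    antecedent obtained by dropping one item (i.e. the weakest single-consequent rule).
    A one-item rule uses the empty antecedent, which is plain relative support."""
    if len(rule) == 1:
        return support[rule] / n_reports
    return support[rule] / max(support[rule - {item}] for item in rule)


def find_false_positive_clusters(reports, min_support=2, min_fields=2, min_confidence=0.7):
    """Full pipeline; returns one record per cluster, largest cluster first."""
    transactions = [extract_fields(r) for r in reports]
    support = frequent_itemsets(transactions, min_support)            # grouping by rules
    groups = {r: n for r, n in support.items() if len(r) >= min_fields}  # select a portion by rule
    groups = {r: n for r, n in groups.items()                          # filter by confidence,
              if confidence(r, support, len(reports)) >= min_confidence}  # discard below threshold
    clusters = defaultdict(list)
    for idx, items in enumerate(transactions):
        matching = [rule for rule in groups if rule <= items]
        if not matching:
            continue  # no surviving rule explains this report; it stays an individual anomaly
        # rule with the highest number of fields; assumed tie-break: higher support, then name
        best = max(matching, key=lambda r: (len(r), groups[r], sorted(r)))
        clusters[best].append(idx)
    result = []
    for rule, members in clusters.items():
        result.append({
            "common_values": dict(sorted(rule)),          # the values shared by the cluster
            "confidence": round(confidence(rule, support, len(reports)), 3),
            "report_indices": members,
            "size": len(members),
            "possible_false_positive": True,              # the marking step
        })
    result.sort(key=lambda c: (-c["size"], sorted(c["common_values"].items())))
    return result


if __name__ == "__main__":
    for cluster in find_false_positive_clusters(ANOMALY_REPORTS):
        print(cluster)
```

With the sample reports, the three `ids`/`443`/`svc_backup` reports fall into one cluster under the most specific surviving three-field rule, while the four-field rule that also covers two of them is dropped by the confidence filter, which is the effect the filtering and discarding limitations are meant to have on over-specific groups.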
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 2, 8-9, 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Hagi et al (US20190149565A1, hereinafter, "Hagi"), in view of Gamble et al (US20190342307A1, hereinafter, “Gamble”).
Regarding claim 1, Hagi teaches:
A system, comprising: a hardware processor; and a non-transitory machine-readable storage medium encoded with instructions executable by the hardware processor to perform a method (Hagi, discloses anomaly detection using cognitive computing, see [Title] and [Abstract]. And [0004] Further aspects of the present disclosure are directed toward a computer system comprising a processor and a tangible, computer-readable memory for storing program instructions which, when executed by the processor, perform a method) comprising: 
receiving a plurality of anomaly reports, wherein each of the anomaly reports describes a network security anomaly (Hagi, referring to Fig. 2, Collect data. And [0048] In operation 202, the anomaly detection system collects cybersecurity data (i.e. anomaly reports).  Cybersecurity data can be collected from, for example, log files (e.g., syslogs, operating system (OS) logs, event logs, application logs, network logs, transaction logs (i.e. anomaly reports),…); 
extracting fields, and values for the fields, from each of the anomaly reports (Hagi, [0007] The method can further comprise receiving, at the feature extraction system and from the HTM network, at least one output multi-dimensional array (i.e. fields) based, at least in part, on active nodes in a respective region of the HTM network. And [0049] In operation 204, the anomaly detection system pre-processes the cybersecurity data collected in operation 202. Pre-processing the cybersecurity data can include, but is not limited to, filtering (e.g., cleansing), integrating, and/or organizing the cybersecurity data);
grouping the anomaly reports into a plurality of groups according to association rule learning, wherein each group is defined by a respective rule (Hagi, [0031] feature extraction system 126 executes any number of machine learning algorithms such as, but not limited to, decision tree learning, association rule learning, … And [0050] In operation 206, the anomaly detection system generates one or more tensors by encoding the pre-processed data into respective tensors (i.e. plurality of groups)... respective tensors can comprise clustered log features (expressed as VSM matrices) that have been categorized and processed into numerical values. Thus, the tensors can numerically represent the attributes of event data across multiple spatial bases and temporal bases. Also see Fig. 5 step 512 and [0079] machine learning can include, but is not limited to, decision tree learning, association rule learning…); 
While Hagi teaches the main concept of the invention, using a rule-based machine learning algorithm for anomaly detection with fewer false positives (see Hagi, [0021]), Hagi does not expressly teach the following limitations. In the same field of endeavor, Gamble teaches:
for each group, creating a cluster based on common values for the fields (Gamble, [0010] The security events/alerts data and the related event data are combined into a multiple graph form that represents the links between events. For example, a security event between two machines would have two nodes (each machine), connected by a link that is the event (e.g. a suspicious use login). And [0041] The platform processes the graph data structures by combining similar nodes or grouping security events with common features (i.e. common values) to behaviour indicative of a single or multiple security events);
marking each cluster as a possible false positive anomaly cluster (Gamble, [0010] The security events are associated with labels having stored data values indicative of details describing the events, such as a risk rating, weighting or probability indicating how likely it is to be a false positive, and [0017] the descriptive data comprises a risk rating, a weighting or probability indicating likelihood that the security event is a false positive).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Gamble in the anomaly detection of Hagi by combining similar nodes or grouping security events with common features in monitoring the security attack chain for anomaly detection. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify unique groupings of events in graph form to provide a more accurate detection mechanism for intrusion (Gamble, [Abstract], and [0010-0012]).

Regarding claim 8, the Hagi-Gamble combination teaches:
A non-transitory machine-readable storage medium encoded with instructions executable by a hardware processor of a computing component, the machine-readable storage medium comprising instructions to cause the hardware processor to perform a method (Hagi, [0005] Further aspects of the present disclosure are directed toward a computer program product comprising a computer readable storage medium having program instructions executable by a processor to cause the processor to perform a method) comprising: method steps substantially similar to the method steps performed by the system of claim 1; the claim is therefore rejected with the same rationale set forth for the rejection of claim 1 above.

Regarding claim 15, the Hagi-Gamble combination teaches:
A method comprising: method steps substantially similar to the method steps performed by the system of claim 1; the claim is therefore rejected with the same rationale set forth for the rejection of claim 1 above.

Regarding claim 2, similarly claim 9, claim 16, the Hagi-Gamble combination further teaches:
The system of claim 1, the medium of claim 8, the method of claim 15, wherein grouping the anomaly reports into a plurality of groups according to association rule learning comprises: applying a frequent pattern growth algorithm to the anomaly reports (Hagi, [0032] feature extraction system 126 can be configured to perform machine learning using one or more of the following example techniques: … apriori algorithms (i.e. frequent pattern growth algorithm),…).  

Claims 3, 10, 17 are rejected under 35 U.S.C. 103 as being unpatentable over the Hagi-Gamble combination, further in view of Limonad et al (US20170193078A1, hereinafter, “Limonad”).
Regarding claim 3, similarly claim 10, claim 17, the Hagi-Gamble combination teaches:
The system of claim 1, the medium of claim 8, the method of claim 15,
While the Hagi-Gamble combination does not explicitly teach the following, Limonad, in the same field of endeavor, teaches:
the method further comprising: filtering the groups according to confidence values respectively associated with the groups after grouping the anomaly reports and before creating the clusters (Limonad, discloses method for anomaly classification and detection, see [Abstract] and [0001]. And referring to Fig. 2, steps 240-260, filtering the data set to perform anomaly classification based on relative density criterion (i.e. confidence values)).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Limonad in the anomaly detection of Hagi-Gamble by filtering the anomaly data based on relative density for anomaly classification. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter the anomaly data set and perform anomaly classification based on relative density criterion (Limonad, [Abstract]).

Claims 4, 11, 18 are rejected under 35 U.S.C. 103 as being unpatentable over the Hagi-Gamble-Limonad combination, further in view of Jain et al (US20170250954A1, hereinafter, “Jain”).
Regarding claim 4, similarly claim 11, claim 18, the Hagi-Gamble-Limonad combination teaches:
The system of claim 3, the medium of claim 10, the method of claim 3,
While the Hagi-Gamble-Limonad combination does not explicitly teach the following, Jain, in the same field of endeavor, teaches:
wherein filtering the groups according to the confidence values comprises: discarding groups having confidence values below a determined confidence threshold (Jain, discloses method for detection of anomalies or intrusions [Abstract]. And [0040] Returning to FIG. 4, the contents of the buffers are passed to counting modules 192, 194… rows with the lowest statistics are removed (i.e. discarding) from the tables periodically or as they go below a threshold rank, count, age since last update, etc.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Jain in the anomaly detection of Hagi-Gamble-Limonad by removing rows of data with the lowest statistics. This would have been obvious because the person having ordinary skill in the art would have been motivated to provide statistically significant data for data inspection to detect anomalies (Jain, [Abstract], [0040]).

Claims 5, 12, 19 are rejected under 35 U.S.C. 103 as being unpatentable over the Hagi-Gamble-Limonad combination, further in view of Puri et al (US20160371489A1, hereinafter, “Puri”).
Regarding claim 5, similarly claim 12, claim 19, the Hagi-Gamble-Limonad combination teaches:
The system of claim 3, the medium of claim 10, the method of claim 3,
While the Hagi-Gamble-Limonad combination does not explicitly teach the following, Puri, in the same field of endeavor, teaches:
the method further comprising: selecting a portion of the groups according to the rules after grouping and before filtering (Puri, discloses event anomaly analysis and prediction, see [Abstract]. In particular referring to Fig. 10, and [0138] At block 1012, the method 1000 may include identifying (e.g., by the data anomaly analyzer 116), based on an application of the plurality of rules 114 to the data 118, selected ones of the anomalies in the data 118 (i.e. a portion of the groups)).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Puri in the anomaly detection of Hagi-Gamble-Limonad by selecting anomaly data from a data source based on rules. This would have been obvious because the person having ordinary skill in the art would have been motivated to determine anomalies from a data source based on the application of rules for anomaly analysis and prediction (Puri, [Abstract]).

Claims 6, 13, 20 are rejected under 35 U.S.C. 103 as being unpatentable over the Hagi-Gamble combination, further in view of Xiong et al (US20160127319A1, hereinafter, “Xiong”).
Regarding claim 6, similarly claim 13, claim 20, the Hagi-Gamble combination teaches:
The system of claim 1, the medium of claim 8, the method of claim 15, 
While the Hagi-Gamble combination does not explicitly teach the following, Xiong, in the same field of endeavor, teaches:
wherein creating the cluster for each group comprises: selecting the rule in the group with the highest number of the fields (Xiong, discloses method of evaluating transactions by automatically generated rules, see [Abstract]. And [0016] The system automatically determines the number of the rules that is optimal to solve the problem that is presented.  In some embodiments, users have options to set the maximum number of rules generated).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Xiong in the anomaly detection of Hagi-Gamble by allowing users to set the maximum number of rules used for screening internet transactions. This would have been obvious because the person having ordinary skill in the art would have been motivated to use rules configured to model data patterns in different parts of the input space, and their combination, to provide a powerful and interpretable final model that meets various predictive modeling needs (Xiong, [Abstract], [0016]).

Claims 7, 14 are rejected under 35 U.S.C. 103 as being unpatentable over the Hagi-Gamble combination, further in view of Aghdaie et al (US10459827B1, hereinafter, “Aghdaie”).
Regarding claim 7, similarly claim 14, the Hagi-Gamble combination teaches:
The system of claim 1, the medium of claim 8, 
While the Hagi-Gamble combination does not explicitly teach the following, Aghdaie, in the same field of endeavor, teaches:
the method further comprising: displaying a view of one of the possible false positive anomaly clusters (Aghdaie, discloses method of automated anomaly detection based on heterogeneous data sources, see [Abstract]. In particular, referring to Fig. 4A-C showing user interface 400 for the anomaly detection system 130, and Col. 18 lines 59-63, The interface can include an interface control 410 that allows for a user to input feedback associated with the anomaly event.  As indicated, a user can identify whether the anomaly is a true positive ("Issue") or a false positive ("Acceptable")).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Aghdaie in the anomaly detection of Hagi-Gamble by displaying a table of results of an anomaly detection analysis in a user interface. This would have been obvious because the person having ordinary skill in the art would have been motivated to automatically identify an anomalous data set and display the anomaly detection result to the user, allowing the user to feed the information back to the model generation system to update the anomaly detection model (Aghdaie, [Abstract]).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/Examiner, Art Unit 2436


/TRONG H NGUYEN/Primary Examiner, Art Unit 2436