DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 07/03/2019, 09/19/2019, 11/13/2019, 01/17/2020 and 07/28/2021 has been considered. The submission is in compliance with the provisions of 37 CFR 1.97. Form PTO-1449 is signed and attached hereto.

Drawings
	The drawings filed on July 03, 2019 are accepted. 

Specification
	The specification filed July 03, 2019 is accepted.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-30 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 12 and 17 of U.S. Patent No. 10,389,738 B2. Although the conflicting claims are not identical, they are not patentably distinct from each other because all elements of claims 1-30 of the present application correspond to elements of claims 1-30 of the '738 patent. Claims 1-30 of the present application would have been obvious over claims 1-30 of the '738 patent because each element of the claims of the present application is anticipated by the claims of the '738 patent.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-4, 6-12, 15-17, 19-24 and 26-30 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Wang et al., U.S. 8,555,388 B1 [hereinafter Wang].

As per claims 1, 29 and 30, Wang teaches a method comprising: 
receiving, by a computer system, event data associated with a communication between an internal entity within a computer network and an external entity outside the computer network, the event data including an identifier (i.e., URL, domain information, etc.) associated with a particular entity, wherein the particular entity is the internal entity or the external entity [column 7, lines 20-34];
analyzing, by the computer system, a plurality of characters in the identifier by processing the event data [column 7, lines 47-65];  

detecting, by the computer system, an anomaly based on the feature score [column 14, lines 20-38]. 

	As per claim 2, Wang further teaches the method wherein the detected anomaly is indicative of malware communications [column 14, lines 20-38]. 
 
	As per claim 3, Wang further teaches the method wherein the feature score is representative of a quantified evaluation of risk associated with the particular entity [column 14, lines 20-38].  
 
	As per claim 4, Wang further teaches the method wherein analyzing the plurality of characters in the identifier includes: analyzing a sequencing of the plurality of characters in the identifier [column 7, lines 47-65].

	As per claim 6, Wang further teaches the method wherein analyzing the plurality of characters in the identifier includes: performing a lexical analysis of the identifier using natural language processing [column 7, lines 47-65].
 

 
	As per claim 8, Wang further teaches the method wherein detecting the anomaly includes: assigning an anomaly score based on the feature score and determining that the anomaly score satisfies a specified criterion, wherein the anomaly is detected in response to determining that the anomaly score satisfies the specified criterion [column 8, lines 34-60 and column 14, lines 20-38].  
 
	As per claim 9, Wang further teaches the method wherein detecting the anomaly includes: assigning an anomaly score based on a weighted combination of the feature score and one or more other feature scores associated with the particular entity and determining that the anomaly score satisfies a specified criterion, wherein the anomaly is detected in response to determining that the anomaly score satisfies the specified criterion [column 8, lines 34-60 and column 14, lines 20-38].  
 
	As per claim 10, Wang further teaches the method wherein assigning the feature score includes: processing the event data using a machine learning model, the machine learning 

	As per claim 11, Wang further teaches the method wherein detecting the anomaly includes: processing the feature score using an anomaly model, the anomaly model including: model processing logic defining a process for assigning an anomaly score based on the feature score, and a model state defining a set of parameters for applying the model processing logic, and assigning an anomaly score based on the processing of the feature score, and determining that the anomaly score satisfies a specified criterion, wherein the anomaly is detected in response to determining that the anomaly score satisfies the specified criterion  [column 13, lines 23-column 14, line 19].

	As per claim 12, Wang further teaches the method wherein detecting the anomaly includes: determining a volume of event data associated with the communication between the internal entity and the external entity, processing the feature score using: a first anomaly model if the volume of event data is at or above a threshold volume, or a second anomaly model if the volume of event data is below the threshold volume [column 10, lines 37-53]. 
 
		
	As per claim 15, Wang further teaches the method further comprising: annotating, by the computer system, the detected anomaly with data from an external data source external to the computer network [column 10, lines 32-54]. 

	As per claim 16, Wang further teaches the method further comprising: outputting, by the computer system, via a user interface, an indication of the detected anomaly to a user [column 12, lines 49-60]. 
 
	As per claim 17, Wang further teaches the method further comprising: outputting, by the computer system, via a user interface, in response to detecting the anomaly, an incident response output, the incident response output including: the identifier associated with the external or internal entity; the feature score and a recommended response based on the feature score [column 12, lines 49-60 and column 14, line 19].
	
	As per claim 19, Wang further teaches the method wherein detecting the anomaly is performed in real time as the event data are received [column 7, lines 20-47]. 
 
	As per claim 20, Wang further teaches the method wherein detecting the anomaly is performed using Apache Storm or Apache Spark Streaming as a processing engine [column 7, lines 20-47]. 
 
	As per claim 21, Wang further teaches the method wherein receiving the event data includes: adaptively filtering the event data according to a dynamic whitelist [column 11, lines 41-56]. 
 

transform, and load (ETL) pipeline [column 7, lines 20-47].  
 
	As per claim 23, Wang further teaches the method wherein the event data are timestamped machine data [column 7, lines 20-47].
 
	As per claim 24, Wang further teaches the method wherein the event data include one or more of: domain name system (DNS) generated log data, firewall generated log data, or proxy generated log data [column 7, lines 20-47].

	As per claim 26, Wang further teaches the method wherein the feature score is one of a plurality of feature scores included in an entity profile associated with the particular entity, and wherein detecting the anomaly includes processing the entity profile using an anomaly model [column 13, line 39-column 14, line 39]. 
 
	As per claim 27, Wang further teaches the method further comprising: generating, by the computer system, an entity profile for the particular entity, the entity profile including a plurality of feature scores, the plurality of feature scores including the feature score assigned based on the analysis of the plurality of characters in the identifier, each of the plurality of feature scores assigned based on a different one of a plurality of different analyses of the 
 
	As per claim 28, Wang further teaches the method wherein the identifier is any of: a domain name, a uniform resource locator (URL), uniform resource identifier (URI), an Internet Protocol (IP) address, a unique identifier (UID), a device identification, or a user identification [column 7, lines 47-55].

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 18 and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Wang et al., U.S. 8,555,388 B1 [hereinafter Wang] in view of Ranshous et al., “Anomaly detection in dynamic networks: a survey”, Volume 7, May/June 2015; pages 223-247 [hereinafter Ranshous].

	As per claim 18, Wang teaches the method as indicated above. In the same field of endeavor, Ranshous teaches an anomaly detection graph including:  Incorporating, by the computer system, the detected anomaly into a network security graph, the network security 

	As per claim 25, Wang teaches the method as indicated above. In the same field of endeavor, Ranshous teaches an anomaly detection graph including: storing, by the computer system, anomaly data indicative of the detected anomaly in an anomaly graph data structure that includes: a plurality of nodes, each of the plurality of nodes representing entities associated with the computer network, the entities including users and/or devices and a plurality of edges, each of the plurality of edges representing an anomaly linking two of the plurality of nodes [pages 225-226, sections Type 1: Anomalous Vertices and Type 2: Anomalous Edges]. It would have been obvious to one having ordinary skill in the art before the filing date of the application to employ the teachings of Ranshous within the system of Wang in order to enhance the security of the system by further applying graph based anomaly detection.

Allowable Subject Matter
Claims 5, 13 and 14 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims and further overcoming the double patenting rejection indicated above.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BEEMNET W DADA whose telephone number is (571)272-3847.  The examiner can normally be reached on Monday-Friday, 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access 


BEEMNET W. DADA
Primary Examiner
Art Unit 2435



/BEEMNET W DADA/Primary Examiner, Art Unit 2435