DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 07/06/2021 has been entered.
Response to Arguments
Applicant’s arguments with respect to claim(s) 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
In response to the applicant’s remarks, the examiner notes that the amended claims are further taught by a combination of Salunke (U.S. 20200351283) and Sartran (U.S. 20170279694). The examiner notes that Salunke, in paragraph [0034] (“Statistical anomaly detectors may employ machine learning to provide a more adaptive and robust anomaly detection. One example approach is to automatically learn relationships between an independent variable and a dependent variable by fitting observed data points to a correlation-based model.”), makes mention of a machine learning model used for anomaly detection.
The examiner further notes that Sartran fleshes out any deficiencies of Salunke. Sartran further teaches methods of utilizing machine learning to match scored traffic records to
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-8 and 11-17 are rejected under 35 U.S.C. 103 as being unpatentable over Salunke (U.S. 20200351283) in view of Sartran (U.S. 20170279694).

Regarding claim 11, Salunke teaches a system comprising: at least one data store configured to store at least one data set (Salunke: Paragraph [0056] “Data collector 120 may store the time series data in data repository” One data store configured to store at least one data set is taught as data collector may store the time series data in a data repository.); at least one processor (Salunke: Paragraph [0166] “a processor” At least one processor is taught as a processor.), configured to: receive at least one data set of at least one data stream from at least (Salunke: Paragraph [0056] “Data collector 120 includes logic for aggregating sample data captured by agents 114a-j into a set of one or more time series signals or data objects. Data collector 120 may store the time series data in data repository 140 and/or provide the time series data to anomaly management services 130.” Receive at least one data set of at least one data stream from at least one data source is taught as a set of one or more time series signals or data objects that are stored in a data repository and further provided to the anomaly management service.); wherein the at least one data set comprises a plurality of time-varying data points (Salunke: Paragraph [0056] “Data collector 120 includes logic for aggregating sample data captured by agents 114a-j into a set of one or more time series signals or data objects. Data collector 120 may store the time series data in data repository” Wherein the at least one data set comprises a plurality of time-varying data points is taught as a set of one or more time series signals or data objects.); wherein each time-varying data point of the plurality of time-varying data points comprises at least one variable of at least one dimension (Salunke: Paragraph [0076] “data points from different dimensions may be organized tabularly, such as into different columns.
Thus, each column may represent a different metric or other time series signal of values collected from one or more target resources.” Wherein each time-varying data point of the plurality of time-varying data points comprises at least one variable of at least one dimension is taught as the input of data points or time series signal values that are from different dimensions are organized tabularly. Paragraph [0134] “The trained classifiers may account for multiple variables in the incoming data.”); determine a plurality of event observations associated with at least one data point of the plurality of time-varying data points based at least in part on a detection model (Salunke: Paragraph [0130] “In response, evaluation analytic 132 compares the test data to a set of predictions generated as a function of the trained model components. The predictions may define an expected range of values for the set of test data. If an anomaly is detected, evaluation analytic 132 may output a flag and/or information about the anomaly.” Determine a plurality of event observations associated with at least one data point of the plurality of time-varying data points based at least in part on a detection model is taught as a set of predictions defining expected values for the set of test data generated as a function of the trained model.); wherein the detection model comprises at least one anomaly detection model trained (Salunke: Paragraph [0130] “Once trained, an anomaly detection model may be used to make predictions against new data to monitor for anomalies.” The detection model comprises at least one anomaly detection model trained is taught as the trained anomaly detection model.)
according to a respective plurality of independent event training data sets (Salunke: Paragraph [0132] “the support vectors may include a series of points formed from a subset of the training data” According to a respective plurality of independent event training data sets is taught as the support vectors may include a series of points formed from a subset of the training data. Refer to Paragraph [0085] for teachings of using a different training set. Salunke covers the method of using multiple training data sets.) to identify types of the plurality of event observations (Salunke: Paragraph [0088] “Once trained, the training process stores the model components, including the trained classifiers and learned anomaly boundary regions, in volatile and/or non-volatile storage (operation 220). The stored components may be used to make predictions and detect anomalies” To identify types of the plurality of event observations is taught as make predictions and detect anomalies (Event observations are taught as anomalies).); wherein the types of the plurality of event observations (Salunke: Paragraph [0044] “The anomaly classifiers may be used to identify different types of anomalies and/or root causes for the anomalies.” Anomalies are taught as anomalies.) comprise at least one of: i) anomalies (Salunke: Paragraph [0044] “The anomaly classifiers may be used to identify different types of anomalies and/or root causes for the anomalies.” Anomalies are taught as anomalies.), ii) change-points, iii) patterns, or iv) outliers; [Serial No.: 16/945,393; Attorney Docket No.: 056516-506101/US] generate a plurality of anomaly records in at least one event data store for the plurality of event observations (Salunke: Paragraph [0136] “generates one or more anomaly classifications or summaries (operation 708).
An anomaly classification or summary may comprise information about a detected anomaly… mappings may be stored to link attributes associated with a detected anomaly to corresponding classifiers, labels or summaries for the anomalies.” Generate a plurality of anomaly records in at least one event data store based at least in part on the plurality of event observations is taught as generates one or more anomaly classifications or summaries and then storing the data for further linking use.),… utilize an association machine learning model to classify at least one event observation of the plurality of event observations as being associated with at least one particular event based at least in part on the at least one variable of the at least one dimension (Salunke: Paragraph [0034] “Statistical anomaly detectors may employ machine learning to provide a more adaptive and robust anomaly detection. One example approach is to automatically learn relationships between an independent variable and a dependent variable by fitting observed data points to a correlation-based model. The trained correlation-based model may then be used to make estimates for the dependent variable as a function of the independent variable. Estimates may be compared with observed data points to determine whether the dependent variable is experiencing anomalous behavior. This approach works well in simple systems where the behavior of one variable is highly dependent on another variable.” Utilize an association machine learning model to classify at least one event observation of the plurality of event observations is taught as anomaly detectors that employ machine learning to automatically learn relationships between an independent variable and a dependent variable by fitting observed data points to a correlation-based model. Estimates may be compared with observed data points to determine whether the dependent variable is experiencing anomalous behavior.) 
of each time-varying data point of each event observation (Salunke: Paragraph [0056] “Data collector 120 includes logic for aggregating sample data captured by agents 114 a-j into a set of one or more time series signals or data objects. Data collector 120 may store the time series data in data repository 140 and/or provide the time series data to anomaly management services 130.” Each time-varying data point of each event observation is taught as aggregating sample data captured by agents into a set of one or more time series signals or data objects);
Salunke does not explicitly disclose a particular anomaly record of the plurality of anomaly records corresponds to a particular observation of the plurality of event observations; … automatically generate at least one event record representing the at least one particular event, the at least one event record links at least one particular anomaly record with the at least one event observation; and automatically apply at least one change in the at least one event record of the at least one event to each event observation of the at least one event observations based on the linking of each anomaly record associated with each event observation in the at least one event observations.
Sartran further teaches a particular anomaly record of the plurality of anomaly records corresponds to a particular observation of the plurality of event observations (Sartran: Paragraph [0070] “a device in a network identifies a plurality of traffic records as anomalous. The device matches each of the plurality of traffic records to one or more anomalies using one or more anomaly graphs. A particular anomaly graph represents hosts in the network as vertices in the graph and communications between hosts as edges in the graph. The device applies one or more ordering rules to the traffic records, to uniquely associate each traffic record to an anomaly in the one or more anomalies. The device sends an anomaly notification for a particular anomaly that is based on the traffic records associated with the particular anomaly.” A particular anomaly record of the plurality of anomaly records corresponds to a particular observation of the plurality of event observations is taught as matching the plurality of traffic records to one or more anomalies.); … automatically generate at least one event record representing the at least one particular event (Sartran: Paragraph [0062] “When present, RL engine 412 may enable a feed-back loop between the system and the end user, to automatically adapt the system decisions to the expectations of the user and raise anomalies that are of interest to the user (e.g., as received via a user interface of the SCA).”[0068] “The techniques herein aggregate scored traffic records that correspond to the same networking event in a robust way, thus generating anomaly messages that are meaningful and interpretable. In some aspects, an anomaly detection system may represent the network using one or more graphs and generate a traffic record of the type {source, destination, flag}, where the flag is a Boolean indicator of whether the graph edge between the source and destination is exhibiting anomalous behavior. 
”Automatically generate at least one event record representing the at least one particular event is taught as automatically adapt the system decisions to the expectations of the user and raise anomalies that are of interest to the user. The system aggregates traffic records to identify the anomalous behavior in the networking event.), the at least one event record links at least one particular anomaly record with the at least one event observation (Sartran: Paragraph [0070] “a device in a network identifies a plurality of traffic records as anomalous. The device matches each of the plurality of traffic records to one or more anomalies using one or more anomaly graphs. A particular anomaly graph represents hosts in the network as vertices in the graph and communications between hosts as edges in the graph. The device applies one or more ordering rules to the traffic records, to uniquely associate each traffic record to an anomaly in the one or more anomalies.” The at least one event record links at least one particular anomaly record with the at least one event observation is taught as the traffic records being uniquely associated to an anomaly in the one or more anomalies.); and automatically apply at least one change in the at least one event record of the at least one event to each event observation of the at least one event observations based on the linking of each anomaly record associated with each event observation in the at least one event observations (Sartran: Paragraph [0081] “Anomaly manager 502 may employ any number of ordering rules on the anomaly matches from event matcher 506, to uniquely associate a given record with a particular anomaly. For example, one such rule may implement total order on anomalies that match the same record. Various total orders may be defined in different implementations, but some common properties may be desirable. 
One such property is that if several anomalies match records R1 and R2 (e.g., event matcher 506 determines that records R1 and R2 are matched to the anomalies in the set {A1-An}), and if A1 is the preferred one for both R1 and R2, then adding R1 to A1 should not impact the ordering of {A1-An} for matching R2.” [0101] “An additional aspect of the techniques herein is a mechanism to destroy or delete an anomaly (e.g., a generated anomaly map), if the corresponding phenomenon is no longer observed.” Automatically apply at least one change in the at least one event record of the at least one event to each event observation of the at least one event observations based on the linking of each anomaly record associated with each event observation in the at least one event observations is taught as the anomaly matches from event matcher to uniquely associate a given record with a particular anomaly. The change is the matching between the given event record which is matched to the particular anomaly. The method of Sartran further teaches that the system may delete an anomaly if the phenomenon is no longer observed.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the anomaly detection model of Salunke with the method of associating event records with anomalies of Sartran in order to use a machine learning-based anomaly detector to output a set of records after each time interval, thereby analyzing a large number of anomalies in the event of an attack which may be too cumbersome for a user to manually assess (Sartran: Paragraph [0004] “a machine learning-based anomaly detector outputs a set of records after each time interval. However, during a network attack or other anomalous event, this may result in a large number of anomalous records, which may be too cumbersome for a user to assess.”).

Claim 1 is similarly rejected, refer to claim 11 for further analysis.
Regarding claim 2, Salunke  in view of Sartran teaches the method of claim 1, further comprising receiving, by the at least one processor, a visualization request from the at least one (Salunke: Paragraph [0140] “the interface may present visualizations, such as the example multidimensional charts described herein.” A visualization request from the at least one computing device is taught as the interface may present visualizations.) via an associated application programming interface (API) (Salunke: Paragraph [0165] “The requests are communicated through an interface, such as a client interface (such as a web browser), a program interface, or an application programming interface (API).”) target set (Salunke: Paragraph [0053] “capturing time series measurements from a corresponding target (or set of targets)” Target set is taught as set of targets.).

Regarding claim 12, Salunke in view of Sartran teaches the system of claim 11, wherein the at least one processor is further configured to receive an annotation to the event record (Salunke: Paragraph [0035] “a user may label examples of anomalous and unanomalous behavior.” Receiving an annotation is taught by a user labeling examples of anomalous and unanomalous behavior (i.e., “event record” The event record is read as a group of data either anomalous or unanomalous.) Further refer to Paragraph [0145] “the user provides a mapping of the anomaly labels and the associated probabilities.” Annotation to the event record is taught by the mapping of the anomaly labels used to generate the event records.) by a user of the at least one user from a computing device of the at least one computing device (Salunke: Paragraph [0039] “machine-assisted supervised mode includes receiving one or more user-set labels for one or more data points.” The user-set labels are inputted into the anomaly detection system that is run on a computing device. Paragraph [0186] “One or more special-purpose computing devices.” A computing device is taught as a computing device.); wherein the annotation comprises a modification to the root cause type (Salunke: Paragraph [0160] “The different labels are indicative of differing root causes for the anomalies.” The label is a modification to the root cause type because they indicate the differing root causes for anomalies.).

Claim 3 is similarly rejected, refer to claim 12 for further analysis.
  
Regarding claim 13, Salunke in view of Sartran teaches the system of claim 12, wherein the at least one processor is further configured to cause to display an indication of the respective annotation in the visualization of the set of events (Salunke: Paragraph [0140] “the interface may present visualizations, such as the example multidimensional charts described herein. The drill-down information may facilitate a quick diagnosis of the root cause of the anomaly.” Display an indication of the respective annotation in the visualization of the set of events on the screen of the at least one computing device associated with the at least one user is taught as the interactive interface that presents visualizations such as multidimensional charts that may facilitate a quick diagnosis of the root cause of the anomaly. The user may click an anomaly from a list to view the classification information (label or annotation)) on the screen of the at least one computing device associated with the at least one user (Salunke: Paragraph [0190] “Computer system 1000 may be coupled via bus 1002 to display” The screen of the computing device is taught as computer system coupled to a display.).
  
Claim 4 is similarly rejected, refer to claim 13 for further analysis.

Regarding claim 14, Salunke in view of Sartran teaches the system of claim 11, wherein the detection model comprises: 
a plurality of anomaly detection models (Salunke: Paragraph [0070] “configured to train one or more anomaly detection models.” A plurality of anomaly detection models is taught as one or more anomaly detection models), and 
a plurality of change-point detection models (Salunke: Paragraph [0070] “configured to train one or more anomaly detection models.” A plurality of change-point detection models is taught as one or more anomaly detection models.).  

Claim 5 is similarly rejected, refer to claim 14 for further analysis.

Regarding claim 15, Salunke in view of Sartran teaches the system of claim 11, wherein the at least one processor is further configured to: identify a set of related event observations (Salunke: Paragraph [0061] “Additionally or alternatively, evaluation analytic 132 may output a set of data that indicates which sample data points within a given time series are anomalous and/or which sample data points are un-anomalous.” Identify a set of related event observations is taught by output a set of data that indicates which sample data points within a given time series are anomalous and/or which sample data points are un-anomalous.) associated with a common event based on an association model trained to identify the common event (Salunke: Paragraph [0044] “anomaly detection system stores mappings between different respective anomaly regions and respective anomaly classifiers. During the evaluation phase, the anomaly detection system may assign anomaly classifiers to detected anomalies based on the mappings. The anomaly classifiers may be used to identify different types of anomalies and/or root causes for the anomalies.” Associated with a common event based on an association model trained to identify the common event is taught as the anomaly classifiers of the trained model which identify types of anomalies and or root causes for the anomalies. Paragraph [0035] “The trained model may be used to classify new examples as anomalous or unanomalous.”) using the at least one variable (Salunke: Paragraph: [0034] “Estimates may be compared with observed data points to determine whether the dependent variable is experiencing anomalous behavior.” Using the at least one variable is taught as determine whether the dependent variable is experiencing anomalous behavior.)
and the at least one dimension of each time-varying data point associated with each event observation (Salunke: Paragraph [0070] “Training analytic 131 may receive, as input, a collection of data points in an arbitrary dimension. In some embodiments, the data may be multivariate, spanning two or more dimensions.” The at least one dimension of each time-varying data point associated with each event observation is taught as collection of data points that are multivariate spanning two or more dimensions. The data points are used by the trained model to classify anomalies.). 
 
Claim 6 is similarly rejected, refer to claim 15 for further analysis.

Regarding claim 16, Salunke in view of Sartran teaches the system of claim 11, wherein the at least one processor is further configured to: determine an anomaly classification for the set of (Salunke: Paragraph [0061] “Additionally or alternatively, evaluation analytic 132 may output a set of data that indicates which sample data points within a given time series are anomalous and/or which sample data points are un-anomalous.” Determine an anomaly classification for the set of related event observations when the set of related event observations is taught by output a set of data that indicates which sample data points within a given time series are anomalous and/or which sample data points are un-anomalous.) is identified based at least in part on a classification model trained to recognize the anomaly classification (Salunke: Paragraph [0035] “The trained model may be used to classify new examples as anomalous or unanomalous.” Identified based at least in part on a classification model trained to recognize the anomaly classification is taught as the trained model used to classify the data points as anomalous or unanomalous.) using the at least one variable (Salunke: Paragraph: [0034] “Estimates may be compared with observed data points to determine whether the dependent variable is experiencing anomalous behavior.” Using the at least one variable is taught as determine whether the dependent variable is experiencing anomalous behavior.) and the at least one dimension of each time-varying data point associated with each event observation (Salunke: Paragraph [0070] “Training analytic 131 may receive, as input, a collection of data points in an arbitrary dimension. In some embodiments, the data may be multivariate, spanning two or more dimensions.” The at least one dimension of each time-varying data point associated with each event observation is taught as collection of data points that are multivariate spanning two or more dimensions. 
The data points are used by the trained model to classify anomalies.). 
 
Claim 7 is similarly rejected, refer to claim 16 for further analysis.

Regarding claim 17, Salunke in view of Sartran teaches the system of claim 16, wherein the at least one processor is further configured to: … of an event associated with the set of related event observations when the anomaly classification for the set of related event observations (Salunke: Paragraph [0061] “Additionally or alternatively, evaluation analytic 132 may output a set of data that indicates which sample data points within a given time series are anomalous and/or which sample data points are un-anomalous.” A set of related event observations when the anomaly classification for the set of related event observations is taught as output a set of data that indicates which sample data points within a given time series are anomalous.) determine a root cause type …is determined based at least in part on a root cause model trained to recognize the root cause type using the anomaly classification of the set of related event observations (Salunke: Paragraph [0044] “anomaly detection system stores mappings between different respective anomaly regions and respective anomaly classifiers. During the evaluation phase, the anomaly detection system may assign anomaly classifiers to detected anomalies based on the mappings. The anomaly classifiers may be used to identify different types of anomalies and/or root causes for the anomalies.” Determine a root cause type of an event is taught as the trained anomaly detection model which uses classifiers to identify different types of anomalies and or root causes for the anomalies (This reads on root cause model). Paragraph [0035] “The trained model may be used to classify new examples as anomalous or unanomalous.” Determined based at least in part on a root cause model trained to recognize the root cause type using the anomaly classification of the set of related event observations is taught as the trained model that uses anomaly classifiers to identify root causes for anomalies.)
and the at least one variable (Salunke: Paragraph: [0034] “Estimates may be compared with observed data points to determine whether the dependent variable is experiencing anomalous behavior.” Using the at least one variable is taught as determine whether the dependent variable is experiencing anomalous behavior.) and the at least one dimension of each time-varying data point associated with each event observation in the set of related event observations (Salunke: Paragraph [0070] “Training analytic 131 may receive, as input, a collection of data points in an arbitrary dimension. In some embodiments, the data may be multivariate, spanning two or more dimensions.” The at least one dimension of each time-varying data point associated with each event observation is taught as collection of data points that are multivariate spanning two or more dimensions. The data points are used by the trained model to classify anomalies.).
 
Claim 8 is similarly rejected, refer to claim 17 for further analysis.

Claims 9 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Salunke (U.S. 20200351283) in view of Sartran (U.S. 20170279694) and Ghare (U.S. 20190081876).

Regarding claim 9, Salunke in view of Sartran teaches the method of claim 1, Salunke does not explicitly disclose wherein the at least one data set comprise financial transaction data.
Ghare further teaches wherein the at least one data set comprise financial transaction data (Ghare: Paragraph [0017] “one or more other data records in the data stream (also known as outliers), may occur and provide valuable information about the behavior, performance, or operation of various entities associated with the data records, such as unusual, fraudulent, or erroneous user, system, or device behavior, in many different contexts (e.g., health metrics for computing systems, location data for applications in mobile devices, transaction information for retailers or financial institutions, etc.). ” Wherein the at least one data set comprise financial transaction data is taught as one or more data records include transaction information for financial institutions.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Salunke and Sartran with the financial transaction data records of Ghare in order to implement a method of providing valuable information about the behavior, performance or operation of various entities associated with the data records, thereby providing real time detection of anomalies to allow corrective measures to notify operators or stakeholders (Ghare: Paragraph [0017] “Corrective measures may be automatically taken, such as directing system shutdown, or enabling cooling measures, notifying operators or stakeholders.”).

Regarding claim 18, Salunke in view of Sartran teaches the system of claim 11, Salunke does not explicitly disclose wherein the at least one data set comprise transaction data representative of merchant transactions.
Ghare further teaches wherein the at least one data set comprise transaction data representative of merchant transactions (Ghare: Paragraph [0017] “one or more other data records in the data stream (also known as outliers), may occur and provide valuable information about the behavior, performance, or operation of various entities associated with the data records, such as unusual, fraudulent, or erroneous user, system, or device behavior, in many different contexts (e.g., health metrics for computing systems, location data for applications in mobile devices, transaction information for retailers or financial institutions, etc.). ” Wherein the at least one data set comprise transaction data representative of merchant transactions is taught as one or more data records include transaction information for financial institutions.).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Salunke and Sartran with the financial transaction data records of Ghare in order to implement a method of providing valuable information about the behavior, performance or operation of various entities associated with the data records, thereby providing real time detection of anomalies to allow corrective measures to notify operators or stakeholders (Ghare: Paragraph [0017] “Corrective measures may be automatically taken, such as directing system shutdown, or enabling cooling measures, notifying operators or stakeholders.”).

Claims 10, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Salunke (U.S. 20200351283) in view of Sartran (U.S. 20170279694) and Muddu (U.S. 20180367551).

Regarding claim 19, Salunke in view of Sartran teaches the system of claim 11, wherein the at least one processor is further configured to receive an annotation to the event record by a user of the at least one user from a computing device of the at least one computing device (Salunke: Paragraph [0035] “a user may label examples of anomalous and unanomalous behavior.” Receiving an annotation is taught by a user labeling examples of anomalous and unanomalous behavior (i.e., “event record”; the event record is read as a group of data, either anomalous or unanomalous). Further refer to Paragraph [0145] “the user provides a mapping of the anomaly labels and the associated probabilities.” Annotation to the event record is taught by the mapping of the anomaly labels used to generate the event records.);…
Salunke does not explicitly disclose wherein the annotation comprises a removal of a selected event observation from the set of related event observations.
Muddu further teaches wherein the annotation comprises a removal of a selected event observation from the set of related event observations (Muddu: Paragraph [0460] “Threats Review view 4000 additionally prompts the user to take “Actions” 4010, view additional “Details” 4011, or set up a “Watchlist” 4021. By clicking on the “Actions” tab 4010, the user can select from several options, as shown in FIG. 40C. If the user determines that the threat is not a concern, the user can select “Not a Threat” 4011. By making this selection, the user instructs the network security system to delete the threat page from the Threats View and to no longer identify it as a threat.” The annotation comprises a removal of a selected event observation from the set of related event observations is taught as threat review view that prompts the user to take actions by removing an anomaly and marking it as “not a threat”(modify the event linking the one or more event observations).).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Salunke and Sartran with the user selection/modification of anomalies using a GUI of Muddu in order to implement a method that allows a user to view anomalies and prompts a user to selectively filter/take actions towards the listed anomalies, thereby facilitating a user's ability to understand the connections and relationships between different entities and/or instances to better understand security risks and causes of a problem (Muddu: Paragraph [0448] “facilitate a user's ability to understand the connections and relationships between different entities and/or instances to better understand security risks and causes of a problem.”).

Regarding claim 20, Salunke in view of Sartran teaches the system of claim 11, wherein the at least one processor is further configured to generate an event management graphical user interface (GUI) to enable a user (Salunke: Paragraph [0065] “a frontend interface that allows clients 150a-k and/or other system components to invoke anomaly management services 130. Presentation engine 135 may render user interface elements and receive input via user interface elements. Examples of interfaces include a GUI,” Generate an event management graphical user interface (GUI) to enable a user is taught as a front end interface (GUI) that allows clients (i.e. a user) to invoke anomaly management services.) to manage events linking one or more event observations of the plurality of event observations (Salunke: Paragraph [0067] “access anomaly management services 130 to generate, view, and navigate summaries.” Paragraph [0111] “a data point labelled as unanomalous from being assigned to the same cluster as a data point labeled anomalous by the user. However, a data point labeled (e.g., anomalous) by the user may be assigned to the same cluster as a data point automatically assigned a different label (e.g., unanomalous). Further, data points with the same user-set labels may be placed in the same cluster or in different clusters, depending on the similarity of the feature vectors.” Events linking one or more event observations of the plurality of event observations is taught as clustering the anomalous data points. The examiner notes that linking events is interpreted as clustering the anomalous data points together.); wherein the event management GUI comprises (Salunke: Paragraph [0065] “a frontend interface that allows clients 150a-k and/or other system components to invoke anomaly management services 130. Presentation engine 135 may render user interface elements and receive input via user interface elements. Examples of interfaces include a GUI,” Generate an event management graphical user interface (GUI) to enable a user is taught as a front end interface (GUI) that allows clients (i.e. a user) to invoke anomaly management services.):…
Salunke does not explicitly teach … an event explorer view depicting each event observations of the plurality of event observation in a time-varying representation; an event selection prompt selectable from the explorer view to enable user selection of a previously recorded event linking the one or more event observations of the plurality of event observations; and an event modification prompt selectable from the event selection prompt to modify the event linking the one or more event observations; and wherein the event modification prompt comprises user selectable event details comprising: 
an event name, 
an event description, and 
an event classification.
Muddu further teaches … an event explorer view depicting each event observations of the plurality of event observation in a time-varying representation (Muddu: Paragraph [0471] “Threat Anomalies Trend 4070. This provides a line graph indicating the number of anomalies during periods of time. With this illustration, a GUI user can quickly discern whether a large number of anomalies occurred on a particular date or time period” An event explorer view depicting each event observations of the plurality of event observation in a time-varying representation is taught as the threat anomalies trend which provides a line graph indicating the number of anomalies during periods of time.); an event selection prompt selectable from the explorer view to enable user selection of a previously recorded event (Muddu: Paragraph [0464] “additionally prompts the user to click a “View All 3 Anomalies” link. As shown in FIG. 42, clicking on this link causes the GUI to generate an Anomalies Table view 4200 that lists and provides high-level information about the three anomalies.” An event selection prompt selectable from the explorer view to enable user selection of a previously recorded event is taught as the threats review view which prompts a user to click view anomalies that were previously recorded.) linking the one or more event observations of the plurality of event observations (Muddu: Paragraph [0464] “additionally prompts the user to click a “View All 3 Anomalies” link. As shown in FIG. 42, clicking on this link causes the GUI to generate an Anomalies Table view 4200 that lists and provides high-level information about the three anomalies.” Linking the one or more event observations of the plurality of event observations is taught as viewing the 3 anomalies that are listed together in the GUI Anomalies Table view.); and an event modification prompt selectable from the event selection prompt to modify the event linking the one or more event observations (Muddu: Paragraph [0460] “Threats Review view 4000 additionally prompts the user to take “Actions” 4010, view additional “Details” 4011, or set up a “Watchlist” 4021. By clicking on the “Actions” tab 4010, the user can select from several options, as shown in FIG. 40C. If the user determines that the threat is not a concern, the user can select “Not a Threat” 4011. By making this selection, the user instructs the network security system to delete the threat page from the Threats View and to no longer identify it as a threat.” An event modification prompt selectable from the event selection prompt to modify the event linking the one or more event observations is taught as threat review view that prompts the user to take actions by removing an anomaly and marking it as “not a threat”(modify the event linking the one or more event observations).); and wherein the event modification prompt comprises user selectable event details comprising (Muddu: Paragraph [0460] “Threats Review view 4000 additionally prompts the user to take “Actions”” Wherein the event modification prompt comprises user selectable event details comprising is taught as the Threats Review prompts the user to take actions.): 
an event name (Muddu: Paragraph [0472] “ The “Details” version of the Threats Review view 4000 also includes a Threat Anomalies listing 4080. In the listing, each entry is associated with an “Anomaly Type” 4082, one or more “Participants” 4083, a “Summary” 4084, an “Event Date” 4095, and a “Score” 4086.” An event name is taught as the threat anomalies listing with the anomaly types as the event names.), 
an event description (Muddu: Paragraph [0457] “each “Threat Review” view 4000 can identify a particular threat by its type and provides a summary description” An event description is taught as a summary description of the threat.), and 
an event classification (Muddu: Paragraph [0457] “ each “Threat Review” view 4000 can identify a particular threat by its type and provides a summary description” An event classification is taught as the threat type.).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Salunke and Sartran with the user selection/modification of anomalies using a GUI of Muddu in order to implement a method that allows a user to view anomalies and prompts a user to selectively filter/take actions towards the listed anomalies, thereby facilitating a user's ability to understand the connections and relationships between different entities and/or instances to better understand security risks and causes of a problem (Muddu: Paragraph [0448] “facilitate a user's ability to understand the connections and relationships between different entities and/or instances to better understand security risks and causes of a problem.”).

Claim 10 is similarly rejected, refer to claim 20 for further analysis.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AHSIF A. SHEIKH whose telephone number is (571)272-2607.  The examiner can normally be reached on Mon-Fri 7:30-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexey Shmatov can be reached on 571-270-3428.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ALEXEY SHMATOV/
Supervisory Patent Examiner, Art Unit 2123