DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to the Amendment filed on 09/09/2021.
In the instant Amendment: Claims 1, 8, and 15 have been amended and Claims 1, 8 and 15 are independent claims. Claims 1-4, 6-11, 13-18, and 20-21 have been examined and are pending. This Action is made FINAL.          
Response to Arguments
Applicants' arguments in the instant Amendment with respect to 35 U.S.C. 101 have been fully considered but they are not persuasive.
Applicant’s Arguments: claim 1 is statutory under 35 U.S.C. 101 because the amended claim recites “analyzing a clustering behavior of the first component across the plurality of time periods” See Remarks at 9. (Emphasis original). 
Examiner's Response: Under the 2019 Revised Patent Subject Matter Eligibility Guidance (“2019 PEG”), effective January 7, 2019, independent claims 1, 8 and 15 are rejected under 35 U.S.C. 101 because the claims are directed to an abstract idea without being integrated into a practical application nor being significantly more.  
The claims recite the limitations of “monitoring” and “clustering” statistical data regarding an performance metrics of devices, applications, or network elements, “determining a correspondence” between network usage behavior statistics (e.g., overlap of clusters representing usage behavior at different time periods), “analyzing a clustering behavior…across the plurality of time periods” are directed to an abstract idea because 
This judicial exception is not integrated into a practical application. It is noted that the claims recite additional elements of a “system” and “processor” to perform the monitoring, clustering, and determining whether the component is operating anomalously. However, such additional elements are recited at a high-level of generality (i.e., as a generic processor performing a generic computer function of monitoring, clustering, determining and analyzing data), such that it amounts no more than mere instructions to apply the exception using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Therefore, the claims are not integrated into a practical application. 
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. It is noted that the claim recites some additional elements such as “metrics” of network “components.” However, these additional elements, taken individually and as a combination, do not result in the claim amounting to significantly more than the abstract idea because “component” and “metrics” are recited as performing generic computer functions routinely used in information collection, measurement, processing, and analysis (See Specification at [0001]-[0003]. Enterprise computing environments today commonly include large, complex networks of devices (e.g., a network device such as a routers or firewalls or a computing device such as a server). [In many] current anomaly detection methods, the device may be detected as being in anomalous operation if that device's operations deviate from the normal range of operating behaviors. Seto at [0002]. Computer monitoring is a wide field that may encompass any type of status reporting, alerting, or other management tools that may help maintain production computer systems. Computer monitoring may include hardware status and performance, network monitoring, software performance analysis, and many other components. Weizman [0002], [0004]. Publicly-facing web services, including web applications, generally accept connections from anywhere on the Internet. A system administrator may therefore attempt to configure their web service to identify signatures of these known vulnerability scanners and prevent the web service from responding to the known vulnerability scanners.). 
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to the integration of abstract idea into a practical application, the additional element of “component” and “metrics” amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. Therefore, these claims are not patent eligible. 
Applicants' arguments in the instant Amendment, filed on 09/09/2020, with respect to limitations listed below, have been fully considered but they are not persuasive.
Applicant Argues: Seto in view of Weizman do not disclose “each metric of a component relating to an operation or performance of the component” and “determining whether the first cluster to which the first component is assigned and the second cluster to which the first component is assigned for the first and second adjacent time periods correspond to each other based on a number of common components” of amended claim 1. See Remarks at 12 (emphasis original). 
The examiner respectfully disagrees because these arguments are not persuasive. 
In regards to, “each metric of a component relating to an operation or performance of the component,” the Specification discloses “each component can be represented as a vector … For example, one element in the vector may correspond to a measurement for a metric (e.g., CPU load, throughput, bandwidth [memory] usage, etc.) being monitored.” See Specification ¶ [0039] (emphasis added). Similarly, Seto teaches that the input data for clustering analysis “may also include performance metrics, such as processing time, memory latency, memory consumption, peripheral operations, and other information. Each of the time series observations may be treated as a vector with many parameters.” See Seto ¶ [0044] (emphasis added). Because both the Specification and Seto teach generating vector representations computing device memory/processing performance metrics, applicant’s argument is unpersuasive. Thus, Seto teaches “each metric of a component relating to an operation or performance of the component” of amended claim 1. 
In regards to, “determining whether the first cluster to which the first component is assigned and the second cluster to which the first component is assigned for the first and second adjacent time periods correspond to each other based on a number of common components,” Applicant further alleges that Seto and Weizman fails to teach the amendment because (1) the applicant requires each cluster contains the same “first component” and is associated with a different period, and (2) based on a number of common components.” See Remarks at 15 (emphasis added). 
Contrary to applicant’s assertions, Seto explains that computing device performance metrics “such as processing time, memory latency, memory consumption, peripheral operations, and other information… may be treated as a vector with many parameters” for a time-based statistical clustering analysis. Seto ¶ [0044] (emphasis added). Furthermore, Weizman teaches “[a]ll of these feature vectors are then clustered and the resulting clusters are compared to the [previously] known vulnerability scanner clusters. In the case that a detected vector-based cluster overlaps with a vulnerability scanner cluster” an alarm/notification is generated. On the other hand, “clusters of observed traffic at a greater distance from clusters of known vulnerability scanners are ignored as regular traffic.” See Weizman ¶ [0039] (emphasis added). 
Because Seto and Weizman teach (1) generating vectors representing same or similar computing device performance metrics (e.g., common components) for different time periods and, (2) determining if these vector-based clusters for different time periods sufficiently overlaps (i.e., a number/proportion of commonality) with previously determined clusters representing known abnormal behavior, Seto and Weizman teach a statistical clustering method comprising the step of “determining whether the first cluster to which the first component is assigned and the second cluster to which the first component is assigned for the first and second adjacent time periods correspond to each other based on a number of common components” of amended claim 1. 

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-4, 6-11, 13-18, and 20-21 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.
Under the 2019 Revised Patent Subject Matter Eligibility Guidance (“2019 PEG”), effective January 7, 2019, independent claims 1, 8 and 15 are rejected under 35 U.S.C. 101 because the claims are directed to an abstract idea without being integrated into a practical application nor being significantly more.  
The claims recite the limitations of  “determining a correspondence” between network usage behavior statistics (e.g., overlap of clusters representing usage behavior at different time periods), “analyzing a clustering behavior…across the plurality of time periods” are directed to an abstract idea because these claim limitations, under its broadest reasonable interpretation, covers processes that could be performed in the human mind. Thus, these limitations falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
This judicial exception is not integrated into a practical application.  It is noted that the claims recite additional elements of a “computing system” and “processor” to i.e., as a generic processor performing a generic computer function of monitoring, clustering, determining and analyzing data), such that it amounts no more than mere instructions to apply the exception using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Therefore, the claims are not integrated into a practical application. 
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. It is noted that the claim recites some additional elements such as “detection device” receiving data and “metrics” of “components operating in a computing system.” However, these additional elements, taken individually and as a combination, do not result in the claim amounting to significantly more than the abstract idea because such “detection device” receiving data and “metrics” of “components operating in a computing system” are recited as performing generic computer functions routinely used in information collection, measurement, processing, and analysis (See Specification at [0001]-[0003]. Enterprise computing environments today commonly include large, complex networks of devices (e.g., a network device such as a routers or firewalls or a computing device such as a server). [In many] current anomaly detection methods, the device may be detected as being in anomalous operation if that device's operations deviate from the normal range of operating behaviors. Seto at [0002]. Computer monitoring is a wide field that may encompass any type of status reporting, alerting, or other management tools that may help maintain production computer systems. Computer monitoring may include hardware status and performance, network monitoring, software performance analysis, and many other components. Weizman [0002], [0004]. Publicly-facing web services, including web applications, generally accept connections from anywhere on the Internet. A system administrator may therefore attempt to configure their web service to identify signatures of these known vulnerability scanners and prevent the web service from responding to the known vulnerability scanners.). 
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to the integration of abstract idea into a practical application, the additional element of “detection device” receiving data and “metrics” of “components operating in a computing system” amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. Therefore, these claims are not patent eligible. 
Regarding claims 2-4, 6-7, 9-11, 13-14, 16-18, and 20-21, claims 2-4, 6-7, 9-11, 13-14, 16-18, and 20-21 are also rejected under 35 U.S.C 101 as being directed to non-statutory subject matter for the same reasons addressed above as the claims do not contain any element or combination of elements that is sufficient to ensure that the patent in practice amounts to significantly more than a patent upon the ineligible concept itself. See Alice Corporation v. CLS Bank International, (S.Ct.2014). See also Intellectual Ventures LLC v. Symantec Corp. (Fed. Cir. 2016), Electric Power Group, LLC v. Alstom SA (Fed. Cir. 2016), Affinity Labs of Texas LLC v. Amazon.com Inc. (Fed. Cir. 2016).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically discloses as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 4, 8, 9, 11, 15, 16, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Seto (“Seto,” US 2015/0205692, published July 23, 2015) in view of Weizman et al. (“Weizman,” US 2019/0306178, filed Mar. 30, 2018). 
Regarding claim 1, Seto discloses a method of detecting an anomaly among a plurality of components operating in a computing system, comprising: 
communicatively coupling an anomaly detection device to the plurality of components operating in the computing system, wherein the anomaly detection device is configured to receive data from each component of the plurality of components (Seto FIGs 2, 4, ¶¶ [0100], [0107], [0135], [0139]. One or more monitored devices 240 may be connected over a network 243 to the device 202. The monitored devices 240 may collect the raw tracer data, which may be transmitted to the device 202. A time series intake 222 may collect time series data from various monitored devices and may pass the data to an event tagger 224. The event tagger 224 may tag the incoming data with any events that may be observed. The analysis system 404 [ ] may include the time series intake 222 and event tagger 224 of embodiment 200. The analysis system 404 may analyzed the time series data for events in block 416. The analysis of block 416 may include analyzing the incoming data for any anomalies.); 
at the anomaly detection device, monitoring a plurality of metrics of the plurality of components across a plurality of time periods comprising a first time period and a second time period adjacent to the first time period (Seto FIG. 2, [0027], [0029], [0032], [0044]. The observations stored in a database may be aggregations of individual observations. For example, the database may contain aggregated observations for a specific time interval such as the number, average, median, or other summary of observations taken over a period of time. The time period may be any interval, from nanoseconds, milliseconds, micro seconds, seconds, minutes, hours, to days or longer. The time series database may include observations from one or many devices. Predictions may be generated by searching a time series database to find similar historical time series segments that may be similar to a currently observed time series segment. In many cases, the time series data may also include performance metrics, such as processing time, memory latency, memory consumption, peripheral operations, and other information.), 
wherein each metric is based on the data received at the anomaly detection device from each of the components of the plurality of components operating in the computing system (Seto FIGs 2, 4, ¶¶ [0100], [0107], [0135], [0139]. One or more monitored devices 240 may be connected over a network 243 to the device 202. The monitored devices 240 may collect the raw tracer data, which may be transmitted to the device 202. A time series intake 222 may collect time series data from various monitored devices and may pass the data to an event tagger 224. The event tagger 224 may tag the incoming data with any events that may be observed. The analysis system 404 [ ] may include the time series intake 222 and event tagger 224 of embodiment 200. The analysis system 404 may analyzed the time series data for events in block 416. The analysis of block 416 may include analyzing the incoming data for any anomalies.), 
each metric of a component relating to an operation or a performance of the component during the operation of the computing system for a time period of the plurality of time periods (Seto FIG. 2, [0027], [0029], [0032], [0044]. The observations stored in a database may be aggregations of individual observations. For example, the database may contain aggregated observations for a specific time interval such as the number, average, median, or other summary of observations taken over a period of time. The time period may be any interval, from nanoseconds, milliseconds, micro seconds, seconds, minutes, hours, to days or longer. The time series database may include observations from one or many devices. Predictions may be generated by searching a time series database to find similar historical time series segments that may be similar to a currently observed time series segment. In many cases, the time series data may also include performance metrics, such as processing time, memory latency, memory consumption, peripheral operations, and other information.); 
for the first time period, clustering the plurality of components into a first plurality of clusters based on a first plurality of measurements of the components obtained in the first time period, the first plurality of measurements corresponding to the plurality of metrics monitored in the first time period, wherein a first component of the Seto FIGs 1-2, [0027], [0029], [0044], [0114] – [0115]. The observations stored in a database may be aggregations of individual observations. For example, the database may contain aggregated observations for a specific time interval such as the number, average, median, or other summary of observations taken over a period of time. The time period may be any interval, from nanoseconds, milliseconds, micro seconds, seconds, minutes, hours, to days or longer. The time series database may include observations from one or many devices. In many cases, the time series data may also include performance metrics, such as processing time, memory latency, memory consumption, peripheral operations, and other information. The time series observations may include performance and other observations for an application, which may include many tens or even hundreds of observations in each time interval. These observations may be converted to principal components, then have clustering and other analysis performed on the data.); 
for the second time period, clustering the plurality of components into a second plurality of clusters based on a second plurality of measurements of the components obtained in the second time period, the second plurality of measurements corresponding to the plurality of metrics monitored in the second time period, wherein the first component is assigned to a second cluster of the second plurality of clusters (Seto FIGs 1-2, [0027], [0029], [0044], [0114] – [0115]. The observations stored in a database may be aggregations of individual observations. For example, the database may contain aggregated observations for a specific time interval such as the number, average, median, or other summary of observations taken over a period of time. The time period may be any interval, from nanoseconds, milliseconds, micro seconds, seconds, minutes, hours, to days or longer. The time series database may include observations from one or many devices. In many cases, the time series data may also include performance metrics, such as processing time, memory latency, memory consumption, peripheral operations, and other information. The time series observations may include performance and other observations for an application, which may include many tens or even hundreds of observations in each time interval. These observations may be converted to principal components, then have clustering and other analysis performed on the data. When clustering analysis may be applied to the transformed data, many applications can be visualized as operating in several distinct modes); and
analyzing a clustering behavior of the first component across the plurality of time periods to determine whether the first component is operating anomalously, wherein analyzing the clustering behavior comprises determining whether the first and second clusters to which the first component is assigned for the first and second adjacent time periods correspond to each other [based on a number of common components determined between the first and second clusters] (Seto FIGs. 1, 12, [0027], [0054]- [0056]. The observations stored in a database may be aggregations of individual observations. The time period may be any interval , from nanoseconds, milliseconds, micro seconds, seconds, minutes, hours, to days or longer. A set of observations that define a baseline behavior of a computer application may be used to generate a dimensionality reduction analysis transformation. The transformation may be applied to the original set of observations to create a set of clusters of observations. A newly received observation may be compared to the baseline observations by transforming the new observation and comparing it to previous observations. A newly received observation may be analyzed by applying the dimensionality reduction analysis transformation, then comparing the transformed observation to any clusters of previously observed behavior. When the new observation is near or within a cluster of previously observed behavior, the new observation may be considered routine. When the new observation is outside a previously observed cluster, the new observation may indicate an anomaly.). 
Seto does not explicitly disclose: wherein analyzing the clustering behavior comprises determining whether the first cluster to which the first component is assigned and the second cluster to which the first component is assigned for the first and second adjacent time periods correspond to each other based on a number of common components determined between the first and second clusters. 
However, in an analogous art, Weizman discloses a method, comprising: wherein analyzing the clustering behavior comprises determining whether the first cluster to which the first component is assigned and the second cluster to which the first component is assigned [for the first and second adjacent time periods] correspond to each other based on a number of common components determined between the first and second clusters (Weizman FIG. 7C, [0038] – [0039], [0061]. All of these feature vectors are then clustered and the resulting clusters are compared to the known vulnerability scanner clusters. In the case that a detected cluster overlaps with a vulnerability scanner cluster, [ ] the system administrator for the corresponding web service can be notified. The client may be defined by the combination of source Internet Protocol ( IP ) address and user agent string. Finally, clusters of observed traffic at a greater distance from clusters of known vulnerability scanners are ignored as regular traffic.). 
See Weizman [0039].). 
Regarding claim 2, Seto and Weizman disclose the method of claim 1. Weizman further discloses wherein determining whether the first and second clusters correspond to each other comprises: 
computing a first proportion of components in the first cluster that are common to the second cluster; computing a second proportion of components in the second cluster that are common to the first cluster (Weizman FIG. 7C, [0038] – [0039]. Once clusters of known vulnerability scanner activity are determined, logs of HTTP requests can be analyzed for similarity to the known vulnerability scanner activity. For example, HTTP requests received by multiple web services can be analyzed and, for each client (defined by IP address and user agent) exchange with a web service, a feature vector is determined. The client - service feature vector includes [ ] how many times that feature was present in the traffic sent by the client to the web service. All of these feature vectors are then clustered and the resulting clusters are compared to the known vulnerability scanner clusters. In the case that a detected cluster overlaps with a vulnerability scanner cluster, this is an indication that the vulnerability scanner was active and the system administrator for the corresponding web service can be notified. If a cluster of observed traffic is close to a cluster of a known vulnerability scanner, this new cluster may be considered an evolution or variation of the vulnerability scanner and added to the set of vulnerability scanner clusters. The system administrator is again notified that vulnerability scanning activity has occurred. Finally, clusters of observed traffic at a greater distance from clusters of known vulnerability scanners are ignored as regular traffic.); 
and40 va-509353Docket No.: 69959-20065.00determining that the first cluster and the second cluster correspond to each other if at least one of the first proportion and the second proportion exceeds a threshold proportion (Weizman FIG. 7C, [0039], [0088]-[0089], [0093]. In the case that a detected cluster overlaps with a vulnerability scanner cluster, this is an indication that the vulnerability scanner was active and the system administrator for the corresponding web service can be notified. At 740 in FIG .7C, control loads vulnerability scanner cluster definitions. At 744, control groups vectors determined in FIG. 7B into a set of clusters, such as by using k - means clustering. At 748, control selects the first cluster of the set of clusters. At 752 , control identifies the vulnerability scanner cluster having a minimum distance to the selected cluster At 756 , control determines whether the distance between the identified cluster and the selected cluster is below a [ ] threshold. At 776, control stores the definition of the selected cluster as a potential vulnerability scanner cluster. At 796, control selectively reports the potential vulnerability scanning activity to the administrator.). 
The motivation is the same as that of claim 1 above. 
Regarding claim 4, Seto and Weizman disclose the method of claim 1. Seto further discloses wherein the plurality of metrics comprises one or more of a central processing unit (CPU) usage, a memory usage, or a throughput (Seto [0044]. In many cases, the time series data may also include performance metrics, such as processing time, memory latency, memory consumption, peripheral operations, and other information. Each of the time series observations may be treated as a vector with many parameters, sometimes as many as ten, twenty, or even a hundred or more parameters.). 
Regarding claim 8, claim 8 corresponds to a system corresponding to the method of claim 1. Claim 8 is similar in scope to claim 1 and is therefore rejected under similar rationale. 
Regarding claim 9, claim 9 corresponds to a system corresponding to the method of claim 2. Claim 9 is similar in scope to claim 2 and is therefore rejected under similar rationale. 
Regarding claim 11, claim 11 corresponds to a system corresponding to the method of claim 4. Claim 11 is similar in scope to claim 4 and is therefore rejected under similar rationale. 
Regarding claim 15, claim 15 corresponds to a non-transitory computer-readable storage medium corresponding to the method of claim 1. Claim 15 is similar in scope to claim 1 and is therefore rejected under similar rationale. 
Regarding claim 16, claim 16 corresponds to a non-transitory computer-readable storage medium corresponding to the method of claim 2. Claim 16 is similar in scope to claim 2 and is therefore rejected under similar rationale. 
Regarding claim 18, claim 18 corresponds to a non-transitory computer-readable storage medium corresponding to the method of claim 4. Claim 18 is similar in scope to claim 4 and is therefore rejected under similar rationale. 
Claims 3, 10, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Seto (“Seto,” US 2015/0205692, published July 23, 2015) in view of Weizman et al. (“Weizman,” US 2019/0306178, filed Mar. 30, 2018) and further in view of Cohen et al. (“Cohen,” US 2016/0344758, published Nov. 24, 2016). 
Regarding claim 3, Seto and Weizman disclose the method of claim 2. Seto and Weizman do not explicitly disclose: wherein the first proportion of components and the second proportion of components are each computed based on the determined number of common components between the first and second clusters.
However, in an analogous art, Cohen discloses wherein the first proportion of components and the second proportion of components are each computed based on the determined number of common components between the first and second clusters (Cohen [0220]-[0221], [0222]. For example, the resolver 226 may compare the data items within a cluster 252-1 to the data items within each one of the other clusters 252-2 through 252-C. If the resolver 226 finds the same data item within the cluster 252-1 and a second cluster 252-C, then the resolver 226 may merge the two clusters 252-1 and 252-C into a single larger cluster 252. For example, the cluster 252-1 and cluster 252-C may both include the same customer. The resolver 226 may compare the data items of cluster 252-1 to the data items of cluster 252-C and detect the same customer in both clusters 252. The resolver 226 may test each pair of clusters 252 to identify overlapping clusters 252. Although the larger clusters 252 may be better investigation starting points, an analyst may want to understand how the resolver 226 formed the larger clusters 252. In an embodiment, cluster merging (for example, by resolver 226) may be optionally disabled for particular types of data items, and/or particular data items. For example, when a particular data item, or type of data item, is so common that it may be included in many different clusters (for example, an institutional item Such as a bank), merging of cluster based on that common item (for example, the particular bank) or common type of item (for example, banks in general) may be disabled. In various embodiments, cluster merging may be disabled based on other criteria. For example, cluster merging between two related clusters may be disabled when one or both of the two clusters reach a particular size (for example, include a particular number of data items).
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Cohen with the teachings of Seto in view of Weizman to include the step of: wherein the first proportion of components and the second proportion of components are each computed based on the determined number of common components between the first and second clusters, to provide users with a means for optimizing statistical clustering analysis through detecting common elements among clusters, analyzing the nature of See Cohen [0220]). 
Regarding claim 10, claim 10 corresponds to a system corresponding to the method of claim 3. Claim 10 is similar in scope to claim 3 and is therefore rejected under similar rationale. 
Regarding claim 17, claim 17 corresponds to a non-transitory computer-readable storage medium corresponding to the method of claim 3. Claim 17 is similar in scope to claim 3 and is therefore rejected under similar rationale. 
Claims 6, 13, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Seto (“Seto,” US 2015/0205692, published July 23, 2015) in view of Weizman et al. (“Weizman,” US 2019/0306178, filed Mar. 30, 2018) and further in view of Seow (“Seow,” 2014/0003710, published Jan. 2, 2016). 
Regarding claim 6, Seto and Weizman disclose the method of claim 1. Seto and Weizman do not explicitly disclose: wherein the clustering is performed using an unsupervised clustering algorithm that does not require a number of clusters as an input. 
However, in an analogous art, Seow discloses wherein the clustering is performed using an unsupervised clustering algorithm that does not require a number of clusters as an input (Seow [0023]. The machine-learning engine 140 may be configured to analyze the received data, cluster objects having similar visual and/or kinematic features, build semantic representations of events depicted in the video frames. Over time, the machine learning engine 140 learns expected patterns of behavior for objects that map to a given cluster. Thus, over time, the machine learning engine learns from these observed patterns to identify normal and/or abnormal events. That is, rather than having patterns, objects, object types, or activities defined in advance, the machine learning engine 140 builds its own model of what different object types have been observed (e.g., based on clusters of kinematic and or appearance features) as well as a model of expected behavior for a given object type.). 
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Seow with the teachings of Seto and Weizman to include the step of: wherein the clustering is performed using an unsupervised clustering algorithm that does not require a number of clusters as an input, to provide users with a means for using unsupervised machine learning to recognize expected patterns of behavior through building and updating on learned patterns of received raw data. (See Seow [0023]). 
Regarding claim 13, claim 13 corresponds to a system corresponding to the method of claim 6. Claim 13 is similar in scope to claim 6 and is therefore rejected under similar rationale. 
Regarding claim 20, claim 20 corresponds to a non-transitory computer-readable storage medium corresponding to the method of claim 6. Claim 20 is similar in scope to claim 6 and is therefore rejected under similar rationale. 
Claims 7, 14, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Seto (“Seto,” US 2015/0205692, published July 23, 2015) in view of Weizman et al. . 
Regarding claim 7, Seto and Weizman disclose the method of claim 5. Seto and Weizman do not explicitly disclose: wherein the unsupervised clustering algorithm comprises density-based spatial clustering of applications with noise (DBSCAN), affinity propagation, or agglomerative clustering. 
However, in an analogous art, Morris discloses a method wherein the unsupervised clustering algorithm comprises density-based spatial clustering of applications with noise (DBSCAN), affinity propagation, or agglomerative clustering (Morris [0140]. For example, the UMLE may use a clustering technique to cluster the unsupervised feature vectors to determine whether any of the entities are exhibiting unusual behavior. The UMLE may use any clustering algorithm (e.g., K-means, affinity propagation, mean-shift, spectral clustering, Ward hierarchical clustering, agglomerative clustering, density-based spatial clustering of applications with noise (DBSCAN), Gaussian mixtures, Birch, shared nearest neighbors, etc.). The clustering algorithm may use a distance metric such as Euclidean distance, Manhattan distance, cosine distance, etc. to determine distances between unsupervised feature vectors when clustering.) . 
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Morris with the teachings of Seto and Weizman to include the step of: wherein the unsupervised clustering algorithm comprises density-based spatial clustering of applications with noise (DBSCAN), affinity propagation, or agglomerative clustering, to See Morris [0140]). 
Regarding claim 14, claim 14 corresponds to a system corresponding to the method of claim 7. Claim 14 is similar in scope to claim 7 and is therefore rejected under similar rationale. 
Regarding claim 21, claim 21 corresponds to a non-transitory computer-readable storage medium corresponding to the method of claim 7. Claim 21 is similar in scope to claim 7 and is therefore rejected under similar rationale. 

Conclusion
THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  
Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/EDWARD LONG/
Examiner, Art Unit 2439


/LUU T PHAM/               Supervisory Patent Examiner, Art Unit 2439