Detailed Action
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 are pending for examination. Claims 1, 8, and 15 are independent. 

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/13/2017 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-3, 6-10, 13-17, and 19-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.

When considering subject matter eligibility under 35 U.S.C. 101, it must be determined whether the claim is directed to one of the four statutory categories of invention, i.e., process, machine, manufacture, or composition of matter (Step 1). If the claim does fall within one of the statutory categories, the second step in the analysis is to determine whether the claim is directed to a judicial exception (Step 2A). See the 2019 PEG for more details of the analysis.

Step 1
According to the first part of the analysis, in the instant case, claims 1-7 are directed to a method, claims 8-14 are directed to a computer program product, and claims 15-20 are directed to a system. Thus, each of the claims falls within one of the four statutory categories (i.e. process, machine, manufacture, or composition of matter).

Step 2A, Prong 1
Following the determination of whether or not the claims fall within one of the four categories (Step 1), it must be determined if the claims recite a judicial exception (e.g. 

	Regarding Claims 1, 8, and 9, which recite:
evaluating by a probability function the measurement metric for each event to determine when any of the value attribute, the change attribute, the streak size attribute and the streak duration attribute is above a predetermined probability threshold or below a probability threshold wherein above a probability threshold or below a probability threshold is classified as alarm data (This step appears to be practically implementable in the human mind and is understood to be a recitation of a mental process and math.);
	processing the alarm data through a decision tree to determine based on historical data when the alarm data is significant or when the alarm data is not significant and to reduce the number of alarm data to a predetermined number of significant alarm data (This step appears to be practically implementable in the human mind and is understood to be a recitation of a mental process and math.);
	
Regarding Claims 2, 9, and 16, which recite:
wherein the evaluating by the probability function includes a mean function and a standard deviation function (This step appears to be a recitation of mathematical concepts.).

Regarding Claims 3, 10, and 17, which recite:
processing the alarm data through the decision tree to determine when the alarm data is significant or when the alarm data is not significant includes a probability that the alarm data is significant or that the alarm data is not significant (This step appears to be practically implementable in the human mind and is understood to be a recitation of a mental process and math.)

Regarding Claims 6, 13, and 19, which recite:
wherein processing the alarm data through the decision tree to determine when the alarm data is significant or when the alarm data is not significant further to determine when the alarm data is not significant but the alarm data is unusual in that an odd pattern of data emerges (This step appears to be practically implementable in the human mind and is understood to be a recitation of a mental process and math.)

Step 2A, Prong 2
Following the determination that the claims recite a judicial exception, it must be determined if the claims recite additional elements that integrate the exception into a practical application of the exception (Step 2A, Prong 2). In this case, after considering all claim elements individually and as an ordered combination, it is determined that the claims do not include additional elements that integrate the exception into a practical application of the exception as explained below.

Regarding Claims 1, 8, and 9, which recite:
receiving event information pertaining to events occurring with respect to a computing environment (This step appears to be directed to transmitting or receiving information, which is understood to be insignificant extra-solution activity. See MPEP 2106.05(g).);
each event having a measurement metric, the measurement metric for each event including a value attribute, a change attribute, a streak size attribute and a streak duration attribute wherein the value attribute is the original series of measurement data over one or more measurement periods, the change attribute is the change of value at a current measurement period relative to a previous measurement period, the streak size attribute is the size of continuous change in one direction as positive, negative or flat and the streak duration attribute is the number of measurement periods of continuous change in one direction as positive, negative or flat (The specification of data to be stored is understood to be a field of use limitation. See MPEP 2106.05(h).);
	displaying the predetermined number of significant alarm data to a user (This step appears to be directed to displaying information, which is understood to correspond to insignificant extra-solution activity. See MPEP 2106.05(g).);
	
	Regarding Claims 7, 14, and 20, which recite:
	wherein the computing environment is a cloud environment (Cloud computing is understood to be generic computer equipment. See MPEP 2106.05(f).).

Step 2B
Based on the determination in Step 2A of the analysis that the claims are directed to a judicial exception, it must be determined if the claims contain any element or combination of elements sufficient to ensure that the claim amounts to significantly more than the judicial exception (Step 2B). In this case, after considering all claim elements individually and as an ordered combination, it is determined that the claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception for the same reasons given above in the Step 2A, Prong 2 analysis. Furthermore, each additional element identified above as being insignificant extra-solution activity is also well-known, routine, and conventional, as described below.

Regarding Claims 1, 8, and 9, which recite:
receiving event information pertaining to events occurring with respect to a computing environment (This step appears to be directed to transmitting or receiving information, which is understood to be insignificant extra-solution activity. See MPEP 2106.05(g).);
each event having a measurement metric, the measurement metric for each event including a value attribute, a change attribute, a streak size attribute and a streak duration attribute wherein the value attribute is the original series of measurement data over one or more measurement periods, the change attribute is the change of value at a current measurement period relative to a previous measurement period, the streak size attribute is the size of continuous change in one direction as positive, negative or flat and the streak duration attribute is the number of measurement periods of continuous change in one direction as positive, negative or flat (The specification of data to be stored is understood to be a field of use limitation. See MPEP 2106.05(h).);
	displaying the predetermined number of significant alarm data to a user (This step appears to be directed to displaying information, which is understood to correspond to insignificant extra-solution activity. See MPEP 2106.05(g).);
	
	Regarding Claims 7, 14, and 20, which recite:
	wherein the computing environment is a cloud environment (Cloud computing is understood to be generic computer equipment. See MPEP 2106.05(f).).
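The claim elements quoted in the Step 2A and Step 2B analysis above (the four-attribute measurement metric, the mean/standard-deviation probability threshold that classifies alarm data, and the reduction to a predetermined number of significant alarms) are worked through below as an added, runnable example. It is not code from the office action, the application under examination, or the Brill or Muddu references. The sample series, the choice of "more than k population standard deviations from the mean" as the probability threshold, and the hand-written `classify_alarm` rule standing in for the claimed decision tree are all assumptions made for illustration.

```python
"""Added example: the four claimed measurement-metric attributes, a mean/standard-
deviation 'probability threshold' and a stand-in for the claimed decision tree.
Constructed for illustration; not code from the office action, the application,
Brill or Muddu."""
from dataclasses import dataclass
from statistics import mean, pstdev

ATTRS = ("value", "change", "streak_size", "streak_duration")

# Constructed sample: one metric sampled over 12 measurement periods, with a
# long flat run, a three-period rising streak and a sharp drop back.
SAMPLE_SERIES = [10, 10, 10, 10, 10, 12, 14, 16, 10, 10, 10, 10]


@dataclass
class MetricRow:
    period: int
    value: float            # original measurement for this period
    change: float           # value now minus value in the previous period
    streak_size: float      # accumulated magnitude of continuous change in one direction
    streak_duration: int    # number of periods the current direction has persisted
    direction: str          # "positive", "negative" or "flat"


def compute_attributes(series, flat_tolerance=0.0):
    """Derive the value/change/streak size/streak duration attributes per period."""
    rows, prev, direction, size, duration = [], None, "flat", 0.0, 0
    for i, v in enumerate(series):
        change = 0.0 if prev is None else float(v - prev)
        if abs(change) <= flat_tolerance:
            d = "flat"
        elif change > 0:
            d = "positive"
        else:
            d = "negative"
        if prev is None or d != direction:
            # direction changed: a new streak starts at this period
            direction, size, duration = d, abs(change), 1
        else:
            size += abs(change)
            duration += 1
        rows.append(MetricRow(i, float(v), change, size, duration, direction))
        prev = v
    return rows


def classify_alarm(triggered):
    """Hand-written stand-in for the claimed decision tree (an assumption, not
    Brill's tree): magnitude-based triggers are significant; a trigger on streak
    duration alone is an odd pattern that is unusual but not significant."""
    if "value" in triggered or "change" in triggered:
        return "significant"
    if triggered == ["streak_duration"]:
        return "unusual"
    return "not_significant"


def flag_alarms(rows, k=2.0):
    """Classify a period as alarm data when any attribute lies more than k
    population standard deviations from that attribute's mean over the window
    (the mean/standard-deviation evaluation recited in claims 2, 9 and 16)."""
    stats = {}
    for a in ATTRS:
        xs = [getattr(r, a) for r in rows]
        stats[a] = (mean(xs), pstdev(xs))
    alarms = []
    for r in rows:
        # z-scores per attribute; attributes with zero spread can never trigger
        z = {a: abs(getattr(r, a) - mu) / sd for a, (mu, sd) in stats.items() if sd > 0}
        triggered = [a for a in ATTRS if z.get(a, 0.0) > k]
        if triggered:
            alarms.append({"period": r.period, "triggered": triggered,
                           "score": max(z[a] for a in triggered),
                           "label": classify_alarm(triggered)})
    return alarms


def reduce_alarms(alarms, limit):
    """Keep at most `limit` significant alarms, largest deviation first."""
    significant = [a for a in alarms if a["label"] == "significant"]
    return sorted(significant, key=lambda a: -a["score"])[:limit]


if __name__ == "__main__":
    rows = compute_attributes(SAMPLE_SERIES)
    alarms = flag_alarms(rows)
    for a in alarms:
        print(a)
    print("displayed to user:", reduce_alarms(alarms, 1))
```

On the constructed series the five-period flat run trips only the streak duration attribute (labelled unusual rather than significant), the peak of the rising streak trips the value attribute, and the drop back trips the change attribute; reducing to one significant alarm leaves the drop, which has the largest deviation.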

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6-11, and 13-20 are rejected under 35 U.S.C. 103 as being unpatentable over Brill (US 20150205856, hereinafter "Brill") in view of Muddu et al. (US 20170063889, hereinafter "Muddu").

Regarding Claim 1
Brill discloses: A method for event identification ([Para 0039 and Fig 1]) comprising: 
receiving event information pertaining to events occurring with respect to a computing environment ([Para 0034]), each event having a measurement metric ([Para 0040] “a data instance, X1,X2,...,XN represent the different attributes of the instance… Each one of sensor units 1021, 1022,..., 102N provides the data instance produced thereby (i.e., the data measured thereby) to event detector and classifier 104.” Examiner interprets the data instances X as the measurement metric.), the measurement metric for each event including a value attribute, a change attribute, a streak size attribute and a streak duration attribute wherein the value attribute is the original series of measurement data over one or more measurement periods ([Para 0046] “Each point in the attribute space corresponds to a respective data instance and thus with respective attributes measurement values.” Examiner interprets the data instance measurement value as a value attribute and the time stamps (see para 0023) as the measurement periods.), the change attribute is the change of value at a current measurement period relative to a previous measurement period ([Para 0049] “Herein, the distance between a selected data point (i.e., with respective attributes measurement and time Stamp) TN and a respective preceding data point TN-K is denoted ‘d(K)’.” Examiner interprets the distance between selected data points as the change attribute.), the streak size attribute is the size of continuous change in one direction as positive, negative or flat ([Para 0046 and Fig 2] “The dashed line connects time consecutive attributes measurements and di, denotes the distance between the xt(i) attributes measurement and the xt(i+1) attributes measurement. 
In general, as described above, the trajectory of the data records in the attributes space, for a single, non-faulty un-perturbed sensor unit exhibits a RW pattern.” Examiner interprets di, the distance along a trajectory (see Fig 2), as the streak size attribute and the steady state described in Para 0038 and Para 0050 as a flat direction.) and the streak duration attribute is the number of measurement periods of continuous change in one direction as positive, negative or flat ([Para 0050] “When the system is in steady state, only small changes occur in the values of the attributes measurements. Thus, the value of d(K) is small due to the fact that the RW distance is small. The range of d(K) during steady state operation of the system can be learned or determined as further explained below. In FIG. 3, that range is denoted as ‘ץ’.” Examiner interprets the steady state range as the streak duration for a flat direction. Examiner also interprets the time period ti (shown in Fig 2) as reading on the streak duration.);
 evaluating by a probability function the measurement metric for each event to determine when any of the value attribute, the change attribute, the streak size attribute and the streak duration attribute is above a predetermined probability threshold or below a probability threshold wherein above a probability threshold or below a probability threshold is classified as alarm data ([Para 0061] “if the time difference between a current event and a previous event is above or below the Mean Time Between Events (MTBE) by more than a selected number of standard deviations, then that event may be classified as an abnormal event.” Examiner interprets the Mean time between Events as the probability threshold and the classified abnormal event as alarm data.); 
processing the alarm data through a decision tree ([Para 0073-0074 and Fig 5] “decision tree, generally referenced 250, employed during classifications of the events…”) to determine based on historical data when the alarm data is significant or when the alarm data is not significant ([Para 0075-0078] “In general, event classification may include three phase, the training phase the testing phase and the monitoring phase… when the results obtained during testing phase 304 are satisfactory, the system moves to monitoring phase 306. When the results obtained during testing phase 304 are not satisfactory, the system may return to the learning phase 302” Examiner interprets the training and testing phase as producing satisfactory results (i.e. determining based on historical data significant/non-significant alarm data).) and to reduce the number of alarm data to a predetermined number of significant alarm data ([Para 0079] “During monitoring phase, the event detection and classification system classifies data instances according to that which has been learned and validated in the learning and testing phases. During this phase if an event (i.e., which is a group of related records or measurements) meets a determined criteria, an alarm may be generated.” Examiner interprets the monitoring phase as reducing the alarm data to a predetermined number of significant alarm data.); 
Brill does not explicitly disclose: displaying the predetermined number of significant alarm data to a user.
However, Muddu discloses in the same field of endeavor: displaying the predetermined number of significant alarm data to a user ([Para 0268] “if such event triggers an anomaly (e.g., in downstream processing), then the anomalous event can be annotated or otherwise associated with the session Id of the identified session. Such anomalies with the associated session(s) can be displayed in the user interface for review.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method for abnormality detection taught by Brill with the security platform for detecting anomalies taught by Muddu. Doing so allows discovered unusual behavioral sequences to be presented to an administrator for actions and/or feedback (para 0540, Muddu).

Regarding Claim 8
Brill discloses: A computer program product for event identification, the computer program product comprising a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a processor to cause the processor to perform a method comprising: receiving event information pertaining to events occurring with respect to a computing environment, each event having a measurement metric ([Para 0040] “a data instance, X1,X2,...,XN represent the different attributes of the instance… Each one of sensor units 1021, 1022,..., 102N provides the data instance produced thereby (i.e., the data measured thereby) to event detector and classifier 104.” Examiner interprets the data instances X as the measurement metric.), the measurement metric for each event including a value attribute, a change attribute, a streak size attribute and a streak duration attribute wherein the value attribute is the original series of measurement data over one or more measurement periods ([Para 0046] “Each point in the attribute space corresponds to a respective data instance and thus with respective attributes measurement values.” Examiner interprets the data instance measurement value as a value attribute and the time stamps (see para 0023) as the measurement periods.), the change attribute is the change of value at a current measurement period relative to a previous measurement period ([Para 0049] “Herein, the distance between a selected data point (i.e., with respective attributes measurement and time Stamp) TN and a respective preceding data point TN-K is denoted ‘d(K)’.” Examiner interprets the distance between selected data points as the change attribute.), the streak size attribute is the size of continuous change in one direction as positive, negative or flat ([Para 0046 and Fig 2] “The dashed line connects time consecutive attributes measurements and di, denotes the distance between the xt(i) attributes measurement and the xt(i+1) 
attributes measurement. In general, as described above, the trajectory of the data records in the attributes space, for a single, non-faulty un-perturbed sensor unit exhibits a RW pattern.” Examiner interprets di, the distance along a trajectory (see Fig 2), as the streak size attribute and the steady state described in Para 0038 and Para 0050 as a flat direction.) and the streak duration attribute is the number of measurement periods of continuous change in one direction as positive, negative or flat ([Para 0050] “When the system is in steady state, only small changes occur in the values of the attributes measurements. Thus, the value of d(K) is small due to the fact that the RW distance is small. The range of d(K) during steady state operation of the system can be learned or determined as further explained below. In FIG. 3, that range is denoted as ‘ץ’.” Examiner interprets the steady state range as the streak duration for the flat direction. Examiner also interprets the time period ti (shown in Fig 2) as reading on the streak duration.); evaluating by a probability function the measurement metric for each event to determine when any of the value attribute, the change attribute, the streak size attribute and the streak duration attribute is above a predetermined probability threshold or below a probability threshold wherein above a probability threshold or below a probability threshold is classified as alarm data ([Para 0061] “if the time difference between a current event and a previous event is above or below the Mean Time Between Events (MTBE) by more than a selected number of standard deviations, then that event may be classified as an abnormal event.” Examiner interprets the Mean time between Events as the probability threshold and the classified abnormal event as alarm data.); processing the alarm data through a decision tree ([Para 0073-0074 and Fig 5] “decision tree, generally referenced 250, employed during classifications of the events…”) to determine 
based on historical data when the alarm data is significant or when the alarm data is not significant ([Para 0075-0078] “In general, event classification may include three phase, the training phase the testing phase and the monitoring phase… when the results obtained during testing phase 304 are satisfactory, the system moves to monitoring phase 306. When the results obtained during testing phase 304 are not satisfactory, the system may return to the learning phase 302” Examiner interprets the training and testing phase as producing satisfactory results (i.e. determining based on historical data significant/non-significant alarm data).) and to reduce the number of alarm data to a predetermined number of significant alarm data ([Para 0079] “During monitoring phase, the event detection and classification system classifies data instances according to that which has been learned and validated in the learning and testing phases. During this phase if an event (i.e., which is a group of related records or measurements) meets a determined criteria, an alarm may be generated.” Examiner interprets the monitoring phase as reducing the alarm data to a predetermined number of significant alarm data.); 
Brill does not explicitly disclose: displaying the predetermined number of significant alarm data to a user.
However, Muddu discloses in the same field of endeavor: displaying the predetermined number of significant alarm data to a user ([Para 0268] “if such event triggers an anomaly (e.g., in downstream processing), then the anomalous event can be annotated or otherwise associated with the session Id of the identified session. Such anomalies with the associated session(s) can be displayed in the user interface for review.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method for abnormality detection taught by Brill with the security platform for detecting anomalies taught by Muddu. Doing so allows discovered unusual behavioral sequences to be presented to an administrator for actions and/or feedback (para 0540, Muddu).

Regarding Claim 15
Brill discloses: A system for event identification comprising: an event identification module; a decision tree manager; a non-transitory storage medium that stores instructions; and a processor that executes the instructions to perform the following functions: receive by the event identification module event information pertaining to events occurring with respect to a computing environment, each event having a measurement metric ([Para 0040] “a data instance, X1,X2,...,XN represent the different attributes of the instance… Each one of sensor units 1021, 1022,..., 102N provides the data instance produced thereby (i.e., the data measured thereby) to event detector and classifier 104.” Examiner interprets the data instances X as the measurement metric.), the measurement metric for each event including a value attribute, a change attribute, a streak size attribute and a streak duration attribute wherein the value attribute is the original series of measurement data over one or more measurement periods ([Para 0046] “Each point in the attribute space corresponds to a respective data instance and thus with respective attributes measurement values.” Examiner interprets the data instance measurement value as a value attribute and the time stamps (see para 0023) as the measurement periods.), the change attribute is the change of value at a current measurement period relative to a previous measurement period ([Para 0049] “Herein, the distance between a selected data point (i.e., with respective attributes measurement and time Stamp) TN and a respective preceding data point TN-K is denoted ‘d(K)’.” Examiner interprets the distance between selected data points as the change attribute.), the streak size attribute is the size of continuous change in one direction as positive, negative or flat ([Para 0046 and Fig 2] “The dashed line connects time consecutive attributes measurements and di, denotes the distance between the xt(i) attributes measurement and the xt(i+1) attributes measurement. 
In general, as described above, the trajectory of the data records in the attributes space, for a single, non-faulty un-perturbed sensor unit exhibits a RW pattern.” Examiner interprets di, the distance along a trajectory (see Fig 2), as the streak size attribute and the steady state described in Para 0038 and Para 0050 as a flat direction.) and the streak duration attribute is the number of measurement periods of continuous change in one direction as positive, negative or flat ([Para 0050] “When the system is in steady state, only small changes occur in the values of the attributes measurements. Thus, the value of d(K) is small due to the fact that the RW distance is small. The range of d(K) during steady state operation of the system can be learned or determined as further explained below. In FIG. 3, that range is denoted as ‘ץ’.” Examiner interprets the steady state range as the streak duration for the flat direction. Examiner also interprets the time period ti (shown in Fig 2) as reading on the streak duration.); evaluate by a probability function in the event identification module the measurement metric for each event to determine when any of the value attribute, the change attribute, the streak size attribute and the streak duration attribute is above a predetermined probability threshold or below a probability threshold wherein above a probability threshold or below a probability threshold is classified as alarm data ([Para 0061] “if the time difference between a current event and a previous event is above or below the Mean Time Between Events (MTBE) by more than a selected number of standard deviations, then that event may be classified as an abnormal event.” Examiner interprets the Mean time between Events as the probability threshold and the classified abnormal event as alarm data.); process the alarm data through a decision tree ([Para 0073-0074 and Fig 5] “decision tree, generally referenced 250, employed during classifications of the events…”) to 
determine based on historical data when the alarm data is significant or when the alarm data is not significant ([Para 0075-0078] “In general, event classification may include three phase, the training phase the testing phase and the monitoring phase… when the results obtained during testing phase 304 are satisfactory, the system moves to monitoring phase 306. When the results obtained during testing phase 304 are not satisfactory, the system may return to the learning phase 302” Examiner interprets the training and testing phase as producing satisfactory results (i.e. determining based on historical data significant/non-significant alarm data).) and to reduce the number of alarm data to a predetermined number of significant alarm data ([Para 0079] “During monitoring phase, the event detection and classification system classifies data instances according to that which has been learned and validated in the learning and testing phases. During this phase if an event (i.e., which is a group of related records or measurements) meets a determined criteria, an alarm may be generated.” Examiner interprets the monitoring phase as reducing the alarm data to a predetermined number of significant alarm data.); 
Brill does not explicitly disclose: displaying the predetermined number of significant alarm data to a user.
However, Muddu discloses in the same field of endeavor: displaying the predetermined number of significant alarm data to a user ([Para 0268] “if such event triggers an anomaly (e.g., in downstream processing), then the anomalous event can be annotated or otherwise associated with the session Id of the identified session. Such anomalies with the associated session(s) can be displayed in the user interface for review.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method for abnormality detection taught by Brill with the security platform for detecting anomalies taught by Muddu. Doing so allows discovered unusual behavioral sequences to be presented to an administrator for actions and/or feedback (para 0540, Muddu).

Regarding Claim 2
Brill in view of Muddu disclose: The method of claim 1 wherein the evaluating by the probability function includes a mean function and a standard deviation function ([Para 0061] Brill “if the time difference between a current event and a previous event is above or below the Mean Time Between Events (MTBE) by more than a selected number of standard deviations, then that event may be classified as an abnormal event.”).

Regarding Claim 3
Brill in view of Muddu disclose: The method of claim 1 wherein processing the alarm data through the decision tree to determine when the alarm data is significant or when the alarm data is not significant includes a probability that the alarm data is significant or that the alarm data is not significant ([Para 0523 and Fig 52], Muddu “However, if the actual next symbol that appears is a "d," then because the prediction of the probability of "d" appearing is very low, this event/symbol is considered unusual, or rare. Thereafter, in some embodiments, such rare event can trigger an alert to the administrator for further analysis. As used herein, an unusual symbol (e.g., representing an event) is the actual occurrence of a symbol when the PST model predicts the probability of such symbol's occurrence is less than a threshold” Examiner interprets the probability determined from the Probabilistic Suffix Trees (PST model) for an event being unusual or rare as determining alarm data as significant/insignificant.).

Regarding Claim 4
Brill in view of Muddu disclose: The method of claim 1 further comprising training the decision tree by a training process and wherein processing the alarm data through the decision tree ([Para 0072] Brill “A classification algorithm such as decision tree may be employed to map events to the ECT.”) includes processing the alarm data through the decision tree after training the decision tree ([Para 0075] Brill “In general, event classification may include three phase, the training phase the testing phase and the monitoring phase… During the learning phase the event detection and classification system does not generate alerts.”).

Regarding Claim 6
Brill in view of Muddu disclose: The method of claim 1 wherein processing the alarm data through the decision tree to determine when the alarm data is significant or when the alarm data is not significant further to determine when the alarm data is not significant but the alarm data is unusual in that an odd pattern of data emerges ([Para 0186], Muddu “anomalies and threats are detected by comparing incoming event data (e.g., a series of events) against the baseline profile for an entity to which the event data relates (e.g., a user, an application, a network node or group of nodes, a software system, data files, etc.). If the variation is more than insignificant, the threshold for which may be dynamically or statically defined, an anomaly may be considered to be detected.” Examiner interprets the series of events as a pattern of data which indicates unusual alarm data when an odd pattern (i.e. series of events) is determined by the model. [Para 0523 and Fig 52], Muddu “However, if the actual next symbol that appears is a "d," then because the prediction of the probability of "d" appearing is very low, this event/symbol is considered unusual, or rare.”)

Regarding Claim 7
Brill in view of Muddu disclose: The method of claim 1 wherein the computing environment is a cloud environment ([Para 0141], Muddu “In the case of cloud-based application where an organization may rely on Internet-based computer servers for data storage and data processing, at least part of the security platform can be implemented at, for example, the cloud-based servers.”).

Regarding Claim 9
(CLAIM 9 IS A COMPUTER PROGRAM PRODUCT CLAIM THAT CORRESPONDS TO METHOD CLAIM 2 AND IS REJECTED ON THE SAME GROUND)

Regarding Claim 16
(CLAIM 16 IS A SYSTEM CLAIM THAT CORRESPONDS TO METHOD CLAIM 2 AND IS REJECTED ON THE SAME GROUND)

Regarding Claim 10
(CLAIM 10 IS A COMPUTER PROGRAM PRODUCT CLAIM THAT CORRESPONDS TO METHOD CLAIM 3 AND IS REJECTED ON THE SAME GROUND)

Regarding Claim 17
(CLAIM 17 IS A SYSTEM CLAIM THAT CORRESPONDS TO METHOD CLAIM 3 AND IS REJECTED ON THE SAME GROUND)

Regarding Claim 11
(CLAIM 11 IS A COMPUTER PROGRAM PRODUCT CLAIM THAT CORRESPONDS TO METHOD CLAIM 4 AND IS REJECTED ON THE SAME GROUND)

Regarding Claim 18
(CLAIM 18 IS A SYSTEM CLAIM THAT CORRESPONDS TO METHOD CLAIM 4 AND IS REJECTED ON THE SAME GROUND)

Regarding Claim 13
(CLAIM 13 IS A COMPUTER PROGRAM PRODUCT CLAIM THAT CORRESPONDS TO METHOD CLAIM 6 AND IS REJECTED ON THE SAME GROUND)

Regarding Claim 19
(CLAIM 19 IS A SYSTEM CLAIM THAT CORRESPONDS TO METHOD CLAIM 6 AND IS REJECTED ON THE SAME GROUND)

Regarding Claim 14
(CLAIM 14 IS A COMPUTER PROGRAM PRODUCT CLAIM THAT CORRESPONDS TO METHOD CLAIM 7 AND IS REJECTED ON THE SAME GROUND)

Regarding Claim 20
(CLAIM 20 IS A SYSTEM CLAIM THAT CORRESPONDS TO METHOD CLAIM 7 AND IS REJECTED ON THE SAME GROUND)

Claims 5 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Brill (US 20150205856, hereinafter "Brill") in view of Muddu et al. (US 20170063889, hereinafter "Muddu") and Nowozin ("Improved Information Gain Estimates for Decision Tree Induction", hereinafter "Nowozin").

Regarding Claim 5
Brill in view of Muddu disclose: The method of claim 4 wherein training the decision tree by a training process comprising: obtaining training data including a plurality of event information that triggers an alarm regardless of whether the alarm is above the predetermined probability threshold or below the probability threshold, the plurality of event information that triggers the alarm having an indication of whether the event information that triggered the alarm was a significant alarmed event ([Para 0075-0076] Brill “The records in the testing set are tagged by an expert as normal or abnormal. Furthermore, the expert may classify the event (e.g., faulty sensor, change of Supply Source). These tags and classifications are labeled as the actual classification.” Examiner interprets the labeled data as training data having an indication of whether the event information that triggered the alarm was a significant alarmed event.); 
Brill in view of Muddu do not explicitly disclose: creating a root node using the training data; finding a splitting point of the value attribute, the change attribute, the streak size attribute and the streak duration attribute which makes the subset of the value attribute, the change attribute, the streak size attribute and the streak duration attribute most different; comparing the value attribute, the change attribute, the streak 
However, Nowozin discloses in the same field of endeavor: creating a root node using the training data ([Section 1.1] “we start with an empty tree with just a root node. We then sample a number of split function candidates from a fixed distribution. Each split function partitions the training set into a left and right subset by some test on each x_i”); finding a splitting point of the value attribute, the change attribute, the streak size attribute and the streak duration attribute which makes the subset of the value attribute, the change attribute, the streak size attribute and the streak duration attribute most different (“Given a data set {(x_i, y_i)}_{i=1}^{N}, we start with an empty tree with just a root node. We then sample a number of split function candidates from a fixed distribution. Each split function partitions the training set into a left and right subset by some test on each x_i.” Examiner interprets the split function as finding a splitting point of an attribute x.); comparing the value attribute, the change attribute, the streak size attribute and the streak duration attribute and choosing the attribute as a split node that results in the biggest difference between significant alarmed event and an insignificant alarmed event ([Section 1.1 and Algorithm 1] “When we use the information gain criterion for recursive tree growing, we execute Algorithm 1 at each node in the decision tree, testing T candidate splits sequentially and keeping the one that achieves the highest estimated information gain” Examiner interprets Algorithm 1 as comparing the left or right nodes of the decision tree with the predictive output that results in the biggest difference from the input/output (see line 8 in Algorithm 1).); splitting the root node using the chosen attribute as the split node and new node to the decision tree ([Section 1.1 and Algorithm 1] “When we use the information gain criterion for recursive tree growing, we execute Algorithm 1 at each node in the decision tree, testing T candidate splits sequentially and keeping the one that achieves the highest estimated information gain”); and repeat finding the splitting node, comparing the value attribute and splitting the splitting node until all nodes terminate splitting ([Section 1.1 and Algorithm 1] “This procedure is applied recursively until some stopping conditions such as a maximum tree depth or minimum sample size are reached.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method for abnormality detection taught by Brill with the security platform for detecting anomalies taught by Muddu and the method for decision tree induction taught by Nowozin. Doing so can improve the predictive performance of a decision tree (Abstract, Nowozin).
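The training process recited in claim 5 and mapped to Nowozin's Section 1.1 and Algorithm 1 (start from a root node, test candidate splits on each attribute, keep the one with the highest information gain, recurse until a stopping condition) can be walked through end to end on labelled alarm data. The following is an added illustration written for this record; it is neither Nowozin's Algorithm 1 nor code from the application. The ten alarmed events, their value, change, streak size and streak duration numbers, and the expert labels are constructed, and the candidate thresholds (midpoints between adjacent attribute values) are an assumed choice of split function.

```python
import math
from collections import Counter

# The four attributes recited in claim 5.
ATTRIBUTES = ("value", "change", "streak_size", "streak_duration")

# Constructed training set (hypothetical numbers). Each row is one alarmed event
# plus an expert label: significant = 1, insignificant = 0.
TRAINING_DATA = [
    {"value": 90, "change": 5,  "streak_size": 1, "streak_duration": 10,  "significant": 0},
    {"value": 95, "change": 8,  "streak_size": 2, "streak_duration": 15,  "significant": 0},
    {"value": 98, "change": 42, "streak_size": 1, "streak_duration": 95,  "significant": 0},
    {"value": 75, "change": 25, "streak_size": 3, "streak_duration": 110, "significant": 0},
    {"value": 99, "change": 40, "streak_size": 4, "streak_duration": 120, "significant": 1},
    {"value": 85, "change": 35, "streak_size": 5, "streak_duration": 300, "significant": 1},
    {"value": 60, "change": 2,  "streak_size": 4, "streak_duration": 500, "significant": 0},
    {"value": 97, "change": 50, "streak_size": 3, "streak_duration": 90,  "significant": 1},
    {"value": 92, "change": 45, "streak_size": 6, "streak_duration": 400, "significant": 1},
    {"value": 88, "change": 36, "streak_size": 3, "streak_duration": 100, "significant": 1},
]


def entropy(rows):
    """Shannon entropy (bits) of the significant/insignificant labels in a node."""
    n = len(rows)
    if n == 0:
        return 0.0
    counts = Counter(r["significant"] for r in rows)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split(rows, attr, threshold):
    """Split function: rows with attr <= threshold go left, the rest go right."""
    left = [r for r in rows if r[attr] <= threshold]
    right = [r for r in rows if r[attr] > threshold]
    return left, right


def information_gain(rows, left, right):
    n = len(rows)
    return entropy(rows) - (len(left) / n) * entropy(left) - (len(right) / n) * entropy(right)


def best_split(rows):
    """Compare every attribute and every candidate threshold (midpoints between
    adjacent observed values, an assumed choice) and return (attr, threshold, gain)
    for the split that separates significant from insignificant events the most."""
    best = (None, None, 0.0)
    for attr in ATTRIBUTES:
        values = sorted({r[attr] for r in rows})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2
            left, right = split(rows, attr, thr)
            gain = information_gain(rows, left, right)
            if gain > best[2]:
                best = (attr, thr, gain)
    return best


def build_tree(rows, depth=0, max_depth=5, min_samples=1):
    """Recursive tree growing: a node stops splitting when it is pure, when the
    maximum depth or minimum sample size is reached, or when no split helps."""
    majority = Counter(r["significant"] for r in rows).most_common(1)[0][0]
    if len({r["significant"] for r in rows}) == 1 or depth >= max_depth or len(rows) <= min_samples:
        return {"leaf": majority}
    attr, thr, gain = best_split(rows)
    if attr is None:
        return {"leaf": majority}
    left, right = split(rows, attr, thr)
    return {
        "attr": attr, "threshold": thr, "gain": round(gain, 3),
        "left": build_tree(left, depth + 1, max_depth, min_samples),
        "right": build_tree(right, depth + 1, max_depth, min_samples),
    }


def predict(tree, event):
    """Walk from the root to a leaf and return the predicted label."""
    while "leaf" not in tree:
        tree = tree["left"] if event[tree["attr"]] <= tree["threshold"] else tree["right"]
    return tree["leaf"]


if __name__ == "__main__":
    tree = build_tree(TRAINING_DATA)
    print(tree)
    print(predict(tree, {"value": 91, "change": 44, "streak_size": 1, "streak_duration": 7}))
```

On the constructed data the root split lands on the change attribute (a change of 30 or less is never significant here), and the node for larger changes splits again on streak size, separating the single isolated spike from the sustained ones; the two-level tree then classifies every training row correctly. Changing the constructed numbers changes which attribute wins, which is the point of comparing all four attributes at each node rather than fixing an order in advance.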

Regarding Claim 12
(CLAIM 12 IS A COMPUTER PROGRAM PRODUCT CLAIM THAT CORRESPONDS TO METHOD CLAIM 5 AND IS REJECTED ON THE SAME GROUND)

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Gopalakrishnan et al. (US 2015/0333998) similarly describes traversing a decision tree and determining probabilities of decision nodes that indicate an event which is an anomaly (See Para 005 and Fig 15). 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TEWODROS E MENGISTU whose telephone number is (571)270-7714.  The examiner can normally be reached on Mon-Fri 7:30-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Li Zhen, can be reached on (571) 272-3768.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access 






/TEWODROS E MENGISTU/           Examiner, Art Unit 2121    





/Li B. Zhen/           Supervisory Patent Examiner, Art Unit 2121