Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendments
The amended claims 1, 3, 5 – 8, 10, 12 – 15, 17, 19 and 21 – 24 were considered under 35 USC 112, 101 and 103 for patentability over closest and analogous prior arts Almurayh, Abdullah (US 20160205123), hereafter Alm and Zorlular et al (US 20180183827), hereafter Zor have been fully considered and are persuasive. Claim(s) 2, 4, 9, 11, 16, 18 and 20 is/are cancelled.
Note: The attorney had presented the following limitation: determining that the anomaly occurred in the network in response to the rate of change meeting or exceeding the predefined threshold; 
On careful and thorough review of specification there is nowhere it is recited “exceeding or greater or higher or above” a predefined threshold. In fact the word “threshold” appears only twice. It is recited in para. [0053] as “IF the change meets the predefined threshold then the behavior is anomalous” only. Therefore corresponding amendment to remove “or exceeding” was made by the examiner so that the independent claims are within scope of the claimed and supported subject matter.

Allowable Subject Matter
1.	Amended claims 1, 3, 5 – 8, 10, 12 – 15, 17, 19 and 21 – 24 are allowed in light of applicant’s arguments, approved examiner’s proposed amendments and in light of prior art(s) made of record. 

Examiner’s Amendment

1. 	(Currently Amended) A system comprising:
a processing device; and
a memory device including instructions that are executable by the processing device for causing the processing device to:
	receive network information relating to a network that includes a plurality of network devices, the network information indicating a rate at which topological configurations of the plurality of network devices changed over a timespan;
provide the network information as input to one or more machine-learning models to receive as output from the one or more machine-learning models an indication of whether an anomaly occurred in the network, wherein the one or more machine-learning models are configured to determine whether the anomaly occurred in the network based on the rate at which the topological configurations of the plurality of network devices changed over the timespan by:
determining a rate of change between the topological configurations;
comparing the rate of change to a predefined threshold; and
determining that the anomaly occurred in the network in response to the rate of change meeting the predefined threshold;
receive an indication from the one or more machine-learning models that the anomaly occurred in the network; and
in response to receiving the indication, execute one or more operations configured to assist in counteracting the anomaly.

2. 	(Canceled)

3. 	(Currently Amended) The system of claim 1, wherein the one or more machine-learning s among the plurality of network devices.

4. 	(Canceled)

5. 	(Original) The system of claim 1, wherein the one or more machine-learning models are further configured to output the machine-learning model's level of certainty that the anomaly occurred in the network.

6. 	(Currently Amended) The system of claim 1, wherein the memory device further includes instructions that are executable by the processing device for causing the processing device to generate an 

7. 	(Original) The system of claim 1, wherein the memory device further comprises instructions executable by the processing device for causing the processing device to modify a network parameter based on the indication from the one or more machine-learning models to counteract the anomaly.

8. 	(Currently Amended) A method comprising:
receiving, by a processor device, network information relating to a network that includes a plurality of network devices, the network information indicating a rate at which topological configurations of the plurality of network devices changed over a timespan;
providing, by the processing device, the network information as input to one or more machine-learning models to receive as output from the one or more machine-learning models an indication of whether an anomaly occurred in the network, wherein the one or more machine-learning models are configured to determine whether the anomaly occurred in the network based on the rate at which the topological configurations of the plurality of network devices changed over the timespan by:
determining a rate of change between the topological configurations;
comparing the rate of change to a predefined threshold; and
determining that the anomaly occurred in the network in response to the rate of change meeting the predefined threshold;
receiving, by the processing device, an indication from the one or more machine-learning models that the anomaly occurred in the network; and
in response to receiving the indication, executing, by the processing device, one or more operations configured to assist in counteracting the anomaly.

9. 	(Canceled)

10. 	(Currently Amended) The method of claim 8, wherein the one or more machine-learning models are further configured to determine that the anomaly occurred in the network in response to detecting a change in a correlation between at least two network devices among the plurality of network devices.

11. 	(Canceled)

12. 	(Original) The method of claim 8, wherein the one or more machine-learning models are further configured to output the machine-learning model's level of certainty that the anomaly occurred in the network.

13. 	(Previously Presented) The method of claim 8, further comprising generating an output that identifies which network configuration change in a set of network configuration changes is anomalous.

14. 	(Original) The method of claim 8, further comprising modifying, by the processing device, a network parameter based on the indication from the one or more machine-learning models to counteract the anomaly.

15. 	(Currently Amended) A non-transitory computer readable medium including instructions that are executable by a processing device for causing the processing device to:

provide the network information as input to one or more machine-learning models to receive as output from the one or more machine-learning models an indication of whether an anomaly occurred in the network, wherein the one or more machine-learning models are configured to determine whether the anomaly occurred in the network based on the rate at which the topological configurations of the plurality of network devices changed over the timespan by:
determining a rate of change between the topological configurations;
comparing the rate of change to a predefined threshold; and
determining that the anomaly occurred in the network in response to the rate of change meeting the predefined threshold;
receive an indication from the one or more machine-learning models that the anomaly occurred in the network; and
in response to receiving the indication, execute one or more operations configured to assist in counteracting the anomaly.

16. 	(Canceled)

17. 	(Currently Amended) The non-transitory computer readable medium of claim 15, wherein the one or more machine-learning models are further configured to determine that the anomaly occurred in the network in response to detecting a change in a correlation between at least two network devices among the plurality of network devices.

18. 	(Canceled)

19. 	(Original) The non-transitory computer readable medium of claim 15, wherein the one or more machine-learning models are further configured to output the machine-learning model's level of certainty that the anomaly occurred in the network.

20. 	(Canceled)

21.	(Previously Presented) The system of claim 1, wherein the one or more machine-learning models are configured to determine that the anomaly occurred in the network based on a configuration change in the network, the configuration change including at least one change to a subnet, a pathway, or a network interface associated with the network.

22.	(Previously Presented) The system of claim 1, wherein the memory device further includes instructions that are executable by the processing device for causing the processing device to receive the network information from a software controller configured to control a topology of the network by interfacing with the plurality of network devices.

23.	(Previously Presented) The system of claim 22, wherein:
the software controller is a software-defined network (SDN) controller of a software-defined networking system; and
the software-defined networking system includes a physical layer and a control layer, the physical layer including the plurality of network devices, and the control layer including the SDN controller.

24.	(Previously Presented) The system of claim 1, wherein the one or more operations are configured to output a notification to a user of the anomaly.

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
As to the independent claim 1, the prior art of reference Alm teaches [0046, Fig. 4A] a learner module of the smart home anomaly detector (SHAD) records appliance data for the smart appliance(s). [0051] the learner module ([0034] using machine learning techniques) analyzes the security settings, network communication speed, network configuration, and the like of the at least one smart appliance and outputs after [0029] determining whether the change in status of 

Further, a second prior art of record Zor teaches [0010] the full extent of activity of a cyber attack is recognized when multiple different indicators are reviewed and brought into context; [0080] the warning system accesses contextual data associated with the resource such as information about what users are permitted to access the resource,... physical location of the resource, the location of the resource within the organization's network topology, the value of the resource etc. Accesses indicators of a potential cyber attack related to the resource from an intrusion detection system, anti-malware system, gateway or router logs.

None of the other prior arts of record teach by themselves or in any combination, would have anticipated nor render obvious by combination the claimed invention of the present application at or before the time it was filed.  The prior arts of record fail to teach: a system automatically detects anomalous network-activity using a machine-learning model that analyzes how network topological configurations change over time. The machine-learning model detects anomalies by comparing current and expected rates of change and/or types of topological changes in the network and comparing to a threshold. In response to determination that the measured rate of topological changes exceed threshold, countermeasures are deployed.

Therefore, independent claim 1 and their corresponding dependent claims are allowed in light of applicant’s arguments, approved examiner’s amendments and prior arts of record. The same amendments and reasoning are applicable to independent claim(s) 9 and 15 mutatis mutandis.  Claim(s) 2, 4, 9, 11, 16, 18 and 20 is/are cancelled.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892 Notice of References Cited.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/BADRINARAYANAN /Examiner, Art Unit 2496.