Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Priority
This application claims the benefit of U.S. provisional patent application No. 62/212,541 filed on Aug. 31, 2015, and titled “Network Security System,” which is incorporated by reference herein in its entirety.
DETAILED ACTION
This office action is in response to the amendment received on 08/19/2021. In the amendment, applicant has amended independent claims 1, 25 and 28. Claims 9-10 and 17-18 remain cancelled. Claims 2-8, 11-16, 19-24 and 26-31 remain original. No new claim has been added.
For this office action, claims 1-8, 11-16 and 19-31 have been received for consideration and have been examined. 
Response to Arguments
Claim Rejections under 35 U.S.C. § 103
After carefully reviewing applicant’s remarks regarding the rejection of claims under 35 U.S.C. § 103, the examiner has summarized the remarks as follows:
1. Raugas fails to disclose or suggest that in a real-time detection mode, the real-time anomaly decision engine sets the variable time slice parameter associated with the machine learning anomaly model to event-by-event, and in a batch-detection mode, causing the batch anomaly decision engine to set the variable time slice associated with a time period length that is greater than event-by-event (See Page # 12).
2. Shumpert does not disclose or suggest that the model state of a machine learning (ML) anomaly model is shared between a real-time anomaly decision engine and a batch anomaly decision engine, where the real-time anomaly decision engine performs detection in a real-time detection mode and the batch anomaly decision engine performs detection in a batch detection mode (See Page # 13).
Examiner’s Response
	Regarding remark # 1, that Raugas fails to disclose or suggest that in a real-time detection mode the real-time anomaly decision engine sets the variable time slice parameter associated with the machine learning anomaly model to event-by-event, and in a batch-detection mode, causing the batch anomaly decision engine to set the variable time slice associated with the machine learning anomaly model to a time period length that is greater than event-by-event, examiner respectfully disagrees. 
Raugas discloses at length the monitoring of sampled network traffic [which is construed as batch data from network devices] during a ‘time configurable time interval’ using machine learning models in real time; the configurable interval is equivalent to the claimed ‘variable time slice’. Raugas teaches a system and method that provide tools for detection and classification of malware in real time and over a given time window, in order to detect threats and create a defensive response (See Raugas Abstract: A network may be monitored for a configured time interval collecting all of or some of the network traffic or samples of the network traffic; [0006] Systems and methods are described to detect malware in a computer network using supervised machine learning techniques. Network traffic may be sampled for a configurable time window. Features may be extracted from the network traffic samples. One or more machine learning models may be applied to the features generating a score representing some probability that malware exists on a particular networked device in the network; [0020] A system, method, medium, or computer based product may provide tools for real-time detection and classification of advanced malware using supervised machine learning applied specifically to network-observable features associated with malicious behavior, including Command & Control, data exfiltration, and beaconing. This may reduce the time window between threat identification and defensive response; [0027] Network traffic may be monitored by monitoring device 135 during a time configurable time interval. The time interval may be specified in a configuration file, by an administrator, or by a user, and may correspond to the window over which feature vectors are constructed).
Raugas further discloses monitoring the network traffic data using machine learning models in real time and when captured over a certain time interval (See Raugas: [0028] Features 120 may be extracted from the sampled network traffic in block 140. The features may be configured and handled as individual items, as a part of feature sets, or any combination thereof. Features may include any or several network statistics. In one or more embodiments, features may comprise only a subset of monitored or examined network data computed during the configurable time interval (“window”)).
Besides the teachings of Raugas, the primary reference, Engel, clearly discloses detection of anomalous network actions using online or batch modes (See Engel: Abstract, [0021] & [0051]).
Regarding remark # 2, that Shumpert does not disclose or suggest that the model state of a machine learning (ML) anomaly model is shared between a real-time anomaly decision engine and a batch anomaly decision engine, where the real-time anomaly decision engine performs detection in a real-time detection mode and the batch anomaly decision engine performs detection in a batch detection mode, examiner respectfully disagrees. 
Shumpert clearly discloses sharing a model in real time [which is the unsupervised prediction technique] and in batch mode [which is sharing the model with a human administrator for review] to detect and provide guidance for repeat problems (See Shumpert: [0031] Certain example embodiments also assume that the data source (e.g., sensor data) is always live and, thus, it is assumed that there is never an offline period for performing traditional batch machine learning. Therefore, certain example embodiments begin with unlabeled data only and learn the labels as they go, with the incremental help of human experts. As seen in FIG. 3, certain example embodiments begin reading live engine sensor data right away (step S302) and train a shared model incrementally (step S304), thus avoiding the delayed response typical of prior and current systems. The resulting model is able to detect and recognize repeat problems (step S306), while still discovering new problems and routing them to domain experts for review (step S308) and knowledge capture (step S310). And the model may adapt to changing operating conditions automatically as the engine ages. Over time, the initially empty knowledgebase may grow to cover additional (and potentially all) possible engine issues, and the need for a domain expert, as required by unsupervised learning approaches of prior and current systems, accordingly may fade away; [0057] Thus, the supervised prediction technique will quickly begin detecting and providing guidance for repeat problems, while the unsupervised prediction technique will continue to be on the lookout for new problems. The complementary nature of the two predictive methods using a shared model is a technical advantage of certain example embodiments because it improves detection performance and accuracy while reducing development time.
Indeed, it will be appreciated that it can be quite difficult to define a single model that can support both modes of prediction in a continuous, incremental learning approach without any batch training data; [0116] the shared model of certain example embodiments—the clusters and their classes—blends both unsupervised techniques (steps 2 a, 3 a, and 3 d) and supervised techniques (steps 3 b and 3 c) at the same time with each new instance of sensor data).        
Based on the above explanation and interpretation, the examiner believes that the combination of the cited references would render results similar to those claimed in the instant application; therefore, the rejection is maintained.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention 

Claims 1-8, 11-16, 20, 22 and 24-31 are rejected under 35 U.S.C. 103 as being unpatentable over Engel et al. (US20140165207A1) in view of Raugas et al. (US20150128263A1) and further in view of Shumpert et al. (US20160342903A1).
Regarding claim 1, Engel discloses:
	A method comprising: 
in a real-time detection mode: 
inputting, to a real-time (See [0021] i.e. online detection of anomalous network) anomaly decision engine ([0012] FIG. 6 illustrates an anomaly detection module), feature sets of event data (See [0082] i.e. sensors 110), the feature sets of event data produced based on first raw event data ([0088] the anomaly detection module 200 may receive raw data from one or more sensors) originating from a plurality of data sources on a computer network ([0014] The present invention discloses a method for detecting anomalous action within a computer network. The method comprises the steps of: [0021] online or batch detection of anomalous network actions associated with entities based on the statistical models; [0082] the sensors 110 may collect data from several places in the computer network 100 and after analysis of the collected data the sensors 110 may send the data to an anomaly detection module 175; [0088] the anomaly detection module 200 may receive raw data from one or more sensors); 
causing the real-time anomaly decision engine to detect a first network security anomaly, based on the feature sets of event data, in real time as the feature sets of event data are produced based on the raw event data ([0099] the anomaly detection module 270 receives information regarding actions in the computer network and identifies anomalous behavior by comparing actual network actions with the statistical model); and 
training, based on the feature sets of event data ([0100] According to some embodiments of the present invention, a training process is performed automatically over multiple time periods, preforming statistical analysis of network actions at each period. The training process continues until a statistically significant stabilization of the statistical model is reached); 
in a batch detection mode: 
inputting, to a batch anomaly decision engine (See [0021] i.e. batch detection of anomalous network actions), stored feature sets of event data, the stored feature sets of event data based on second raw event data originating from the plurality of data sources on the computer network ([0014] The present invention discloses a method for detecting anomalous action within a computer network. The method comprises the steps of: [0021] online or batch detection of anomalous network actions associated with entities based on the statistical models; [0103] anomalies can be detected by finding specific entities that differ in their behavior from the majority of other entities in the computer network which have similar functionality, or finding actions that differ from the majority of actions in their characteristics. This method works on a batch of data and detects the anomalies rather than compare a specific action to a model; [0128] According to some embodiments of the present invention, statistical modeling module may begin with receiving detailed entities actions related data including identity of entity over time from the association module activity (stage 510); [0150] anomalies can be detected by finding specific entities that differ in their behavior from the majority of other entities in the computer network, or finding actions that differ from the majority of actions in their characteristics and their associated entities (stage 630). This method works on a batch of data and detects the anomalies between entities or actions rather than compare a specific action to a model); 
causing the batch anomaly decision engine to detect a second network security anomaly, by using the machine learning anomaly model, based on the stored feature sets of event data ([0099] the anomaly detection module 270 receives information regarding actions in the computer network and identifies anomalous behavior by comparing actual network actions with the statistical model); and 
training based on the stored feature sets of event data ([0100] According to some embodiments of the present invention, a training process is performed automatically over multiple time periods, preforming statistical analysis of network actions at each period. The training process continues until a statistically significant stabilization of the statistical model is reached); 
outputting, to a threat decision engine, anomaly data indicative of the first network security anomaly and the second network security anomaly ([0099] The anomalies may be sent to a decision engine 280. The purpose of the decision engine 280 is to aggregate relevant anomalies together and create incidents);
causing the threat decision engine to detect, based on the anomaly data, a network security threat ([0104] According to other embodiments of the present invention, the decision engine 280, may analyze several anomaly actions and generate incidents/alerts based on identified anomalies according to predefined rules); and
([0101] The notifications 285 may be sent to a manual inspection 297. The manual inspection 297 may determine if an action is false positive or not and the feedback (299) of the manual inspection may be sent to the statistical models database 265);
wherein detecting the first network security anomaly, detecting the second network security anomaly or detecting the network security threat is performed by using a task-parallel distributed processing engine (see FIG. 7; [0152] According to some embodiments of the present invention, the decision engine module receives specific information on anomalies in the computer network (stage 710). Next, the decision engine module may be creating incidents by aggregating and clustering related anomalies based on specified parameters (stage 715) and then analyzing and ranking the incidents (stage 720)). 
Engel fails to disclose:
	wherein the batch anomaly decision engine sets the variable time slice parameter associated with the machine learning anomaly model to a time period length that is greater than event-by-event; using a machine learning anomaly model to train; wherein the machine learning anomaly model is configured to process a variable time slice of data to produce a score indicative of a detected anomaly, and wherein the real-time anomaly decision engine set the variable time slice parameter associated with the machine learning anomaly model to event-by-event; data source associated with the machine learning anomaly model to a time period length that is greater than event-by-event; wherein the threat decision engine comprises a plurality of machine learning threat models, each including logic to detect a different type of 
However, Raugas discloses:
wherein the batch [sample network traffic] anomaly decision engine sets the variable time slice parameter associated with the machine learning anomaly model to a time period length that is greater than event-by-event (Abstract: A network may be monitored for a configured time interval collecting all of or some of the network traffic or samples of the network traffic; [0006] Systems and methods are described to detect malware in a computer network using supervised machine learning techniques. Network traffic may be sampled for a configurable time window. Features may be extracted from the network traffic samples. One or more machine learning models may be applied to the features generating a score representing some probability that malware exists on a particular networked device in the network; [0027] Network traffic may be monitored by monitoring device 135 during a time configurable time interval. The time interval may be specified in a configuration file, by an administrator, or by a user, and may correspond to the window over which feature vectors are constructed; [0028] Features 120 may be extracted from the sampled network traffic [this is construed as batch data] in block 140. The features may be configured and handled as individual items, as a part of feature sets, or any combination thereof. Features may include any or several network statistics. In one or more embodiments, features may comprise only a subset of monitored or examined network data computed during the configurable time interval (“window”));
using a machine learning anomaly model to train ([0020] A system, method, medium, or computer based product may provide tools for real-time detection and classification of advanced malware using supervised machine learning; [0022] Using one or more methods of feature extraction, the network samples may be prepared for scoring. Subsequently, a specific machine learning algorithm may use models trained a priori against specific and/or known classes of malware; [0065] In one embodiment of this invention, the training process may include generation of statistics associated with the accuracy and performance of the Machine Learning Model wherein the statistics may include the statistical means of the predicted output scores for positive and negative samples; [0067] At least one machine learning model 125 is applied to the features 145, thereby generating score 130, wherein the score indicates the likelihood of malware being present in a host or network device in network 10);
wherein the machine learning anomaly model is configured to process a variable time slice of data to produce a score indicative of a detected anomaly, and wherein the real-time anomaly decision engine set the variable time slice parameter associated with the machine learning anomaly model to event-by-event (See Abstract: Methods, system, and media for detecting malware are disclosed. A network may be monitored for a configured time interval collecting all of or some of the network traffic or samples of the network traffic; [0027] Network traffic may be monitored by monitoring device 135 during a time configurable time interval. The time interval may be specified in a configuration file, by an administrator, or by a user, and may correspond to the window over which feature vectors are constructed; [0028] In one or more embodiments, features may comprise only a subset of monitored or examined network data computed during the configurable time interval (“window”); Raugas further teaches “event-by-event” claim element as “feature set” which are disclosed through paragraphs [0029-0063] in 
data source associated with the machine learning anomaly model to a time period length that is greater than event-by-event ([0067] At least one machine learning model 125 is applied to the features 145 … scoring network traffic based on similarity to malicious behavior associated with specific classes of malware; and combining the scores from multiple concurrent models to produce a normalized, comparable score associated with the time interval using support vector machines and Bayesian networks);
wherein the threat decision engine comprises a plurality of machine learning threat models, each including logic to detect a different type of threat ([0068] In one embodiment, a machine learning model 125 may include a set of supervised learning algorithms, such as Boosted Decision Trees, Support Vector Machines, and Gaussian Mixture Models. One or more of a plurality of machine learning models may be specified as part of a predefined configuration or may be specified by a user; [0071] FIG. 2 depicts a block diagram of an exemplary system 200 in accordance with one or more embodiments, in which a plurality of machine learning models are applied to features from system 100 … Block 210 depicts features, such as those discussed with respect to system 100. Blocks 225, 226, 227, and 228 depict one or more machine learning models from a plurality of machine learning models being applied to the features 210).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the reference of Engel to deploy machine learning model techniques to detect anomalies and malware, as disclosed by Raugas.

The combination of Engel and Raugas fails to disclose:
wherein training the machine learning anomaly model updates a model state of the machine learning anomaly model, and wherein the model state of the machine learning anomaly model is shared between the real-time anomaly decision engine and the batch anomaly decision engine.
However, Shumpert discloses:
wherein training the machine learning anomaly model updates a model state of the machine learning anomaly model, and wherein the model state of the machine learning anomaly model is shared between the real-time anomaly decision engine (See [0057] i.e. unsupervised learning approaches) and the batch anomaly decision engine (See [0057] i.e. supervised learning approaches) ([0031] Certain example embodiments also assume that the data source (e.g., sensor data) is always live and, thus, it is assumed that there is never an offline period for performing traditional batch machine learning. Therefore, certain example embodiments begin with unlabeled data only and learn the labels as they go, with the incremental help of human experts. As seen in FIG. 3, certain example embodiments begin reading live engine sensor data right away (step S302) and train a shared model incrementally (step S304), thus avoiding the delayed response typical of prior and current systems. The resulting model is able to detect and recognize repeat problems (step S306), while still discovering new problems and routing them to domain experts for review (step S308) and knowledge capture (step S310). And the model may adapt to changing operating conditions automatically as the engine ages. Over time, the initially empty knowledgebase may grow to cover additional (and potentially all) possible engine issues, and the need for a domain expert, as required by unsupervised learning approaches of prior and current systems, accordingly may fade away; [0057] Thus, the supervised prediction technique will quickly begin detecting and providing guidance for repeat problems, while the unsupervised prediction technique will continue to be on the lookout for new problems. The complementary nature of the two predictive methods using a shared model is a technical advantage of certain example embodiments because it improves detection performance and accuracy while reducing development time.
Indeed, it will be appreciated that it can be quite difficult to define a single model that can support both modes of prediction in a continuous, incremental learning approach without any batch training data; [0116] the shared model of certain example embodiments—the clusters and their classes—blends both unsupervised techniques (steps 2 a, 3 a, and 3 d) and supervised techniques (steps 3 b and 3 c) at the same time with each new instance of sensor data).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the references of Engel and Raugas to include a shared anomaly detection model, as disclosed by Shumpert.
The motivation to include a shared anomaly detection model is to train the machine learning model with updated features from online and batch monitoring of feature sets and to increase the knowledge base of the anomaly decision engine.
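The arrangement claim 1 recites (one anomaly model whose state is shared by a real-time engine scoring event-by-event and a batch engine scoring a longer time slice, both training it, with the anomaly data of both aggregated by a threat decision engine) as an added illustration in Python; this is example code written for this page, not code from the application or from Engel, Raugas or Shumpert. The per-entity Welford model, the 3.0 score threshold, the one-hour batch slice, the policy of not training on flagged slices, and the event data are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import sqrt

EVENT_BY_EVENT = 0  # time-slice value meaning "each event is scored on its own"

@dataclass
class Event:
    ts: int        # seconds (constructed)
    entity: str    # e.g. the source host
    value: float   # one feature, e.g. bytes sent in the event

class ModelState:
    """Per-entity running mean/variance (Welford). One instance is the shared model state."""
    def __init__(self):
        self.n, self.mean, self.m2 = defaultdict(int), defaultdict(float), defaultdict(float)

    def update(self, entity, x):
        self.n[entity] += 1
        d = x - self.mean[entity]
        self.mean[entity] += d / self.n[entity]
        self.m2[entity] += d * (x - self.mean[entity])

    def stddev(self, entity):
        n = self.n[entity]
        return sqrt(self.m2[entity] / (n - 1)) if n > 1 else 0.0

class AnomalyModel:
    """Processes a variable time slice of events and scores it against the shared state."""
    def __init__(self, state):
        self.state, self.time_slice = state, EVENT_BY_EVENT

    def slices(self, events):
        if self.time_slice == EVENT_BY_EVENT:
            return [[e] for e in events]
        windows = defaultdict(list)
        for e in events:
            windows[e.ts // self.time_slice].append(e)
        return [windows[w] for w in sorted(windows)]

    def score(self, events):
        """Per-entity z-score of one slice: the mean of its k events against the standard
        error sd/sqrt(k), so a sustained small shift invisible per event shows in a window."""
        per_entity = defaultdict(list)
        for e in events:
            per_entity[e.entity].append(e.value)
        scores = {}
        for entity, xs in per_entity.items():
            sd = self.state.stddev(entity)
            if sd > 0:  # skip entities with no usable baseline yet
                scores[entity] = abs(sum(xs) / len(xs) - self.state.mean[entity]) / (sd / sqrt(len(xs)))
        return scores

    def train(self, events):
        for e in events:
            self.state.update(e.entity, e.value)

class AnomalyDecisionEngine:
    """Real-time or batch engine; they differ only in the time slice set on the shared model."""
    def __init__(self, mode, model, time_slice, threshold=3.0):
        self.mode, self.model, self.time_slice, self.threshold = mode, model, time_slice, threshold

    def run(self, events):
        self.model.time_slice = self.time_slice  # set the variable time slice parameter
        anomalies = []
        for sl in self.model.slices(events):
            scores = self.model.score(sl)
            flagged = {ent for ent, z in scores.items() if z >= self.threshold}
            anomalies += [{"mode": self.mode, "entity": ent, "score": round(scores[ent], 2),
                           "ts": sl[-1].ts} for ent in sorted(flagged)]
            # Assumed policy: train only on what scored normal, so a detected anomaly
            # does not redefine the entity's baseline in the shared state.
            self.model.train([e for e in sl if e.entity not in flagged])
        return anomalies

def threat_decision_engine(anomaly_data):
    """Aggregate anomaly data per entity; an entity flagged by both engines is escalated."""
    by_entity = defaultdict(list)
    for a in anomaly_data:
        by_entity[a["entity"]].append(a)
    return [{"entity": ent, "anomalies": len(items),
             "threat": {a["mode"] for a in items} == {"real-time", "batch"}}
            for ent, items in by_entity.items()]

def demo():
    hosts = ("ws-1", "ws-2")
    # Constructed baseline: 20 events per host alternating 900/1100 bytes, one per minute.
    baseline = [Event(60 * i, h, 900 if i % 2 else 1100) for i in range(20) for h in hosts]
    # First raw event data (live stream): baseline plus a single 5000-byte spike from ws-1.
    live = baseline + [Event(1200, "ws-1", 5000)]
    # Second raw event data (stored): hour 1 sustained 1150 bytes on both hosts (no single
    # event is a real-time outlier); hour 2 the normal alternating pattern returns.
    stored = [Event(3600 + 60 * i, h, 1150) for i in range(10) for h in hosts] + \
             [Event(7200 + 60 * i, h, 900 if i % 2 else 1100) for i in range(10) for h in hosts]
    shared = ModelState()
    model = AnomalyModel(shared)  # one model, one state object, used by both engines
    rt = AnomalyDecisionEngine("real-time", model, EVENT_BY_EVENT)
    batch = AnomalyDecisionEngine("batch", model, 3600)
    anomalies = rt.run(live) + batch.run(stored)
    return anomalies, threat_decision_engine(anomalies), shared
```

Running `demo()` shows the real-time engine catching only the spike, the batch engine catching the sustained shift on both hosts, and the batch engine's training on hour 2 raising the shared per-entity sample count that the real-time engine will use next.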
Regarding claim 2, the combination of Engel, Raugas and Shumpert discloses:
(Engel: [0074] In the following application the term “raw data” relates to packets, traffic data, flow data, logs, queries and network protocols; [0086] passive sensors such as network sensors 210 may collect and record network packets from the computer network 100 in FIG. 1. The network sensors 210 may extract relevant data for detecting attacks from the collected data; [0091] The network analyzer may parse received packets to extract relevant data in a structured format for each action such as: IP addresses, names of files, dates and the like; [0092] the condenser and duplication eliminator module 240 may transmit structured data (245) regarding actions to an association module 250. The association module 250 may associate the received structured data regarding actions in the computer network to an entity; [0095] a statistical modeling module 260 may receive structured data (255) regarding actions with associated entities for continuously building a statistical model of the computer network).
Regarding claim 3, the combination of Engel, Raugas and Shumpert discloses:
	The method as recited in claim 1, further comprising, prior to inputting the feature sets of event data to the real-time anomaly decision engine: receiving the first raw event data; and processing the first raw event data through an extract-transform-load (ETL) process to produce the feature sets of event data; wherein the detecting of the first network security anomaly is performed in real time as the raw event data are received by the ETL process (Engel: [0074] In the following application the term “raw data” relates to packets, traffic data, flow data, logs, queries and network protocols; [0086] passive sensors such as network sensors 210 may collect and record network packets from the computer network 100 in FIG. 1. The network sensors 210 may extract relevant data for detecting attacks from the collected data; [0091] The network analyzer may parse received packets to extract relevant data in a structured format for each action such as: IP addresses, names of files, dates and the like; [0092] the condenser and duplication eliminator module 240 may transmit structured data (245) regarding actions to an association module 250. The association module 250 may associate the received structured data regarding actions in the computer network to an entity; [0095] a statistical modeling module 260 may receive structured data (255) regarding actions with associated entities for continuously building a statistical model of the computer network; [0102] the anomalies are identified by one of the following: (i) comparing a single action in the computer network to the statistical model; and (ii) comparing a group of actions in the computer network to the statistical model).
Regarding claim 4, the combination of Engel, Raugas and Shumpert discloses:
	The method as recited in claim 1, further comprising continuously training the threat decision engine based on the anomaly data, concurrently with detecting the first network security anomaly or the second network security anomaly (Engel: [0095] a statistical modeling module 260 may receive structured data (255) regarding actions with associated entities for continuously building a statistical model of the computer network).
Regarding claim 5, the combination of Engel, Raugas and Shumpert discloses:
(Engel: [0124] the system may use machine learning algorithms to build a model for each user or service. The statistical model describes the normal behavior in generalized/aggregated terms; [0132] Statistical models may be built over time based on parameters of actions in the computer network or based on groups of parameters of actions in the computer network. The system may continuously receive data and may continuously update the statistical model quantitatively as well as qualitatively).
Regarding claim 6, the combination of Engel, Raugas and Shumpert discloses:
The method as recited in claim 1, wherein the first raw event data or second raw event data comprise timestamped machine data (Engel: [0132] Statistical models may be built over time based on parameters of actions in the computer network or based on groups of parameters of actions in the computer network. The system may continuously receive data and may continuously update the statistical model quantitatively as well as qualitatively; [0133] the statistical modeling module may maintain statistics of protocol and entities usage/pattern behavior over multiple time periods for each entity (stage 525). For example over the last hour, over the last day, last week, last month, or last year).
Regarding claim 7, the combination of Engel, Raugas and Shumpert discloses:
The method as recited in claim 1, further comprising: outputting at least a portion of the anomaly data via the user interface (Engel: [0101] According to other embodiments of the present invention, at least part of the training process may be performed manually. The notifications 285 may be sent to a manual inspection 297. The manual inspection 297 may determine if an action is false positive or not and the feedback (299) of the manual inspection may be sent to the statistical models database 265).
Regarding claim 8, the combination of Engel, Raugas and Shumpert discloses:
	The method as recited in claim 1, wherein the threat decision engine comprises a plurality of threat models (Engel: [0124] the system may use machine learning algorithms to build a model for each user or service. The statistical model describes the normal behavior in generalized/aggregated terms; [0132] Statistical models may be built over time based on parameters of actions in the computer network or based on groups of parameters of actions in the computer network. The system may continuously receive data and may continuously update the statistical model quantitatively as well as qualitatively).
Regarding claim 11, the combination of Engel, Raugas and Shumpert discloses:
The method as recited in claim 1, wherein the machine learning anomaly model includes processing logic defining a process for assigning an anomaly score based on the processing of the feature sets of event data or stored feature sets of event data, the anomaly score indicative of a particular category of anomalous activity on the computer network, the processing logic for the machine learning anomaly model configured based on the state of the machine learning anomaly model (Raugas: [0071] FIG. 2 depicts a block diagram of an exemplary system 200 in accordance with one or more embodiments, in which a plurality of machine learning models are applied to features from system 100. The scores from the machine learning models may be submitted to a fuser which generates a combined score. Block 210 depicts features, such as those discussed with respect to system 100. Blocks 225, 226, 227, and 228 depict one or more machine learning models from a plurality of machine learning models being applied to the features 210 and generating a set of scores, 235, 236, 237 and 238; [0072] scores from one or more machine learning models 225, 226, 227 and 228, or one or more fusers 240, may be combined and compared. The aforementioned combining of scores may comprise ranking the relative magnitude of the scores. For example, if score a>score a′, the computing resource associated with score a is more likely to host a malicious software program and/or more likely to host a malicious software program of a specific class).
Regarding claim 12, the combination of Engel, Raugas and Shumpert discloses:
The method as recited in claim 1, wherein detecting of the network security threat is performed in real time as the raw event data are received from the plurality of data sources (Engel: [0051] an anomaly detection module for online or batch detection of anomalies of actions associated with entities based on the statistical model).
Regarding claim 13, the combination of Engel, Raugas and Shumpert discloses:
The method as recited in claim 1, wherein the stored feature sets of event data are stored in a persistent storage system (Raugas: [0080] FIG. 5 depicts an exemplary architecture for implementing a computing device 500 in accordance with one or more embodiments, which may be used to implement any of the computing devices, or any other computer system or computing device component thereof; [0082] Storage device 550 may include a magnetic disk and/or optical disk and its corresponding drive for storing information and/or instructions).
Regarding claim 14, the combination of Engel, Raugas and Shumpert discloses:
Engel: [0103] anomalies can be detected by finding specific entities that differ in their behavior from the majority of other entities in the computer network which have similar functionality, or finding actions that differ from the majority of actions in their characteristics. This method works on a batch of data and detects the anomalies rather than compare a specific action to a model).
Regarding claim 15, the combination of Engel, Raugas and Shumpert discloses:
The method as recited in claim 1, wherein the machine learning anomaly model includes processing logic configured to detect lateral movement, communication by blacklisted entities, malware communications, and/or beacon activity (Raugas: [0028] Features 120 may be extracted from the sampled network traffic in block 140; See Feature set A through feature Q for teachings of lateral movement, communication by blacklisted entities, etc.).
Regarding claim 16, the combination of Engel, Raugas and Shumpert discloses:
The method as recited in claim 1, wherein: in the real-time processing mode: the machine learning anomaly model is continually trained as additional feature sets of event data are produced based on additional raw event data originating from the plurality of data sources on the computer network; and in the batch processing mode: the machine learning anomaly model is continually trained as additional feature sets of event data are stored (Engel: [0100] a training process is performed automatically over multiple time periods, performing statistical analysis of network actions at each period; [0103] anomalies can be detected by finding specific entities that differ in their behavior from the majority of other entities in the computer network which have similar functionality, or finding actions that differ from the majority of actions in their characteristics. This method works on a batch of data and detects the anomalies rather than compare a specific action to a model).
Regarding claim 20, the combination of Engel, Raugas and Shumpert discloses:
The method as recited in claim 1, wherein the detecting of the first network security anomaly, the detecting of the second network security anomaly, or the detecting of the network security threat are performed by using a data-parallel distributed processing engine (Engel: [0152] the decision engine module receives specific information on anomalies in the computer network (stage 710). Next, the decision engine module may be creating incidents by aggregating and clustering related anomalies based on specified parameters (stage 715); [0153] the decision engine module collects assisting information from people, software agents and/or based on company policy and predefined rules, for determining the ranking and severity of incidents (stage 725)).
Regarding claim 22, the combination of Engel, Raugas and Shumpert discloses:
The method as recited in claim 1, wherein the stored feature sets of event data are stored in a distributed file system (Engel: [0098] Data of the statistical models may be stored in a statistical models database 265).
Regarding claim 24, the combination of Engel, Raugas and Shumpert discloses:
Engel: [0098] The model may include actions behavior pattern for different time periods in different levels of detail; [0100] a training process is performed automatically over multiple time periods, performing statistical analysis of network actions at each period. The training process continues until a statistically significant stabilization of the statistical model is reached).
Regarding claim 25, Engel discloses:
A computer system comprising: 
a processor; and a memory having instructions stored thereon, which when executed by the processor cause the system to:
in a real-time detection mode: 
input, to a real-time (See [0021] i.e. online detection of anomalous network) anomaly decision engine ([0012] FIG. 6 illustrates an anomaly detection module), feature sets of event data (See [0082] i.e. sensors 110), the feature sets of event data produced based on first raw event data ([0088] the anomaly detection module 200 may receive raw data from one or more sensors) originating from a plurality of data sources on a computer network ([0014] The present invention discloses a method for detecting anomalous action within a computer network. The method comprises the steps of: [0021] online or batch detection of anomalous network actions associated with entities based on the statistical models; [0082] the sensors 110 may collect data from several places in the computer network 100 and after analysis of the collected data the sensors 110 may send the data to an anomaly detection module 175; [0088] the anomaly detection module 200 may receive raw data from one or more sensors); 
cause the real-time anomaly decision engine to detect a first network security anomaly, based on the feature sets of event data, in real time as the feature sets of event data are produced based on the raw event data ([0099] the anomaly detection module 270 receives information regarding actions in the computer network and identifies anomalous behavior by comparing actual network actions with the statistical model); and 
train, based on the feature sets of event data ([0100] According to some embodiments of the present invention, a training process is performed automatically over multiple time periods, performing statistical analysis of network actions at each period. The training process continues until a statistically significant stabilization of the statistical model is reached); 
in a batch detection mode: 
input, to a batch anomaly decision engine (See [0021] i.e. batch detection of anomalous network actions), stored feature sets of event data, the stored feature sets of event data based on second raw event data originating from the plurality of data sources on the computer network ([0014] The present invention discloses a method for detecting anomalous action within a computer network. The method comprises the steps of: [0021] online or batch detection of anomalous network actions associated with entities based on the statistical models; [0103] anomalies can be detected by finding specific entities that differ in their behavior from the majority of other entities in the computer network which have similar functionality, or finding actions that differ from the majority of actions in their characteristics. This method works on a batch of data and detects the anomalies rather than compare a specific action to a model; [0128] According to some embodiments of the present invention, statistical modeling module may begin with receiving detailed entities actions related data including identity of entity over time from the association module activity (stage 510); [0150] anomalies can be detected by finding specific entities that differ in their behavior from the majority of other entities in the computer network, or finding actions that differ from the majority of actions in their characteristics and their associated entities (stage 630). This method works on a batch of data and detects the anomalies between entities or actions rather than compare a specific action to a model); 
cause the batch anomaly decision engine to detect a second network security anomaly, by using the machine learning anomaly model, based on the stored feature sets of event data ([0099] the anomaly detection module 270 receives information regarding actions in the computer network and identifies anomalous behavior by comparing actual network actions with the statistical model); and 
train based on the stored feature sets of event data ([0100] According to some embodiments of the present invention, a training process is performed automatically over multiple time periods, performing statistical analysis of network actions at each period. The training process continues until a statistically significant stabilization of the statistical model is reached); 
output, to a threat decision engine, anomaly data indicative of the first network security anomaly and the second network security anomaly ([0099] The anomalies may be sent to a decision engine 280. The purpose of the decision engine 280 is to aggregate relevant anomalies together and create incidents); 
cause the threat decision engine to detect, based on the anomaly data, a network security threat ([0104] According to other embodiments of the present invention, the decision engine 280, may analyze several anomaly actions and generate incidents/alerts based on identified anomalies according to predefined rules); and 
cause output, via a user interface, of threat data indicative of the network security threat ([0101] The notifications 285 may be sent to a manual inspection 297. The manual inspection 297 may determine if an action is false positive or not and the feedback (299) of the manual inspection may be sent to the statistical models database 265);
wherein detecting the first network security anomaly, detecting the second network security anomaly or detecting the network security threat is performed by using a task-parallel distributed processing engine (see FIG. 7; [0152] According to some embodiments of the present invention, the decision engine module receives specific information on anomalies in the computer network (stage 710). Next, the decision engine module may be creating incidents by aggregating and clustering related anomalies based on specified parameters (stage 715) and then analyzing and ranking the incidents (stage 720)). 
Engel fails to disclose:
	wherein the batch anomaly decision engine sets the variable time slice parameter associated with the machine learning anomaly model to a time period length that is greater than event-by-event; using a machine learning anomaly model to train; wherein the machine learning anomaly model is configured to process a variable time slice of data to produce a score indicative of a detected anomaly, and wherein the real-time anomaly decision engine sets the variable time slice parameter associated with the machine learning anomaly model to event-by-event.
However, Raugas discloses:
wherein the batch [sample network traffic] anomaly decision engine sets the variable time slice parameter associated with the machine learning anomaly model to a time period length that is greater than event-by-event (Abstract: A network may be monitored for a configured time interval collecting all of or some of the network traffic or samples of the network traffic; [0006] Systems and methods are described to detect malware in a computer network using supervised machine learning techniques. Network traffic may be sampled for a configurable time window. Features may be extracted from the network traffic samples. One or more machine learning models may be applied to the features generating a score representing some probability that malware exists on a particular networked device in the network; [0027] Network traffic may be monitored by monitoring device 135 during a time configurable time interval. The time interval may be specified in a configuration file, by an administrator, or by a user, and may correspond to the window over which feature vectors are constructed; [0028] Features 120 may be extracted from the sampled network traffic [this is construed as batch data] in block 140. The features may be configured and handled as individual items, as a part of feature sets, or any combination thereof. Features may include any or several network statistics. In one or more embodiments, features may comprise only a subset of monitored or examined network data computed during the configurable time interval (“window”));
using a machine learning anomaly model to train ([0020] A system, method, medium, or computer based product may provide tools for real-time detection and classification of advanced malware using supervised machine learning; [0022] Using one or more methods of feature extraction, the network samples may be prepared for scoring. Subsequently, a specific machine learning algorithm may use models trained a priori against specific and/or known classes of malware; [0065] In one embodiment of this invention, the training process may include generation of statistics associated with the accuracy and performance of the Machine Learning Model wherein the statistics may include the statistical means of the predicted output scores for positive and negative samples; [0067] At least one machine learning model 125 is applied to the features 145, thereby generating score 130, wherein the score indicates the likelihood of malware being present in a host or network device in network 10);
wherein the machine learning anomaly model is configured to process a variable time slice of data to produce a score indicative of a detected anomaly, and wherein the real-time anomaly decision engine sets the variable time slice parameter associated with the machine learning anomaly model to event-by-event (See Abstract: Methods, system, and media for detecting malware are disclosed. A network may be monitored for a configured time interval collecting all of or some of the network traffic or samples of the network traffic; [0027] Network traffic may be monitored by monitoring device 135 during a time configurable time interval. The time interval may be specified in a configuration file, by an administrator, or by a user, and may correspond to the window over which feature vectors are constructed; [0028] In one or more embodiments, features may comprise only a subset of monitored or examined network data computed during the configurable time interval (“window”); Raugas further teaches the “event-by-event” claim element as a “feature set”, which is disclosed through paragraphs [0029-0063], in which different features of network data are extracted by machine learning models to produce scores);
data source associated with the machine learning anomaly model to a time period length that is greater than event-by-event ([0067] At least one machine learning model 125 is applied to the features 145 … scoring network traffic based on similarity to malicious behavior associated with specific classes of malware; and combining the scores from multiple concurrent models to produce a normalized, comparable score associated with the time interval using support vector machines and Bayesian networks);
wherein the threat decision engine comprises a plurality of machine learning threat models, each including logic to detect a different type of threat ([0068] In one embodiment, a machine learning model 125 may include a set of supervised learning algorithms, such as Boosted Decision Trees, Support Vector Machines, and Gaussian Mixture Models. One or more of a plurality of machine learning models may be specified as part of a predefined configuration or may be specified by a user; [0071] FIG. 2 depicts a block diagram of an exemplary system 200 in accordance with one or more embodiments, in which a plurality of machine learning models are applied to features from system 100 … Block 210 depicts features, such as those discussed with respect to system 100. Blocks 225, 226, 227, and 228 depict one or more machine learning models from a plurality of machine learning models being applied to the features 210).

	The motivation to detect anomalies and malware through machine learning models is to efficiently evaluate and analyze data from different aspects. 
The combination of Engel and Raugas fails to disclose:
wherein training the machine learning anomaly model updates a model state of the machine learning anomaly model, and wherein the model state of the machine learning anomaly model is shared between the real-time anomaly decision engine and the batch anomaly decision engine.
However, Shumpert discloses:
	wherein training the machine learning anomaly model updates a model state of the machine learning anomaly model, and wherein the model state of the machine learning anomaly model is shared between the real-time anomaly decision engine (See [0057] i.e. unsupervised learning approaches) and the batch anomaly decision engine (See [0057] i.e. supervised learning approaches) ([0031] Certain example embodiments also assume that the data source (e.g., sensor data) is always live and, thus, it is assumed that there is never an offline period for performing traditional batch machine learning. Therefore, certain example embodiments begin with unlabeled data only and learn the labels as they go, with the incremental help of human experts. As seen in FIG. 3, certain example embodiments begin reading live engine sensor data right away (step S302) and train a shared model incrementally (step S304), thus avoiding the delayed response typical of prior and current systems. The resulting model is able to detect and recognize repeat problems (step S306), while still discovering new problems and routing them to domain experts for review (step S308) and knowledge capture (step S310). And the model may adapt to changing operating conditions automatically as the engine ages. Over time, the initially empty knowledgebase may grow to cover additional (and potentially all) possible engine issues, and the need for a domain expert, as required by unsupervised learning approaches of prior and current systems, accordingly may fade away; [0057] Thus, the supervised prediction technique will quickly begin detecting and providing guidance for repeat problems, while the unsupervised prediction technique will continue to be on the lookout for new problems. The complementary nature of the two predictive methods using a shared model is a technical advantage of certain example embodiments because it improves detection performance and accuracy while reducing development time. Indeed, it will be appreciated that it can be quite difficult to define a single model that can support both modes of prediction in a continuous, incremental learning approach without any batch training data; [0116] the shared model of certain example embodiments—the clusters and their classes—blends both unsupervised techniques (steps 2 a, 3 a, and 3 d) and supervised techniques (steps 3 b and 3 c) at the same time with each new instance of sensor data).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the references of Engel and Raugas to include a shared anomaly detection model, as disclosed by Shumpert.
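The arrangement examined in claim 25, as an added example that is not code from the application or from Engel, Raugas or Shumpert: one model state shared by a real-time engine whose time slice is event-by-event and a batch engine whose time slice is a window of several events, with a threat decision engine aggregating both engines' anomaly data. All names, the z-score model standing in for the machine learning anomaly model, and the sample events are constructed for this illustration.

```python
"""Real-time and batch anomaly engines sharing one model state (added example)."""
from dataclasses import dataclass, field
import math

EVENT_BY_EVENT = 1  # time slice value the real-time engine uses


@dataclass
class EntityStats:
    """Welford running mean/variance of one feature for one entity (constructed)."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def stddev(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


@dataclass
class SharedAnomalyModel:
    """Model state shared by both engines; training by either engine mutates it."""
    state: dict = field(default_factory=dict)
    time_slice: int = EVENT_BY_EVENT  # the variable time slice parameter
    threshold: float = 3.0            # z-score above which a slice is anomalous

    def score(self, entity: str, values: list) -> float:
        """Score one slice of k events: slice mean vs. baseline, using the
        standard error stddev/sqrt(k), so one state serves k == 1 and k > 1."""
        s = self.state.get(entity)
        if s is None or s.n < 2 or s.stddev() == 0.0:
            return 0.0  # too little history to call anything anomalous
        k = len(values)
        return abs(sum(values) / k - s.mean) / (s.stddev() / math.sqrt(k))

    def train(self, entity: str, values: list) -> None:
        stats = self.state.setdefault(entity, EntityStats())
        for v in values:
            stats.update(v)


def run_engine(model: SharedAnomalyModel, mode: str, events, window: int):
    """Score each entity's events in slices of `window`; train on benign slices."""
    model.time_slice = window
    per_entity: dict = {}
    for entity, value in events:  # arrival order is kept within each entity
        per_entity.setdefault(entity, []).append(value)
    anomalies = []
    for entity, values in per_entity.items():
        for i in range(0, len(values), window):
            chunk = values[i:i + window]
            z = model.score(entity, chunk)
            if z > model.threshold:
                anomalies.append((mode, entity, z))
            else:
                model.train(entity, chunk)  # keep outliers from shifting the baseline
    return anomalies


def realtime_engine(model, events):
    """Real-time detection mode: time slice parameter set to event-by-event."""
    return run_engine(model, "realtime", events, EVENT_BY_EVENT)


def batch_engine(model, stored_events, window):
    """Batch detection mode: time slice parameter set to a longer period."""
    assert window > EVENT_BY_EVENT, "batch time slice must exceed event-by-event"
    return run_engine(model, "batch", stored_events, window)


def threat_decision_engine(anomalies):
    """Aggregate anomaly data into incidents: entities flagged in both modes."""
    modes: dict = {}
    for mode, entity, _ in anomalies:
        modes.setdefault(entity, set()).add(mode)
    return sorted(e for e, m in modes.items() if {"realtime", "batch"} <= m)


# Constructed sample data: bytes sent per connection by hosts h1 and h2.
LIVE_EVENTS = ([("h1", v) for v in (100, 102, 98, 101, 99, 100, 102, 98)]
               + [("h2", v) for v in (50, 52, 48, 51, 49, 50)] + [("h1", 400)])
STORED_EVENTS = [("h1", 103), ("h2", 50), ("h1", 104), ("h2", 49),
                 ("h1", 103), ("h2", 51), ("h1", 104), ("h2", 50)]


def demo():
    model = SharedAnomalyModel()
    live = realtime_engine(model, LIVE_EVENTS)            # flags h1's 400-byte spike
    batch = batch_engine(model, STORED_EVENTS, window=4)  # flags h1's +3.5 shift
    event_wise = realtime_engine(model, STORED_EVENTS)    # same data, nothing flagged
    return {"realtime": live, "batch": batch, "event_wise": event_wise,
            "incidents": threat_decision_engine(live + batch),
            "h1_events_trained": model.state["h1"].n}
```

The stored events scored event by event stay under the threshold; the sustained shift only becomes visible at the longer time slice, which is the practical reason for running both modes against one shared baseline.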

Regarding claim 26, the combination of Engel, Raugas and Shumpert discloses:
The computer system as recited in claim 25: wherein the threat decision engine comprises a plurality of threat models (Engel: [0124] the system may use machine learning algorithms to build a model for each user or service. The statistical model describes the normal behavior in generalized/aggregated terms; [0132] Statistical models may be built over time based on parameters of actions in the computer network or based on groups of parameters of actions in the computer network. The system may continuously receive data and may continuously update the statistical model quantitatively as well as qualitatively).
Regarding claim 27, the combination of Engel, Raugas and Shumpert discloses:
The computer system as recited in claim 25, wherein the machine learning anomaly model includes processing logic configured to detect lateral movement, communication by blacklisted entities, malware communications, and/or beacon activity (Raugas: [0028] Features 120 may be extracted from the sampled network traffic in block 140; See Feature set A through feature Q for teachings of lateral movement, communication by blacklisted entities, etc.).
Regarding claim 28, Engel discloses:
A non-transitory machine-readable storage medium for use in a processing system, the non-transitory machine-readable storage medium storing instructions, an execution of which in the processing system causes the processing system to perform operations comprising:
in a real-time detection mode: 
	inputting, to a real-time (See [0021] i.e. online detection of anomalous network) anomaly decision engine ([0012] FIG. 6 illustrates an anomaly detection module), feature sets of event data (See [0082] i.e. sensors 110), the feature sets of event data produced based on first raw event data ([0088] the anomaly detection module 200 may receive raw data from one or more sensors) originating from a plurality of data sources on a computer network ([0014] The present invention discloses a method for detecting anomalous action within a computer network. The method comprises the steps of: [0021] online or batch detection of anomalous network actions associated with entities based on the statistical models; [0082] the sensors 110 may collect data from several places in the computer network 100 and after analysis of the collected data the sensors 110 may send the data to an anomaly detection module 175; [0088] the anomaly detection module 200 may receive raw data from one or more sensors); 
causing the real-time anomaly decision engine to detect a first network security anomaly, based on the feature sets of event data, in real time as the feature sets of event data are produced based on the raw event data ([0099] the anomaly detection module 270 receives information regarding actions in the computer network and identifies anomalous behavior by comparing actual network actions with the statistical model); and 
training, based on the feature sets of event data ([0100] According to some embodiments of the present invention, a training process is performed automatically over multiple time periods, performing statistical analysis of network actions at each period. The training process continues until a statistically significant stabilization of the statistical model is reached); 
in a batch detection mode: 
inputting, to a batch anomaly decision engine (See [0021] i.e. batch detection of anomalous network actions), stored feature sets of event data, the stored feature sets of event data based on second raw event data originating from the plurality of data sources on the computer network ([0014] The present invention discloses a method for detecting anomalous action within a computer network. The method comprises the steps of: [0021] online or batch detection of anomalous network actions associated with entities based on the statistical models; [0103] anomalies can be detected by finding specific entities that differ in their behavior from the majority of other entities in the computer network which have similar functionality, or finding actions that differ from the majority of actions in their characteristics. This method works on a batch of data and detects the anomalies rather than compare a specific action to a model; [0128] According to some embodiments of the present invention, statistical modeling module may begin with receiving detailed entities actions related data including identity of entity over time from the association module activity (stage 510); [0150] anomalies can be detected by finding specific entities that differ in their behavior from the majority of other entities in the computer network, or finding actions that differ from the majority of actions in their characteristics and their associated entities (stage 630). This method works on a batch of data and detects the anomalies between entities or actions rather than compare a specific action to a model); 
causing the batch anomaly decision engine to detect a second network security anomaly, by using the machine learning anomaly model, based on the stored feature sets of event data ([0099] the anomaly detection module 270 receives information regarding actions in the computer network and identifies anomalous behavior by comparing actual network actions with the statistical model); and 
training based on the stored feature sets of event data ([0100] According to some embodiments of the present invention, a training process is performed automatically over multiple time periods, performing statistical analysis of network actions at each period. The training process continues until a statistically significant stabilization of the statistical model is reached); 
outputting, to a threat decision engine, anomaly data indicative of the first network security anomaly and the second network security anomaly ([0099] The anomalies may be sent to a decision engine 280. The purpose of the decision engine 280 is to aggregate relevant anomalies together and create incidents); 
causing the threat decision engine to detect, based on the anomaly data, a network security threat ([0104] According to other embodiments of the present invention, the decision engine 280, may analyze several anomaly actions and generate incidents/alerts based on identified anomalies according to predefined rules); and 
causing output, via a user interface, of threat data indicative of the network security threat ([0101] The notifications 285 may be sent to a manual inspection 297. The manual inspection 297 may determine if an action is false positive or not and the feedback (299) of the manual inspection may be sent to the statistical models database 265);
wherein detecting the first network security anomaly, detecting the second network security anomaly or detecting the network security threat is performed by using a task-parallel distributed processing engine (see FIG. 7; [0152] According to some embodiments of the present invention, the decision engine module receives specific information on anomalies in the computer network (stage 710). Next, the decision engine module may be creating incidents by aggregating and clustering related anomalies based on specified parameters (stage 715) and then analyzing and ranking the incidents (stage 720)). 
Engel fails to disclose:
	wherein the batch anomaly decision engine sets the variable time slice parameter associated with the machine learning anomaly model to a time period length that is greater than event-by-event; using a machine learning anomaly model to train; wherein the machine learning anomaly model is configured to process a variable time slice of data to produce a score indicative of a detected anomaly, and wherein the real-time anomaly decision engine sets the variable time slice parameter associated with the machine learning anomaly model to event-by-event; data source associated with the machine learning anomaly model to a time period length that is greater than event-by-event; wherein the threat decision engine comprises a plurality of machine learning threat models, each including logic to detect a different type of threat.
However, Raugas discloses:
wherein the batch [sample network traffic] anomaly decision engine sets the variable time slice parameter associated with the machine learning anomaly model to a time period length that is greater than event-by-event (Abstract: A network may be monitored for a configured time interval collecting all of or some of the network traffic or samples of the network traffic; [0006] Systems and methods are described to detect malware in a computer network using supervised machine learning techniques. Network traffic may be sampled for a configurable time window. Features may be extracted from the network traffic samples. One or more machine learning models may be applied to the features generating a score representing some probability that malware exists on a particular networked device in the network; [0027] Network traffic may be monitored by monitoring device 135 during a time configurable time interval. The time interval may be specified in a configuration file, by an administrator, or by a user, and may correspond to the window over which feature vectors are constructed; [0028] Features 120 may be extracted from the sampled network traffic [this is construed as batch data] in block 140. The features may be configured and handled as individual items, as a part of feature sets, or any combination thereof. Features may include any or several network statistics. In one or more embodiments, features may comprise only a subset of monitored or examined network data computed during the configurable time interval (“window”));
using a machine learning anomaly model to train ([0020] A system, method, medium, or computer based product may provide tools for real-time detection and classification of advanced malware using supervised machine learning; [0022] Using one or more methods of feature extraction, the network samples may be prepared for scoring. Subsequently, a specific machine learning algorithm may use models trained a priori against specific and/or known classes of malware; [0065] In one embodiment of this invention, the training process may include generation of statistics associated with the accuracy and performance of the Machine Learning Model wherein the statistics may include the statistical means of the predicted output scores for positive and negative samples; [0067] At least one machine learning model 125 is applied to the features 145, thereby generating score 130, wherein the score indicates the likelihood of malware being present in a host or network device in network 10);
wherein the machine learning anomaly model is configured to process a variable time slice of data to produce a score indicative of a detected anomaly, and wherein the real-time anomaly decision engine sets the variable time slice parameter associated with the machine learning anomaly model to event-by-event (See Abstract: Methods, system, and media for detecting malware are disclosed. A network may be monitored for a configured time interval collecting all of or some of the network traffic or samples of the network traffic; [0027] Network traffic may be monitored by monitoring device 135 during a time configurable time interval. The time interval may be specified in a configuration file, by an administrator, or by a user, and may correspond to the window over which feature vectors are constructed; [0028] In one or more embodiments, features may comprise only a subset of monitored or examined network data computed during the configurable time interval (“window”); Raugas further teaches the “event-by-event” claim element as a “feature set”, which is disclosed through paragraphs [0029-0063], in which different features of network data are extracted by machine learning models to produce scores);
data source associated with the machine learning anomaly model to a time period length that is greater than event-by-event ([0067] At least one machine learning model 125 is applied to the features 145 … scoring network traffic based on similarity to malicious behavior associated with specific classes of malware; and combining the scores from multiple concurrent models to produce a normalized, comparable score associated with the time interval using support vector machines and Bayesian networks);
wherein the threat decision engine comprises a plurality of machine learning threat models, each including logic to detect a different type of threat ([0068] In one embodiment, a machine learning model 125 may include a set of supervised learning algorithms, such as Boosted Decision Trees, Support Vector Machines, and Gaussian Mixture Models. One or more of a plurality of machine learning models may be specified as part of a predefined configuration or may be specified by a user; [0071] FIG. 2 depicts a block diagram of an exemplary system 200 in accordance with one or more embodiments, in which a plurality of machine learning models are applied to features from system 100 … Block 210 depicts features, such as those discussed with respect to system 100. Blocks 225, 226, 227, and 228 depict one or more machine learning models from a plurality of machine learning models being applied to the features 210).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the reference of Engel and deploy machine learning model techniques to detect anomalies and malware, as disclosed by Raugas.
	The motivation to detect anomalies and malware through machine learning models is to efficiently evaluate and analyze data from different aspects. 
The combination of Engel and Raugas fails to disclose:
wherein training the machine learning anomaly model updates a model state of the machine learning anomaly model, and wherein the model state of the machine learning anomaly model is shared between the real-time anomaly decision engine and the batch anomaly decision engine.
However, Shumpert discloses:
	wherein training the machine learning anomaly model updates a model state of the machine learning anomaly model, and wherein the model state of the machine learning anomaly model is shared between the real-time anomaly decision engine (See [0057] i.e. unsupervised learning approaches) and the batch anomaly decision engine (See [0057] i.e. supervised learning approaches) ([0031] Certain example embodiments also assume that the data source (e.g., sensor data) is always live and, thus, it is assumed that there is never an offline period for performing traditional batch machine learning. Therefore, certain example embodiments begin with unlabeled data only and learn the labels as they go, with the incremental help of human experts. As seen in FIG. 3, certain example embodiments begin reading live engine sensor data right away (step S302) and train a shared model incrementally (step S304), thus avoiding the delayed response typical of prior and current systems. The resulting model is able to detect and recognize repeat problems (step S306), while still discovering new problems and routing them to domain experts for review (step S308) and knowledge capture (step S310). And the model may adapt to changing operating conditions automatically as the engine ages. Over time, the initially empty knowledgebase may grow to cover additional (and potentially all) possible engine issues, and the need for a domain expert, as required by unsupervised learning approaches of prior and current systems, accordingly may fade away; [0057] Thus, the supervised prediction technique will quickly begin detecting and providing guidance for repeat problems, while the unsupervised prediction technique will continue to be on the lookout for new problems. The complementary nature of the two predictive methods using a shared model is a technical advantage of certain example embodiments because it improves detection performance and accuracy while reducing development time. Indeed, it will be appreciated that it can be quite difficult to define a single model that can support both modes of prediction in a continuous, incremental learning approach without any batch training data; [0116] the shared model of certain example embodiments—the clusters and their classes—blends both unsupervised techniques (steps 2a, 3a, and 3d) and supervised techniques (steps 3b and 3c) at the same time with each new instance of sensor data).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the references of Engel and Raugas and include a shared anomaly detection model, as disclosed by Shumpert.
	The motivation to include a shared anomaly detection model is to train the machine learning model with updated features from both online and batch monitoring of feature sets and to increase the knowledgebase of the anomaly decision engine.
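The architecture the claim recites, one anomaly model whose time slice parameter is set to event-by-event by the real-time engine and to a longer period by the batch engine, with training updating a model state that both engines share, as an added Python illustration; it is not code from the application or from any cited reference, and the bytes-per-event feature, the Welford running baseline, the z-score and the threshold of 4.0 are assumptions chosen for the illustration:

```python
import math
from dataclasses import dataclass

@dataclass
class ModelState:  # shared by both engines; training updates it incrementally (Welford)
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0
    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

class AnomalyModel:  # time_slice: 0 = event-by-event, otherwise a period in seconds
    def __init__(self, state: ModelState, threshold: float = 4.0):
        self.state, self.threshold, self.time_slice = state, threshold, 0
    def slices(self, events):  # split the stream according to time_slice
        if self.time_slice == 0:
            return [[e] for e in events]
        windows = {}
        for e in events:
            windows.setdefault(e["t"] // self.time_slice, []).append(e)
        return [windows[k] for k in sorted(windows)]
    def score(self, events) -> float:  # z-score of the slice mean vs shared baseline;
        st = self.state                # sqrt(n) lets a long slice expose a small shift
        if st.n < 5:
            return 0.0  # baseline not established yet
        sd = math.sqrt(st.m2 / (st.n - 1))
        slice_mean = sum(e["bytes"] for e in events) / len(events)
        return (slice_mean - st.mean) / (sd / math.sqrt(len(events))) if sd else 0.0
    def detect_and_train(self, events) -> bool:
        hit = abs(self.score(events)) > self.threshold
        if not hit:  # only normal-looking slices update the shared state
            for e in events:
                self.state.update(e["bytes"])
        return hit

def detect(model, events, time_slice):  # an engine sets the slice, then scores and trains
    model.time_slice = time_slice
    return [s[0]["t"] for s in model.slices(events) if model.detect_and_train(s)]

def run_demo():
    model = AnomalyModel(ModelState())  # one state object shared by both engines
    live = [{"t": i, "bytes": 950 if i % 2 == 0 else 1050} for i in range(20)]  # constructed
    live.append({"t": 20, "bytes": 5000})  # constructed spike event
    rt_hits = detect(model, live, 0)  # real-time engine: event-by-event
    later = [{"t": 60 + i, "bytes": 1050} for i in range(30)]  # constructed, slightly high
    single = abs(model.score([later[0]]))  # each event alone is within baseline
    return rt_hits, detect(model, later, 60), single  # batch engine: 60 s slices
```

The event-by-event slice catches the single large spike, while the 60-second slice catches a sustained small shift that no individual event exposes, and both verdicts are scored against the same baseline state.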
Regarding claim 29, the combination of Engel, Raugas and Shumpert discloses:
The non-transitory machine-readable storage medium as recited in claim 28: wherein the threat decision engine comprises a plurality of threat models (Engel: [0124] the system may use machine learning algorithms to build a model for each user or service. The statistical model describes the normal behavior in generalized/aggregated terms; [0132] Statistical models may be built over time based on parameters of actions in the computer network or based on groups of parameters of actions in the computer network. The system may continuously receive data and may continuously update the statistical model quantitatively as well as qualitatively).
Regarding claim 30, the combination of Engel, Raugas and Shumpert discloses:
Raugas: [0028] Features 120 may be extracted from the sampled network traffic in block 140; See Feature set A through feature set Q for teachings of lateral movement, communication by blacklisted entities, etc.).
Regarding claim 31, the combination of Engel, Raugas and Shumpert discloses:
The method as recited in claim 1, wherein the stored feature sets of event data are stored in a persistent storage system (Raugas: [0080] FIG. 5 depicts an exemplary architecture for implementing a computing device 500 in accordance with one or more embodiments, which may be used to implement any of the computing devices, or any other computer system or computing device component thereof; [0082] Storage device 550 may include a magnetic disk and/or optical disk and its corresponding drive for storing information and/or instructions).

Claims 19, 21 and 23 are rejected under 35 U.S.C. § 103 as being unpatentable over Engel et al., (US20140165207A1) in view of Raugas et al., (US20150128263A1) in view of Shumpert et al., (US20160342903A1) and further in view of Cohen et al., (US20150273693A1).
Regarding claim 19, the combination of Engel, Raugas & Shumpert fails to disclose:
	The method as recited in claim 1, wherein the detecting of the first network security anomaly, the detecting of the second network security anomaly, and/or the detecting of the network security threat are performed by using Apache Storm or Apache Spark Streaming.
However, Cohen discloses:
	wherein the detecting of the first network security anomaly, the detecting of the second network security anomaly, and/or the detecting of the network security threat are performed by using Apache Storm or Apache Spark Streaming ([0052] In some embodiments of the invention, clients 330 or servers 320 (or both) may make use of one or more specialized services or appliances that may be deployed locally or remotely across one or more networks 310. For example, one or more databases 340 may be used or referred to by one or more embodiments of the invention. It should be understood by one having ordinary skill in the art that databases 340 may be arranged in a wide variety of architectures and using a wide variety of data access and manipulation means. For example, in various embodiments one or more databases 340 may comprise a relational database system using a structured query language (SQL), while others may comprise an alternative data storage technology such as those referred to in the art as “NoSQL” (for example, Hadoop/HDFS, Apache Spark, hBase, MongoDB, Cassandra, Google BIGTABLE™, and so forth)).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the system and method of Engel, Raugas & Shumpert and utilize Apache Spark or the Hadoop Distributed File System (HDFS) to achieve faster database access in order to detect and prevent anomalies and threats in a computer network, as taught by Cohen.

Regarding claim 21, the combination of Engel, Raugas & Shumpert fails to disclose:
	The method as recited in claim 1, wherein the detecting of the first network security anomaly, the detecting of the second network security anomaly, and/or the detecting of the network security threat are performed by using Apache Spark.
However, Cohen discloses:
the detecting of the first network security anomaly, the detecting of the second network security anomaly, and/or the detecting of the network security threat are performed by using Apache Spark ([0052] various embodiments one or more databases 340 may comprise a relational database system using a structured query language (SQL), while others may comprise an alternative data storage technology such as those referred to in the art as “NoSQL” (for example, Hadoop/HDFS, Apache Spark, hBase, MongoDB, Cassandra, Google BIGTABLE™, and so forth)).
Regarding claim 23, the combination of Engel, Raugas & Shumpert fails to disclose:
	The method as recited in claim 1, wherein the stored feature sets of event data are stored in a Hadoop Distributed File System (HDFS).
However, Cohen discloses:
([0052] various embodiments one or more databases 340 may comprise a relational database system using a structured query language (SQL), while others may comprise an alternative data storage technology such as those referred to in the art as “NoSQL” (for example, Hadoop/HDFS, Apache Spark, hBase, MongoDB, Cassandra, Google BIGTABLE™, and so forth)).

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432

/S.M.A./Patent Examiner, Art Unit 2432