Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5, 7-13, 15, 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu (US 2017/0063894) in view of Murthy (US 2009/0259664) and Chari (US 2017/0061322).
Muddu discloses
1, 10, 11. A method for validating unsupervised machine learning models, (“the models used to generate the anomaly scores are machine-learning (both supervised and unsupervised”, 0618) comprising:
analyzing, via unsupervised machine learning, a plurality of sensory inputs associated with a machine (sensing electrical signals, packet data or machine data, “machine data can be more than mere logs--it can include configurations, data from APIs, sensor data from industrial systems”, 0189;
“Examples of components that may generate machine data from which events can be derived include: web servers, application servers, databases, firewalls, routers, operating systems, and software applications that execute on computer systems, mobile devices, sensors, Internet of Things (IoT) devices, etc. The data generated by such data sources can include, for example, server log files, activity log files, configuration files, messages, network packet data, performance measurements, sensor measurements, etc., which are indicative of performance or operation of a computing system in an information technology environment”, 0135), wherein the unsupervised machine learning outputs at least one normal behavior pattern of the machine (anomalies are rare and normal good data is common, “hundreds of millions of packets of incoming event data from various data sources may be analyzed to yield 100 anomalies, which may be further analyzed to yield 10 threat indicators, which may again be further analyzed to yield one or two threats”, 0149;
“FIG. 82 shows a table listing example thresholds and/or parameters of a rarity criterion for various example events that can be used for determining whether an event is anomalous”, 0130; “If the variation is more than insignificant, the threshold for which may be dynamically or statically defined, an anomaly may be considered to be detected. The comparison may be based on any of various techniques, for example, time-series analysis (e.g., number of log-ins per hour), machine learning, or graphical analysis (e.g., in the case of security graphs or security graph projections). Preferably, this detection is performed by various machine learning mod”, 0186); 
Generating (does not specify who or what performs the generating), based on the at least one normal behavior pattern, at least one artificial anomaly, wherein each artificial anomaly deviates from the at least one normal behavior pattern; 
injecting the at least one artificial (see below) anomaly into the plurality of sensory inputs to create an artificial dataset (machines, processors, and/or humans can create anomalies and inject/input them, either unintentionally or as testing/training data “As shown in FIG. 32A, anomaly 1 is detected based on processing of event data 2302 through anomaly model 1. Anomaly 1 is then input into anomaly model 2 for processing”, 0392); and 
analyzing the artificial dataset to determine whether a candidate model is a valid representation of operation of the machine, wherein analyzing the artificial dataset further comprises running the candidate model using the artificial dataset as an input (data and models are analyzed and compared against thresholds “FIG. 82 shows a table listing example thresholds and/or parameters of a rarity criterion for various example events that can be used for determining whether an event is anomalous”, 0130; deliberating, “model deliberation process thread generates a security-related conclusion based on the score. The security-related conclusion can identify the event or the sequence of events corresponding to the time slice as a security-related anomaly, threat indicator or threat. In one example, the model deliberation process compares the score against a constant threshold and makes the security-related conclusion based on the comparison. In another example, the model deliberation process compares the score against a dynamically updated baseline (e.g., statistical baseline) and makes the security-related conclusion based on the comparison”, 0317; using scoring 0361 and thresholds 0365).
Rather than argue that an “artificial anomaly” merely reads on any anomaly or e.g., a false positive anomaly, the examiner takes the position that Muddu fails to particularly call for injecting the at least one artificial anomaly as well as validating unsupervised machine learning models.
Chari teaches generating artificial anomalies (“Because anomalous samples are not readily available as input samples for developing the classifier for the target user 110, the present invention will utilize at least some of the normal data samples from other users 120, 130 who also access and use the same anomalous samples”, 0014, 0063).
Murthy teaches validating unsupervised machine learning models (“model validation tool and a model execution tool”, abstract; “Model deployment may occur in what is called the production environment and involves testing the accuracy of the model against customer data to determine if the model contains any bugs and if the model achieves the expected results. Model deployment may involve actual customer scoring”, 0032).
It would have been obvious to combine the references before the effective filing date because they are in the same field of endeavor and injecting both good and bad test data or anomaly data allows scoring a model on both normal and abnormal data.
2, 12. The method of claim 1, further comprising: determining, based on the analysis of the artificial dataset, a score representing an accuracy of the candidate model in detecting anomalies, wherein the candidate model is valid when the determined score is above a predetermined threshold (data and models are analyzed and compared against thresholds “FIG. 82 shows a table listing example thresholds and/or parameters of a rarity criterion for various example events that can be used for determining whether an event is anomalous”, 0130; 0365).
3, 13. The method of claim 1, further comprising: selecting a new model, when it is determined that the candidate model is not valid (reads on training and retraining models because as a model is retrained it can be said to be a different model, “the model training process thread continuously retrains the model state as the group-specific data stream provides additional event feature sets”, 0314; “The ML-based CEP engine 1500 can implement multiple machine learning models of the same model type. For example, a model type can define a workflow for entity-specific models to be trained and applied. In this example, the ML-based CEP engine 1500 trains as many models of the model type as there are known entities.”, 0291; “One or more model states stored in the model store 1532 represent the machine learning model 1600. If the ML-based CEP engine 1500 trains and applies a single version of the machine learning model 1600, then a single model state represents the machine learning model 1600”, 0294;
“The model state is representative of a machine learning model or at least a version of a machine learning model (when there are multiple versions).”, 0296).
5. The method of claim 1, wherein the analysis of the artificial dataset includes unsupervised machine learning, wherein the unsupervised machine learning analysis of the artificial dataset outputs at least one detected anomaly, wherein determining whether the candidate model is valid further comprises: determining whether the at least one detected anomaly includes the at least one artificial anomaly.
Rather than argue that an “artificial anomaly” merely reads on any anomaly or e.g., a false positive anomaly, the examiner takes the position that Muddu fails to particularly call for artificial anomaly.
Baradaran teaches test data can be injected (“process test data to determine whether the test data represents anomalous or non-anomalous network traffic. As shown in FIG. 7B, the test data can first be subjected to a feature extraction and preprocessing process”, 0284).
7, 17. The method of claim 1, further comprising: generating, based on the at least one normal behavior pattern, at least one adaptive threshold, wherein each artificial anomaly does not meet at least one of the at least one adaptive threshold (both anomalies and models are scored, Muddu: “If the variation is more than insignificant, the threshold for which may be dynamically or statically defined, an anomaly may be considered to be detected”, 0186, 0320, 0361, 0378;
Baradaran: “The network anomaly detector 730 can be designed, configured or constructed to detect an anomaly in network traffic by comparing the feature values determined by the feature value identifier 715 with the predetermined threshold anomaly detection profile”, 0281).
8, 18. The method of claim 7, wherein each adaptive threshold includes at least one threshold value, wherein the at least one threshold value varies over time (both anomalies and models are scored over time, Muddu: “if the particular value has occurred enough times, e.g., exceeds the anomaly count threshold, in a specified time interval, the anomaly detection module 8040 may determine that the particular value is no longer considered an anomaly and may, therefore, dynamically adjust the rarity criterion, e.g., the score threshold and/or the anomaly count threshold, to minimize and/or stop identifying the particular value as corresponding to an anomaly.”, 0719, 0634;
“If the variation is more than insignificant, the threshold for which may be dynamically or statically defined, an anomaly may be considered to be detected”, 0186, 0320, 0361, 0378;
Baradaran: “The network anomaly detector 730 can be designed, configured or constructed to detect an anomaly in network traffic by comparing the feature values determined by the feature value identifier 715 with the predetermined threshold values of the detection features in the anomaly detection profile”, 0281).
9, 19. The method of claim 1, wherein the plurality of sensory inputs associated with the machine are captured by at least one sensor in proximity to the machine, wherein each proximate sensor is within a predetermined distance of the machine (data can be from sensors or various types of machines/equipment; “In general, "machine data" can include performance data, diagnostic information and/or any of various other types of data indicative of performance or operation of equipment (e.g., an action such as upload, delete, or log-in) in a computing system, as described further below. In general, "machine data" as used herein includes timestamped event data, as discussed further below. Examples of components that may generate machine data from which events can be derived include: web servers, application servers, databases, firewalls, routers, operating systems, and software applications that execute on computer systems, mobile devices, sensors, Internet of Things (IoT) devices, etc. The data generated by such data sources can include, for example, server log files, activity log files, configuration files, messages, network packet data, performance measurements, sensor measurements, etc., which are indicative of performance or operation of a computing system in an information technology environment”, 0135; Applicant is reminded that shifting the location of parts does not make an invention patentable. See In re Japikse, 86 USPQ 70 (CCPA 1950); In re Larson, 144 USPQ 347 (CCPA 1965); and Nerwin v. Erlichman, 168 USPQ 177).
Allowable Subject Matter
Claims 4, 6, 14, 16 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Baradaran (US 2017/0126718) teaches test data can be injected (“process test data to determine whether the test data represents anomalous or non-anomalous network traffic. As shown in FIG. 7B, the test data can first be subjected to a feature extraction and preprocessing process”, 0284).

Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAVID R VINCENT whose telephone number is (571)272-3080. The examiner can normally be reached ~Mon-Fri 12-8:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexey Shmatov can be reached on 5712703428. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/DAVID R VINCENT/Primary Examiner, Art Unit 2123