DETAILED ACTION
Claims 1-15, 21-22, and 25-27 are pending.  It is noted that not all of the changes in claim 1 were properly indicated as required by MPEP 714.  Examination was done based on indicated changes and the one change discovered by Examiner (i.e. “the two or more entity probability models being” in lines 7-8).  Unindicated and undiscovered changes are not entered in the record.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-15 and 21-22 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al. (hereinafter Muddu), U.S. Patent Application Publication 2017/0063905, in view of Wang, U.S. Patent Application Publication 2015/0373039.
Regarding Claim 1, Muddu discloses a computer-implemented method for real time detection of cyber threats, the method comprising: 
receiving by a processor from a network, in real time, entity data including two or more attributes for an entity (para [0147] - "real-time processing path is configured to continuously monitor and analyze the incoming event data"; para [0167] – “correlate between one attribute with another attribute in the event data or an external attribute”; para [0250] – “a number of fields to access certain attributes of an event”), wherein one of the two or more attributes is a categorical attribute [¶148 – “can also refer to the underlying activity itself”; ¶253 – “determine the event category based on the type of machine that generated the event”; ¶253 – “Other example event categories include authentication, network, entity acquisition, and so forth.”] and one of the two or more attributes is a numerical attribute [¶148 – “a discrete set of machine data that represents or corresponds to a specific network activity”]; 
computing by a processor, in real time, two or more entity probability models for each of the two or more attributes of the entity from the entity data (para [0232]-[0235] - "the identity resolution module 812 can utilize a machine learning model to generate and track a probability of association between a user and a machine identifier"; Note: a model for each user would have two or more models); 
selecting, by the processor, based on a number of shared attributes, a portion of a population of entities that are similar to the entity (para [0140], [0184]-[0187] - 
computing by the processor two or more population probability models associated with each attribute from entity data gathered for at least a portion of a population of entities, the two or more population probability models being indicative of behaviors associated with the two or more attributes for the population of entities (para [0140], [0184]-[0187] - "behavioral analytics can be based on include machine learning, behavior modeling, peer group analysis, classification, statistical models, and graph analysis"; "The security platform 300 can create a behavior baseline for any type of entity (for example, a user, a group of users, a device, a group of devices)"; para [0182] – “one or more machine-learning models”); 
comparing by the processor, in real time, at least a portion of the entity data or at least a portion of the two or more entity probability models to the two or more population probability models associated with each of the two or more attributes to identify an anomaly between the at least a portion of the entity data or the at least a portion of the two or more entity probability models and the two or more population probability models, the anomaly comprising two or more anomalous differences (para [0184]-[0187], [0278]-[0280] - "anomalies and threats are detected by comparing incoming event data (e.g., a series of events) against the baseline profile for an entity to which the event data relates (e.g., a user, an application, a network node or group of nodes, a software system, data 
in response to the anomaly being identified, alerting, in real time, a system administrator of the cyber threat (para [0542]-[0544] - "an unusual behavioral sequence discovered can be presented to an administrator for actions and/or feedbacks"; "the PST model can enable the security platform to discover behavioral anomalies by determining whether a given sequence of events as associated with an entity deviates from an generally anticipated behavioral baseline, even though each event individually may well be considered not malicious. Also, the security platform provides intuitive ways for the administrator to receive alert").
However, Muddu fails to explicitly disclose the two or more entity probability models being self-referential and computed using only the entity data that corresponds to the entity.
Wang discloses the two or more entity probability models being self-referential and computed using only the entity data that corresponds to the entity [“an entity risk model that takes as input only data that is known locally” ¶86; Fig. 5].
It would have been obvious to one having ordinary skill in the art, having the teachings of Muddu and Wang before him before the effective filing date of the claimed invention, to modify the anomaly detection method of Muddu to incorporate the self-referential models of Wang.
Given the advantage of obtaining models specific to each entity for better accuracy, one having ordinary skill in the art would have been motivated to make this obvious modification.
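As an added illustration, not part of the application, the cited references, or the examiner's analysis, the following Python program shows one way the steps recited in claim 1 (self-referential per-attribute entity models, peer selection by shared attributes, population models, comparison, alert on two or more anomalous differences) together with the per-attribute probabilistic threshold of claim 3 could be carried out. Every specific in it is an assumption chosen for illustration: the attribute names, the peer rule (at least two shared profile attributes), the difference measures (total variation distance for the categorical attribute, a z-score of the entity mean for the numerical attribute), the threshold values, and the constructed sample records.

```python
from collections import Counter
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed sample input (hypothetical; not taken from any cited reference).
# PROFILES holds static attributes used only to pick a peer group; EVENTS holds
# per-entity records carrying one categorical attribute (event_category) and
# one numerical attribute (bytes_out).
PROFILES = {
    "u1": {"dept": "eng", "role": "dev", "os": "linux"},
    "u2": {"dept": "eng", "role": "dev", "os": "linux"},
    "u3": {"dept": "eng", "role": "dev", "os": "macos"},
    "u4": {"dept": "sales", "role": "rep", "os": "windows"},
}
EVENTS = (
    # u1: the entity under examination; mostly large outbound transfers
    [{"entity": "u1", "event_category": "network", "bytes_out": b}
     for b in (48000, 51000, 50500, 49000, 52000)]
    + [{"entity": "u1", "event_category": "authentication", "bytes_out": 900}]
    # u2 and u3: peers of u1; mostly authentication events with small transfers
    + [{"entity": "u2", "event_category": "authentication", "bytes_out": b}
       for b in (900, 1100, 1000, 950, 1050)]
    + [{"entity": "u2", "event_category": "network", "bytes_out": 1500}]
    + [{"entity": "u3", "event_category": "authentication", "bytes_out": b}
       for b in (1000, 1050, 950, 1100, 900)]
    + [{"entity": "u3", "event_category": "network", "bytes_out": 1400}]
    # u4: shares no profile attribute with u1, so never enters u1's peer group
    + [{"entity": "u4", "event_category": "network", "bytes_out": b}
       for b in (60000, 61000, 59000)]
)

# One probabilistic threshold per attribute (assumed values).
THRESHOLDS = {"event_category": 0.5, "bytes_out": 3.0}


def fit_categorical(values: List[str]) -> Dict[str, float]:
    """Probability model for a categorical attribute: empirical distribution."""
    counts = Counter(values)
    total = sum(counts.values())
    return {k: n / total for k, n in counts.items()}


def fit_numerical(values: List[float]) -> Tuple[float, float]:
    """Probability model for a numerical attribute: mean and standard deviation."""
    return mean(values), pstdev(values)


def fit_models(records: List[dict]) -> dict:
    """One probability model per attribute, fitted on the given records only."""
    return {
        "event_category": fit_categorical([r["event_category"] for r in records]),
        "bytes_out": fit_numerical([r["bytes_out"] for r in records]),
    }


def select_peers(profiles: dict, entity: str, min_shared: int) -> List[str]:
    """Entities sharing at least min_shared profile attributes with the entity."""
    target = profiles[entity]
    return [
        other for other, attrs in profiles.items()
        if other != entity
        and sum(attrs[k] == v for k, v in target.items()) >= min_shared
    ]


def total_variation(p: Dict[str, float], q: Dict[str, float]) -> float:
    """Distance between two categorical distributions, in [0, 1]."""
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in set(p) | set(q))


def compare(entity_model: dict, population_model: dict) -> Dict[str, float]:
    """Per-attribute difference between the entity's models and the population's."""
    pop_mean, pop_std = population_model["bytes_out"]
    ent_mean, _ = entity_model["bytes_out"]
    return {
        "event_category": total_variation(
            entity_model["event_category"], population_model["event_category"]),
        # z-score of the entity's mean under the population model
        "bytes_out": abs(ent_mean - pop_mean) / pop_std if pop_std > 0 else float("inf"),
    }


def detect(events: List[dict], profiles: dict, entity: str,
           min_shared: int = 2, thresholds: Dict[str, float] = THRESHOLDS) -> dict:
    # Self-referential entity models: fitted on the entity's own events only.
    entity_model = fit_models([e for e in events if e["entity"] == entity])
    peers = select_peers(profiles, entity, min_shared)
    if not peers:
        raise ValueError(f"no peers for {entity} with >= {min_shared} shared attributes")
    population_model = fit_models([e for e in events if e["entity"] in peers])
    differences = compare(entity_model, population_model)
    anomalous = [a for a, d in differences.items() if d > thresholds[a]]
    # The anomaly of interest consists of two or more anomalous differences.
    return {
        "peers": peers,
        "differences": differences,
        "anomalous_attributes": anomalous,
        "alert": len(anomalous) >= 2,
    }


if __name__ == "__main__":
    for who in ("u1", "u2"):
        result = detect(EVENTS, PROFILES, who)
        print(who, "ALERT" if result["alert"] else "ok", result["anomalous_attributes"])
```

With the constructed records, u1's category distribution and transfer sizes both fall outside its peers' models, so both attributes exceed their thresholds and an alert is raised; u2, measured against its own peer group, crosses neither threshold.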

Regarding Claim 2, Muddu and Wang disclose the method of claim 1.  Muddu further discloses wherein comparing by the processor the two or more entity probability models to the two or more population probability models further comprises comparing by the processor the two or more attributes of the entity with associated attributes of the population of entities (para [0399], [0404], [0521] – “underlying event data”; “comparing particular entity data”; “comparing the subset of the threat indicator data”; “signature comparison”).

Regarding Claim 3, Muddu and Wang disclose the method of claim 1.  Muddu further discloses wherein the comparing by the processor further comprises applying by the processor a probabilistic threshold for each attribute, and wherein, if at least one attribute of the two or more entity probability models has a value that exceeds the probabilistic threshold for the at least one attribute, the at least one attribute is categorized by the processor as being the anomaly (para [0317], [0362] – “In one example, the model deliberation process compares the score against a constant threshold and makes 

Regarding Claim 4, Muddu and Wang disclose the method of claim 3.  Muddu further discloses further comprising determining by the processor if the anomaly is indicative of the entity being associated with malicious behavior by identifying by the processor additional anomalies linked to the anomaly (para. [0521] – “discover behavioral anomalies by determining whether a given sequence of events as associated with an entity deviates from an anticipated behavioral baseline”; Note: the claim defines malicious behavior as a series of anomalous events as opposed to a lone anomalous event.  Muddu discloses a sequence of events as anomalous in the above cited paragraph, which satisfies the claim’s definition of malicious.  Keep in mind, removing an in-claim definition of malicious may result in a 35 U.S.C. 112(b) rejection for a relative term.).

Regarding Claim 5, Muddu and Wang disclose the method of claim 4.  Muddu further discloses wherein identifying by the processor additional anomalies comprises locating by the processor additional attributes that are anomalous (para [0520]-[0526] – “detect behavioral deviations from such baselines as potentially indicative of malicious activities”).



Regarding Claim 7, Muddu and Wang disclose the method of claim 1.  Muddu further discloses wherein the entity and the population of entities have at least a portion of their attributes in common with one another such that a comparison between the entity and the population of entities can be obtained by the processor (para [0278]-(0280], [0534]-[0540], [0671]-[0677] – e.g. “entity-specific behavioral analysis, time series analysis of event sequences, graph correlation analysis of entity activities, peer group analysis of entities, or any combination thereof”; “compare sequences and determine similarity”; “compares the beacon data 7470 with any of the known group types (also referred to as "beacon types")”).

Regarding Claim 8, Muddu and Wang disclose the method of claim 7.  Muddu further discloses further comprising: performing the steps of claim 1 for additional entities (para [0140], [0147], [0184]-[0187], [0232]-[0235], [0435]-[0438], [0542]-[0544] – These sections discuss performing the steps for several entities.); and grouping by the processor the entity with a portion of the additional entities that are determined to have 

Regarding Claim 9, Muddu and Wang disclose the method of claim 1.  Muddu further discloses wherein the two or more entity probability models for each of the attributes and the two or more population probability models are created by the processor over a period of time (para [0161]-[0162], [0232]-[0235], [0671]-[0677] – “batch analyzer”; “different phases”; “machine generated traffic”).

Regarding Claim 10, Muddu and Wang disclose the method of claim 1.  Muddu further discloses wherein the entity comprises any of a process, a service, a computing device, a network, an end user, a host, and any combinations thereof (para [0232] - "the identity resolution module 812 can utilize a machine learning model to generate and track a probability of association between a user and a machine identifier").

Regarding Claim 11, Muddu and Wang disclose the method of claim 1.  Muddu further discloses further comprising creating by the processor a peer group from the population of entities, wherein the peer group comprises entities that have similar anomalies to one another (para [0278]-[0280], [0435]-[0438], [0671]-[0677] - "peer group analysis of entities"; "identified set of anomaly nodes represent a set of related anomalies").



Regarding Claim 13, Muddu and Wang disclose the method of claim 1.  Muddu further discloses further comprising: determining by the processor a set of anomalies for the entity, the set of anomalies comprising the anomaly and additional anomalies for the entity; and calculating by the processor an overall probability for the set of anomalies to determine if the entity is malicious (para [0278]-[0280], [0317]-[0319], [0435]-[0438], [0538]-[0542], [0671]-[0677] – e.g. “a set of anomaly nodes”; “time series analysis of event sequences include Bayesian time-series statistical foundation for discrete time-series data”; “the model deliberation process compares the score against a dynamically updated baseline ( e.g., statistical baseline)”).

Regarding Claim 14, Muddu and Wang disclose the method of claim 12.  Muddu further discloses further comprising normalizing by the processor the overall probability 

Regarding Claim 15, Muddu and Wang disclose the method of claim 1.  Muddu further discloses further comprising generating by the processor a plurality of population probability models for subsets of entities that share a specific attribute with one another (para [0278]-[0280], [0316]-[0319], [0435]-[0438], [0534]-[0542], [0671]-[0677]  - e.g. “machine learning models in the ML-based CEP engine can correspond to an event, a sequence of events, an entity, a group of entities”).

Regarding Claim 21, Muddu discloses a system for real time detection of cyber threats, comprising: 
a processor; and a memory for storing executable instructions (para [0745] - "one or more processor(s) 8510, memory"), the processor executing the instructions to: 
receive from a network, in real time, entity data including two or more attributes for an entity within a population of entities in real time (para [0147], [0167], [0250]), wherein one of the two or more attributes is a categorical attribute and one of the two or more attributes is a numerical attribute (¶148, 253); 
compute by a processor two or more entity probability models of the entity from the entity data (para [0232]-[0235]); 
select, by the processor, based on a number of shared attributes, a portion of a population of entities that are similar to the entity (para [0140], [0184]-[0187] - "behavioral analytics can be based on include machine learning, behavior modeling, 
compute by a processor two or more population probability models from entity data gathered for at least a portion of the population of entities, the two or more population probability models being indicative of average behavior for the population of entities (para [0140], [0182], [0184]-[0187], [0435] - "machine learning model can further identify a group of anomaly nodes within the identified plurality of anomaly nodes, wherein the group of anomaly nodes have timestamps that satisfy a specific closeness criterion. For example, the timestamps may have an average time gap less than a threshold value"); 
compare, by a processor, the two or more entity probability models to the two or more population probability models to identify one or more anomalous differences between the two or more entity probability models and the two or more population probability models (para [0184]-[0187], [0278]-[0280], [0435]-[0438]); and 
in response to identification by the processor of the two or more anomalous differences, alert a system administrator (para [0542]-[0544]); and 
in response to the two or more anomalous differences, alerting, in real time, a system administrator of a cyber threat (para [0542]-[0544]).
However, Muddu fails to explicitly disclose the two or more entity probability models being self-referential and computed using only the entity data that corresponds to the entity.
Wang discloses the two or more entity probability models being self-referential and computed using only the entity data that corresponds to the entity [“an entity risk model that takes as input only data that is known locally” ¶86; Fig. 5].
It would have been obvious to one having ordinary skill in the art, having the teachings of Muddu and Wang before him before the effective filing date of the claimed invention, to modify the anomaly detection method of Muddu to incorporate the self-referential models of Wang.
Given the advantage of obtaining models specific to each entity for better accuracy, one having ordinary skill in the art would have been motivated to make this obvious modification.

Regarding Claim 22, Muddu and Wang disclose the method of claim 1.  Muddu further discloses wherein the two or more attributes are associated with direct behaviors (para [0447] – “identify anomalies from expected or authorized network activity or behavior”).

Claim 25 is rejected under 35 U.S.C. 103 as being unpatentable over Muddu and Wang, in view of Erenrich et al. (hereinafter Erenrich), U.S. Patent Application Publication 2018/0330280.
Regarding Claim 25, Muddu and Wang disclose the system of claim 21.
However, Muddu fails to explicitly disclose wherein the processor is configured to map probabilities computed to an anomaly factor that ranges from 0 to 100, by applying 
Erenrich discloses wherein the processor is configured to map probabilities computed to an anomaly factor that ranges from 0 to 100, by applying a function that changes more rapidly for the probabilities greater than a specified cutoff probability as compared to the probabilities that are smaller [“a probability, measured from 0 to 100 percent” ¶97; “exponential” ¶97].
It would have been obvious to one having ordinary skill in the art, having the teachings of Muddu, Wang, and Erenrich before him before the effective filing date of the claimed invention, to modify the combination to incorporate the probability scores using an exponential function.
Given the advantage of using an exponential function which adjusts sensitivity for less likely values and more likely values to get a better result, one having ordinary skill in the art would have been motivated to make this obvious modification.

Allowable Subject Matter
Claims 26 and 27 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.  Specifically, claim 26 recites obtaining an overall probability to create a threat score by computing a fixed sized sketch data structure that can be queried for quantiles of historical anomaly factors up to an error related to memory used by the fixed sized sketch data structure.  
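As an added illustration, not part of the application, the cited references, or the examiner's analysis, the following Python program shows one way the two mechanisms recited in claims 25 and 26 could be realized: a mapping from a probability to an anomaly factor in the range 0 to 100 that changes more rapidly above a cutoff probability than below it, and a fixed-size sketch of historical anomaly factors that answers quantile queries to within an error fixed by the memory it uses. The particular mapping (linear below the cutoff, exponential above it, cutoff 0.9, factor 20 at the cutoff), the sketch (a histogram of a fixed number of equal-width bins over [0, 100], so the quantile error is at most one bin width), the percentile-rank threat score, and the sample values are all assumptions chosen for illustration, not the functions or data structures of the application.

```python
import math
from typing import List


def anomaly_factor(p: float, cutoff: float = 0.9, factor_at_cutoff: float = 20.0) -> float:
    """Map a probability p in [0, 1] to an anomaly factor in [0, 100].

    Below the cutoff the factor grows linearly; above it the factor grows
    exponentially and reaches 100 at p == 1, so the function changes much
    more rapidly for probabilities above the cutoff than for those below.
    The shape and constants are assumptions made for this illustration.
    """
    p = min(max(p, 0.0), 1.0)
    if p <= cutoff:
        return factor_at_cutoff * p / cutoff
    growth = math.log(100.0 / factor_at_cutoff) / (1.0 - cutoff)
    return min(100.0, factor_at_cutoff * math.exp(growth * (p - cutoff)))


class FactorSketch:
    """Fixed-size histogram sketch of anomaly factors in [0, 100].

    Memory is `bins` counters no matter how many factors are inserted, and any
    quantile query is answered to within one bin width, i.e. 100 / bins.
    """

    def __init__(self, bins: int = 100):
        self.bins = bins
        self.width = 100.0 / bins
        self.counts: List[int] = [0] * bins
        self.n = 0

    def _bin(self, factor: float) -> int:
        return min(int(factor / self.width), self.bins - 1)

    def add(self, factor: float) -> None:
        self.counts[self._bin(factor)] += 1
        self.n += 1

    def error_bound(self) -> float:
        """Largest possible gap between a reported quantile and the true one."""
        return self.width

    def quantile(self, q: float) -> float:
        """Smallest bin upper edge at or below which at least q*n factors fall."""
        if self.n == 0:
            raise ValueError("empty sketch")
        target = q * self.n
        seen = 0
        for i, c in enumerate(self.counts):
            seen += c
            if seen >= target:
                return (i + 1) * self.width
        return 100.0

    def rank(self, factor: float) -> float:
        """Fraction of historical factors in bins at or below the factor's bin."""
        if self.n == 0:
            return 0.0
        return sum(self.counts[: self._bin(factor) + 1]) / self.n


def threat_score(history: FactorSketch, factor: float) -> float:
    """Threat score as the percentile rank of the current factor, 0 to 100."""
    return 100.0 * history.rank(factor)


if __name__ == "__main__":
    # Constructed sample history: one factor per integer in 0..99.
    history = FactorSketch(bins=100)
    for value in range(100):
        history.add(float(value))
    current = anomaly_factor(0.97)
    print("factor", round(current, 2), "p99", history.quantile(0.99),
          "threat", threat_score(history, current))
```

Querying the sketch for a high quantile of past factors (for example the 99th percentile) gives a data-driven alert line whose memory cost is fixed in advance; the error bound tells the operator how much slack to leave around it.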

Examiner’s Note
The Examiner respectfully requests of the Applicant in preparing responses, to fully consider the entirety of the reference(s) as potentially teaching all or part of the claimed invention.  It is noted, REFERENCES ARE RELEVANT AS PRIOR ART FOR ALL THEY CONTAIN.  “The use of patents as references is not limited to what the patentees describe as their own inventions or to the problems with which they are concerned.  They are part of the literature of the art, relevant for all they contain.”  In re Heck, 699 F.2d 1331, 1332-33, 216 USPQ 1038, 1039 (Fed. Cir. 1983) (quoting In re Lemelson, 397 F.2d 1006, 1009, 158 USPQ 275, 277 (CCPA 1968)).  A reference may be relied upon for all that it would have reasonably suggested to one having ordinary skill in the art, including non-preferred embodiments (see MPEP 2123).  The Examiner has cited particular locations in the reference(s) as applied to the claim(s) above for the convenience of the Applicant.  Although the specified citations are representative of the teachings of the art and are applied to the specific limitations within the individual claim(s), typically other passages and figures will apply as well.

Response to Arguments
Applicant’s arguments with respect to the claims have been considered but are moot because the arguments do not apply to the references being used in the current rejection.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT H BEJCEK II whose telephone number is (571)270-3610. The examiner can normally be reached Monday - Friday: 9:00am - 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/R.B./            Examiner, Art Unit 2123

/ALEXEY SHMATOV/          Supervisory Patent Examiner, Art Unit 2123