DETAILED ACTION

Response to Arguments
Applicant's arguments (“REMARKS”) filed on October 18, 2021 have been fully considered but they are moot in view of a new ground of rejection.
Claims 1-20 are currently pending. Claims 1, 8, and 15 were amended.

Re: RESPONSE TO CLAIM REJECTIONS UNDER 35 U.S.C. § 103
Applicant argues that the prior art cited in the § 103 rejection fails to disclose the currently amended features of the independent claims. However, this argument is now moot in view of a new ground of rejection. See Claim Rejections - 35 USC § 103 below for details.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5-10, 12-17 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Malkov et al. (hereinafter, “Malkov”) US 2020/0159624 in view of Matselyukh (hereinafter, “Matselyukh”) US 2019/0124099 and in further view of Hutchinson et al. (hereinafter, “Hutchinson”) US 2007/0050777.
As per claim 1: Malkov discloses: A method for detecting abnormal activity occurring on a computing system, the method comprising (“systems, methods and processes” designed to “learn and establish baseline parameters of routine, normal and non-compromised behavior and activity of virtual machines” (VMs, running on a host machine 80) and to “detect and recognize anomalous events” [Malkov: par. 3, Figs. 1 & 3]); gathering historical information describing activity occurring on a computing system during a learning period; determining, from the historical information, normal ranges that are associated with the activity over the learning period (“Module 200 utilizes machine learning in compiling and processing data from network, host machine and/or instance activity registered in the system and events logs of instance firewalls, web application firewalls and other system and performance logs of instance 60 and host machine 80.  Such data is mined, ingested, compiled, processed and analyzed by module 200 to establish one or more baseline system parameters that define routine, normal and non-compromised activity, i.e., "typical" activity or behavior, in instance 60.  With increased operations of instance 60 and System 100 operative thereon, in terms of time and volume of inbound and outbound data traffic, machine learning logic module 200 is able to continually learn from the continuous data flow and establish more refined and accurate system parameter baselines (normal ranges) indicative of normal, routine and non-compromised operations of the respective instance.  In embodiments, various baseline parameters (normal ranges) are established and programmed into machine learning logic module 200 prior to launch of System 100 and serve as starting points for module 200” [Malkov: par. 115]). 
During the anomaly detection phase, the anomaly detection engine 300A “monitors and analyzes…that same data as that data [that] is generated from systems logs…[against the baseline parameters and normal ranges] established by the machine learning module 200”; anomalous activity is detected when “activity [is] outside of the baseline parameters [normal ranges] established in machine learning module/process 200 (atypical activity)” [Malkov: par. 116, 119]); monitoring, by the at least one processor, activity occurring on the computing system (The “anomaly detection engine 300A works in conjunction with machine learning module 200 to continuously and in real time monitor system and event logs and compare with established baseline parameters, as are continuously refined by machine learning logic module 200, to detect anomalous events”, when the monitored activity falls outside the normal range [Malkov: par. 116; Figs. 3, 5; and as outlined above]); (“the quantized events compiled by AI anomaly detection engine 300A may be interactively visualized on a computer monitor” [Malkov: par. 156; Fig. 5]);
Malkov does not disclose “dividing” and monitoring in “fixed intervals” of the “selected monitoring period”. However, Matselyukh is directed to analogous art of detecting anomalies in data streams [Matselyukh: par. 1]. Matselyukh discloses collecting a data stream (“a selected monitoring period”) and dividing the collected data stream into a plurality of time intervals (“fixed intervals”) [Matselyukh: par. 14, 36-37]. For each time interval, a value for a parameter 
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to enable monitoring for anomalous behavior in Malkov at fixed intervals. As stated in [Matselyukh: par. 17], the detection of anomalies in a data stream is improved using the disclosed method. Furthermore, the number of false positive detections is reduced.
Furthermore, Malkov discloses providing alerts to users when anomalies are detected [Malkov: par. 165]. Matselyukh similarly discloses providing notifications in response to detecting an anomaly in a particular time interval [Matselyukh: par. 87-88]. However, Malkov and Matselyukh do not disclose: merge information gathered during the fixed intervals into a report that summarizes activity that occurred across the fixed intervals, including a first time that specific activity that fell outside the normal ranges occurred during the fixed intervals. Hutchinson is directed to analogous art of monitoring the security of a system in an industrial application with alarm conditions/thresholds [Hutchinson: Abstract]. Hutchinson discloses: merge information gathered during the fixed intervals into a report that summarizes activity that occurred across the fixed intervals, including a first time that specific activity that fell outside the normal ranges occurred during the fixed intervals (“An agent, such as one of the first class executing in the industrial network 14, may report attack summaries at fixed intervals to conserve network resources. For example, an agent 132a-132d may report the occurrence of a first suspicious event and then report a summary at the end of a merged”).
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to incorporate a summarization of the notifications of Matselyukh, such as the summary report disclosed in Hutchinson, to conserve network resources. The notifications of detected anomalies in the time intervals of Matselyukh would have been aggregated into a summary report that is sent out on a periodical basis. This modification would have an advantage over sending just a single notification to an administrator for each detected anomaly, which would have been inefficient when monitoring large amounts of network data. 

Regarding claims 2-3 and 5-7, the rejection of claim 1 under 35 U.S.C. 103 is incorporated herein.
As per claim 2: Malkov in view of Matselyukh and Hutchinson disclose: further comprising notifying a user when any activity on the computing system fell outside the normal ranges during the respective fixed interval (When anomalies and threat events are detected, i.e. “activity outside of the baseline parameters”, “alerting authorized, pre-determined (designated) users” of the anomalous activity, via e.g. “Simple Notification Service ("SNS"), email, voice call and text message” [Malkov: par. 10, 116; Fig. 3]).

As per claim 3: Malkov in view of Matselyukh and Hutchinson disclose: wherein gathering the historical information comprise gathering the historical information from system logs (machine learning logic module processes system and event logs to determine typical activity or behavior [Malkov: par. 115]).

As per claim 5: Malkov in view of Matselyukh and Hutchinson disclose: further comprising, when activity is detected on the computing system which fell outside the normal ranges during the respective fixed interval, compiling information about the activity from multiple sources ([Malkov par. 115, 119]; and as outlined for the rejection of claim 1).

As per claim 6: Malkov in view of Matselyukh and Hutchinson disclose: further comprising presenting, to a user, a report that documents activity that fell outside the normal ranges during the respective fixed interval ([Malkov: par. 149-150, 156, Fig. 5]; where the documented activity includes anomalous activity).

As per claim 7: Malkov in view of Matselyukh and Hutchinson disclose: wherein the report documents events occurring in association with the activity that fell outside the normal ranges during the respective fixed interval ([Malkov: par. 149-150, 156, Fig. 5]; where the documented activity includes anomalous activity).

Regarding claims 8-10 and 12-14, they correspond to claims 1-3 and 5-7 respectively, and claims 8-10 and 12-14 recite no features beyond those of claims 1-3 and 5-7. Therefore, 

Regarding claims 15-17 and 19-20, they correspond to claims 1-3 and 5-6 respectively, and claims 15-17 and 19-20 recite no features beyond those of claims 1-3 and 5-6. Therefore, claims 15-17 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Malkov in view of Matselyukh for the same reasons outlined for the rejection of claims 1-3 and 5-6.

Claims 4, 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Malkov in view of Matselyukh, Hutchinson, and further in view of Masser et al. (hereinafter “Masser”) US 2012/0179936 A1.
Malkov as modified by Matselyukh and Hutchinson does not expressly disclose the features of similar claims 4, 11 and 18. However, Masser discloses:
(Claims 4, 11 and 18) further comprising, when activity is detected on the computing system which fell outside the normal ranges during the respective fixed interval, gathering additional information about the activity ([Masser: par. 35, 40-44]; when activity falls outside the standard deviation (normal ranges), i.e. an anomaly is detected, additional data is collected to further characterize the detected anomaly, and to determine whether the detected anomaly is or is not caused by an actual threat). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Malkov as modified above with Masser. One would . 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
WO 2010/105843 A1: Network traffic data is divided into defined time intervals, wherein a Tsallis entropy value is determined for each time interval. Network traffic anomalies are detected based on a divergence of the entropy value from a reference value. See Abstract.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG KIM can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ROBERT B LEUNG/ Primary Examiner, Art Unit 2494    1-03-2022