Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This office action is in response to an amendment application received on 10/12/2021. In the amendment, applicant has amended claims 1, 9-10, 18-19 and 22-23. Claims 4, 7-8, 13 and 16-17 have been cancelled. Claims 2-3, 5-6 and 11-15 remain original. Claims 25-26 have been added as new claims.
For this office action, claims 1-3, 5-6, 11-12, 14-15 and 18-26 have been received for consideration and have been examined. 
Response to Arguments
Claim Rejections under 35 U.S.C. § 112
	Applicant’s amendments have been reviewed by the examiner and overcome the previously issued 112(a) rejection. However, upon further review, new 112(a) issues have been raised. See the Office Action below for details.
Claim Rejections under 35 U.S.C. § 103
Applicant’s arguments, filed 10/12/2021, with respect to the rejections of claims under 35 U.S.C. § 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, new grounds of rejection are made in view of the new amendments to the claims.


Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

Claims 1-3, 5-6, 11-12, 14-15 and 18-26 are rejected under 35 U.S.C. 112(a), as failing to comply with the written description requirement. The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, at the time the application was filed, had possession of the claimed invention.
The first limitation of independent claims 1, 10 and 19 recites “directly after one of being initially fielded and being upgraded”. The examiner consulted the instant specification and noticed that only paragraph [0029] has support for this language; however, paragraph [0029] recites:
“For example, the baseline event data can be obtained from the target systems directly after they initially fielded or directly after being upgraded such that no APT has had an opportunity to infiltrate the target systems”. 
Therefore, the first limitation is not supported by the above-mentioned section of paragraph [0029], because the paragraph clearly recites “initially fielded or directly after being upgraded” rather than “being initially fielded and being upgraded” as recited in the claim.
The eighth limitation of independent claims 1, 10 and 19 recites “determining, by the processor, an operational cumulative trajectory of each of the plurality of operational event clusters by partitioning each of the plurality of operational event clusters into a plurality of second discrete time intervals within a second time period that is longer than the expected length of the reconnaissance phase of the cyber-attack”. The examiner consulted the instant specification and noticed that only paragraph [0033] has support for the “baseline cumulative trajectories” language and not for the “operational cumulative trajectories” language. Paragraph [0033] recites:
“At 215, a trajectory module (e.g., trajectory module 153) determines baseline cumulative trajectories for each cluster determined at 211. That is, the trajectory module partitions each cluster into discrete time intervals (X, e.g., a week) within a time period that is longer than the expected length of an APT reconnaissance phase (e.g., longer than three months)”.
Therefore, the phrase “determining an operational cumulative trajectory … a second time period that is longer than the expected length” in the eighth limitation does not have support in the specification, and specifically in paragraph [0033].
Dependent claims inherit this deficiency.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5, 9-12, 14, 18-19, 21-23 and 25-26 are rejected under 35 U.S.C. 103 as being unpatentable over Schimert (US20090216393A1) e.f.d. of 02/27/2008 in view of Wang et al., (US8910188B1) e.f.d. of 03/23/2012 in view of Singla et al., (US20170187730A1) e.f.d. of 07/21/2014 in view of Giordano et al., (US9686173B1) e.f.d. of 10/27/2014 and further in view of Bandholz (US20060265158A1) e.f.d. of 05/09/2005.
Regarding claim 1, Schimert discloses:
A method comprising: 
receiving, by a processor, baseline event data during operation of a plurality of target systems ([0005] In accordance with a further embodiment of the present invention, a data-driven method for detecting anomalies in sensor data from an aircraft may include two main steps. The first step may define data sets collected under normal operating conditions from a plurality of aircraft systems, and determines limits. Empirical models may be applied to reduce a possible high dimension of sensor data. These models and limits may be called “baseline” models and limits; [0031] Anomalies, faults or other conditions may be detected to permit correction prior to any flight deck effect; [0036] In block 110 the monitoring results from block 108 may be fused or consolidated to produce a consensus decision, i.e. alert/normal on whether an anomaly is likely to occur); 
determining, by the processor, a plurality of baseline event clusters (see [0042] i.e. cluster of normal operating conditions (NOC) such as sensor data from various aircraft systems) using the baseline event data by determining one or more pairs of complementary baseline events recorded in the baseline event data that correspond to activities performed during the alert condition ([0042] Sensor data 210 from various aircraft systems, e.g. flight control systems or environmental control systems may be collected. In block 212, selected parameters of interest that are to be monitored or observed may be specified; [0057] In block 310, a determination may be made if an observation belongs to a cluster of NOC); 
determining, by the processor, a baseline cumulative trajectory (see [0052] i.e. dashed diagonally straight line 406 in FIG. 4 which is construed as baseline cumulative trajectory) of each of the plurality of baseline event clusters by partitioning the each of the plurality of baseline event clusters into a plurality of first discrete time intervals (see FIG. 2; i.e. timeline) within a first time period ([0041] In block 206, a timeline of flight deck effects 204 of interest may be determined from the observed training data; [0044] In block 218, additional criteria may be applied to further extract data to produce the initial training data 220 based substantially on normal operating conditions. Examples of criteria may include extracting by a single aircraft rather than all aircraft; or for only certain flight phases, such as take off, cruise, or landing; [0048] In block 228, models are fit to the final training data to generate NOC or baseline models 230; [0052] The robust distances 402 are determined from the robust principal components and the usual distances 404 are determined from the usual principal components. Deviations from the dotted diagonal line 406 indicate candidate outliers) that is longer than an expected length of the alert condition (See FIG. 8; [0063] Each sub-chart 802 or sub-plot illustrates a level 804 (0-4 in this example) of contribution for each different parameter 806 observed for each respective date, set of dates or occurrence; [0064] In the example illustrated in FIG. 8, for the specific date or dates corresponding to sub-chart 802 a, parameter 10 had the highest level of contribution to causing the alert in the monitoring chart exceeding the predetermined NOC limit), 
receiving, by the processor and from the plurality of the target systems (see FIG. 5; [0058] In block 502, new sensor data in contrast to initial training data may be collected; [0061] In block 510 monitoring results may be fused or consolidated to form a single consensus result, alert/no alert; [0062] In block 512, a determination may be made if there is a consensus alert from the fused results. Since the fused results are a consolidation or fusion of multiple decisions, the alert may be referred to as a consensus alert); 
determining, by the processor, a plurality of operational event clusters (i.e. sensor data from flight control) using the operational event data (i.e. new sensor data) by determining one or more pairs of complementary operational events recorded (see FIG. 5; i.e. collected new data) in the operational event data that correspond to activities performed during the alert condition; ([0059] In block 504, the new data may be projected onto models of NOC, such as models 230 developed in FIG. 2B; [0062] In block 512, a determination may be made if there is a consensus alert from the fused results … If there is a determination in block 512 that there is a consensus alert, the method 500 may advance to block 516);
Application No.: 14/839,327 Attorney Docket No.: 15-0849-US-NP/0192.0034
determining, by the processor, an operational cumulative trajectory (see [0033] i.e. exceeds the limit) of each of the plurality of operational event clusters by partitioning each of the plurality of operational event clusters into a plurality of second discrete time intervals (see FIG. 8; i.e. respective date, set of dates) within a second time period ([0059] In block 506, quantities to be monitored may be calculated … One type of quantity represents a distance of a parameter observation to a center within a space spanned by a chosen number of components. Another type of quantity is a residual or an orthogonal distance of the parameter observation to the model space. Thus the two types of quantities measure closeness of an observation to NOC according to what the NOC model describes, and in addition measures any left over distance that the model does not describe. These quantities can be compared to their corresponding limit determined earlier using baseline data. At any time point, if the quantity exceeds the limit, an alert is generated; [0063] FIG. 8 illustrates an example of a contribution plot 800 including a trellis of four contribution plots or sub-charts 802 a-802 d. Each sub-chart 802 or sub-plot illustrates a level 804 (0-4 in this example) of contribution for each different parameter 806 observed for each respective date, set of dates or occurrence) that is longer than an expected length of the alert condition (See FIG. 8 for observing data for various length of time; [0063] Each sub-chart 802 or sub-plot illustrates a level 804 (0-4 in this example) of contribution for each different parameter 806 observed for each respective date, set of dates or occurrence; [0064] In the example illustrated in FIG. 8, for the specific date or dates corresponding to sub-chart 802 a, parameter 10 had the highest level of contribution to causing the alert in the monitoring chart exceeding the predetermined NOC limit), 
detecting, by the processor, the alert condition occurring within the plurality of target systems by comparing the baseline cumulative trajectories of the plurality of baseline event clusters with the operational cumulative trajectories of the plurality of operational event clusters and determining that the baseline cumulative trajectories and the operational [0005] The second step may detect any anomalies in new sensor data by projecting onto the baseline models, and comparing monitored quantities to baseline limits; [0034] In block 106, parameters collected from sensors coupled to the various systems may be monitored by calculating quantities from the collected parameter data and NOC models and comparing with NOC limits established in block 104 for NOC data; [0039] In block 118, which parameter or parameters are most likely to have caused the alert may be determined from the contribution plot or plots. This is done by comparing each parameter contribution to the monitored quantity, relative to the parameter contribution under baseline or normal operation conditions); and 
outputting, by the processor, an indication regarding the detected alert condition ([0062] In block 512, a determination may be made if there is a consensus alert from the fused results. Since the fused results are a consolidation or fusion of multiple decisions, the alert may be referred to as a consensus alert … If there is a determination in block 512 that there is a consensus alert, the method 500 may advance to block 516; [0063] In block 516, contribution plots may be generated and presented to allow further exploring why an alert occurred).
Schimert fails to disclose:
	receiving event data [baseline and operational] including records logged by deterministic data processing systems operated by the plurality of target systems; detected alert condition is a cyber-attack; the determining the baseline cumulative trajectory of the each of the plurality of baseline event clusters further comprising: determining a first centroid of the baseline event data at the each of the plurality of first discrete time intervals, and determining a centroid for a baseline cumulative rolling wave at the each of the plurality of first discrete 
However, Wang discloses:
	receiving event data [baseline and operational] including records logged by deterministic data processing systems operated by the plurality of target systems (Col. 2, Line # 34-53; Methods can further include the actions of receiving, by the first computing group that performs operations of a first processing stage, the first event batch; processing event data for the events that belong to first event batch; determining that processing of the first event batch has been completed; and logging first results of the first processing stage to a data store. Determining that processing of the first batch has been completed can include the action of determining that a threshold number of event bundles from the first batch has been processed. Methods can further include the actions of receiving, by a second computing group that performs operations of a second processing stage, the first event batch; preventing the first event batch from being processed by the second computing group until the first results have been logged; determining that the first results have been logged; and processing the first results and event data for the events that belong to the first event batch, the processing including performing the operations of the second processing stage; and logging second results of the second processing stage; Col. 4; Line # 34-42; Deterministic processing refers to processing that produces a matching result (e.g., a same result) even if the processing is repeated by a same or different data processing apparatus. Deterministic processing of events in a distributed (or parallel) computing environment is achieved by creating batches of events based on timestamps (e.g., indicative of a time at which the event occurred) associated with the events, and specifying operations that must occur in order for processing of the events to continue at a next processing stage).
	It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the Schimert reference and include a deterministic data processing system for processing event data, as disclosed by Wang.
	The motivation to include a deterministic data processing system for processing event data is to ensure that event data processed by the deterministic system contains no randomness when data is retrieved in the development of future states of the system (See Wang: Col. 3; Line # 60-67 – Col. 4; Line # 1-8).
The combination of Schimert and Wang fails to disclose:
	detected alert condition is a cyber-attack; the determining the baseline cumulative trajectory of the each of the plurality of baseline event clusters further comprising: determining 
However, Singla discloses:
detected alert condition is a cyber-attack ([0013] According to examples, the apparatus and method disclosed herein may include a pattern mining module to parse input data that is used to determine a sequence of steps that are involved in an attack. The attack may include, for example, a cyber-attack. The sequence of steps may include, for example, reconnaissance, perimeter infiltration, internal network zone infiltration, discovery, capture, exfiltration, and/or payload installation; [0042] At block 206, the method may include receiving a security indicator that is related to a potential attack. For example, referring to FIG. 1, the user interface 110 may be used to enter (and thus receive) a security indicator 112 that is related to a potential attack).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the Schimert and Wang references and include a device for detecting a cyber-attack, as disclosed by Singla.
The motivation to include a device for detecting a cyber-attack is to rapidly and accurately detect various forms of cyber-attacks by monitoring and analyzing events generated in real time (See Singla: [0012]).
The combination of Schimert, Wang and Singla fails to disclose:
	the determining the baseline cumulative trajectory of the each of the plurality of baseline event clusters further comprising: determining a first centroid of the baseline event data at the each of the plurality of first discrete time intervals, and determining a centroid for a baseline cumulative rolling wave at the each of the plurality of first discrete time intervals using the first centroid of the baseline event data at the each of the plurality of first discrete time intervals and the first centroids of the baseline event data from all previous first discrete time intervals of the each of the plurality of first discrete time intervals; the determining the operational cumulative trajectory of the each of the plurality of operational event clusters further comprising: determining a second centroid of the operational event data at each of the plurality of second discrete time intervals, and determining a centroid for an operational cumulative rolling wave at the each of the plurality of second discrete time intervals using the second centroid of the operational event data at the each of the plurality of second discrete time intervals and the second centroids of the operational event data from all previous second 
However, Giordano discloses:
	the determining the baseline cumulative trajectory of the each of the plurality of baseline event clusters further comprising: 
determining a first centroid (See FIG. 3C; 121 a) of the baseline event data at the each of the plurality of first discrete time intervals (Col. 12, Line #66-67 – Col. 13, Line # 1-5; the point may be the centroid or a geometric center of the cluster. Accordingly, the clusters are represented by their centroids or geometric centers, thus forming a hyper-map to represent the server groups of the CDN; Col. 15; Line # 58-61; The collection of points representing the feature vectors of all servers of the CDN form a hyper-map in this 5-dimensional hyperspace, such as the hyper-map A (121 a) shown in FIG. 3C), and 
determining a centroid for a baseline cumulative rolling wave at the each of the plurality of first discrete time intervals using the first centroid of the baseline event data at the each of the plurality of first discrete time intervals and the first centroids of the baseline event data from all previous first discrete time intervals of the each of the plurality of first discrete time intervals (Col. 10, Line # 11-16; the flows are captured and parsed throughout a pre-configured time interval recurring on a periodic basis (e.g., every minute, hourly, daily, etc.) or triggered in response to an event. Such pre-configured time interval correspond to the aforementioned time window of a snapshot in the network traffic data (330);

determining a second centroid (See FIG. 3C; 122 a) of the operational event data at each of the plurality of second discrete time intervals, and determining a centroid for an operational cumulative rolling wave at the each of the plurality of second discrete time intervals using the second centroid of the operational event data at the each of the plurality of second discrete time intervals and the second centroids of the operational event data from all previous second discrete time intervals of the each of the plurality of second discrete time intervals (Col. 10, Line # 11-16; the flows are captured and parsed throughout a pre-configured time interval recurring on a periodic basis (e.g., every minute, hourly, daily, etc.) or triggered in response to an event. Such pre-configured time interval correspond to the aforementioned time window of a snapshot in the network traffic data (330); Col. 16, Line # 9-20; To track the evolution of a clustering (i.e., a collection of clusters) over time, two clusterings C(i) and C(i+1) are generated from two snapshots X(i) and X(i+1), one subsequent to another. In particular, X(i) and C(i) correspond to the hyper-map A (212 a) and hyper-map (212 b), respectively, shown in FIG. 3C. In addition, the subsequent hyper-map A (122 a) and subsequent hyper-map B (122 b) are evolved versions of the hyper-map A (212 a) and hyper-map (212 b), respectively, that correspond to a subsequent snapshot (referred to as snapshot i+1) of the network traffic flows captured from the CDN shown in FIG. 3A).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the references of Schimert, Wang and Singla and detect a centroid of clusters of collected data, as disclosed by Giordano.
See Giordano: 60-67).
The combination of Schimert, Wang, Singla and Giordano fails to disclose the concept:
	wherein receiving baseline event data is a data which contains initial computer system configuration.
However, Bandholz discloses:
	wherein receiving baseline event data is a data which contains initial computer system configuration ([0035] FET controller 203 and on-resistance sensor 205 operate under the control of microprocessor 209 which implements the logic to be described relative to the flowcharts in the figures which follow. Microprocessor 209 has NVRAM 207 at its disposal for storing on-resistance values and other parameters across power-on power-off cycles of the computer system. As will be seen, values stored in NVRAM 207 include values which are used to establish baseline on-resistance values and other values for particular FETs installed in the system for an initial computer system configuration and for subsequent predictive failure conditions. Values include initial on-resistance values measured for the MOSFET 202 while in use at the time the system and/or the MOSFET was initially configured, or presumed initial values; and values which deviate from the initial on-resistance values and for which a predictive failure report is to be generated).
	It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the Schimert, Wang, Singla and Giordano references and receive baseline data which contains the initial state of a system, as disclosed by Bandholz.
See Bandholz: [0035]).
Regarding claim 2, the combination of Schimert, Wang, Singla, Giordano & Bandholz discloses:
The method of claim 1, wherein:
the plurality of deterministic target systems include a plurality of types, and the plurality of types include a plurality of configurations (Schimert: [0072] A data collection unit 1010 may collect sensor data from multiple sensors 1012 associated with various systems 1014 or subsystems forming an apparatus, such as an aircraft or other equipment; [0044] Examples of criteria may include extracting by a single aircraft rather than all aircraft; or for only certain flight phases, such as take off, cruise, or landing);
the baseline event data includes a plurality of records that associate baseline events, respectively, with a timestamp, one of the plurality of types, and one of the plurality of configurations (Schimert: [0032] In block 104, NOC models or baseline models may be fit to NOC data or baseline data. Principal component analysis (PCA) and independent component analysis (ICA) are known techniques that may be used to reduce the dimension of NOC or baseline data. PCA and ICA are described in more detail below. A NOC model represents data under normal operating conditions. Monitoring quantities are calculated at each time by applying NOC models to the data collected at that time);
the operational event data includes a plurality of records that associate operational events, respectively, with a timestamp, one of the plurality of types, and one of the plurality of configurations (Schimert: [0043] In block 214, a determination may be made as to whether any collected sensor data corresponding to a parameter of interest occurred within a predetermined time period of a flight deck effect 204. Any sensor data or parameter observations within the predetermined time period or number of days of a flight deck effect 204 are rejected in block 216 because this period of time is considered not under normal operating conditions).
Regarding claim 3, the combination of Schimert, Wang, Singla, Giordano & Bandholz discloses:
	The method of claim 2, wherein: the plurality of types comprise a plurality of aircraft fleets; and the plurality of configurations comprise configurations of data processing systems in the plurality of aircraft fleets (Schimert: [0005] In accordance with a further embodiment of the present invention, a data-driven method for detecting anomalies in sensor data from an aircraft may include two main steps. The first step may define data sets collected under normal operating conditions from a plurality of aircraft systems, and determines limits).
Regarding claim 5, the combination of Schimert, Wang, Singla, Giordano & Bandholz discloses:
	The method of claim 2, further comprising: determining a number of configurations included in the plurality of types (Schimert: [0004] In accordance with another embodiment of the present invention, a method for data-driven anomaly detection may include statistically analyzing performance data from a plurality of aircraft systems in relation to previously collected baseline performance data from the plurality of aircraft systems. The method may also include detecting any anomalies based on the statistical analysis to permit correction prior to any flight deck effect);
(Schimert: [0005] The first step may define data sets collected under normal operating conditions from a plurality of aircraft systems, and determines limits. Empirical models may be applied to reduce a possible high dimension of sensor data. These models and limits may be called “baseline” models and limits; [0056] In general, clustering algorithms determine structure within data by organizing it into groups or clusters. Many algorithms exist, but no single algorithm can handle all sorts of cluster shapes and structures. Each algorithm has its own bias and assumptions. Different clustering algorithms may partition a given data set differently. Even a single clustering algorithm may produce several partitions for different initializations or design parameters); and
	determining initial operational event clusters by partitioning pairs of complementary operational events into a second plurality of sets corresponding to the number of configurations (Schimert: [0005] The second step may detect any anomalies in new sensor data by projecting onto the baseline models, and comparing monitored quantities to baseline limits. At any time, if the baseline limit is exceeded, an alert is generated. Otherwise the observation is considered normal; [0056] In general, clustering algorithms determine structure within data by organizing it into groups or clusters. Many algorithms exist, but no single algorithm can handle all sorts of cluster shapes and structures. Each algorithm has its own bias and assumptions. Different clustering algorithms may partition a given data set differently. Even a single clustering algorithm may produce several partitions for different initializations or design parameters).
Regarding claim 9, the combination of Schimert, Wang, Singla, Giordano & Bandholz discloses:
The method of claim 1, wherein comparing the baseline cumulative trajectory with operational cumulative trajectory comprises plotting a graph comparing the first centroid for a cumulative rolling wave over the plurality of discrete time intervals with the second centroid for the cumulative rolling wave over the plurality of discrete time intervals (Schimert: [0052] FIG. 4 displays this graphically. FIG. 4 is an example of a chart 400 displaying an output or results of calculating the robust and usual fits to detect outliers in accordance with an embodiment of the present invention. In the results, robust distances 402 are plotted against usual distances 404. The robust distances 402 are determined from the robust principal components and the usual distances 404 are determined from the usual principal components. Deviations from the dotted diagonal line 406 indicate candidate outliers. Both scattered outlying observations 408 and a cluster of outlying observations 410 are illustrated in FIG. 4).
Regarding claim 10, Schimert discloses:
A system detecting a cyber-attacks comprising: a processor; a computer-readable hardware storage device; program instructions stored on the computer-readable hardware storage device for execution by the processor that control the system to perform operations comprising:
receiving, by a processor, baseline event data during operation of a plurality of target systems ([0005] In accordance with a further embodiment of the present invention, a data-driven method for detecting anomalies in sensor data from an aircraft may include two main steps. The first step may define data sets collected under normal operating conditions from a plurality of aircraft systems, and determines limits. Empirical models may be applied to reduce a possible high dimension of sensor data. These models and limits may be called “baseline” models and limits; [0031] Anomalies, faults or other conditions may be detected to permit correction prior to any flight deck effect; [0036] In block 110 the monitoring results from block 108 may be fused or consolidated to produce a consensus decision, i.e. alert/normal on whether an anomaly is likely to occur); 
determining, by the processor, a plurality of baseline event clusters (see [0042] i.e. cluster of normal operating conditions (NOC) such as sensor data from various aircraft systems) using the baseline event data by determining one or more pairs of complementary baseline events recorded in the baseline event data that correspond to activities performed during the alert condition ([0042] Sensor data 210 from various aircraft systems, e.g. flight control systems or environmental control systems may be collected. In block 212, selected parameters of interest that are to be monitored or observed may be specified; [0057] In block 310, a determination may be made if an observation belongs to a cluster of NOC); 
determining, by the processor, a baseline cumulative trajectory (see [0052] i.e. dashed diagonally straight line 406 in FIG. 4 which is construed as baseline cumulative trajectory) of each of the plurality of baseline event clusters by partitioning the each of the plurality of baseline event clusters into a plurality of first discrete time intervals (see FIG. 2; i.e. timeline) within a first time period ([0041] In block 206, a timeline of flight deck effects 204 of interest may be determined from the observed training data; [0044] In block 218, additional criteria may be applied to further extract data to produce the initial training data 220 based substantially on normal operating conditions. Examples of criteria may include extracting by a single aircraft rather than all aircraft; or for only certain flight phases, such as take off, cruise, or landing; [0048] In block 228, models are fit to the final training data to generate NOC or baseline models 230; [0052] The robust distances 402 are determined from the robust principal components and the usual distances 404 are determined from the usual principal components. Deviations from the dotted diagonal line 406 indicate candidate outliers) that is longer than an expected length of the alert condition (See FIG. 8; [0063] Each sub-chart 802 or sub-plot illustrates a level 804 (0-4 in this example) of contribution for each different parameter 806 observed for each respective date, set of dates or occurrence; [0064] In the example illustrated in FIG. 8, for the specific date or dates corresponding to sub-chart 802 a, parameter 10 had the highest level of contribution to causing the alert in the monitoring chart exceeding the predetermined NOC limit), 
receiving, by the processor and from the plurality of the target systems (see FIG. 5; [0058] In block 502, new sensor data in contrast to initial training data may be collected; [0061] In block 510 monitoring results may be fused or consolidated to form a single consensus result, alert/no alert; [0062] In block 512, a determination may be made if there is a consensus alert from the fused results. Since the fused results are a consolidation or fusion of multiple decisions, the alert may be referred to as a consensus alert); 
determining, by the processor, a plurality of operational event clusters (i.e. sensor data from flight control) using the operational event data (i.e. new sensor data) by determining one or more pairs of complementary operational events recorded (see FIG. 5; i.e. collected new data) in the operational event data that correspond to activities performed during the alert condition; ([0059] In block 504, the new data may be projected onto models of NOC, such as models 230 developed in FIG. 2B; [0062] In block 512, a determination may be made if there is a consensus alert from the fused results … If there is a determination in block 512 that there is a consensus alert, the method 500 may advance to block 516);
Application No.: 14/839,327; Attorney Docket No.: 15-0849-US-NP/0192.0034
determining, by the processor, an operational cumulative trajectory (see [0033] i.e. exceeds the limit) of each of the plurality of operational event clusters by partitioning each of the plurality of operational event clusters into a plurality of second discrete time intervals (see FIG. 8; i.e. respective date, set of dates) within a second time period ([0059] In block 506, quantities to be monitored may be calculated … One type of quantity represents a distance of a parameter observation to a center within a space spanned by a chosen number of components. Another type of quantity is a residual or an orthogonal distance of the parameter observation to the model space. Thus the two types of quantities measure closeness of an observation to NOC according to what the NOC model describes, and in addition measures any left over distance that the model does not describe. These quantities can be compared to their corresponding limit determined earlier using baseline data. At any time point, if the quantity exceeds the limit, an alert is generated; [0063] FIG. 8 illustrates an example of a contribution plot 800 including a trellis of four contribution plots or sub-charts 802 a-802 d. Each sub-chart 802 or sub-plot illustrates a level 804 (0-4 in this example) of contribution for each different parameter 806 observed for each respective date, set of dates or occurrence) that is longer than an expected length of the alert condition (See FIG. 8 for observing data for various length of time; [0063] Each sub-chart 802 or sub-plot illustrates a level 804 (0-4 in this example) of contribution for each different parameter 806 observed for each respective date, set of dates or occurrence; [0064] In the example illustrated in FIG. 8, for the specific date or dates corresponding to sub-chart 802 a, parameter 10 had the highest level of contribution to causing the alert in the monitoring chart exceeding the predetermined NOC limit), 
detecting, by the processor, the alert condition occurring within the plurality of target systems by comparing the baseline cumulative trajectories of the plurality of baseline event clusters with the operational cumulative trajectories of the plurality of operational event clusters and determining that the baseline cumulative trajectories and the operational cumulative trajectories diverge by more than a predetermined distance ([0005] The second step may detect any anomalies in new sensor data by projecting onto the baseline models, and comparing monitored quantities to baseline limits; [0034] In block 106, parameters collected from sensors coupled to the various systems may be monitored by calculating quantities from the collected parameter data and NOC models and comparing with NOC limits established in block 104 for NOC data; [0039] In block 118, which parameter or parameters are most likely to have caused the alert may be determined from the contribution plot or plots. This is done by comparing each parameter contribution to the monitored quantity, relative to the parameter contribution under baseline or normal operation conditions); and 
outputting, by the processor, an indication regarding the detected alert condition ([0062] In block 512, a determination may be made if there is a consensus alert from the fused results. Since the fused results are a consolidation or fusion of multiple decisions, the alert may be referred to as a consensus alert … If there is a determination in block 512 that there is a consensus alert, the method 500 may advance to block 516; [0063] In block 516, contribution plots may be generated and presented to allow further exploring why an alert occurred).
Schimert fails to disclose:
receiving event data [baseline and operational] including records logged by deterministic data processing systems operated by the plurality of target systems; detected alert condition is a cyber-attack; the determining the baseline cumulative trajectory of the each of the plurality of baseline event clusters further comprising: determining a first centroid of the baseline event data at the each of the plurality of first discrete time intervals, and determining a centroid for a baseline cumulative rolling wave at the each of the plurality of first discrete time intervals using the first centroid of the baseline event data at the each of the plurality of first discrete time intervals and the first centroids of the baseline event data from all previous first discrete time intervals of the each of the plurality of first discrete time intervals; the determining the operational cumulative trajectory of the each of the plurality of operational event clusters further comprising: determining a second centroid of the operational event data at each of the plurality of second discrete time intervals, and determining a centroid for an operational cumulative rolling wave at the each of the plurality of second discrete time intervals using the second centroid of the operational event data at the each of the plurality of second discrete time intervals and the second centroids of the operational event data from all previous second discrete time intervals of the each of the plurality of second discrete time intervals; and wherein receiving baseline event data is a data which contains initial computer system configuration.
However, Wang discloses:	receiving event data [baseline and operational] including records logged by deterministic data processing systems operated by the plurality of target systems (Col. 2, Line # 34-53; Methods can further include the actions of receiving, by the first computing group that performs operations of a first processing stage, the first event batch; processing event data for the events that belong to first event batch; determining that processing of the first event batch has been completed; and logging first results of the first processing stage to a data store. Determining that processing of the first batch has been completed can include the action of determining that a threshold number of event bundles from the first batch has been processed. Methods can further include the actions of receiving, by a second computing group that performs operations of a second processing stage, the first event batch; preventing the first event batch from being processed by the second computing group until the first results have been logged; determining that the first results have been logged; and processing the first results and event data for the events that belong to the first event batch, the processing including performing the operations of the second processing stage; and logging second results of the second processing stage; Col. 4; Line # 34-42; Deterministic processing refers to processing that produces a matching result (e.g., a same result) even if the processing is repeated by a same or different data processing apparatus. Deterministic processing of events in a distributed (or parallel) computing environment is achieved by creating batches of events based on timestamps (e.g., indicative of a time at which the event occurred) associated with the events, and specifying operations that must occur in order for processing of the events to continue at a next processing stage).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Schimert reference and include a deterministic data processing system for processing event data, as disclosed by Wang.
(See Wang: Col. 3; Line # 60-67 – Col. 4; Line # 1-8).
The combination of Schimert and Wang fails to disclose:
detected alert condition is a cyber-attack; the determining the baseline cumulative trajectory of the each of the plurality of baseline event clusters further comprising: determining a first centroid of the baseline event data at the each of the plurality of first discrete time intervals, and determining a centroid for a baseline cumulative rolling wave at the each of the plurality of first discrete time intervals using the first centroid of the baseline event data at the each of the plurality of first discrete time intervals and the first centroids of the baseline event data from all previous first discrete time intervals of the each of the plurality of first discrete time intervals; the determining the operational cumulative trajectory of the each of the plurality of operational event clusters further comprising: determining a second centroid of the operational event data at each of the plurality of second discrete time intervals, and determining a centroid for an operational cumulative rolling wave at the each of the plurality of second discrete time intervals using the second centroid of the operational event data at the each of the plurality of second discrete time intervals and the second centroids of the operational event data from all previous second discrete time intervals of the each of the plurality of second discrete time intervals; and wherein receiving baseline event data is a data which contains initial computer system configuration.
However, Singla discloses:
detected alert condition is a cyber-attack ([0013] According to examples, the apparatus and method disclosed herein may include a pattern mining module to parse input data that is used to determine a sequence of steps that are involved in an attack. The attack may include, for example, a cyber-attack. The sequence of steps may include, for example, reconnaissance, perimeter infiltration, internal network zone infiltration, discovery, capture, exfiltration, and/or payload installation; [0042] At block 206, the method may include receiving a security indicator that is related to a potential attack. For example, referring to FIG. 1, the user interface 110 may be used to enter (and thus receive) a security indicator 112 that is related to a potential attack).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Schimert and Wang references and include a device for detecting a cyber-attack, as disclosed by Singla.
The motivation to include a device for detecting a cyber-attack is to rapidly and accurately detect various forms of cyber-attacks by monitoring and analyzing events generated in real time (See Singla: [0012]).
The combination of Schimert, Wang and Singla fails to disclose:
the determining the baseline cumulative trajectory of the each of the plurality of baseline event clusters further comprising: determining a first centroid of the baseline event data at the each of the plurality of first discrete time intervals, and determining a centroid for a baseline cumulative rolling wave at the each of the plurality of first discrete time intervals using the first centroid of the baseline event data at the each of the plurality of first discrete time intervals and the first centroids of the baseline event data from all previous first discrete time intervals of the each of the plurality of first discrete time intervals; the determining the 
However, Giordano discloses:
the determining the baseline cumulative trajectory of the each of the plurality of baseline event clusters further comprising: 
determining a first centroid (See FIG. 3C; 121 a) of the baseline event data at the each of the plurality of first discrete time intervals (Col. 12, Line #66-67 – Col. 13, Line # 1-5; the point may be the centroid or a geometric center of the cluster. Accordingly, the clusters are represented by their centroids or geometric centers, thus forming a hyper-map to represent the server groups of the CDN; Col. 15; Line # 58-61; The collection of points representing the feature vectors of all servers of the CDN form a hyper-map in this 5-dimensional hyperspace, such as the hyper-map A (121 a) shown in FIG. 3C), and 
determining a centroid for a baseline cumulative rolling wave at the each of the plurality of first discrete time intervals using the first centroid of the baseline event data at the each of the plurality of first discrete time intervals and the first centroids of the baseline event data from all previous first discrete time intervals of the each of the plurality of first discrete time intervals (Col. 10, Line # 11-16; the flows are captured and parsed throughout a pre-configured time interval recurring on a periodic basis (e.g., every minute, hourly, daily, etc.) or triggered in response to an event. Such pre-configured time interval correspond to the aforementioned time window of a snapshot in the network traffic data (330));
the determining the operational cumulative trajectory of the each of the plurality of operational event clusters further comprising: 
determining a second centroid (See FIG. 3C; 122 a) of the operational event data at each of the plurality of second discrete time intervals, and determining a centroid for an operational cumulative rolling wave at the each of the plurality of second discrete time intervals using the second centroid of the operational event data at the each of the plurality of second discrete time intervals and the second centroids of the operational event data from all previous second discrete time intervals of the each of the plurality of second discrete time intervals (Col. 10, Line # 11-16; the flows are captured and parsed throughout a pre-configured time interval recurring on a periodic basis (e.g., every minute, hourly, daily, etc.) or triggered in response to an event. Such pre-configured time interval correspond to the aforementioned time window of a snapshot in the network traffic data (330); Col. 16, Line # 9-20; To track the evolution of a clustering (i.e., a collection of clusters) over time, two clusterings C(i) and C(i+1) are generated from two snapshots X(i) and X(i+1), one subsequent to another. In particular, X(i) and C(i) correspond to the hyper-map A (212 a) and hyper-map (212 b), respectively, shown in FIG. 3C. In addition, the subsequent hyper-map A (122 a) and subsequent hyper-map B (122 b) are evolved versions of the hyper-map A (212 a) and hyper-map (212 b), respectively, that correspond to a subsequent snapshot (referred to as snapshot i+1) of the network traffic flows captured from the CDN shown in FIG. 3A).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the references of Schimert, Wang and Singla and detect a centroid of clusters of collected data, as disclosed by Giordano.
The motivation to detect a centroid of clusters of collected data is to find a mean position of the collected data and display that in the form of a graph (See Giordano: 60-67).
The combination of Schimert, Wang, Singla and Giordano fails to disclose the concept:
wherein receiving baseline event data is a data which contains initial computer system configuration.
However, Bandholz discloses:
wherein receiving baseline event data is a data which contains initial computer system configuration ([0035] FET controller 203 and on-resistance sensor 205 operate under the control of microprocessor 209 which implements the logic to be described relative to the flowcharts in the figures which follow. Microprocessor 209 has NVRAM 207 at its disposal for storing on-resistance values and other parameters across power-on power-off cycles of the computer system. As will be seen, values stored in NVRAM 207 include values which are used to establish baseline on-resistance values and other values for particular FETs installed in the system for an initial computer system configuration and for subsequent predictive failure conditions. Values include initial on-resistance values measured for the MOSFET 202 while in use at the time the system and/or the MOSFET was initially configured, or presumed initial values; and values which deviate from the initial on-resistance values and for which a predictive failure report is to be generated).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Schimert, Wang, Singla and Giordano references and receive baseline data which contains the initial state of a system, as disclosed by Bandholz.
The motivation to receive baseline data which contains the initial state of the system is to establish a baseline for a particular system (See Bandholz: [0035]).
Regarding claim 11, the combination of Schimert, Wang, Singla, Giordano & Bandholz discloses:
The system of claim 10, wherein: the plurality of deterministic target systems include a plurality of types, and the plurality of types include one or more configurations; the baseline event data includes a plurality of records that associate baseline events, respectively, with a timestamp, one of the plurality of types, and one of a plurality of configurations; and the operational event data includes a plurality of records that associate operational events, respectively, with a timestamp, one of the plurality of types and one of the plurality of configurations (Schimert: [0043] In block 214, a determination may be made as to whether any collected sensor data corresponding to a parameter of interest occurred within a predetermined time period of a flight deck effect 204. Any sensor data or parameter observations within the predetermined time period or number of days of a flight deck effect 204 are rejected in block 216 because this period of time is considered not under normal operating conditions).
Regarding claim 12, the combination of Schimert, Wang, Singla, Giordano & Bandholz discloses:
The system of claim 11, wherein: the plurality of types comprise a plurality of aircraft fleets; and the plurality of configurations comprise configurations of data processing systems in the plurality of aircraft fleets (Schimert: [0005] In accordance with a further embodiment of the present invention, a data-driven method for detecting anomalies in sensor data from an aircraft may include two main steps. The first step may define data sets collected under normal operating conditions from a plurality of aircraft systems, and determines limits).
Regarding claim 14, the combination of Schimert, Wang, Singla, Giordano & Bandholz discloses:
The system of claim 12, further comprising: determining a number of configurations included in the plurality of types; and determining initial baseline event clusters by partitioning pairs of complementary baseline events into a first plurality of sets corresponding to the number of configurations; and determining initial operational event clusters by partitioning pairs of complementary operational events into a second plurality of sets corresponding to the number of configurations (Schimert: [0004] In accordance with another embodiment of the present invention, a method for data-driven anomaly detection may include statistically analyzing performance data from a plurality of aircraft systems in relation to previously collected baseline performance data from the plurality of aircraft systems. The method may also include detecting any anomalies based on the statistical analysis to permit correction prior to any flight deck effect; [0005] The second step may detect any anomalies in new sensor data by projecting onto the baseline models, and comparing monitored quantities to baseline limits. At any time, if the baseline limit is exceeded, an alert is generated. Otherwise the observation is considered normal; [0056] In general, clustering algorithms determine structure within data by organizing it into groups or clusters. Many algorithms exist, but no single algorithm can handle all sorts of cluster shapes and structures. Each algorithm has its own bias and assumptions. Different clustering algorithms may partition a given data set differently. Even a single clustering algorithm may produce several partitions for different initializations or design parameters).
Regarding claim 18, the combination of Schimert, Wang, Singla, Giordano & Bandholz discloses:
	The system of claim 10, wherein comparing the baseline cumulative trajectories with the operational cumulative trajectories comprises plotting a graph comparing the first centroid for a cumulative rolling wave over the plurality of discrete time intervals with the second centroid for the cumulative rolling wave over the plurality of discrete time intervals (Schimert: [0052] FIG. 4 displays this graphically. FIG. 4 is an example of a chart 400 displaying an output or results of calculating the robust and usual fits to detect outliers in accordance with an embodiment of the present invention. In the results, robust distances 402 are plotted against usual distances 404. The robust distances 402 are determined from the robust principal components and the usual distances 404 are determined from the usual principal components. Deviations from the dotted diagonal line 406 indicate candidate outliers. Both scattered outlying observations 408 and a cluster of outlying observations 410 are illustrated in FIG. 4).
Regarding claim 19, Schimert discloses:

receiving, by a processor, baseline event data during operation of a plurality of target systems ([0005] In accordance with a further embodiment of the present invention, a data-driven method for detecting anomalies in sensor data from an aircraft may include two main steps. The first step may define data sets collected under normal operating conditions from a plurality of aircraft systems, and determines limits. Empirical models may be applied to reduce a possible high dimension of sensor data. These models and limits may be called “baseline” models and limits; [0031] Anomalies, faults or other conditions may be detected to permit correction prior to any flight deck effect; [0036] In block 110 the monitoring results from block 108 may be fused or consolidated to produce a consensus decision, i.e. alert/normal on whether an anomaly is likely to occur); 
determining, by the processor, a plurality of baseline event clusters (see [0042] i.e. cluster of normal operating conditions (NOC) such as sensor data from various aircraft systems) using the baseline event data by determining one or more pairs of complementary baseline events recorded in the baseline event data that correspond to activities performed during the alert condition ([0042] Sensor data 210 from various aircraft systems, e.g. flight control systems or environmental control systems may be collected. In block 212, selected parameters of interest that are to be monitored or observed may be specified; [0057] In block 310, a determination may be made if an observation belongs to a cluster of NOC); 
determining, by the processor, a baseline cumulative trajectory (see [0052] i.e. dashed diagonally straight line 406 in FIG. 4 which is construed as baseline cumulative trajectory) of each of the plurality of baseline event clusters by partitioning the each of the plurality of baseline event clusters into a plurality of first discrete time intervals (see FIG. 2; i.e. timeline) within a first time period ([0041] In block 206, a timeline of flight deck effects 204 of interest may be determined from the observed training data; [0044] In block 218, additional criteria may be applied to further extract data to produce the initial training data 220 based substantially on normal operating conditions. Examples of criteria may include extracting by a single aircraft rather than all aircraft; or for only certain flight phases, such as take off, cruise, or landing; [0048] In block 228, models are fit to the final training data to generate NOC or baseline models 230; [0052] The robust distances 402 are determined from the robust principal components and the usual distances 404 are determined from the usual principal components. Deviations from the dotted diagonal line 406 indicate candidate outliers) that is longer than an expected length of the alert condition (See FIG. 8; [0063] Each sub-chart 802 or sub-plot illustrates a level 804 (0-4 in this example) of contribution for each different parameter 806 observed for each respective date, set of dates or occurrence; [0064] In the example illustrated in FIG. 8, for the specific date or dates corresponding to sub-chart 802 a, parameter 10 had the highest level of contribution to causing the alert in the monitoring chart exceeding the predetermined NOC limit), 
receiving, by the processor and from the plurality of the target systems (see FIG. 5; [0058] In block 502, new sensor data in contrast to initial training data may be collected; [0061] In block 510 monitoring results may be fused or consolidated to form a single consensus result, alert/no alert; [0062] In block 512, a determination may be made if there is a consensus alert from the fused results. Since the fused results are a consolidation or fusion of multiple decisions, the alert may be referred to as a consensus alert); 
determining, by the processor, a plurality of operational event clusters (i.e. sensor data from flight control) using the operational event data (i.e. new sensor data) by determining one or more pairs of complementary operational events recorded (see FIG. 5; i.e. collected new data) in the operational event data that correspond to activities performed during the alert condition; ([0059] In block 504, the new data may be projected onto models of NOC, such as models 230 developed in FIG. 2B; [0062] In block 512, a determination may be made if there is a consensus alert from the fused results … If there is a determination in block 512 that there is a consensus alert, the method 500 may advance to block 516);
determining, by the processor, an operational cumulative trajectory (see [0033] i.e. exceeds the limit) of each of the plurality of operational event clusters by partitioning each of the plurality of operational event clusters into a plurality of second discrete time intervals (see FIG. 8; i.e. respective date, set of dates) within a second time period ([0059] In block 506, quantities to be monitored may be calculated … One type of quantity represents a distance of a parameter observation to a center within a space spanned by a chosen number of components. Another type of quantity is a residual or an orthogonal distance of the parameter observation to the model space. Thus the two types of quantities measure closeness of an observation to NOC according to what the NOC model describes, and in addition measures any left over distance that the model does not describe. These quantities can be compared to their corresponding limit determined earlier using baseline data. At any time point, if the quantity exceeds the limit, an alert is generated; [0063] FIG. 8 illustrates an example of a contribution plot 800 including a trellis of four contribution plots or sub-charts 802 a-802 d. Each sub-chart 802 or sub-plot illustrates a level 804 (0-4 in this example) of contribution for each different parameter 806 observed for each respective date, set of dates or occurrence) that is longer than an expected length of the alert condition (See FIG. 8 for observing data for various length of time; [0063] Each sub-chart 802 or sub-plot illustrates a level 804 (0-4 in this example) of contribution for each different parameter 806 observed for each respective date, set of dates or occurrence; [0064] In the example illustrated in FIG. 8, for the specific date or dates corresponding to sub-chart 802 a, parameter 10 had the highest level of contribution to causing the alert in the monitoring chart exceeding the predetermined NOC limit), 
detecting, by the processor, the alert condition occurring within the plurality of target systems by comparing the baseline cumulative trajectories of the plurality of baseline event clusters with the operational cumulative trajectories of the plurality of operational event clusters and determining that the baseline cumulative trajectories and the operational cumulative trajectories diverge by more than a predetermined distance ([0005] The second step may detect any anomalies in new sensor data by projecting onto the baseline models, and comparing monitored quantities to baseline limits; [0034] In block 106, parameters collected from sensors coupled to the various systems may be monitored by calculating quantities from the collected parameter data and NOC models and comparing with NOC limits established in block 104 for NOC data; [0039] In block 118, which parameter or parameters are most likely to have caused the alert may be determined from the contribution plot or plots. This is done by comparing each parameter contribution to the monitored quantity, relative to the parameter contribution under baseline or normal operation conditions); and 
outputting, by the processor, an indication regarding the detected alert condition ([0062] In block 512, a determination may be made if there is a consensus alert from the fused results. Since the fused results are a consolidation or fusion of multiple decisions, the alert may be referred to as a consensus alert … If there is a determination in block 512 that there is a consensus alert, the method 500 may advance to block 516; [0063] In block 516, contribution plots may be generated and presented to allow further exploring why an alert occurred).
Schimert fails to disclose:
receiving event data [baseline and operational] including records logged by deterministic data processing systems operated by the plurality of target systems; detected alert condition is a cyber-attack; the determining the baseline cumulative trajectory of the each of the plurality of baseline event clusters further comprising: determining a first centroid of the baseline event data at the each of the plurality of first discrete time intervals, and determining a centroid for a baseline cumulative rolling wave at the each of the plurality of first discrete time intervals using the first centroid of the baseline event data at the each of the plurality of first discrete time intervals and the first centroids of the baseline event data from all previous first discrete time intervals of the each of the plurality of first discrete time intervals; the determining the operational cumulative trajectory of the each of the plurality of operational event clusters further comprising: determining a second centroid of the operational event data at each of the plurality of second discrete time intervals, and determining a centroid for an operational cumulative rolling wave at the each of the plurality of second discrete time 
However, Wang discloses:	receiving event data [baseline and operational] including records logged by deterministic data processing systems operated by the plurality of target systems (Col. 2, Line # 34-53; Methods can further include the actions of receiving, by the first computing group that performs operations of a first processing stage, the first event batch; processing event data for the events that belong to first event batch; determining that processing of the first event batch has been completed; and logging first results of the first processing stage to a data store. Determining that processing of the first batch has been completed can include the action of determining that a threshold number of event bundles from the first batch has been processed. Methods can further include the actions of receiving, by a second computing group that performs operations of a second processing stage, the first event batch; preventing the first event batch from being processed by the second computing group until the first results have been logged; determining that the first results have been logged; and processing the first results and event data for the events that belong to the first event batch, the processing including performing the operations of the second processing stage; and logging second results of the second processing stage; Col. 4; Line # 34-42; Deterministic processing refers to processing that produces a matching result (e.g., a same result) even if the processing is repeated by a same or different data processing apparatus. Deterministic processing of events in a distributed (or parallel) computing environment is achieved by creating batches of events based on timestamps (e.g., indicative of a time at which the event occurred) associated with the events, and specifying operations that must occur in order for processing of the events to continue at a next processing stage).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the Schimert reference and include a deterministic data processing system for processing event data, as disclosed by Wang.
The motivation to include a deterministic data processing system for processing event data is to ensure that event data processed by the deterministic system contains no randomness when data is retrieved in the development of future states of the system (See Wang: Col. 3; Line # 60-67 – Col. 4; Line # 1-8).
The combination of Schimert and Wang fails to disclose:
detected alert condition is a cyber-attack; the determining the baseline cumulative trajectory of the each of the plurality of baseline event clusters further comprising: determining a first centroid of the baseline event data at the each of the plurality of first discrete time intervals, and determining a centroid for a baseline cumulative rolling wave at the each of the plurality of first discrete time intervals using the first centroid of the baseline event data at the each of the plurality of first discrete time intervals and the first centroids of the baseline event data from all previous first discrete time intervals of the each of the plurality of first discrete time intervals; the determining the operational cumulative trajectory of the each of the plurality of operational event clusters further comprising: determining a second centroid of the 
However, Singla discloses:
detected alert condition is a cyber-attack ([0013] According to examples, the apparatus and method disclosed herein may include a pattern mining module to parse input data that is used to determine a sequence of steps that are involved in an attack. The attack may include, for example, a cyber-attack. The sequence of steps may include, for example, reconnaissance, perimeter infiltration, internal network zone infiltration, discovery, capture, exfiltration, and/or payload installation; [0042] At block 206, the method may include receiving a security indicator that is related to a potential attack. For example, referring to FIG. 1, the user interface 110 may be used to enter (and thus receive) a security indicator 112 that is related to a potential attack).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the Schimert and Wang references and include a device for detecting a cyber-attack, as disclosed by Singla.
The motivation to include a device for detecting a cyber-attack is to rapidly and accurately detect various forms of cyber-attacks by monitoring and analyzing events generated in real time (See Singla: [0012]).
The combination of Schimert, Wang and Singla fails to disclose:
the determining the baseline cumulative trajectory of the each of the plurality of baseline event clusters further comprising: determining a first centroid of the baseline event data at the each of the plurality of first discrete time intervals, and determining a centroid for a baseline cumulative rolling wave at the each of the plurality of first discrete time intervals using the first centroid of the baseline event data at the each of the plurality of first discrete time intervals and the first centroids of the baseline event data from all previous first discrete time intervals of the each of the plurality of first discrete time intervals; the determining the operational cumulative trajectory of the each of the plurality of operational event clusters further comprising: determining a second centroid of the operational event data at each of the plurality of second discrete time intervals, and determining a centroid for an operational cumulative rolling wave at the each of the plurality of second discrete time intervals using the second centroid of the operational event data at the each of the plurality of second discrete time intervals and the second centroids of the operational event data from all previous second discrete time intervals of the each of the plurality of second discrete time intervals; and wherein receiving baseline event data is a data which contains initial computer system configuration.
However, Giordano discloses:
the determining the baseline cumulative trajectory of the each of the plurality of baseline event clusters further comprising: 
determining a first centroid (See FIG. 3C; 121 a) of the baseline event data at the each of the plurality of first discrete time intervals (Col. 12, Line #66-67 – Col. 13, Line # 1-5; the point may be the centroid or a geometric center of the cluster. Accordingly, the clusters are represented by their centroids or geometric centers, thus forming a hyper-map to represent the server groups of the CDN; Col. 15; Line # 58-61; The collection of points representing the feature vectors of all servers of the CDN form a hyper-map in this 5-dimensional hyperspace, such as the hyper-map A (121 a) shown in FIG. 3C), and 
determining a centroid for a baseline cumulative rolling wave at the each of the plurality of first discrete time intervals using the first centroid of the baseline event data at the each of the plurality of first discrete time intervals and the first centroids of the baseline event data from all previous first discrete time intervals of the each of the plurality of first discrete time intervals (Col. 10, Line # 11-16; the flows are captured and parsed throughout a pre-configured time interval recurring on a periodic basis (e.g., every minute, hourly, daily, etc.) or triggered in response to an event. Such pre-configured time interval correspond to the aforementioned time window of a snapshot in the network traffic data (330));
the determining the operational cumulative trajectory of the each of the plurality of operational event clusters further comprising: 
determining a second centroid (See FIG. 3C; 122 a) of the operational event data at each of the plurality of second discrete time intervals, and determining a centroid for an operational cumulative rolling wave at the each of the plurality of second discrete time intervals using the second centroid of the operational event data at the each of the plurality of second discrete time intervals and the second centroids of the operational event data from all previous second discrete time intervals of the each of the plurality of second discrete time intervals (Col. 10, Line # 11-16; the flows are captured and parsed throughout a pre-configured time interval recurring on a periodic basis (e.g., every minute, hourly, daily, etc.) or triggered in response to an event. Such pre-configured time interval correspond to the aforementioned time window of a snapshot in the network traffic data (330); Col. 16, Line # 9-20; To track the evolution of a clustering (i.e., a collection of clusters) over time, two clusterings C(i) and C(i+1) are generated from two snapshots X(i) and X(i+1), one subsequent to another. In particular, X(i) and C(i) correspond to the hyper-map A (212 a) and hyper-map (212 b), respectively, shown in FIG. 3C. In addition, the subsequent hyper-map A (122 a) and subsequent hyper-map B (122 b) are evolved versions of the hyper-map A (212 a) and hyper-map (212 b), respectively, that correspond to a subsequent snapshot (referred to as snapshot i+1) of the network traffic flows captured from the CDN shown in FIG. 3A).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the references of Schimert, Wang and Singla and detect a centroid of clusters of collected data, as disclosed by Giordano.
The motivation to detect a centroid of clusters of collected data is to find a mean position of collected data and display that in the form of a graph (See Giordano: 60-67).
The combination of Schimert, Wang, Singla and Giordano fails to disclose the concept:
wherein receiving baseline event data is a data which contains initial computer system configuration.
However, Bandholz discloses:
wherein receiving baseline event data is a data which contains initial computer system configuration ([0035] FET controller 203 and on-resistance sensor 205 operate under the control of microprocessor 209 which implements the logic to be described relative to the flowcharts in the figures which follow. Microprocessor 209 has NVRAM 207 at its disposal for storing on-resistance values and other parameters across power-on power-off cycles of the computer system. As will be seen, values stored in NVRAM 207 include values which are used to establish baseline on-resistance values and other values for particular FETs installed in the system for an initial computer system configuration and for subsequent predictive failure conditions. Values include initial on-resistance values measured for the MOSFET 202 while in use at the time the system and/or the MOSFET was initially configured, or presumed initial values; and values which deviate from the initial on-resistance values and for which a predictive failure report is to be generated).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the Schimert, Wang, Singla and Giordano references and receive baseline data which contains the initial state of a system, as disclosed by Bandholz.
The motivation to receive baseline data which contains the initial state of the system is to establish a baseline for a particular system (See Bandholz: [0035]).
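The centroid, cumulative rolling wave and divergence limitations addressed above for claim 1 can be illustrated with the following added example, which is not code from the application or from any cited reference. It assumes that the cumulative centroid at an interval is the mean of the interval centroids up to and including that interval, that baseline and operational intervals are compared by index, and that distance is Euclidean; the two-feature event vectors are constructed sample data.

```python
from math import dist


def interval_centroids(events, start, width, count):
    """Partition (timestamp, vector) events into `count` intervals of `width`
    seconds beginning at `start`; return one centroid per interval, or None
    for an interval that holds no events."""
    buckets = [[] for _ in range(count)]
    for ts, vec in events:
        idx = int((ts - start) // width)
        if 0 <= idx < count:          # events outside the time period are ignored
            buckets[idx].append(vec)
    centroids = []
    for vecs in buckets:
        if not vecs:
            centroids.append(None)
        else:
            centroids.append(tuple(sum(col) / len(vecs) for col in zip(*vecs)))
    return centroids


def cumulative_trajectory(centroids):
    """Cumulative centroid at interval i = mean of interval centroids 0..i
    (assumed reading of the 'cumulative rolling wave'). An empty interval
    leaves the trajectory where it was."""
    seen = 0
    running = None
    trajectory = []
    for c in centroids:
        if c is not None:
            seen += 1
            if running is None:
                running = list(c)
            else:
                # incremental mean update over the centroids seen so far
                running = [r + (x - r) / seen for r, x in zip(running, c)]
        trajectory.append(tuple(running) if running is not None else None)
    return trajectory


def first_divergence(baseline_traj, operational_traj, max_distance):
    """Return (interval index, distance) for the first interval at which the
    two trajectories are more than `max_distance` apart, else None."""
    for i, (b, o) in enumerate(zip(baseline_traj, operational_traj)):
        if b is None or o is None:
            continue
        d = dist(b, o)
        if d > max_distance:
            return i, d
    return None


# Constructed sample data. Each record is (timestamp in seconds, feature vector);
# the two features are hypothetical, e.g. (logins, distinct destination ports).
BASELINE_EVENTS = [
    (5, (2.0, 4.0)), (30, (4.0, 6.0)),      # interval 0
    (70, (3.0, 5.0)),                       # interval 1
                                            # interval 2 is empty
    (200, (2.0, 6.0)), (230, (4.0, 4.0)),   # interval 3
]
OPERATIONAL_EVENTS = [
    (1010, (3.0, 5.0)),                     # interval 0: matches baseline
    (1065, (2.0, 8.0)), (1100, (4.0, 10.0)),  # interval 1: slight drift
    (1130, (3.0, 25.0)),                    # interval 2: port fan-out grows
    (1190, (3.0, 25.0)),                    # interval 3: drift persists
]

if __name__ == "__main__":
    base = cumulative_trajectory(interval_centroids(BASELINE_EVENTS, 0, 60, 4))
    oper = cumulative_trajectory(interval_centroids(OPERATIONAL_EVENTS, 1000, 60, 4))
    for i, (b, o) in enumerate(zip(base, oper)):
        print(i, b, o, round(dist(b, o), 2))
    print("first divergence beyond 5.0:", first_divergence(base, oper, 5.0))
```

Because the trajectory averages over all earlier intervals, a single deviating interval moves it only part of the way; the alert fires once the drift has persisted long enough to pull the cumulative centroid past the predetermined distance.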
Regarding claim 21, the combination of Schimert, Wang, Singla, Giordano & Bandholz discloses:
The method of claim 1, wherein: 
the cyber-attack comprises an advanced persistent threat cyber-attack; and the operational event data includes activities of the advanced persistent threat cyber-attack that determine network information of the target systems (Singla: [0009] A typical attack, such as a cyber-attack, may include a plurality of phases that utilize different machines and thus different security indicators. For example, a typical attack may include a reconnaissance phase that utilizes a first set of entities, machines, or logic, and an infiltration phase that utilizes another set of entities, machines, or logic; Also See [0031]).
Regarding claim 22, the combination of Schimert, Wang, Singla, Giordano & Bandholz discloses:
The method of claim 1, wherein the baseline event data and the operational event data consist of information describing the deterministic target systems and event data generated by the deterministic target systems (Schimert: [0005] In accordance with a further embodiment of the present invention, a data-driven method for detecting anomalies in sensor data from an aircraft may include two main steps. The first step may define data sets collected under normal operating conditions from a plurality of aircraft systems, and determines limits. Empirical models may be applied to reduce a possible high dimension of sensor data. These models and limits may be called “baseline” models and limits. The second step may detect any anomalies in new sensor data by projecting onto the baseline models, and comparing monitored quantities to baseline limits; [0031] Data representing normal operating conditions (NOC) may also be extracted or collected in block 102.  As described in more detail with reference to FIGS. 2A and 2B, sensor data from the various systems, such as flight control systems and environmental systems associated with an aircraft, may be collected and processed to generate training data sets of sensor data corresponding to a baseline or normal operating conditions (NOC) for specific parameters of interest).
Regarding claim 23, the combination of Schimert, Wang, Singla, Giordano & Bandholz discloses:

The plurality of target systems include a plurality of target system types (Schimert: [0072] A data collection unit 1010 may collect sensor data from multiple sensors 1012 associated with various systems 1014 or subsystems forming an apparatus, such as an aircraft or other equipment; [0044] Examples of criteria may include extracting by a single aircraft rather than all aircraft; or for only certain flight phases, such as take off, cruise, or landing);
the plurality of target system types include one or more target system configurations (Schimert: [0032] In block 104, NOC models or baseline models may be fit to NOC data or baseline data. Principal component analysis (PCA) and independent component analysis (ICA) are known techniques that may be used to reduce the dimension of NOC or baseline data. PCA and ICA are described in more detail below. A NOC model represents data under normal operating conditions. Monitoring quantities are calculated at each time by applying NOC models to the data collected at that time);
the baseline event data and the operational event data associate the activities of the advanced persistent threat cyber-attack with the plurality of the target system types, the one or more target system configurations, and timestamps (Schimert: [0043] In block 214, a determination may be made as to whether any collected sensor data corresponding to a parameter of interest occurred within a predetermined time period of a flight deck effect 204. Any sensor data or parameter observations within the predetermined time period or number of days of a flight deck effect 204 are rejected in block 216 because this period of time is considered not under normal operating conditions).

Regarding claim 25, the combination of Schimert, Wang, Singla, Giordano & Bandholz discloses:
The system of claim 10, wherein: 
the cyber-attack comprises an advanced persistent threat cyber-attack; and the operational event data includes activities of the advanced persistent threat cyber-attack that determine network information of the target systems (Singla: [0009] A typical attack, such as a cyber-attack, may include a plurality of phases that utilize different machines and thus different security indicators. For example, a typical attack may include a reconnaissance phase that utilizes a first set of entities, machines, or logic, and an infiltration phase that utilizes another set of entities, machines, or logic; Also See [0031]).
Regarding claim 26, the combination of Schimert, Wang, Singla, Giordano & Bandholz discloses:
The system of claim 10 wherein the baseline event data and the operational event data include information describing the target systems and event data generated by the target systems (Schimert: [0005] In accordance with a further embodiment of the present invention, a data-driven method for detecting anomalies in sensor data from an aircraft may include two main steps. The first step may define data sets collected under normal operating conditions from a plurality of aircraft systems, and determines limits. Empirical models may be applied to reduce a possible high dimension of sensor data. These models and limits may be called “baseline” models and limits. The second step may detect any anomalies in new sensor data by projecting onto the baseline models, and comparing monitored quantities to baseline limits; [0031] Data representing normal operating conditions (NOC) may also be extracted or collected in block 102.  As described in more detail with reference to FIGS. 2A and 2B, sensor data from the various systems, such as flight control systems and environmental systems associated with an aircraft, may be collected and processed to generate training data sets of sensor data corresponding to a baseline or normal operating conditions (NOC) for specific parameters of interest).

Claims 6, 15, 20 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Schimert (US20090216393A1) e.f.d. of 02/27/2008 in view of Wang et al., (US8910188B1) e.f.d. of 03/23/2012 in view of Singla et al., (US20170187730A1) e.f.d. of 07/21/2014 in view of Giordano et al., (US9686173B1) e.f.d. of 10/27/2014 in view of Bandholz (US20060265158A1) e.f.d. of 05/09/2005 and further in view of Amit et al., (US20140283026A1).
Regarding claim 6, the combination of Schimert, Wang, Singla, Giordano & Bandholz discloses:
	The method of claim 5, wherein: 
determining, using the initial baseline event clusters (Schimert: [0068] In block 604, a clustering ensemble methodology may be applied to the matrices of block 602 to reach a consensus decision or consensus alert. Blocks 602 and 604 together apply a clustering ensemble methodology similar to that described with respect to FIG. 4. Since monitoring algorithms partition a data set into alert/normal (or its fuzzy clustering equivalent), this invention takes the novel step of applying the cluster ensemble methodology of generating a variety of partitions (or alert/normal decisions) and then combining the results to reach a consensus decision);
(Schimert: [0068] In block 604, a clustering ensemble methodology may be applied to the matrices of block 602 to reach a consensus decision or consensus alert. Blocks 602 and 604 together apply a clustering ensemble methodology similar to that described with respect to FIG. 4. Since monitoring algorithms partition a data set into alert/normal (or its fuzzy clustering equivalent), this invention takes the novel step of applying the cluster ensemble methodology of generating a variety of partitions (or alert/normal decisions) and then combining the results to reach a consensus decision).
The combination of Schimert, Wang, Singla, Giordano & Bandholz fails to disclose:
	using a K-means clustering algorithm.
However, Amit discloses:
	using a K-means clustering algorithm ([0081] On step 232, an event graph may be built using the determined distances, and event clusters may be identified from the graph using any clustering methods such as K-means clustering, Graph K-Means, Information bottleneck, Page-Rank clustering or others).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the references of Schimert, Wang, Singla, Giordano & Bandholz and have a system which uses various clustering algorithm techniques to build event graphs to determine anomalies in computer systems based on event data and prevent cyber-attacks from happening, as taught by Amit.
The motivation is to prevent data loss from the computer network based on monitoring and analyzing data patterns from different sources through building event graphs (See Amit: [0081]).
Regarding claim 15, the combination of Schimert, Wang, Singla, Giordano & Bandholz discloses:
The system of claim 14, wherein: determining, using the initial baseline event clusters (Schimert: [0068] In block 604, a clustering ensemble methodology may be applied to the matrices of block 602 to reach a consensus decision or consensus alert. Blocks 602 and 604 together apply a clustering ensemble methodology similar to that described with respect to FIG. 4. Since monitoring algorithms partition a data set into alert/normal (or its fuzzy clustering equivalent), this invention takes the novel step of applying the cluster ensemble methodology of generating a variety of partitions (or alert/normal decisions) and then combining the results to reach a consensus decision);
and determining, using the initial operational event clusters (Schimert: [0068] In block 604, a clustering ensemble methodology may be applied to the matrices of block 602 to reach a consensus decision or consensus alert. Blocks 602 and 604 together apply a clustering ensemble methodology similar to that described with respect to FIG. 4. Since monitoring algorithms partition a data set into alert/normal (or its fuzzy clustering equivalent), this invention takes the novel step of applying the cluster ensemble methodology of generating a variety of partitions (or alert/normal decisions) and then combining the results to reach a consensus decision).
The combination of Schimert, Wang, Singla, Giordano & Bandholz fails to disclose:
	using a K-means clustering algorithm.
However, Amit discloses:
	using a K-means clustering algorithm ([0081] On step 232, an event graph may be built using the determined distances, and event clusters may be identified from the graph using any clustering methods such as K-means clustering, Graph K-Means, Information bottleneck, Page-Rank clustering or others).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the references of Schimert, Wang, Singla, Giordano & Bandholz and have a system which uses various clustering algorithm techniques to build event graphs to determine anomalies in computer systems based on event data and prevent cyber-attacks from happening, as taught by Amit.
The motivation is to prevent data loss from the computer network based on monitoring and analyzing data patterns from different sources through building event graphs (See Amit: [0081]).
Regarding claim 20, the combination of Schimert, Wang, Singla, Giordano & Bandholz discloses:
The computer program product of claim 19, wherein the operations further comprise:
determining a number of configurations included in the plurality of deterministic target systems (Schimert: [0004] In accordance with another embodiment of the present invention, a method for data-driven anomaly detection may include statistically analyzing performance data from a plurality of aircraft systems in relation to previously collected baseline performance data from the plurality of aircraft systems. The method may also include detecting any anomalies based on the statistical analysis to permit correction prior to any flight deck effect);		
determining initial baseline event clusters by partitioning pairs of complementary baseline events into a first plurality of sets corresponding to the number of configurations (Schimert: [0005] The first step may define data sets collected under normal operating conditions from a plurality of aircraft systems, and determines limits. Empirical models may be applied to reduce a possible high dimension of sensor data. These models and limits may be called “baseline” models and limits; [0056] In general, clustering algorithms determine structure within data by organizing it into groups or clusters. Many algorithms exist, but no single algorithm can handle all sorts of cluster shapes and structures. Each algorithm has its own bias and assumptions. Different clustering algorithms may partition a given data set differently. Even a single clustering algorithm may produce several partitions for different initializations or design parameters);
	determining, using the initial baseline event clusters (Schimert: [0068] In block 604, a clustering ensemble methodology may be applied to the matrices of block 602 to reach a consensus decision or consensus alert. Blocks 602 and 604 together apply a clustering ensemble methodology similar to that described with respect to FIG. 4. Since monitoring algorithms partition a data set into alert/normal (or its fuzzy clustering equivalent), this invention takes the novel step of applying the cluster ensemble methodology of generating a variety of partitions (or alert/normal decisions) and then combining the results to reach a consensus decision);
	determining initial operational event clusters by partitioning pairs of complementary operational events into a second plurality of sets corresponding to the number of configurations (Schimert: [0005] The second step may detect any anomalies in new sensor data by projecting onto the baseline models, and comparing monitored quantities to baseline limits. At any time, if the baseline limit is exceeded, an alert is generated. Otherwise the observation is considered normal; [0056] In general, clustering algorithms determine structure within data by organizing it into groups or clusters. Many algorithms exist, but no single algorithm can handle all sorts of cluster shapes and structures. Each algorithm has its own bias and assumptions. Different clustering algorithms may partition a given data set differently. Even a single clustering algorithm may produce several partitions for different initializations or design parameters);
	and determining, using the initial operational event clusters (Schimert: [0068] In block 604, a clustering ensemble methodology may be applied to the matrices of block 602 to reach a consensus decision or consensus alert. Blocks 602 and 604 together apply a clustering ensemble methodology similar to that described with respect to FIG. 4. Since monitoring algorithms partition a data set into alert/normal (or its fuzzy clustering equivalent), this invention takes the novel step of applying the cluster ensemble methodology of generating a variety of partitions (or alert/normal decisions) and then combining the results to reach a consensus decision).
The combination of Schimert, Wang, Singla, Giordano & Bandholz fails to disclose:
the plurality of baseline event clusters using a K-means clustering algorithm; the plurality of operational event clusters using the K-means clustering algorithm. 
However, Amit discloses:
	the plurality of baseline event clusters using a K-means clustering algorithm ([0081] On step 232, an event graph may be built using the determined distances, and event clusters may be identified from the graph using any clustering methods such as K-means clustering, Graph K-Means, Information bottleneck, Page-Rank clustering or others);
	the plurality of operational event clusters using the K-means clustering algorithm ([0081] On step 232, an event graph may be built using the determined distances, and event clusters may be identified from the graph using any clustering methods such as K-means clustering, Graph K-Means, Information bottleneck, Page-Rank clustering or others).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the references of Schimert, Wang, Singla, Giordano & Bandholz and have a system which uses various clustering algorithm techniques to build event graphs to determine anomalies in computer systems based on event data and prevent cyber-attacks from happening, as taught by Amit.
The motivation is to prevent data loss from the computer network based on monitoring and analyzing data patterns from different sources through building event graphs (See Amit: [0081]).
Regarding claim 24, the combination of Schimert, Wang, Singla, Giordano & Bandholz discloses:
The method of claim 23, further comprising:
determining a number of configurations included in the plurality of deterministic target systems (Schimert: [0004] In accordance with another embodiment of the present invention, a method for data-driven anomaly detection may include statistically analyzing performance data from a plurality of aircraft systems in relation to previously collected baseline performance data from the plurality of aircraft systems. The method may also include detecting any anomalies based on the statistical analysis to permit correction prior to any flight deck effect);		
determining initial baseline event clusters by partitioning pairs of complementary baseline events into a first plurality of sets corresponding to the number of configurations (Schimert: [0005] The first step may define data sets collected under normal operating conditions from a plurality of aircraft systems, and determines limits. Empirical models may be applied to reduce a possible high dimension of sensor data. These models and limits may be called “baseline” models and limits; [0056] In general, clustering algorithms determine structure within data by organizing it into groups or clusters. Many algorithms exist, but no single algorithm can handle all sorts of cluster shapes and structures. Each algorithm has its own bias and assumptions. Different clustering algorithms may partition a given data set differently. Even a single clustering algorithm may produce several partitions for different initializations or design parameters);
	determining, using the initial baseline event clusters (Schimert: [0068] In block 604, a clustering ensemble methodology may be applied to the matrices of block 602 to reach a consensus decision or consensus alert. Blocks 602 and 604 together apply a clustering ensemble methodology similar to that described with respect to FIG. 4. Since monitoring algorithms partition a data set into alert/normal (or its fuzzy clustering equivalent), this invention takes the novel step of applying the cluster ensemble methodology of generating a variety of partitions (or alert/normal decisions) and then combining the results to reach a consensus decision);
	determining initial operational event clusters by partitioning pairs of complementary operational events into a second plurality of sets corresponding to the number of configurations (Schimert: [0005] The second step may detect any anomalies in new sensor data by projecting onto the baseline models, and comparing monitored quantities to baseline limits. At any time, if the baseline limit is exceeded, an alert is generated. Otherwise the observation is considered normal; [0056] In general, clustering algorithms determine structure within data by organizing it into groups or clusters. Many algorithms exist, but no single algorithm can handle all sorts of cluster shapes and structures. Each algorithm has its own bias and assumptions. Different clustering algorithms may partition a given data set differently. Even a single clustering algorithm may produce several partitions for different initializations or design parameters);
	and determining, using the initial operational event clusters (Schimert: [0068] In block 604, a clustering ensemble methodology may be applied to the matrices of block 602 to reach a consensus decision or consensus alert. Blocks 602 and 604 together apply a clustering ensemble methodology similar to that described with respect to FIG. 4. Since monitoring algorithms partition a data set into alert/normal (or its fuzzy clustering equivalent), this invention takes the novel step of applying the cluster ensemble methodology of generating a variety of partitions (or alert/normal decisions) and then combining the results to reach a consensus decision).
The combination of Schimert, Wang, Singla, Giordano & Bandholz fails to disclose:
the plurality of baseline event clusters using a K-means clustering algorithm; the plurality of operational event clusters using the K-means clustering algorithm. 
However Amit discloses:
	the plurality of baseline event clusters using a K-means clustering algorithm ([0081] On step 232, an event graph may be built using the determined distances, and event clusters may be identified from the graph using any clustering methods such as K-means clustering, Graph K-Means, Information bottleneck, Page-Rank clustering or others);
	the plurality of operational event clusters using the K-means clustering algorithm ([0081] On step 232, an event graph may be built using the determined distances, and event clusters may be identified from the graph using any clustering methods such as K-means clustering, Graph K-Means, Information bottleneck, Page-Rank clustering or others).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the references of Schimert, Wang, Singla, Giordano & Bandholz to have a system which uses various clustering algorithm techniques to build event graphs to determine anomalies in computer systems based on event data and prevent cyber-attacks from happening, as taught by Amit.
The motivation is to prevent data loss from the computer network based on monitoring and analyzing data patterns from different sources through building event graphs (See Amit: [0081]).

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson, can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/S.M.A./Patent Examiner, Art Unit 2432
/SYED A ZAIDI/Primary Examiner, Art Unit 2432