DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The Preliminary Amendment filed 19 May 2020 has been received and considered.
Claims 28-47 are pending.
This Action is Non-Final.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 19 May 2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 28-37, 39-44, 46, and 47 are rejected under 35 U.S.C. 103 as being unpatentable over Yadav et al. (US 20160359695) in view of Muddu et al. (US 20170063912).

using data sampled from network traffic by a network traffic monitoring system in the network computing system (see paragraphs [0074]-[0075] the network data collected by the sensors); 
modelling a distribution of values of two or more network metrics i) for each device in the network computing system as well as ii) for one or more users in the network computing system in order to create a model of behavior per device in the network computing system as well as for the one or more users in the network computing system (see paragraphs [0048]-[0049], [0073], and [0076]-[0080] where sensors collect data from each device and user associated with the devices and this data is used to model the behavior to detect whether there are anomalies within the network); 
where the two or more network metrics come from the data sampled by the network traffic monitoring system, where one or more network metrics under analysis are selected from the group comprising 1) total volume of data flowing from a first device in the network in a given time interval; 2) total volume of data flowing to the first device in the given time interval; 3) number of connections from the first device to other devices on the network in the given time interval; 4) number of connections to the first device from other devices on the network in the given time interval; 5) number of connections from the first device to other devices outside the network in the given time interval; 6) number of connections to the first device from other devices outside the network in the given time interval; 7) number of domain name system (DNS) requests made by the first device in the given time interval; 8) number of multicasts made by the first device in the given time interval; 9) number of broadcasts made by the first device in the given time interval; 10) number of attempts made by the first device to connect to closed ports on other devices in the given time interval; 11) number of server message block (SMB) read requests made by the first device in the given time interval; 12) number of SMB write requests 
applying one or more anomaly detection algorithms to a subset of data from the two or more network metrics under analysis based upon the model of behavior for the first device in the network; analyzing the subset of data from the two or more network metrics under analysis in light of the model of behavior for the first device in the network or for the model of behavior for the first user in the network with one or more machine learning algorithms to determine what is considered to be normal behavior for the first device in the network or for a first user in the network, where historical values of the metrics for that specific device are utilized by the anomalous behavior detection system for training; and utilizing an anomaly alert system that generates a notification when, at least one of the first device and the first user, is determined by the anomalous behavior detection system to have behaved anomalously (see paragraphs [0081]-[0082] where the system uses the collected data which is cleansed, modeled and used to detect and provide an indication of the anomaly).
While the Yadav et al. system generally teaches a system that uses different metrics to model behavior as part of anomaly detection, there lacks an explicit teaching of the two or more network metrics come from the data sampled by the network traffic monitoring system, where the two or more network metrics under analysis are selected from the group comprising 1) total volume of data flowing from a first device in the network in a given time interval; 2) total volume of data flowing to the first device in the given time interval; 3) number of connections from the first device to other devices on the network in the given time interval; 4) number of connections to the first device from other devices on the network in the given time interval; 5) number of connections from the first device to other devices outside the network in the given time interval; 6) number of connections to the first device from other 
However, Muddu et al. teaches a system that uses data from each user and each device within the network to detect an anomaly (see paragraph [0569]), where the two or more network metrics come from the data sampled by the network traffic monitoring system, where the two or more network metrics under analysis are selected from the group comprising 1) total volume of data flowing from a first device in the network in a given time interval; 2) total volume of data flowing to the first device in the given time interval; 3) number of connections from the first device to other devices on the network in the given time interval; 4) number of connections to the first device from other devices on the network in the given time interval; 5) number of connections from the first device to other devices outside the network in the given time interval; 6) number of connections to the first device from other devices outside the network in the given time interval; 7) number of domain name system (DNS) requests made by the first device in the given time interval; 8) number of multicasts made by the first device in the given time interval; 9) number of broadcasts made by the first device in the given time interval; 10) number of attempts made by the first device to connect to closed ports on other devices in the given time interval; 11) number of server message block (SMB) read requests made by the first device in the given time interval; 12) number of SMB write requests made by the first device in the given 
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to include the use of the data in the Muddu et al. system to model the behaviors in the Yadav et al. system.
Motivation, as recognized by one of ordinary skill in the art to do so, would have been to enhance the model by using the additional data thereby improving the anomaly detection.
While the modified Yadav et al. and Muddu et al. system teaches various metrics in the claimed group, there lacks an explicit teaching of each and only each of the elements within the group.  However, Official Notice is taken that at a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to use the group of metrics in the modified Yadav et al. and Muddu et al. system as these are common and well-known network metrics readily available and using this group of metrics would have the predictable result of an anomaly detection model using common network metrics.
As per claims 29-32 and 40-43, the modified Yadav et al. and Muddu et al. system discloses the use of various subsets of the collected data to detect the anomalies (see Yadav et al. paragraphs [0077]-[0081], which teach the use of different subsets of metrics to detect anomalies, and the discussion above regarding the various metrics being used).
As per claims 33 and 44, the modified Yadav et al. and Muddu et al. system discloses the anomalous behavior detection system computes how anomalous the value of each network metric under analysis is, and where individual computed values of how anomalousness of the behavioral metrics under analysis associated with the first device are factored in a combination of these values to 
As per claims 34 and 46, the modified Yadav et al. and Muddu et al. system discloses the subset of data from the two or more network metrics under analysis in light of the model of behavior for the first device are the number of connections from the first device to other devices in the given time interval (see Muddu et al. paragraphs [0644]-[0646]), but fails to explicitly disclose that this is monitored in light of a number of attempts made by the first device to connect to closed ports on other devices in the given time interval.  However, Official Notice is taken that at a time before the effective filing date of the invention, it would have been obvious to model the behavior in light of attempts to connect to closed ports.  Motivation to do so would have been that attempting to connect to closed ports is a known and common method used by malicious actors.
As per claim 35, the modified Yadav et al. and Muddu et al. system discloses a probability and the distribution of the values of the network metrics are used by the model of what is considered to be normal behavior for that device to determine whether the first device is behaving anomalously, wherein the probability is used to determine whether the first device is behaving anomalously (see Yadav et al. paragraphs [0079]-[0080]).
As per claims 36 and 47, the modified Yadav et al. and Muddu et al. system discloses maintaining one or more mathematical models to build and maintain dynamic, ever-changing models of a normal behavior of each device monitored by the anomalous behavior detection system, based on a comparison of metrics associated with a corresponding device, where two or more devices, including the first device, are monitored by the anomalous behavior detection system, where the anomalous behavior detection system is configured to use the one or more mathematical models to determine whether each corresponding device is behaving anomalously, where each model of a normal behavior of 
As per claim 37, the modified Yadav et al. and Muddu et al. system discloses using a framework of ranking different levels of anomalousness to provide a way for a user to specify and control a rate of generating false alerts that should not be brought to an attention of the user (see Muddu et al. paragraph [0470]).
Claims 38 and 45 are rejected under 35 U.S.C. 103 as being unpatentable over the modified Yadav et al. and Muddu et al. system as applied to claims 28 and 39 above, and further in view of Rathod et al. (US 20160241576).
While the modified Yadav et al. and Muddu et al. system discloses different measures of anomalousness (see Yadav et al. paragraphs [0079]-[0080]), there lacks an explicit teaching of
However, Rathod et al. teaches (see paragraphs [0049]-[0063]).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to include the measure of anomalousness of Rathod et al. in the modified Yadav et al. and Muddu et al. system with the predictable result of using different statistical evaluations to determine anomalousness.
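For readers following the claim language rather than the prosecution, the following is an added illustration of the per-device modelling discussed for claims 28, 33, 35 and 37 above: a distribution of each network metric is fitted per device, a probability is computed for each metric of a new interval, the per-metric values are combined into one score, and the alert line is set by ranking so that the user controls the rate of false alerts. This is example code written for this page, not the claimed system and not code from Yadav et al., Muddu et al. or Rathod et al.; the metric names, the log1p-Gaussian fit, the summed-surprisal combination rule, the sample values and the 5% false-alert budget are all assumptions.

```python
"""Added example: per-device baseline over sampled network metrics with a
user-controlled false-alert rate. Illustrative code written for this page; it is
not the claimed system and not code from Yadav, Muddu or Rathod. Metric names,
the log1p-Gaussian fit and the combination rule are assumptions."""
import math
import random
import statistics

# Metric names are assumed; they mirror the claimed group (volumes, connection
# counts, DNS requests, closed-port attempts, SMB reads) per time interval.
METRICS = ("bytes_out", "bytes_in", "conns_out_internal", "conns_in_internal",
           "conns_out_external", "dns_requests", "closed_port_attempts", "smb_reads")


def build_history(seed=7, intervals=48):
    """Constructed baseline for one workstation: 48 intervals of plausible
    normal values from a seeded PRNG (not captured traffic)."""
    rng = random.Random(seed)
    return [{
        "bytes_out": rng.randint(2_000_000, 6_000_000),
        "bytes_in": rng.randint(20_000_000, 60_000_000),
        "conns_out_internal": rng.randint(10, 30),
        "conns_in_internal": rng.randint(0, 4),
        "conns_out_external": rng.randint(20, 60),
        "dns_requests": rng.randint(40, 120),
        "closed_port_attempts": rng.randint(0, 2),
        "smb_reads": rng.randint(50, 300),
    } for _ in range(intervals)]


class DeviceModel:
    """Model of normal behaviour for ONE device: each metric's historical values
    are log1p-transformed and fitted with a mean and standard deviation."""

    def __init__(self, history):
        self.params = {}
        for m in METRICS:
            xs = [math.log1p(h.get(m, 0)) for h in history]
            mu = statistics.fmean(xs)
            sd = statistics.pstdev(xs) if len(xs) > 1 else 0.0
            # Floor the spread so a metric that was constant in training cannot
            # produce a division by zero or an infinite score.
            self.params[m] = (mu, max(sd, 0.1))

    def metric_scores(self, sample):
        """Per-metric anomalousness: -log10 of the two-sided Gaussian tail
        probability of the observed (log1p) value under this device's fit."""
        scores = {}
        for m, (mu, sd) in self.params.items():
            z = (math.log1p(sample.get(m, 0)) - mu) / sd
            p = math.erfc(abs(z) / math.sqrt(2))
            scores[m] = -math.log10(max(p, 1e-300))
        return scores

    def combined_score(self, sample):
        """Sum of per-metric surprisals (the joint tail probability under an
        independence assumption): one extreme metric or several mildly unusual
        ones both raise the device's overall score."""
        return sum(self.metric_scores(sample).values())


def alert_threshold(model, history, false_alert_rate):
    """Rank the device's own training intervals by combined score and set the
    alert line so at most `false_alert_rate` of them would have alerted."""
    ranked = sorted(model.combined_score(h) for h in history)
    idx = min(len(ranked) - 1, math.ceil((1 - false_alert_rate) * len(ranked)))
    return ranked[idx]


def evaluate(sample, model, threshold, top_n=3):
    """Score one new interval for the device; alert only above the threshold
    and report which metrics contributed most, for triage."""
    per_metric = model.metric_scores(sample)
    total = sum(per_metric.values())
    top = sorted(per_metric, key=per_metric.get, reverse=True)[:top_n]
    return {"anomalous": total > threshold, "score": total, "top_metrics": top}


if __name__ == "__main__":
    hist = build_history()
    model = DeviceModel(hist)
    thr = alert_threshold(model, hist, false_alert_rate=0.05)
    # Constructed interval resembling an internal port sweep from the device.
    sweep = {"bytes_out": 3_000_000, "bytes_in": 25_000_000, "conns_out_internal": 900,
             "conns_in_internal": 1, "conns_out_external": 30, "dns_requests": 70,
             "closed_port_attempts": 400, "smb_reads": 120}
    print(thr, evaluate(sweep, model, thr))
```

The threshold is derived from the device's own ranked history rather than a fixed constant, which is what lets an operator trade alert volume against sensitivity per device; a noisy server and a quiet workstation get different lines without retuning. The `top_metrics` field is the practical payoff of keeping per-metric values before combining them: an analyst sees that closed-port attempts and internal connection count drove the alert, not merely that the device scored high.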

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: the remaining references put forth on the PTO-892 form are directed to anomaly detection systems.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL J PYZOCHA whose telephone number is (571)272-3875. The examiner can normally be reached Monday-Thursday 7:30am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hadi Armouche can be reached on (571) 270-3618. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Michael Pyzocha/               Primary Examiner, Art Unit 2419