DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
	This office action is in reply to the amendment filed on October 14, 2021. Claims 1, 2, 6-8 and 15-30 have been amended. Claims 1-30 are pending.

Response to Arguments
Applicant's arguments filed October 14, 2021 have been fully considered but they are not persuasive.
Examiner would point out that Awad US 2017/0192872 A1 teaches determining a rarity score based on the probability of occurrence of a particular value of a particular field (i.e., determining a rarity score based on probability of occurrence of input data representing click stream of an internet traffic (paragraph 0032) and/or occurrence of input data representing system identifiers (paragraph 0027)). Examiner would point out that the prior art on record teaches the claim limitations and therefore the rejections are respectfully maintained.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-30 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-29 of U.S. Patent No. 10,038,707 B2 (hereinafter 707’ patent). Although the conflicting claims are not identical, they are not patentably distinct from each other because all elements of claims 1-30 of the present application correspond to elements of claims 1-29 of the 707’ patent. Claims 1-30 of the present application would have been obvious over claims 1-29 of the 707’ patent because each element of the claims of the present application is anticipated by the claims of the 707’ patent.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-30 are rejected under 35 U.S.C. 103 as being unpatentable over Awad et al. US 2017/0192872 A1 [hereinafter Awad] in view of Coates et al. US 2013/0318604 A1 [hereinafter Coates].

As per claims 1, 26 and 29, Awad teaches a method comprising: 
receiving, by a computer system, event data representative of data traffic on a computer network to identify a field of the data traffic, the data traffic including a plurality of 
determining, by the computer system, a set of the values of the field whose probability of occurrence does not exceed a probability of occurrence of a particular value of the plurality of values of the field, the set of the values being those values of the field that have occurred not more than a threshold number of times [paragraphs 0044, 0048 and 0111-0113];  
determining, by the computer system, a rarity score for the particular value as a function of the probability of occurrence of the set of the values [paragraphs 0044, 0048 and 0111-0113];  and 
detecting, by the computer system, that activity of an entity on the computer network is anomalous in a security context, by determining that an occurrence of the particular value of the field corresponds to an anomaly, based on the rarity score [paragraphs 0044, 0048 and 0111-0113].  
In the same field of endeavor, Coates teaches a method/system comprising: receiving, by a computer system, event data representative of data traffic on a computer network, the event data including a plurality of events, wherein each event of the plurality of events includes a plurality of fields and corresponding values for the plurality of fields (i.e., security events and plurality of field values of the security events, paragraphs 0037-0038). It would have been obvious to one having ordinary skill in the art before the effective filing date of the invention to employ the teachings of Coates within the system of Awad in order to enhance the security of the system by analyzing and detecting malware within security event fields of data traffic.


 
	As per claim 3, Awad further teaches the method wherein determining the rarity score of the particular value is performed as part of execution of a machine learning model executing at the computer system [paragraphs 0044, 0048 and 0111-0113]. 
 
	As per claim 4, Awad further teaches the method wherein determining the occurrence of the particular value as an anomaly is performed as part of execution of a machine learning model executing at the computer system [paragraphs 0044, 0048 and 0111-0113].
 
	As per claim 5, Awad further teaches the method wherein determining the rarity score of the particular value and determining the occurrence of the particular value as an anomaly are performed as part of execution of a machine learning model executing at the computer system [paragraphs 0044, 0048 and 0111-0113]. 
 
	As per claim 6, Awad further teaches the method wherein receiving the data traffic of the device includes receiving the data traffic in real-time [paragraphs 0044, 0048 and 0111-0113]. 

	As per claims 7, 27 and 30, Awad further teaches the method wherein determining the rarity score of the particular value includes determining the rarity score as a function of a number of occurrences of the particular value and a number of occurrences of each value of the set of the values [paragraphs 0044, 0048 and 0111-0113]. 
 
	As per claim 8, Awad further teaches the method wherein determining the rarity score of the particular value includes: determining a rarity of the particular value as a function of a number of occurrences of the particular value and the set of the values, and determining the rarity score for the particular value based on a confidence interval for the rarity [paragraphs 0044, 0048 and 0111-0113]. 
 
	As per claim 9, Awad further teaches the method wherein determining the rarity score of the particular value includes: determining a rarity of the particular value as a sum of a probability of occurrence of the particular value and the set of the values, and determining the rarity score of the particular value based on a confidence interval for the rarity [paragraphs 0044, 0048 and 0111-0113]. 
 
	As per claim 10, Awad further teaches the method wherein the rarity score is a tuple including a score threshold and a count threshold, the count threshold indicative of a number of times the particular value can be indicated as an anomaly [paragraphs 0044, 0048 and 0111-
 
	As per claim 11, Awad further teaches the method wherein determining the occurrence of the particular value as an anomaly includes incrementing a count of a number of times the particular value is indicated as an anomaly [paragraphs 0044, 0048 and 0111-0113]. 
 
	As per claim 12, Awad further teaches the method wherein determining the occurrence of the particular value as an anomaly includes determining that the rarity score of the particular value is less than a score threshold and that a count of a number of times the particular value is indicated as an anomaly is less than a count threshold [paragraphs 0044, 0048 and 0111-0113]. 
 
	As per claim 13, Awad further teaches the method wherein determining the occurrence of the particular value as an anomaly includes: determining that the occurrence of the particular value is not an anomaly if a count of a number of times the particular value is indicated as an anomaly exceeds a count threshold [paragraphs 0044, 0048 and 0111-0113]. 
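
The scoring and thresholding recited in claims 1, 9 and 11-13, sketched as an added example (not code from the application, from Awad or Coates, or from this Office action). The class and function names, the field name dest_port, the threshold values and the sample events are constructed for illustration; it assumes the rarity itself is used as the score, leaving out the confidence-interval step of claims 8 and 9.

```python
from collections import Counter


class RarityDetector:
    """Per-field rarity scoring with a score threshold and a count threshold."""

    def __init__(self, score_threshold=0.05, count_threshold=2):
        self.score_threshold = score_threshold   # assumed value
        self.count_threshold = count_threshold   # assumed value
        self.counts = {}          # field -> Counter of observed values
        self.flagged = Counter()  # (field, value) -> times reported as anomaly

    def observe(self, event):
        """Track occurrences of every field value in one event (a dict)."""
        for field, value in event.items():
            self.counts.setdefault(field, Counter())[value] += 1

    def rarity(self, field, value):
        """Sum of the probabilities of all values seen no more often than
        `value`, including `value` itself; a never-seen value scores 0.0."""
        seen = self.counts.get(field, Counter())
        total = sum(seen.values())
        if total == 0:
            return 0.0
        n = seen[value]
        return sum(c for c in seen.values() if c <= n) / total

    def check(self, field, value):
        """Return (is_anomaly, score). Anomalous only while the score is below
        the score threshold and the value has been flagged fewer times than
        the count threshold; each report increments the flag count."""
        score = self.rarity(field, value)
        key = (field, value)
        if score < self.score_threshold and self.flagged[key] < self.count_threshold:
            self.flagged[key] += 1
            return True, score
        return False, score


def build_sample_detector():
    """Constructed sample: 100 events with a single field."""
    d = RarityDetector()
    for port, n in ((443, 97), (8443, 2), (4444, 1)):
        for _ in range(n):
            d.observe({"dest_port": port})
    return d


if __name__ == "__main__":
    d = build_sample_detector()
    for _ in range(3):
        print(d.check("dest_port", 4444))
```

The count threshold acts as alert suppression: once a rare value has been reported the configured number of times, further occurrences are no longer raised even though the score stays below the score threshold.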
 
	As per claim 14, Awad further teaches the method wherein determining the occurrence of the particular value as an anomaly includes determining the particular value as an anomaly based on a score threshold and a count threshold [paragraphs 0044, 0048 and 0111-0113]; the method further comprising: dynamically adjusting the score threshold and the count threshold 
 
	As per claim 15, Awad further teaches the method wherein receiving the data traffic includes: obtaining information regarding the data traffic from a log, the log representing the plurality of events of the data traffic [paragraphs 0044, 0048 and 0111-0113]. 
 
	As per claim 16, Awad further teaches the method wherein determining the rarity score of the particular value includes determining the rarity score of the particular value when a first value of a field of the plurality of fields [paragraphs 0044, 0048 and 0111-0113]. 
 
	As per claim 17, Awad further teaches the method wherein determining the rarity score includes: determining the rarity score for a pair of fields, the pair of fields including a first field, the determining including determining the rarity score for the occurrence of the particular value of the first field when a particular value occurs in the second field [paragraphs 0044, 0048 and 0111-0113]. 
 
	As per claim 18, Awad further teaches the method further comprising: determining that an event of the plurality of events is an anomaly based on a rarity score for at least some values of fields in the event and a number of fields whose rarity scores do not satisfy a the threshold number of times for the event [paragraphs 0044, 0048 and 0111-0113].
 

 
	As per claim 20, Awad further teaches the method further comprising: determining an event of the plurality of events as an anomaly based on whether a particular field of the plurality of fields of the event is determined as anomalous [paragraphs 0044, 0048 and 0111-0113].
 
	As per claim 21, Awad further teaches the method further comprising: determining an event of the plurality of events as an anomaly based on whether a particular field of the plurality of fields of the event is determined as anomalous [paragraphs 0044, 0048 and 0111-0113]. 
 
	As per claim 22, Awad further teaches the method wherein determining the occurrence of the particular value as an anomaly includes: determining an event of the plurality of events as an anomaly based on at least one of (i) a number of fields of the event that are determined as anomalous, (ii) whether a particular field of the plurality of field is determined as 
 
	As per claim 23, Awad further teaches the method further comprising: determining an event of the plurality of events as an anomaly based on a plurality of thresholds, the thresholds being dynamically adjusted by the computer system based on a number of times the event is identified as an anomaly in a predefined period [paragraphs 0044, 0048 and 0111-0113].
 
	As per claim 24, Awad further teaches the method wherein analyzing the data traffic includes: tracking each occurrence of the particular value of the field, and storing a count of occurrences of the particular value [paragraphs 0044, 0048 and 0111-0113].
 
	As per claim 25, Awad further teaches the method wherein analyzing the data traffic includes: determining an occurrence of a pair of fields, the pair of fields including a first field and a second field, wherein the first field is the field, tracking each occurrence of the particular value for the first field when a first value occurs for the second field and storing a count of the occurrences of the particular value [paragraphs 0044, 0048 and 0111-0113]. 

	As per claim 28, Awad further teaches the medium 28, wherein determining the rarity score of the particular value comprises: determining the rarity score of the particular value based on a confidence interval for a first parameter and a second parameter, the first . 

Conclusion
 THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BEEMNET W DADA whose telephone number is (571)272-3847. The examiner can normally be reached Monday-Friday, 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

BEEMNET W. DADA
Primary Examiner
Art Unit 2435



/BEEMNET W DADA/Primary Examiner, Art Unit 2435