DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Status of Claims
Applicant's amendment filed on 11/16/2021 has been entered. Claims 1, 5-6, 8-15, 18-20 are currently amended claims. Claims 1-20 are pending in the application. 
The objection to claims 1, 5-6, 8-15, 18-20 for informalities has been withdrawn in light of applicant's amendment to the claims; applicant's argument on this point is persuasive.
The rejection of claims 1-20 under 35 USC 101 as directed to an abstract idea without significantly more has been withdrawn in light of applicant's amendment to the independent claims; applicant's argument on this point is persuasive.
Response to Arguments
Applicant's arguments (see pages 10-13 of the Remarks filed on 11/16/2021) with respect to the rejection of the claims under 35 USC 103 over the prior art of record have been fully considered but are not persuasive, as explained below, and are further moot in view of the rejection over newly applied prior art in the current Office action.
Regarding independent claim 1, and similarly claims 8 and 15, applicant's main arguments are 1) Hagi does not explain how or whether each tensor may be defined by a respective rule, and Hagi does not teach the use of a suffix tree to create rules; and 2) Gamble does not teach the limitations "for each group of the plurality of groups, automatically creating a cluster based on common values for the fields; and marking each cluster as a possible false positive anomaly cluster". See pages 10-11 of the Remarks. Examiner respectfully disagrees.

	Regarding argument 2) above, applicant first argued that Gamble's teaching of clustering security events based on common features is "distinct from the teachings of Gamble, events within a cluster may be unrelated in the sense that they are not connected events in a chain constituting a single attack" (page 10 of the Remarks). Examiner respectfully disagrees, since the claim nowhere recites a single attack or a plurality of attacks; rather, it recites a plurality of anomaly reports. What matters is the clustering of the plurality of anomaly reports, not the clustering of a plurality of attacks. Applicant further argued that Gamble does not teach "creating a cluster based on common values for the fields". First, the claim does not define (or limit) what a field is or what the value of a field refers to. Under the broadest reasonable interpretation, the value of a field can be read as a feature associated with a security event, as taught by Gamble. Applicant further argued that Gamble also does not teach "marking each cluster as a possible false positive anomaly cluster" as required by claim 1. Examiner respectfully disagrees, since Gamble clearly suggests labeling the security events with an indication of a false positive; see para. [0064].

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 2, 8-9, 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Hagi et al (US20190149565A1, hereinafter "Hagi"), in view of Cherepanov et al (US20120209592A1, hereinafter "Cherepanov") and in further view of Gamble et al (US20190342307A1, hereinafter "Gamble").
Regarding claim 1, Hagi teaches:
A system, comprising: a hardware processor; and a non-transitory machine-readable storage medium encoded with instructions executable by the hardware processor to perform a method (Hagi, discloses anomaly detection using cognitive computing, see [Title] and [Abstract]. And [0004] Further aspects of the present disclosure are directed toward a computer system comprising a processor and a tangible, computer-readable memory for storing program instructions which, when executed by the processor, perform a method) comprising: 
receiving a plurality of anomaly reports, wherein each of the anomaly reports describes a network security anomaly (Hagi, referring to Fig. 2, Collect data. And [0048] In operation 202, the anomaly detection system collects cybersecurity data (i.e. anomaly reports).  Cybersecurity data can be collected from, for example, log files (e.g., syslogs, operating system (OS) logs, event logs, application logs, network logs, transaction logs (i.e. anomaly reports),…); 
extracting fields, and values for the fields, from each of the anomaly reports (Hagi, [0007] The method can further comprise receiving, at the feature extraction system and from the HTM network, at least one output multi-dimensional array (i.e. fields) based, at least in part, on active nodes in a respective region of the HTM network. And [0049] In operation 204, the anomaly detection system pre-processes the cybersecurity data collected in operation 202. Pre-processing the cybersecurity data can include, but is not limited to, filtering (e.g., cleansing), integrating, and/or organizing the cybersecurity data);
grouping the anomaly reports into a plurality of groups according to association rule learning, wherein each group of the plurality of groups is defined by a respective rule (Hagi, [0031] feature extraction system 126 executes any number of machine learning algorithms such as, but not limited to, decision tree learning, association rule learning, … And [0050] In operation 206, the anomaly detection system generates one or more tensors by encoding the pre-processed data into respective tensors (i.e. plurality of groups)... respective tensors can comprise clustered log features (expressed as VSM matrices) (i.e. tensor defined by vector space models, i.e. rules) that have been categorized and processed into numerical values. Thus, the tensors can numerically represent the attributes of event data across multiple spatial bases and temporal bases. Also see Fig. 5 step 512 and [0079] machine learning can include, but is not limited to, decision tree learning, association rule learning…) [and each respective rule is created using a suffix tree] (see Cherepanov below for limitation in bracket); 
Hagi teaches the main concept of the invention, using a rule-based machine learning algorithm for anomaly detection; however, Hagi does not expressly teach that each respective rule is created using a suffix tree. In a similar field of endeavor, Cherepanov teaches:
each respective rule is created using a suffix tree (Cherepanov, discloses methods, systems, and apparatus, … for generating suffix rewriting rules, see [Abstract]. And [0011] Generating a suffix-rewriting rule for a node in the minimum colored subset with a valid status can include determining a confidence measure for the rule, wherein the confidence measure is derived from confidence measures of valid leaves below the node in the suffix tree);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Cherepanov in the anomaly detection of Hagi by generating final suffix-rewriting rules based on canonical suffix-rewriting rules associated with words where minimum colored subset of nodes and leaves in suffix tree can be selected. This would have been obvious because the person having ordinary skill in the art would have been motivated to define rules for the purpose of grouping anomaly reports as associating words using suffix tree as applied in search queries (Cherepanov, [Abstract])
The combination of Hagi-Cherepanov teaches the main concept of the invention, using a rule-based machine learning algorithm for anomaly detection with fewer false positives (see Hagi, [0021]); however, it does not expressly teach the following limitations. In the same field of endeavor, Gamble teaches:
for each group, of the plurality of groups, automatically creating a cluster based on common values for the fields (Gamble, [0010] The security events/alerts data and the related event data are combined into a multiple graph form that represents the links between events. For example, a security event between two machines would have two nodes (each machine), connected by a link that is the event (e.g. a suspicious use login). And [0041] The platform processes the graph data structures by combining similar nodes or grouping security events with common features (i.e. common values) to behaviour indicative of a single or multiple security events. Examiner notes that "automatically" is interpreted to mean that the creating is performed by a system, such as the platform of Gamble (Fig. 1), rather than by a human operator);
marking each cluster as a possible false positive anomaly cluster (Gamble, [0010] The security events are associated with labels having stored data values indicative of details describing the events, such as a risk rating, weighting or probability indicating how likely it is to be a false positive, and [0064] The security events are labeled (i.e. marking) with appropriate details describing the events, such as a risk rating, weighting or probability indicating how likely it is to be a false positive…).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Gamble in the anomaly detection of Hagi-Cherepanov by combining similar nodes or grouping security events with common features when monitoring a security attack chain for anomaly detection. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify unique groupings of events in graph form to provide a more accurate intrusion detection mechanism (Gamble, [Abstract], and [0010-0012]).

Regarding claim 8, Hagi-Cherepanov-Gamble combination teaches:
A non-transitory machine-readable storage medium encoded with instructions executable by a hardware processor of a computing component, the machine-readable storage medium comprising instructions to cause the hardware processor to perform a method (Hagi, [0005] Further aspects of the present disclosure are directed toward a computer program product comprising a computer readable storage medium having program instructions executable by a processor to cause the processor to perform a method) comprising: method steps substantially similar to the method steps performed by the system of claim 1; claim 8 is therefore rejected with the same rationale set forth in the rejection of claim 1 above.

Regarding claim 15, Hagi-Cherepanov-Gamble combination teaches:
A method comprising: method steps substantially similar to the method steps performed by the system of claim 1; claim 15 is therefore rejected with the same rationale set forth in the rejection of claim 1 above.

Regarding claim 2, similarly claim 9, claim 16, Hagi-Cherepanov-Gamble combination further teaches:
The system of claim 1, the non-transitory machine-readable storage medium of claim 8, the method of claim 15, wherein grouping the anomaly reports into a plurality of groups according to association rule learning comprises: applying a frequent pattern growth algorithm to the anomaly reports (Hagi, [0032] feature extraction system 126 can be configured to perform machine learning using one or more of the following example techniques: … apriori algorithms (i.e. frequent pattern growth algorithm),…).  

Claims 3, 10, 17 are rejected under 35 U.S.C. 103 as being unpatentable over Hagi-Cherepanov-Gamble combination, in further view of Limonad et al (US20170193078A1, hereinafter, “Limonad”).
Regarding claim 3, similarly claim 10, claim 17, Hagi-Cherepanov-Gamble combination teaches:
The system of claim 1, the non-transitory machine-readable storage medium of claim 8, the method of claim 15,
The combination of Hagi-Cherepanov-Gamble does not explicitly teach the following limitation; however, in the same field of endeavor, Limonad teaches:
the method further comprising: filtering the groups according to confidence values respectively associated with the groups after grouping the anomaly reports and before creating the clusters (Limonad, discloses method for anomaly classification and detection, see [Abstract] and [0001]. And referring to Fig. 2, steps 240-260, filtering the data set to perform anomaly classification based on relative density criterion (i.e. confidence values)).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Limonad in the anomaly detection of Hagi-Cherepanov-Gamble by filtering the anomaly data based on relative density for anomaly classification. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter the anomaly data set and perform anomaly classification based on relative density criterion (Limonad, [Abstract]).

Claims 4, 11, 18 are rejected under 35 U.S.C. 103 as being unpatentable over Hagi-Cherepanov-Gamble-Limonad combination, in further view of Jain et al (US20170250954A1, hereinafter, “Jain”).
Regarding claim 4, similarly claim 11, claim 18, Hagi-Cherepanov-Gamble-Limonad combination teaches:
The system of claim 3, the non-transitory machine-readable storage medium of claim 10, the method of claim 17,
The combination of Hagi-Cherepanov-Gamble-Limonad does not explicitly teach the following limitation; however, in the same field of endeavor, Jain teaches:
wherein filtering the groups according to the confidence values comprises: discarding groups having confidence values below a determined confidence threshold (Jain, discloses method for detection of anomalies or intrusions [Abstract]. And [0040] Returning to FIG. 4, the contents of the buffers are passed to counting modules 192, 194… rows with the lowest statistics are removed (i.e. discarding) from the tables periodically or as they go below a threshold rank, count, age since last update, etc.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Jain in the anomaly detection of Hagi-Cherepanov-Gamble-Limonad by removing rows of data with lowest statistics. This would have been obvious because the person having ordinary skill in the art would have been motivated to provide statistically significant data for data inspection to detect anomalies (Jain, [Abstract], [0040]).

Claims 5, 12, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Hagi-Cherepanov-Gamble-Limonad combination, in further view of Puri et al (US20160371489A1, hereinafter, “Puri”).
Regarding claim 5, similarly claim 12, claim 19, Hagi-Cherepanov-Gamble-Limonad combination teaches:
The system of claim 3, the non-transitory machine-readable storage medium of claim 10, the method of claim 17,
The combination of Hagi-Cherepanov-Gamble-Limonad does not explicitly teach the following limitation; however, in the same field of endeavor, Puri teaches:
the method further comprising: selecting a portion of the groups according to the respective rules after grouping the anomaly reports and before filtering the groups (Puri, discloses event anomaly analysis and prediction, see [Abstract]. In particular referring to Fig. 10, and [0138] At block 1012, the method 1000 may include identifying (e.g., by the data anomaly analyzer 116), based on an application of the plurality of rules 114 to the data 118, selected ones of the anomalies in the data 118 (i.e. a portion of the groups)).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Puri in the anomaly detection of Hagi-Cherepanov-Gamble-Limonad by selecting anomaly data from data source based on rules. This would have been obvious because the person having ordinary skill in the art would have been motivated to determine anomaly from data source based on application of rules for anomaly analysis and prediction (Puri, [Abstract]).

Claims 6, 13, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Hagi-Cherepanov-Gamble combination, in further view of Xiong et al (US20160127319A1, hereinafter, “Xiong”).
Regarding claim 6, similarly claim 13, claim 20, Hagi-Cherepanov-Gamble combination teaches:
The system of claim 1, the non-transitory machine-readable storage medium of claim 8, the method of claim 15, 
The combination of Hagi-Cherepanov-Gamble does not explicitly teach the following limitation; however, in the same field of endeavor, Xiong teaches:
wherein creating the cluster for each group comprises: selecting the respective rule in the group with the highest number of the fields (Xiong, discloses method of evaluating transactions by automatically generated rules, see [Abstract]. And [0016] The system automatically determines the number of the rules that is optimal to solve the problem that is presented.  In some embodiments, users have options to set the maximum number of rules generated).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Xiong in the anomaly detection of Hagi-Cherepanov-Gamble by allowing users to set the maximum number of rules used for screening internet transactions. This would have been obvious because the person having ordinary skill in the art would have been motivated to use rules configured to model data patterns in different parts of the input space and combine them to provide a powerful and interpretable final model that meets various predictive modeling needs (Xiong, [Abstract], [0016]).
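For illustration of the claimed sequence as a whole (extracting fields from anomaly reports, grouping by association rule learning using a frequent pattern growth algorithm, filtering groups by a confidence threshold, selecting the rule with the highest number of fields for a group, creating a cluster on common values for those fields, and marking each cluster as a possible false positive anomaly cluster), the following Python is an added example. It is not code from the application, from this Office action, or from any cited reference. It assumes one reading of the claim language: the mined items are field names, a group is the set of reports containing every field of a rule, and a cluster is the subset of a group whose members share identical values for those fields. The report contents, field names, thresholds, and the minimum cluster size are hypothetical.

```python
"""Added illustration of the claimed pipeline over constructed anomaly reports.
Field names, values and thresholds are hypothetical; treating field names as
the mined items is one reading of the claim, not the application's own method."""
from collections import Counter, defaultdict
from itertools import combinations

# Constructed reports from three hypothetical detectors (not from any reference).
REPORTS = [
    {"src": "10.0.0.5", "dst_port": "443", "proto": "tcp", "detector": "beacon"},
    {"src": "10.0.0.5", "dst_port": "443", "proto": "tcp", "detector": "beacon"},
    {"src": "10.0.0.5", "dst_port": "443", "proto": "tcp", "detector": "beacon"},
    {"src": "10.0.0.7", "dst_port": "8443", "proto": "tcp", "detector": "beacon"},
    {"user": "svc-backup", "host": "db01", "detector": "odd_hour_login"},
    {"user": "svc-backup", "host": "db01", "detector": "odd_hour_login"},
    {"user": "alice", "host": "wks17", "detector": "odd_hour_login"},
    {"src": "10.0.0.9", "dst_port": "53", "proto": "udp"},
]


class _Node:
    __slots__ = ("item", "count", "parent", "children")

    def __init__(self, item, parent):
        self.item, self.count, self.parent, self.children = item, 0, parent, {}


def _build_tree(transactions, min_count):
    """Build an FP-tree; returns (header links per item, item -> support)."""
    support = Counter()
    for items, weight in transactions:
        for item in items:
            support[item] += weight
    freq = {i: c for i, c in support.items() if c >= min_count}
    root, links = _Node(None, None), defaultdict(list)
    for items, weight in transactions:
        node = root
        # insert frequent items in descending support order so paths share prefixes
        for item in sorted((i for i in items if i in freq), key=lambda i: (-freq[i], i)):
            child = node.children.get(item)
            if child is None:
                child = node.children[item] = _Node(item, node)
                links[item].append(child)
            child.count += weight
            node = child
    return links, freq


def fp_growth(transactions, min_count, suffix=frozenset()):
    """Frequent pattern growth: {itemset: support} for every itemset whose
    support is >= min_count.  transactions is a list of (items, weight)."""
    links, freq = _build_tree(transactions, min_count)
    found = {}
    for item in sorted(freq, key=lambda i: (freq[i], i)):
        pattern = suffix | {item}
        found[pattern] = freq[item]
        base = []  # conditional pattern base: prefix paths above each node of item
        for node in links[item]:
            path, parent = [], node.parent
            while parent.item is not None:
                path.append(parent.item)
                parent = parent.parent
            if path:
                base.append((path, node.count))
        found.update(fp_growth(base, min_count, pattern))
    return found


def association_rules(reports, min_count):
    """Mine rules antecedent -> consequent over field names, with confidence."""
    supports = fp_growth([(list(r.keys()), 1) for r in reports], min_count)
    rules = []
    for itemset, sup in supports.items():
        for k in range(1, len(itemset)):
            for ante in combinations(sorted(itemset), k):
                ante = frozenset(ante)
                rules.append((ante, itemset - ante, sup / supports[ante]))
    return rules


def possible_false_positive_clusters(reports, min_count=3, min_confidence=0.75,
                                     min_cluster_size=2):
    """Group by rule, drop groups below the confidence threshold, keep the rule
    with the most fields per group, then cluster on common values of those fields."""
    groups = {}  # frozenset(report indices) -> fields of the widest rule defining it
    for ante, cons, conf in association_rules(reports, min_count):
        if conf < min_confidence:  # discard groups below the confidence threshold
            continue
        fields = tuple(sorted(ante | cons))
        members = frozenset(i for i, r in enumerate(reports) if set(fields) <= set(r))
        if len(fields) > len(groups.get(members, ())):  # rule with the most fields
            groups[members] = fields
    clusters = {}
    for members, fields in groups.items():
        by_values = defaultdict(set)
        for i in members:  # common values for the rule's fields define a cluster
            by_values[tuple(reports[i][f] for f in fields)].add(i)
        for values, idx in by_values.items():
            idx = frozenset(idx)
            # min_cluster_size is a practical choice of this example, not part of the claim
            widest = len(clusters.get(idx, {}).get("fields", ()))
            if len(idx) >= min_cluster_size and len(fields) > widest:
                clusters[idx] = {"members": idx, "fields": fields, "values": values,
                                 "possible_false_positive": True}
    return list(clusters.values())


if __name__ == "__main__":
    for cluster in possible_false_positive_clusters(REPORTS):
        print(sorted(cluster["members"]), dict(zip(cluster["fields"], cluster["values"])))
```

On the constructed reports, the three identical beacon reports from 10.0.0.5 and the two identical odd-hour logins of svc-backup on db01 each become a possible false positive cluster, while the single reports (10.0.0.7, alice, the UDP report) are left unclustered; the analyst still decides whether a cluster is benign noise or a repeated real event.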

Claims 7, 14 are rejected under 35 U.S.C. 103 as being unpatentable over Hagi-Cherepanov-Gamble combination, in further view of Aghdaie et al (US10459827B1, hereinafter, “Aghdaie”).
Regarding claim 7, similarly claim 14, Hagi-Cherepanov-Gamble combination teaches:
The system of claim 1, the non-transitory machine-readable storage medium of claim 8, 
The combination of Hagi-Cherepanov-Gamble does not explicitly teach the following limitation; however, in the same field of endeavor, Aghdaie teaches:
the method further comprising: displaying a view of one of the possible false positive anomaly clusters (Aghdaie, discloses method of automated anomaly detection based on heterogeneous data sources, see [Abstract]. In particular, referring to Fig. 4A-C showing user interface 400 for the anomaly detection system 130, and [Col. 18 lines 59-63] The interface can include an interface control 410 that allows for a user to input feedback associated with the anomaly event.  As indicated, a user can identify whether the anomaly is a true positive ("Issue") or a false positive ("Acceptable")).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Aghdaie in the anomaly detection of Hagi-Cherepanov-Gamble by displaying a table of results of an anomaly detection analysis in a user interface. This would have been obvious because the person having ordinary skill in the art would have been motivated to automatically identify an anomalous data set and display the anomaly detection result to the user, allowing the user to feed the information back to the model generation system to update the anomaly detection model (Aghdaie, [Abstract]).
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not relied upon in this Office action:
Kirti et al (US20180375886A1). Discloses a method for monitoring and managing security for cloud services using automated techniques, with activity logs used by a behavioral analysis engine to identify privileged users.
Kursun (US20200167785A1). Discloses analyzing anomaly data using a dynamic graph network flow based on association rule learning.
Muddu et al (US20170063887A1). Discloses a method to detect security-related anomalies and threats in a computer network environment using probabilistic suffix trees.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436                                                                                                                                                                                                        


/MICHAEL M LEE/Examiner, Art Unit 2436