DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Objections
Claim 3 is objected to because of the following informalities: Claim 3 mentions the anomaly selection node. There is no previous mention of an anomaly selection node. Appropriate correction is required.

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 9, 10 and 12 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

With regards to claim 9, the formula describes gamma (s)_f, gamma, #s. It is not clear what these symbols represent.

With regards to claim 10, the claim describes n and beta. It is not clear what these symbols represent.

With regards to claim 12, the claim describes c(n) and h_t(x). It is not clear what these symbols represent.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4-8, 17-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Bisht, patent number: US 11 057 409 in view of Nori, publication number: US 2018/0260719.

As per claims 1, 17, 18 and 20, Bisht teaches a method for creating a model for detecting anomalies in network data traffic between devices in a first part of a network and devices in a second part of the network, the method comprising:

training the model for detecting anomalies on the collected feature samples using a plurality of anomaly detection, AD, trees (training models, col. 2, lines 36-47); 
wherein training comprises creating the plurality of AD trees using respective subsets of the collected feature samples, at least some of the AD trees comprising subspace selection nodes and anomaly-catching nodes, and wherein each subspace selection node is arranged to bisect a set of feature samples reaching the subspace selection node to at least one anomaly-catching node when a number of feature samples leaving the subspace selection node for the at least one anomaly-catching node is below a predetermined threshold (trees having internal and terminating nodes, training a decision model by splitting attributes until a criterion is met, col. 18, line 58 to col. 19, line 13).

Bisht does not teach the training process having trees with predetermined depth limit D.
In an analogous art, Nori teaches a training process having trees with predetermined depth limit D (learning process with predetermined tree depth, [0054][0056]).



As per claim 2, the combination teaches wherein each anomaly-catching node is arranged to be immediately followed by a terminating node (Nori: 332, [0042]). 

As per claim 3, the combination teaches wherein each anomaly-catching node is arranged to bisect the set of samples reaching the anomaly selection node to the terminating node and to a subspace selection node or to an anomaly-catching node, and wherein the set of feature samples reaching the anomaly selection node are passed to the subspace selection node or the anomaly selection node (Nori: splitting, [0056]).

As per claim 4, the combination teaches wherein each anomaly-catching node is followed by one or more further anomaly-catching nodes until reaching the AD tree depth limit D (Nori: splitting, [0056]).



As per claim 6, the combination teaches wherein the predetermined threshold represents a fraction determined from the number of feature samples leaving the subspace selection node for the at least one anomaly-catching node and the respective subset of collected feature samples (Nori: threshold, [0056]). 

As per claim 7, the combination teaches wherein each subspace selection node is arranged to bisect the set of feature samples reaching the subspace selection node into two immediately following subspace selection nodes, when the size of the set of feature samples reaching the subspace selection node is on or above the predetermined threshold (Splitting, Nori: [0056], Bisht: col. 18, line 58 to col. 19, line 13).

As per claim 8, the combination teaches wherein the set of feature samples reaching the subspace selection node is bisected to two immediately following subspace selection nodes under a size constraint e (Nori: threshold, [0056]).


Claims 11, 13-16 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Bisht, patent number: US 11 057 409 in view of Nori, publication number: US 2018/0260719 in further view of Bernstein, publication number: US 2015/0304349.

As per claims 11 and 19, the combination of Bisht and Nori teaches retrieving network data samples. 
The combination does not teach determining an anomaly score using an Anomaly Detection Forest, ADF, by determining an expected path length in the ADF of the network traffic; and detecting anomalies in the network data traffic sample based on the determined anomaly score. 
In an analogous art, Bernstein teaches determining an anomaly score using an Anomaly Detection Forest, ADF, by determining an expected path length in the ADF of the network traffic; and detecting anomalies in the network data traffic sample based on the determined anomaly score (calculating anomaly scores based on values assigned to paths in a tree, [0003][0010], determining anomalies based on score deviation, [0015]).

Therefore, it would have been obvious to one of ordinary skill in the art to modify the combination of Bisht and Nori to include the step of comparing scores to an abnormality score as described in Bernstein’s anomaly detection system for the advantage of reducing false positives/negatives. 



As per claim 14, the combination teaches further comprising selecting at least one threshold value for detecting anomalies according to one or more previously observed limits for abnormality (Bernstein: abnormality score, [0015][0033]). 

As per claim 15, the combination teaches further comprising activating an alarm based on a comparison between the determined anomaly score and a predetermined threshold (Bernstein: alert, [0068]). 

As per claim 16, the combination teaches further comprising providing the alarm to a network function configured to control anomaly event handling in the network flow from one or more network devices in an external network to one or more network devices in an internal network (Bernstein: alert, [0068]). 


Conclusion





Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLUGBENGA O IDOWU whose telephone number is (571)270-1450. The examiner can normally be reached Monday-Friday 8am - 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim, can be reached on 5712723804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.