DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Amendment
Acknowledgement is made of Applicant’s claim amendments on 10/12/2021. The claim amendments are entered. Presently, claims 1-3, 5-12, and 14-20 remain pending. Claims 1, 10, and 13 have been amended and claims 4 and 13 are cancelled.
Response to Arguments
Applicant’s arguments with respect to claim(s) 1, 10, and 19 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having 

Claim 1, 10, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Coutinho et al. (US-20170206238-A1) in view of Zhang et al. (US-20170075978-A1), and Yajima et al. (US 20180228129 A1).
Regarding Claim 1,
Coutinho et al. (20170206238) teaches a method comprising: 
identifying, by a device, a new data source of characteristic data (para [0163] The first mobile AP 802, in addition to receiving and forwarding the data or information from other sensors and APs (e.g., sensor A 801 and second mobile AP 803) to a fixed AP such as the fixed AP 804, may also include such data from their own operation (e.g., hardware and software debug logs, traffic counters/measurements, etc.)) for a monitored network (para [0054] An additional example component (e.g., a DevCenter component) may, for example, provide network monitoring and/or management functionality); 
…initiating, by the device, a quarantine period for the characteristic data from the new data source, wherein the characteristic data from the new data source is quarantined from input to the machine learning-based analyzer during the quarantine period (para [0192] In accordance with various aspects of the present disclosure, the number of different approaches to be used in validating data integrity may be determined from, for example, the frequency or percentage of occurrence of errors that is acceptable, which may be different for each type of data. In some situations, the subset of different approaches to be used in validating data integrity may be based upon the number or percentage of errors that typically occur at a particular location or during a particular period of time And Fig. 9; step 912-916 and para [0198]. Examiner note: The claim does not define the quarantine period. Examiner interprets the quarantine period as steps 912-916 of figure 9 which defines a period for validating data received from a data source. In addition, para [0168] discloses an “end of day” data verification which specifies a timeframe for data verification, see also para [0205]);
when it is determined that the characteristic data from the new data source is reliable, configuring, by the device and after the quarantine period, the machine learning-based analyzer according to the characteristic data from the new data source by providing the characteristic data from the new data source as input to the machine learning-based analyzer (para [0215] By employing the techniques and approaches described in the present disclosure, reliable and consistent data is collected and stored, and only valid information may be selected as input for complex analytic systems that may include "Big Data" clustering and machine learning, where information reliability is crucial for the correct training of such machine learning mechanisms.).
Coutinho et al. does not explicitly disclose 
performing, by the device, a lookup in a data source characterization database for an entry matching one or more properties of the new data source, the data source characterization database storing information characterizing data provided by a plurality of data sources as input to a machine learning-based analyzer, wherein the machine learning-based analyzer includes one or more machine learning models configured to 
modeling, by the device, the characteristic data from the new data source during the quarantine period, to determine whether the characteristic data from the new data source is reliable for input to the machine learning-based analyzer based at least on the indication from the user interface as to whether the characteristic data is reliable; and 
in response to a determination that that no entry matching the one or more properties of the new data source exists in the data source characterization database, initiating, by the device, a quarantine period for the characteristic data from the new data source, wherein the characteristic data from the new data source is quarantined from input to the machine learning-based analyzer during the quarantine period
sending, by the device, the characteristic data from the new data source to a user interface; 
receiving, at the device, an indication from the user interface as to whether the characteristic data is reliable; 
Yajima teaches 
performing, by the device, a lookup in a data source characterization database for an entry matching one or more properties of the new data source (para [0294] Alternatively, if the input information includes the information about the identifier, the matching unit 113 performs matching of that identifier against the identifier included in the registration information. Specifically, the matching unit 113 determines whether or not the identifier included in the input information corresponds to or is identical to the identifier included in the registration information. If it is determined that the identifier included in the input information corresponds to or is identical to the identifier included in the registration information, the matching unit 113 performs matching between them. And para [0293].), the data source characterization database storing information characterizing data provided by a plurality of data sources as input to a machine learning-based analyzer (para [0129] The registration information storage unit 109 stores an image and ID database (DB) D1 for storing the identifier (ID) and the image data. Newly registered identifier and image data are stored in this image and ID database D1. And para [0269] Further, the registration information storage unit 109 of the server apparatus 3 stores a feature data and ID database D2. The feature data and ID database D2 is capable of storing the feature data extracted from the image data and an identifier corresponding to that image data in association with each other.), wherein the machine learning-based analyzer includes one or more machine learning models configured to perform one or more machine learning techniques for analyzing data in the monitored network (para [0427] In this case, the control unit 31 generates the feature data. At this time, supervised machine learning using a neural network may be employed.); 
in response to a determination that that no entry matching the one or more properties of the new data source exists in the data source characterization database, initiating, by the device, a quarantine period for the characteristic data from the new data source, wherein the characteristic data from the new data source is quarantined from input to the machine learning-based analyzer during the quarantine period (para [0338] On the other hand, if the user determines that the livestock animal captured in the image data of the input information is different from the livestock animal associated with the matching result, an 
 data and the actual data and is not accumulated as the teaching data. If the user rejects the match (i.e. there is no match) the data is not inputted into the machine learning algorithm. Para [0307] With the supervised machine learning, this algorithm is generated by referring to teaching data.); 
It would have been obvious to one of ordinary skill in the art before the effective filing date to combine Coutinho’s method of filtering data to build a machine learning algorithm (para [0216] In addition, a network of moving things according to the present disclosure enables the use of sophisticated statistic-related methods to filter data, a very important factor when building machine learning algorithms.) with Yajima’s method of filtering data to build a machine learning algorithm (para [0307] With the supervised machine learning, this algorithm is generated by referring to teaching data.). 
Doing so would allow for implementing supervised or unsupervised training (para [0306] The predetermined algorithm is generated by, for example, machine learning and stored in the storage unit 32 of the server apparatus 3. The machine learning may be supervised machine learning or may be unsupervised learning such as deep learning.).
	Zhang et al. (US 20170075978 A1) teaches
	sending, by the device, the characteristic data from the new data source to a user interface (para [0059] The classification system may also obtain a validated subset 316 of the second set of relevance tags 304 and provide validated subset 316 as additional training data 310 to statistical model 206. Validated subset 316 may include manual changes to the second set of relevance tags 304. For example, the classification system may display the second set of content items 308 and the second set of relevance tags 304 within a GUI to a number of domain experts and/or other users that can judge and/or verify the relevance of the second set of content items 308 to topics 300.); 
receiving, at the device, an indication from the user interface as to whether the characteristic data is reliable (para [0059] The users may use the GUI to confirm and/or change some or all of the second set of relevance tags 304, and the validated and/or changed tags may be added to validated subset 316 in training data 310.); 
modeling, by the device, the characteristic data from the new data source during the quarantine period (para [0059] The classification system may also obtain a validated subset 316 of the second set of relevance tags 304 and provide validated subset 316 as additional training data 310 to statistical model 206), to determine whether the characteristic data from the new data source is reliable for input to the machine learning-based analyzer based at least on the indication from the user interface as to whether the characteristic data is reliable (para [0059] The users may use the GUI to confirm and/or change some or all of the second set of relevance tags 304, and the validated and/or changed tags may be added to validated subset 316 in training data 310.); and 

	Doing so would allow for data to be validated by a user. Validating input data would help improve the method of Coutinho because it would increase the accuracy of the data (para [0060] Because validated subset 316 may be more accurate than the second set of relevance tags 304 and/or training data 310, additional training of statistical model 206 may increase the accuracy of statistical model 206 in classifying the relevance of additional sets of content items.).
Regarding Claim 10,
Clam 10 is the apparatus corresponding to the method of claim 1. Claim 11 is substantially similar to claim 1 and is rejected on the same grounds. 
Regarding Claim 19,
Claim 19 is computer readable medium corresponding to the method of claim 1. Claim 19 is substantially similar to claim 1 and is rejected on the same grounds.

Claims 8, 9, 17, 18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Coutinho et al. (US-20170206238-A1) in view of Zhang et al. (US-20170075978-A1), Yajima et al. (US 20180228129 A1), and Livadas et al. (“Using Machine Learning Techniques to Identify Botnet Traffic”).
Regarding Claim 8,
Coutinho et al. Zhang, and Yajima et al. teach the method as in claim 1. 

3 associating, by the device, one or more properties of the first data source with the determination that the characteristic data from the first data source is reliable (pg. 969 section 4.1; Table 1 summarizes the flow characteristics that we collected for each of the flows in the traffic traces we used in our work. These include the cumulative application payload size, the IP protocol type (TCP), the IP source and destination addresses, the source and destination ports, and TCP flags.); and  27PATENT 0141000.U CPOL 1007855-US 01 
s determining, by the device, that characteristic data for the monitored network 6 from a second data source is reliable by matching one or more properties of the second 7 data source to the one or more properties of the first data source (pg. 969 section 4.1; Table 1 summarizes the flow characteristics that we collected for each of the flows in the traffic traces we used in our work. These include the cumulative application payload size, the IP protocol type (TCP), the IP source and destination addresses, the source and destination ports, and TCP flags.).
It would have been obvious to persons’ having ordinary skill in the art before the effective filing date to combine the method of data validation period of Coutinho et al. with the data filtering period of Livadas et al.
Doing so would allow for filtering relevant data to be inputted into the machine learning model (pg. 970 section 4.2; This elimination is more significant for the nonchat subset of flows and serves to focus subsequent machine learning modeling techniques on the more important area of overlap between either IRC and non-IR, or botnet and real IRC flows.).
Regarding Claim 9,
Coutinho et al. Yajima, and Zhang et al. teach the method as in claim 1. Livadas et al. further teaches wherein the characteristic data for the monitored network 2 comprises data regarding traffic in the monitored network (pg. 969 section 3.1; We use a set of network traffic traces collected from Dartmouth's wireless campus network [3].).
It would have been obvious to persons’ having ordinary skill in the art before the effective filing date to combine the method of data validation period of Coutinho et al. with the data filtering period of Livadas et al.
Doing so would allow for filtering relevant data to be inputted into the machine learning model (pg. 970 section 4.2; This elimination is more significant for the nonchat subset of flows and serves to focus subsequent machine learning modeling techniques on the more important area of overlap between either IRC and non-IR, or botnet and real IRC flows.).
Regarding Claim 17,
Clam 17 is the apparatus corresponding to the method of claim 1. Claim 17 is substantially similar to claim 8 and is rejected on the same grounds. 
Regarding Claim 18,
Clam 18 is the apparatus corresponding to the method of claim 1. Claim 18 is substantially similar to claim 9 and is rejected on the same grounds. 
Regarding Claim 20,
Claim 20 is computer readable medium corresponding to the method of claim 1. Claim 20 is substantially similar to claim 9 and is rejected on the same grounds.

Claims 2, 5, 11, and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Coutinho et al. (US-20170206238-A1) in view of Zhang et al. (US-20170075978-A1), Yajima et al. (US 20180228129 A1), and Faigon et al. (US-20170353477-A1).
Regarding Claim 2,
Coutinho et al. Yajima, and Zhang et al. teach the method as in claim 1.
Coutinho et al. Yajima, and Zhang et al. do not explicitly disclose
wherein initiating the quarantine period for the 2 characteristic data from the new data source comprises:  
3 determining, by the device, that a model does not exist for the new data source 4 based on one or more properties of the data source.
However, Faigon et al. (US 20170353477 A1) teaches 
3 determining, by the device, that a model does not exist for the new data source 4 based on one or more properties of the data source (para [0040] OML instance 216 then uses its classifier 208 to determine whether a model exists for a given tenant and/or user associated with the received security-related events 102.).
It would have been obvious to persons’ having ordinary skill in the art before the effective filing date to combine the method of monitoring network traffic of Coutinho et al. with the method of monitoring traffic of Faigon et al.
Doing so would allow for statistical analysis of network traffic (para [0169] In yet another implementation, it can use statistical analysis that includes the calculation of statistical indicators that identify transmission types (e.g. media files, instant messages, or content transfer), including mean, median, and variation of values collected as part of the behavioral analysis.).
Regarding Claim 5, 
Coutinho et al. Yajima, and Zhang et al. teach the method as in claim 1.
	Coutinho et al. Yajima, and Zhang et al. do not explicitly disclose
Wherein the configuring of the machine learning-based analyzer comprises:  
2 configuring, by the device, the machine learning-based analyzer to weight the 3 characteristic data based on a degree of reliability associated with 4 the characteristic data.
However, Faigon et al. teaches
2 configuring, by the device, the machine learning-based analyzer to weight the 3 characteristic data based on a degree of reliability associated with 4 the characteristic data (para [0056] To distinguish between users that are seen for the first time, i.e., for whom the associated behavioral features are new and real breaches/compromises generated by events with previously unseen feature-value pairs, the technology disclosed uses a so-called standard candle feature. And para [0057] In one implementation, new or unseasoned users have lower weights and established or seasoned users have weights that are close to the target threshold (0.1 in the example shown in FIG. 3).
It would have been obvious to persons’ having ordinary skill in the art before the effective filing date to combine the method of monitoring network traffic of Livadas et al. with the method of monitoring traffic of Faigon et al.
Doing so would allow for statistical analysis of network traffic (para [0169] In yet another implementation, it can use statistical analysis that includes the calculation of statistical indicators that identify transmission types (e.g. media files, instant messages, or content transfer), including mean, median, and variation of values collected as part of the behavioral analysis.).
Regarding Claim 11,
Clam 11 is the apparatus corresponding to the method of claim 1. Claim 11 is substantially similar to claim 2 and is rejected on the same grounds. 
Regarding Claim 14,
Clam 14 is the apparatus corresponding to the method of claim 1. Claim 14 is substantially similar to claim 5 and is rejected on the same grounds. 

Claims 6 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Coutinho et al. (US-20170206238-A1) in view of Zhang et al. (US-20170075978-A1), Yajima et al. (US 20180228129 A1), and Choffnes et al. (US-20170048698-A1).
Regarding Claim 6,
Coutinho et al. Yajima, and Zhang et al. teach the method as in claim 1.
	Coutinho et al. Yajima, and Zhang et al. do not explicitly disclose
further comprising:  
2 determining whether the characteristic data from the new data source is reliable 3 for input to the machine learning-based analyzer using a range of values for the 4 characteristic data that is deemed reliable.
However, Choffnes et al. (US 20170048698 A1) teaches
determining whether the characteristic data from the new data source is reliable 3 for input to the machine learning-based analyzer using a range of values for the 4 characteristic data that is deemed reliable (para [0037] Accordingly, embodiments may employ a word frequency threshold filter to remove a feature if the frequency of the feature is below a word frequency threshold. In some embodiments, the word frequency threshold may be 1, 2, 3, 4, 5, 10, 15, 20, 50, 100, and/or any value or range between any two of these values. In some embodiments, the frequency threshold may be 20.).
It would have been obvious to persons’ having ordinary skill in the art before the effective filing date to combine the method of classifying network flows of Livadas et al. with the method of classifying network flows of Choffnes et al. 
Doing so would allow for detecting network information leaks (para [0023] In some embodiments, as described in more detail below, methods and systems may use network trace analysis, machine learning, crowdsourcing, and/or user feedback to generate models for detecting information leaks and/or to manage detected information leaks.).
Regarding Claim 15,
Clam 15 is the apparatus corresponding to the method of claim 1. Claim 15 is substantially similar to claim 6 and is rejected on the same grounds. 

Claims 7 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Coutinho et al. (US-20170206238-A1) in view of Zhang et al. (US-20170075978-A1), Averbuch et al. (US-10509695-B1), and Yajima et al. (US 20180228129 A1).
Regarding Claim 7,
Coutinho et al. Yajima, and Zhang et al. teach the method as in claim 1. 
Col. 9 lines 43-46; Methods, processes and/or operations for detecting anomalies may be implemented by an anomaly detection engine 150 comprised in anomaly detection system 100. The term "engine" as used herein may also relate to and/or include a module and/or a computerized application.).
It would have been obvious to one of ordinary skill in the art before the effective filing date to combine Countinho’s method of monitoring data from data sources (abs. Different types of data from different data sources may be monitored, and various approaches to validating such data may be employed using expected data characteristics, alternate data sources, and historical information to help maximize the likelihood that data destined for a particular destination is available when needed, and is found to be valid and reliable.) with Averbuch’s method of monitoring data (Col. 10 lines 5-9; Source data 55 and/or Audited data 57 may herein be collectively referred to as " input data" 58 which may be input to anomaly detection systems 100. In some embodiments, input data may not include audit data 57.)
Doing so would allow for identifying data abnormalities (Col. 2 lines 4-19; In this description, the terms "anomaly", "abnormality", "malfunction", "operational malfunction", "outlier", "deviation", "peculiarity" and "intrusion" may be used interchangeably. "Anomaly detection" refers to a process that identifies in a given dataset patterns that do not conform to established or expected normal behavior. The detected anomaly patterns often translate into critical and actionable information in many different application domains, such as cyber protection, operational malfunctions, performance monitoring, financial transactions, industrial data, healthcare, aviation, monitoring or process control. It is therefore clear that anomaly detection has huge practical commercial, security and safety implications, to name a few.)
Regarding Claim 16,
Clam 16 is the apparatus corresponding to the method of claim 1. Claim 16 is substantially similar to claim 7 and is rejected on the same grounds. 

Claims 3 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Coutinho et al. (US-20170206238-A1) in view of Zhang et al. (US-20170075978-A1), Yajima et al. (US 20180228129 A1), Averbuch et al. (US-10509695-B1), and Faigon et al. (US-20170353477-A1).
Regarding Claim 3,
Coutinho et al., Yajima, Zhang, and Faigon et al. teach the method as in claim 2. Averbuch et al. further teaches wherein the one or more properties of the data source 2 comprise at least one of: 
a hardware version of the data source, a software version of the 3 data source, a protocol used by the data source, a data field exported by the data source as 4 part of the characteristic data for the monitored network (Col. 5 lines 28-55).
abs. Different types of data from different data sources may be monitored, and various approaches to validating such data may be employed using expected data characteristics, alternate data sources, and historical information to help maximize the likelihood that data destined for a particular destination is available when needed, and is found to be valid and reliable.) with Averbuch’s method of monitoring data (Col. 10 lines 5-9; Source data 55 and/or Audited data 57 may herein be collectively referred to as " input data" 58 which may be input to anomaly detection systems 100. In some embodiments, input data may not include audit data 57.)
Doing so would allow for identifying data abnormalities (Col. 2 lines 4-19; In this description, the terms "anomaly", "abnormality", "malfunction", "operational malfunction", "outlier", "deviation", "peculiarity" and "intrusion" may be used interchangeably. "Anomaly detection" refers to a process that identifies in a given dataset patterns that do not conform to established or expected normal behavior. The detected anomaly patterns often translate into critical and actionable information in many different application domains, such as cyber protection, operational malfunctions, performance monitoring, financial transactions, industrial data, healthcare, aviation, monitoring or process control. It is therefore clear that anomaly detection has huge practical commercial, security and safety implications, to name a few.)
Regarding Claim 12,
. 

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Seow et al. (US 20170286863 A1) ANOMALY SCORE ADJUSTMENT ACROSS ANOMALY GENERATORS discloses a machine learning method for anomaly detection.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HENRY K NGUYEN whose telephone number is (571)272-0217. The examiner can normally be reached Mon - Fri 7:00am-4:30pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Li B Zhen can be reached on 5712723768. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/H.N./Examiner, Art Unit 2121                                                                                                                                                                                                        

/Li B. Zhen/Supervisory Patent Examiner, Art Unit 2121