Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Information Disclosure Statement
The information disclosure statement (IDS) was submitted on [ 9/16/2021.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Specification
The disclosure is objected to because of the following informalities:
In paragraph [022], line 6, “independent” should be read as “independently”
In paragraph [034], line 5, “microphone being” should be read as “microphone is being”
In paragraph [040], line 1, “such as for cache” should be read as “such as cache”
In paragraph [044], line 6, “map 216 turn” should be read as “map 216 turns”
In paragraph [046], line 2, “data analyzer 102” should be read as “the data analyzer 102”
In paragraph [057], line 2, “processor 410 direct” should be read as “processor 410 directs”
In paragraph [066], line 1, “example a threat” should be read as “example of a threat”
In paragraph [079], line 9, “or change” should be read as “or changing”
In paragraph [093], line 3, “data has” should be read as “data have”
In paragraph [108], line 3, “data analyzer 820” should be read as “the data analyzer 820” 
In paragraph [111], line 10, “may be on” should be read as “may be in” 
In paragraph [115], line 6, “data analyzer” should be read as “a data analyzer” 
In paragraph [135], line 9, “subconfigurations” should be read as “sub configurations”
Appropriate correction is required.

Claim Rejections - 35 USC § 103
Claim(s) (1-3, 7, 8, 10-13, 15, 16, 18, and 19) is/are rejected under 35 U.S.C. 103 as being anticipated by SCHAT et al. (US-20190377868-A1, SCHAT referred to as " SCHAT”) and in view of HERSHEY et al. (US-5414833-A, HERSHEY referred to as " HERSHEY”).

Regarding claim 1, SCHAT teaches, Analytics processing circuitry, (SCHAT, par. [0037]) “FIG. 1 illustrates an apparatus 107 for intrusion detection”) comprising:
a data scavenger comprising selection circuitry, wherein the data scavenger collects data from at least one element of interest of a plurality of elements of interest of an integrated circuit (IC), (SCHAT, par. [0041]) “integrated circuit 101-4 may supervise the data traffic on the wired communications bus 105 and report a suspected attack”) wherein the at least one element of interest is selected according to a configuration signal to the selection circuitry; (SCHAT, (par. [0041]) “the wired communications bus 105 and report a suspected attack.”) ; and
a data analyzer coupled to receive the data from the data scavenger, (SCHAT, par. (SCHAT, (par. [0041]) “integrated circuit 101-4 may supervise the data traffic on the wired communications bus 105 and report a suspected attack. The supervision or “watchdog” functionality of integrated circuit 101-4 can be a main or additional functionality of integrated circuit 101-4. In some example embodiments, the first integrated circuit (e.g., integrated circuit 101-6 in the above illustration) and the second integrated circuit (e.g., integrated circuit 101-4 in the above illustration) respectively correspond to two separate chipsets, each being connected to the wired communications bus 105 and each configured and arranged to operate independent of the other of the separate chipset.”) wherein the data analyzer identifies patterns in the data from the data scavenger [over a time frame or for a snapshot of time based on a predefined metric], (SCHAT, (par. [0043]) “integrated circuit 101-4 (or 103, as the case may be) can be configured and arranged to identify scan patterns which are untypical for a standard scan test, but typical for attempts to get illegitimate access to the ICs 101 and obtain protected information. As such, integrated circuit 101-4 may supervise the data stream over the wired communications bus 105, and check the scan packets sent. Data that contains scan test patterns corresponding with known attack modes are identified and flagged.” (par. [0040])  “integrated circuit 101-6 may perform a legitimate scan test, e.g. during start-up, before power down or in intervals”) wherein the data analyzer receives updates to the predefined metric. (SCHAT, (par. [0049]) ”If a pattern or data access is detected by the integrated circuit, the method continues to step 312 with checking (via the particular integrated circuit) the legitimacy of the detected pattern or access. For instance, at 314, the method includes comparing (via the particular integrated circuit) the detected pattern to a list of accepted and/or not-accepted data patterns”, (par. [0053]) “At 318, the method can optionally include updating lists of data patterns or accesses.”).
SCHAT as disclosed above teaches a test scan during start up before power down, however SCHAT does not clearly teach a time frame or for a snapshot of time based on a predefined metric in association with identifying patterns.
HERSHEY teaches the data analyzer identifies patterns in the data from the data scavenger over a time frame or for a snapshot of time based on a predefined metric (HERSHEY ([col 21, line 57]) “active monitor 100 of FIG. 4 is configured as an intrusion detector and responder 300 is designed to produce and transmit a security alert message whenever the number of detected pattern alarms of a particular type in a given interval of time”).

SCHAT and HERSHEY are analogous art because they are from the same field of endeavor in security and user validation. Before the effective filing date of the invention, it would have been obvious to a person of ordinary skill in the art, having the teaching of SCHAT and HERSHEY where he or her citing the structure of  an Analytics processing circuitry which contains a data scavenger that collect a data from different elements, selecting the element of interest according to a configuration signal to the selection circuitry also it contain a data analyzer to receive the data from the data scavenger to analyze it based on patterns, however, SCHAT failed to explain explicitly identifies patterns in the data over a predetermined time frame, generates and sends security alert messages whenever the number of detected pattern alarms is of a particular type at a particular time interval of HERSHEY. The suggestion and/or motivation to select the element of interest and collect the data and detect the patterns over a time frame based on a predefined metric to identify malicious activities and enhance security.


Referring to claim 2, the combination of (SCHAT-HERSHEY) suggest all the limitations and motivation of claim 1, as discussed above. 
However, SCHAT teaches, the analytics processing circuitry of claim 1, wherein the at least one element of interest comprises a counter or a sensor on the IC. (SCHAT, (par. [0049) “the method includes comparing (via the particular integrated circuit) the detected pattern to a list of accepted and/or not-accepted data patterns.”)


However, SCHAT teaches, the analytics processing circuitry of claim 1, wherein the at least one element of interest comprises a source outside the IC, wherein the source outside the IC is a second IC. (SCHAT, (par. [0041]) “The supervision or “watchdog” functionality of integrated circuit 101-4 can be a main or additional functionality of integrated circuit 101-4. In some example embodiments, the first integrated circuit (e.g., integrated circuit 101-6 in the above illustration) and the second integrated circuit (e.g., integrated circuit 101-4 in the above illustration) respectively correspond to two separate chipsets, each being connected to the wired communications bus 105 and each configured and arranged to operate independent of the other of the separate chipset.”) 

Referring to claim 7, the combination of (SCHAT-HERSHEY) suggest all the limitations and motivation of claim 1, as discussed above. 
However, SCHAT teaches, the analytics processing circuitry of claim 1, wherein the predefined metric comprises core metrics, structural metrics, a probability-based metrics, time-/frequency-based metrics, unstructured/irregular metrics, or a combination thereof. (SCHAT, (par. [0053]) “At 318, the method can optionally include updating lists of data patterns or accesses. For instance the plurality of integrated circuits can be configured and arranged to operate in a controlled circuit-modification mode. In such circuit-modification mode, the particular integrated circuit or another of the plurality of integrated circuits can be configured and arranged to self-learn the certain data patterns by modifying the certain data patterns in response to user-provided instructions indicating acceptance or compliance. As such, the method may optionally include, at 320, user interface input indicating acceptance of compliance by a user, as may be the case when a new system component is inserted and the system needs to learn that this is an accepted addition to the network.”)

Referring to claim 8, the combination of (SCHAT-HERSHEY) suggest all the limitations and motivation of claim 1, as discussed above. 
However, SCHAT teaches, the analytics processing circuitry of claim 1, wherein the data analyzer receives the updates to the predefined metric from a moderator. (SCHAT, (par. [0049]) “If a pattern or data access is detected by the integrated circuit, the method continues to step 312 with checking (via the particular integrated circuit) the legitimacy of the detected pattern or access. For instance, at 314, the method includes comparing (via the particular integrated circuit) the detected pattern to a list of accepted and/or not-accepted data patterns. For instance, integrated circuit 202-3 illustrated in FIG. 2 can detect a legitimate access mode for testing the ADC that includes transferring the ADC's response into scan flip-flops and shifting out their contents.”, (par. [0050]) ” Additionally and/or alternatively, at 316, the method includes comparing (via the particular integrated circuit) the detected data access to a list of accepted or not-accepted data accesses. For instance, the particular integrated circuit (e.g., 101-4 illustrated in FIGS. 1 and 202-3 illustrated in FIG. 2) can be configured and arranged to identify patterns of scan read/write access which are untypical for a standard scan test, but typical for attempts to get illegitimate access to the ICs and obtain protected information.”)

Referring to claim 10, the combination of (SCHAT-HERSHEY) suggest all the limitations and motivation of claim 1, as discussed above. 
However, SCHAT teaches, the analytics processing circuitry of claim 1, wherein the data analyzer provides the configuration signal to the selection circuitry.  (SCHAT, (par. [0023]) “The apparatus includes a wired communications bus configured and arranged to carry data, and a plurality of integrated circuits, each configured and arranged to interface with the wired communications bus”)

Referring to claim 11, SCHAT-HERSHEY suggest all the limitations and motivation of claim 1, as discussed above. 
However, SCHAT teaches, the analytics processing circuitry of claim 1, further comprising a risk predictor coupled to receive an output of the data analyzer, wherein the risk predictor generates a probabilistic report of risky behavior synthesized based on the output of the data analyzer and a behavioral model for the IC.  (SCHAT, (par. [0050]) “Additionally and/or alternatively, at 316, the method includes comparing (via the particular integrated circuit) the detected data access to a list of accepted or not-accepted data accesses. For instance, the particular integrated circuit (e.g., 101-4 illustrated in FIGS. 1 and 202-3 illustrated in FIG. 2) can be configured and arranged to identify patterns of scan read/write access which are untypical for a standard scan test, but typical for attempts to get illegitimate access to the ICs and obtain protected information”, (par. [0051]) “At 322, the method includes performing security actions. For instance, an action-responsive circuit (such as 101-5 illustrated in FIGS. 1 and 202-4 illustrated in FIG. 2) can be configured and arranged to respond to a communication from a supervisory circuit (such as 101-4 illustrated in FIGS. 1 and 202-3 illustrated in FIG. 2) by performing a security action to mitigate the suspect illegitimate action and therein lessen risk ensuing from a malicious access.”)

Referring to claim 12, the combination of (SCHAT-HERSHEY) suggest all the limitations and motivation of claim 1 and claim 11, as discussed above. 
However, SCHAT teaches, the analytics processing circuitry of claim 11, wherein the behavioral model for the IC comprises use-case-specific information based on a hardware configuration of the IC and a device application of the IC. (SCHAT, (par. [0030]) “the second integrated circuit may be configured and arranged to identify patterns of scan read/write access which are untypical for a standard scan test, but typical for attempts to get illegitimate access to the ICs and obtain protected information. As an illustration, the second integrated circuit can be configured and arranged to operate in the mission mode by detecting an illegitimately access to the plurality of integrated circuits by multiple write-type accesses to a common location of circuitry of the same data pattern followed by a read-type access. Multiple write access of the same pattern to the same location followed by read access is typical for an attack to check if any obfuscating behavior of the scan mechanism is present”) 

Referring to claim 13, the combination of (SCHAT-HERSHEY) suggest all the limitations and motivation of claim 1, as discussed above. 
However, SCHAT teaches, the analytics processing circuitry of claim 1, wherein the data analyzer is coupled to receive signals from an operating system. (SCHAT, (par. [0041]) “integrated circuit 101-4 may supervise the data traffic on the wired communications bus 105 and report a suspected attack. The supervision or “watchdog” functionality of integrated circuit 101-4 can be a main or additional functionality of integrated circuit 101-4. In some example embodiments, the first integrated circuit (e.g., integrated circuit 101-6 in the above illustration) and the second integrated circuit (e.g., integrated circuit 101-4 in the above illustration) respectively correspond to two separate chipsets, each being connected to the wired communications bus 105 and each configured and arranged to operate independent of the other of the separate chipset.”)

Regarding claim 15, SCHAT teaches, A method for mitigating attacks against computing systems, (SCHAT, (par. [0047]) “FIG. 3 illustrates a method for intrusion detection among a plurality of integrated circuits in accordance with the present disclosure”) comprising: 
collecting operational data from at least one element of interest of a plurality of elements of interest of an integrated circuit (IC); (SCHAT, (par. [0053]) “At 318, the method can optionally include updating lists of data patterns or accesses. For instance the plurality of integrated circuits can be configured and arranged to operate in a controlled circuit-modification mode. In such circuit-modification mode, the particular integrated circuit or another of the plurality of integrated circuits can be configured and arranged to self-learn the certain data patterns by modifying the certain data patterns in response to user-provided instructions indicating acceptance or compliance”)
identifying patterns in the operational data over [a time frame or for a snapshot of time based on a predefined metric]; (SCHAT, (par. [0043]) “integrated circuit 101-4 (or 103, as the case may be) can be configured and arranged to identify scan patterns which are untypical for a standard scan test, but typical for attempts to get illegitimate access to the ICs 101 and obtain protected information. As such, integrated circuit 101-4 may supervise the data stream over the wired communications bus 105, and check the scan packets sent. Data that contains scan test patterns corresponding with known attack modes are identified and flagged.”, (par. [0040])  “integrated circuit 101-6 may perform a legitimate scan test, e.g. during start-up, before power down or in intervals”)
generating a risk assessment regarding whether the operational data is indicative of normal behavior or abnormal behavior based on the identified patterns in the operational data and a behavioral model for the IC (par. [0050]) “at 316, the method includes comparing (via the particular integrated circuit) the detected data access to a list of accepted or not-accepted data accesses”; and
performing a threat response based on the risk assessment. (par. [0051]) “At 322, the method includes performing security actions. For instance, an action-responsive circuit (such as 101-5 illustrated in FIGS. 1 and 202-4 illustrated in FIG. 2) can be configured and arranged to respond to a communication from a supervisory circuit (such as 101-4 illustrated in FIGS. 1 and 202-3 illustrated in FIG. 2) by performing a security action to mitigate the suspect illegitimate action and therein lessen risk ensuing from a malicious access”).
SCHAT as disclosed above teaches test scan during start up before power down, however SCHAT does not clearly teach [a time frame or for a snapshot of time based on a predefined metric].

HERSHEY teaches a time frame or for a snapshot of time based on a predefined metric (HERSHEY ([col 21, line 57]) “active monitor 100 of FIG. 4 is configured as an intrusion detector and responder 300 is designed to produce and transmit a security alert message whenever the number of detected pattern alarms of a particular type in a given interval of time”).
[HERSHEY teaches clearly the time period or time intervals. HERSHEY invention monitors and responds to a detected security event in a data communications network by generating and forwarding a security alert message of detecting patterns in a predetermined time frame].

SCHAT and HERSHEY are analogous art because they are from the same field of endeavor in security and user validation. Before the effective filing date of the invention, it would have been obvious to a person of ordinary skill in the art, having the teaching of SCHAT and HERSHEY where he or her citing the method of mitigation attack after collecting the data from different elements, selecting the element of interest of an integrated circuit (IC), then generating risk assessment whether Indicates normal or abnormal behavior based on operational data and patterns identified in the IC behavior model of SCHAT, however, SCHAT failed to explain explicitly identifies patterns in the data over a predetermined time frame, generates and sends security alert messages whenever the number of detected pattern alarms is of a particular type at a particular time interval of HERSHEY. The suggestion and/or motivation to select the analyze the data and detect any suspicious abnormal behavior the mitigate the attack if exist.


Referring to claim 16, the combination of (SCHAT-HERSHEY) suggest all the limitations and motivation of claim 15, as discussed above. 
However, SCHAT teaches, the method of claim 15, wherein the behavioral model for the IC comprises use--case-specific information based on a hardware configuration of the IC and a device application of the IC. (SCHAT, (par. [0030]) “the second integrated circuit may be configured and arranged to identify patterns of scan read/write access which are untypical for a standard scan test, but typical for attempts to get illegitimate access to the ICs and obtain protected information. As an illustration, the second integrated circuit can be configured and arranged to operate in the mission mode by detecting an illegitimately access to the plurality of integrated circuits by multiple write-type accesses to a common location of circuitry of the same data pattern followed by a read-type access. Multiple write access of the same pattern to the same location followed by read access is typical for an attack to check if any obfuscating behavior of the scan mechanism is present”)  

Referring to claim 18, the combination of (SCHAT-HERSHEY) suggest all the limitations and motivation of claim 15, as discussed above. 
(SCHAT, (par. [0049]) ”If a pattern or data access is detected by the integrated circuit, the method continues to step 312 with checking (via the particular integrated circuit) the legitimacy of the detected pattern or access. For instance, at 314, the method includes comparing (via the particular integrated circuit) the detected pattern to a list of accepted and/or not-accepted data patterns”, (par. [0053]) “At 318, the method can optionally include updating lists of data patterns or accesses.”); and
identifying patterns in the operational data based on the updated predefined metric. (SCHAT, (par. [0049]) “integrated circuit 101-4 (or 103, as the case may be) can be configured and arranged to identify scan patterns which are untypical for a standard scan test, but typical for attempts to get illegitimate access to the ICs 101 and obtain protected information.”)

Referring to claim 19, the combination of (SCHAT-HERSHEY) suggest all the limitations and motivation of claim 15, as discussed above. 
However, SCHAT teaches, the method of claim 15, further comprising:
receiving an updated behavioral model for the IC (SCHAT, (par. [0030]) “the second integrated circuit can be configured and arranged to operate in the mission mode by detecting an illegitimately access to the plurality of integrated circuits by multiple write-type accesses to a common location of circuitry of the same data pattern followed by a read-type access. Multiple write access of the same pattern to the same location followed by read access is typical for an attack to check if any obfuscating behavior of the scan mechanism is present”), (par. [0050]) “Additionally and/or alternatively, at 316, the method includes comparing (via the particular integrated circuit) the detected data access to a list of accepted or not-accepted data accesses. For instance, the particular integrated circuit (e.g., 101-4 illustrated in FIGS. 1 and 202-3 illustrated in FIG. 2) can be configured and arranged to identify patterns of scan read/write access which are untypical for a standard scan test, but typical for attempts to get illegitimate access to the ICs and obtain protected information"; and
generating a second risk assessment regarding whether the operational data is indicative of normal behavior or abnormal behavior based on the identified patterns in the operational data and the updated behavioral model for the IC. (SCHAT, (par. [0050]) “Additionally and/or alternatively, at 316, the method includes comparing (via the particular integrated circuit) the detected data access to a list of accepted or not-accepted data accesses. For instance, the particular integrated circuit (e.g., 101-4 illustrated in FIGS. 1 and 202-3 illustrated in FIG. 2) can be configured and arranged to identify patterns of scan read/write access which are untypical for a standard scan test, but typical for attempts to get illegitimate access to the ICs and obtain protected information.”, (par. [0051]) “At 322, the method includes performing security actions. For instance, an action-responsive circuit (such as 101-5 illustrated in FIGS. 1 and 202-4 illustrated in FIG. 2) can be configured and arranged to respond to a communication from a supervisory circuit (such as 101-4 illustrated in FIGS. 1 and 202-3 illustrated in FIG. 2) by performing a security action to mitigate the suspect illegitimate action and therein lessen risk ensuing from a malicious access.”)


Claims (4-6, 9, 14, 17 and 20) is/are rejected under 35 U.S.C. 103 as being unpatentable over SCHAT et al. (US-20190377868-A1, SCHAT referred to as " SCHAT”) and in view of HERSHEY et al. (US-5414833-A, HERSHEY referred to as " HERSHEY”) and further view of CHEN et al. (US-20170076116-A1, CHEN referred to as " CHEN”).

Referring to claim 4, the combination of (SCHAT-HERSHEY) suggest all the limitations and motivation of claim 1, as discussed above. 
However, the combination of (SCHAT-HERSHEY) does not explicitly teach wherein the selection circuitry of the data scavenger comprises a memory device storing a memory map as the configuration signal indicating the at least one element of interest of the plurality of elements of interest to collect data from.
	However, CHEN teaches wherein the selection circuitry of the data scavenger comprises a memory device storing a memory map as the configuration signal indicating the at least one element of interest of the plurality of elements of interest to collect data from. (CHEN, par. [0031], FIG. 5) “the runtime detector 506 is connected to receive selected signals 512, and may also be connected to the SVM model to receive a plurality of support vectors as input parameters which were formed by applying a training set of a plurality of feature vectors extracted from pre-silicon verification simulation traces to SVM training engine”,  (CHEN, (par. [0034]) “Using a training engine that is executed as an application software on-chip, the monitored signals from on-chip memory are retrieved and applied as training data to update the SVM model”)
(SCHAT-HERSHEY) and CHEN are analogous art because they are from the same field of endeavor in security and user validation. Before the effective filing date of the invention, it would have been obvious to a person of ordinary skill in the art, having the teaching of (SCHAT-HERSHEY) and CHEN where he or her citing the structure of  an Analytics processing circuitry which contains a data scavenger that collect a data from different elements, selecting the element of interest according to a configuration signal to the selection circuitry also it contain a data analyzer to receive the data from the data scavenger to analyze it based on patterns of (SCHAT-HERSHEY), however, (SCHAT-HERSHEY) failed to explain explicitly cite selection circuitry with more details, the selection circuitry of the data scavenger contains a memory device used to store a memory map as the configuration signal work to indicate the at least one element of interest of the plurality of elements of interest to collect data of CHEN. The suggestion and/or motivation to select the element of interest and collect the data for this element.

Referring to claim 5, the combination of (SCHAT-HERSHEY) suggest all the limitations and motivation of claim 1, as discussed above. 
However, the combination of (SCHAT-HERSHEY) does not explicitly teach wherein the configuration signal is received in response to a trigger.
Wherein CHEN teaches wherein the configuration signal is received in response to a trigger. (CHEN, (par. [0029]) “the classifier could be implemented in software running on the processor with hardware support to send an interrupt trigger and corresponding extracted signal traces to the processor and return the classification results from the processor “)
(SCHAT-HERSHEY) and CHEN are analogous art because they are from the same field of endeavor in security and user validation. Before the effective filing date of the invention, it would have been obvious to a person of ordinary skill in the art, having the teaching of (SCHAT-HERSHEY) and CHEN where he or her citing the structure of  an Analytics processing circuitry which contains a data scavenger that collect a data from different elements, selecting the element of interest according to a configuration signal to the selection circuitry also it contain a data analyzer to receive the data from the data scavenger to analyze it based on patterns of (SCHAT-HERSHEY), however, (SCHAT-HERSHEY) failed to explain explicitly cite selection circuitry with more details, the selection circuitry of the data scavenger contains a memory device used to store a memory map as the configuration signal work to indicate the at least one element of interest of the plurality of elements of interest to collect data of CHEN. The suggestion and/or motivation to select the element of interest and collect the data for this element.

Regarding claim 6, the combination of (SCHAT-HERSHEY-CHEN) teaches, the analytics processing circuitry of claim 5 
(SCHAT, (par. [0041]) “The apparatus 107 may also include a second integrated circuit configured and arranged to operate in a mission mode during which the second integrated circuit supervises data traffic by monitoring communications including data patterns and accesses on the wired communications bus 105. The second integrated circuit may detect a suspect illegitimate data communication, and in response, perform a security action to mitigate a suspect illegitimate action in the plurality of integrated circuits 101. For instance, integrated circuit 101-4 may supervise the data traffic on the wired communications bus 105 and report a suspected attack. The supervision or “watchdog” functionality of integrated circuit 101-4 can be a main or additional functionality of integrated circuit 101-4.”)
 
Referring to claim 9, the combination of (SCHAT-HERSHEY) suggest all the limitations and motivation of claim 8, as discussed above. 
However, the combination of (SCHAT-HERSHEY) does not explicitly teach wherein the data scavenger receives the configuration signal to the selection circuitry from the moderator. 
Wherein CHEN teaches wherein the data scavenger receives the configuration signal to the selection circuitry from the moderator. (CHEN, (par. [0025], FIG. 2) “In selected embodiments, a user input selection control 206 may be provided to the feature extraction process 211 to specify which input/output signal traces 204, 205 are captured”) 
(SCHAT-HERSHEY) and CHEN are analogous art because they are from the same field of endeavor in security and user validation. Before the effective filing date of the invention, it would have been obvious to a person of ordinary skill in the art, having the teaching of (SCHAT-HERSHEY) and CHEN where he or her citing the structure of the data analyzer receives the updates to the predefined metric from a moderator of (SCHAT-HERSHEY), however, (SCHAT-HERSHEY) failed to explain explicitly cite receiving the configuration signal by data scavenger, the data scavenger receives the configuration signal to the selection circuitry from the moderator of CHEN. The suggestion and/or motivation to select the interested element based on configuration signal after data analyzer receives the updates to the predefined metric from a moderator.

Referring to claim 14, the combination of (SCHAT-HERSHEY) suggest all the limitations and motivation of claim 13, as discussed above. 

Wherein CHEN teaches wherein the data analyzer is configured to receive a status signal from the operating system regarding a status of a device and compare the status signal from the operating system with operational data regarding the device that is received from the data scavenger. (CHEN, (par. [0031]) “To protect against such situations and other improper operations or attacks, the SVM security model wrapper 501 may be included in the SOC 500 to monitor the input/output behavior of the security policy decision point module 507 and security policy enforcement point module 508 to prevent execution of insecure inputs and/or to block insecure output.”)
(SCHAT-HERSHEY) and CHEN are analogous art because they are from the same field of endeavor in security and user validation. Before the effective filing date of the invention, it would have been obvious to a person of ordinary skill in the art, having the teaching of (SCHAT-HERSHEY) and CHEN where he or her citing the data analyzer is coupled to receive signals from an operating system of (SCHAT-HERSHEY), however, (SCHAT-HERSHEY) failed to explain explicitly cite the data analyzer  receive a status signal from the operating system regarding a status of a device then compare the status signal from the operating system with operational data, the data analyzer is configured to receive a status signal from the operating system based on the status of a device and compare the status signal from the operating system with operational data regarding the device that is received from the data scavenger of CHEN. The suggestion and/or motivation so data analyzer receives and the status signal from the operating system with operational data regarding the device that is received from the data scavenger.

Referring to claim 17, the combination of (SCHAT-HERSHEY) suggest all the limitations and motivation of claim 15, as discussed above. 
However, the combination of (SCHAT-HERSHEY) does not explicitly teach further comprising: receiving a configuration signal identifying elements of interest, the configuration signal adjusting which elements of the plurality of elements of interest to collect data from; and subsequently collecting operational data from the elements of interest identified by the configuration signal.
Wherein CHEN teaches further comprising: receiving a configuration signal identifying elements of interest, the configuration signal adjusting which elements of the plurality of elements of interest to collect data from; (CHEN, par. [0031], FIG. 5) “the runtime detector 506 is connected to receive selected signals 512, and may also be connected to the SVM model to receive a plurality of support vectors as input parameters which were formed by applying a training set of a plurality of feature vectors extracted from pre-silicon verification simulation traces to SVM training engine”)
and subsequently collecting operational data from the elements of interest identified by the configuration signal. (CHEN, par. [0031], FIG. 5) “the SVM model may be used to classify a set of signal vectors 512 that reveals the issue in the security policy decision point module 507 by computing an outlier measure to identify the offending vector and indicate to the security monitor 502 that an anomaly occurred with signal 514.”)
(SCHAT-HERSHEY) and CHEN are analogous art because they are from the same field of endeavor in security and user validation. Before the effective filing date of the invention, it would have been obvious to a person of ordinary skill in the art, having the teaching of (SCHAT-HERSHEY) and CHEN where he or her collecting operational data from at least one element of interest of a plurality, identify patterns in the operational data over a time frame or for a snapshot of time based on a predefined metric, generating a risk assessment regarding whether the operational data is indicative of normal behavior or abnormal behavior (SCHAT-HERSHEY), however, (SCHAT-HERSHEY)failed to explain explicitly cite receive a configuration signal identifying elements of interest, receive a configuration signal to identify the elements of interest, the configuration signal adjusting which elements of the plurality of elements of interest to collect data from and collect the operational data from the elements of interest identified by the configuration signal of CHEN. The suggestion and/or motivation collect the data from element of interest that selected based of configuration register.

Referring to claim 20, the combination of (SCHAT-HERSHEY) and CHEN teaches the method of claim 15.
CHEN further teaches a method comprising receiving a signal from an operating system regarding status of a device, (CHEN, (par. [0031]) “The SVM model includes the important samples on the boundary (noted as support vectors) with associated weights, and may be used to create a runtime classifier that monitors circuit behavior and flags patterns of bad behaviors by computing an outlier measure which identifies behavior that departs from the boundary by a specified threshold..”)
wherein identifying the patterns in the operational data comprises: comparing the signal from the operating system regarding status of the device to operational data regarding the device from the at least one element of interest; (CHEN, (par. 0025]) “the user input selection control 206 allows the internal signals or output signals of the security block to be monitored and selected to improve learning resolution of the learning engine 210.”)
and indicating any conflicts identified by the comparing. (CHEN, (par. 0026]) “the resulting model 214 effectively captures or defines the security-adhering behavior of the security block 202. By comparing the “good behavior” model 214 with monitored circuit behavior of the security block 202 during chip operation, insecure behavior of the security block 202 can be detected. To enable this comparison, the model 214 may be used by a runtime classifier that monitors circuit behavior and flags patterns of bad behaviors. “)
(SCHAT-HERSHEY) and CHEN are analogous art because they are from the same field of endeavor in security and user validation. Before the effective filing date of the invention, it would have been obvious to a person of ordinary skill in the art, having the teaching of (SCHAT-HERSHEY) and CHEN where he or her collecting operational data from at least one element of interest of a plurality, identify patterns in the operational data over a time frame or for a snapshot of time based on a predefined metric, generating a risk assessment regarding whether the operational data is indicative of normal behavior or abnormal behavior of (SCHAT-HERSHEY), however, (SCHAT-HERSHEY) failed to explain explicitly cite receiving a signal from an operating system regarding status of a device and identify the patterns in the operational data then indicate the conflicts, comparing the signal from the operating system regarding status of the device to operational data regarding the device from the at least one element of interest, and indicate any conflicts identified by the comparing of CHEN. The suggestion and/or motivation compare the patterns to indicate the conflicts.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. MUNRO et al. (US-20180020015-A1, MUNRO referred to as " MUNRO”) suggests (par. [0016]) “The present invention involves the construction of behavioral patterns for each network instance and real time comparison between these patterns and patterns for each network instance based on sequentially-collected data.”)
Any inquiry concerning this communication or earlier communications from the
examiner should be directed to AHMED HUMADI whose telephone number is (571)272-2066.

Examiner interviews are available via telephone, in-person, and video conferencing using
a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is
encouraged to use the USPTO Automated Interview Request (AIR) at
http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s
supervisor, Eleni Shiferaw, can be reached on (571) 272-3867. The fax phone number for the
organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be
obtained from Patent Center. Unpublished application information in Patent Center is available
to registered users. To file and manage patent submissions in Patent Center, visit:
https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more
information about Patent Center and https://www.uspto.gov/patents/docx for information about
filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC)
at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service
Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/AHMED HUMADI/               Examiner, Art Unit 2497                                                                                                                                                                                         
/ELENI A SHIFERAW/Supervisory Patent Examiner, Art Unit 2497