DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 have been examined and are pending.
Allowable Subject Matter

Claims 3, 5, 7-8, 10, 13, 15, 17-18, and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and all intervening claims.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-2 and 11-12 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 8, and 10-12 of copending Application No. 16/278,991 and claims 1, 11, and 16-17 of copending Application No. 15/501,135. Although the claims at issue are not identical, they are not patentably distinct from each other because all these inventions describe methods of cyber threat detection systems that analyze and compare metrics of models of normal behavior.

This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 05/10/2019 was filed.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Objections
Claims 1-2, 4, 11-12, and 14 are objected to because of the following informalities:  
Claim 1, lines 12 and 16: replace and revise term: “being;” limitations should positively recite. 
Claim 2, line 6: replace and revise term: “being;” limitations should positively recite. 
Claim 4, lines 5 and 8: replace and revise term: “being;” limitations should positively recite. 
Claim 11, lines 12 and 16: replace and revise term: “being;” limitations should positively recite. 
Claim 12, line 6: replace and revise term: “being;” limitations should positively recite. 
Claim 13, line 1: appears to have a typographical error; revise “claim 1” to “claim 11”. Appropriate correction is required.
CLAIM INTERPRETATION
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “...one or more modules... a cloud module... a cyber threat module... an autonomous response module” in claims 1-2, 5-6, 11-12, and 15-16.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
	
Claim Rejections - 35 USC § 112
Claims 1-2, 5-6, and 8 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim limitations “...one or more modules... cloud infrastructure elements... a cloud module... a cyber threat module... an autonomous response module” invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. "Because at most figures 1 to 3 and show the modules of the claimed system; no association between the structure and the function can be found in the specification. At most, para 172 of the specification describes the contents of the: "Many functions performed by electronic hardware components can be duplicated by software emulation. Thus, a software program written to accomplish those same functions can emulate the functionality of the hardware components in input-output circuitry. The functionality performed by one or modules may be combined into a single module, where logically possible, and a module’s functionality may be split into multiple modules." The body of the claim does not positively recite any hardware embodiment." Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph.
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 

If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.
Claims 2-10 are rejected under 35 USC 112 2nd for their dependency upon claim 1.
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly 

Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. In Fig. 4, there is system 100 depicted with a cyber security appliance interfaced to a set of probes – a box indicating “Probes – SaaS connector” coupled to a SaaS product cloud; there is also a box indicating “Probes” coupled to a (generic) cloud. How does one skilled in the art know how or what are “relevant” change(s) or “relevant” behavior(s)? How should the information about making relevant changes impact the cloud infrastructure environment?
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have 

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-2, 6, 9, 11-12, 16, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Lines et al, hereinafter (“Lines”), European Patent Application (EP3262815 B1), in view of Stockdale et al, hereinafter (“Stockdale”), US PG Publication (20170220801 A1), which was submitted in the 05/10/2019 IDS.
Regarding claims 1 and 11, Lines teaches a cyber security appliance, and a method for a cyber security appliance, comprising:
one or more modules that utilize probes to interact with entities in a cloud infrastructure environment that include one or more cloud infrastructure elements reliant on packet transmission, whether by API interaction, accessing logging tools, observing virtualized network traffic, and/or making relevant requests, and that use the probes to feed information about relevant changes in the cloud infrastructure environment back to the modules in a central location of the cyber-security appliance; [Lines, ¶¶0009, 0011, 0014, 0018, 0026-0027, and 0033: A cloud security fabric (CSF 100) allows an enterprise to discover sensitive data, apply policies and automation actions configurations/users/data, and ensures regulated data compliance. A plurality of connector APIs interface the fabric may discover information about entities relating to the information security of the enterprise computing environment by obtaining information from the interfaces of a plurality of cloud platforms. Other things include discover and manage third party applications on dealing interfaces (including APIs): SaaS-to-SaaS interfaces, etc. Various modules of the CSF 100 can evaluate a given object or event and consider not only the metadata that is discovered by the CSF 100 but also data relevant to the other policies. Connector APIs 108 may connect to CSF through connectors 144. The CSF 100 may host various security relevant services, including content analysis services 110 (referred to in various embodiments as CCS, CaaS, and the like) and content classification services 146 (which analyze documents, files, and objects to find specific information based on patterns, rules, frequency, proximity, weights, fingerprints, dictionaries, etc. (e.g. credit card information, social security numbers) in real time); context analysis services 112 (which analyze documents, files or objects for sensitive information based on metadata criteria such as file ownership, sharing and access patterns, etc.); user behavior monitoring services 114 (which monitor and analyze user activity to detect potential anomalies and significant changes that may suggest malicious behavior); encryption as a service 122 (referred to in some cases as encryption management), behavioral analysis 114 (referred to in some cases as user behavior monitoring, but applicable to behavior of users, of applications, of services and of devices), behavior analytics 150 (referred to in some cases as user behavior analytics (UBA), also applicable to users, applications, services and devices), connectivity services, and policy management 116 (including policy creation and automated policy management, also referred to herein as context allows as a policy automation engine 116); and threat intelligence 121 (including feeds of threat information that can be provided from the CSF 100 and accessed by APIs from various other systems, which include threat information identified within the CSF 100 and other capabilities described throughout this disclosure, as well as threat information obtained from external systems); community trust rating services 160 (including the ability for the community of users of the CSF 100 to tag, rate, and share information about risks, risk management, security configurations, and other topics); incident management services 120 (which centrally manage and investigate incidents across an organization's portfolio of platforms and applications); encryption and key management services 122 (which empower end users to selectively encrypt sensitive information based on individual files or fully automated policy escalations); security analytics services 124 (which deliver insight relating to key cloud security risks and performance indicators) and configuration management services 134 (which allow the CSF 100 to take configuration information from various sources and configure various security related modules and services in the CSF 100 or in various platforms). The CSF 100 may have other services such as an applications firewall service 148 or Application Firewall (AFW) 300.]
a cloud module configured to 1) use the information about relevant changes in the cloud infrastructure environment fed from the probes, and 2) use one or more [Lines, ¶¶0018 and 0031: Behavior analytics 150 (referred to in some cases as user behavior analytics (UBA); the CSF 100 can use application connection APIs to pull down information from the connector into the CSF 100; ¶0033: detect significant changes; ¶0041: Fig. 5, user behavior analysis, such as performed on or in connection with a platform 500, which in turn may be associated with an overall cyber intelligence platform 6500 and with various other capabilities of the CSF 100 as described throughout this disclosure (including the user behavior monitoring 114 and user behavior analysis (UBA) 150). ¶0057: identifying sensitive content of the organization, such as, machine learning, so that an operator of the UBA platform 500 can focus behavior analysis over sensitive data more specifically. ¶0113-0114: Anomaly detection 640 detects behavioral patterns may be abnormal related to baseline, defined by threshold-based rules or machine learning. A pre-trained model may be applied to machine learning model application activities 642. ¶0091: The platform 500 may include various capabilities, such as collection and retention, online detection, offline analysis, forensics and DLP/scanning support.] and 
an autonomous response module, rather than a human taking an action, configured to cause one or more actions to be taken to counter the cyber threat, identified by the cyber threat module, within an organization's portion of the cloud infrastructure environment when a cyber-threat risk parameter is indicative of a [Lines, ¶0012: global policy creation and policy automation (such as enabling management of work flows and implementing various rules, such as enabled by a rules engine, about taking action in the enterprise environment (including any cloud) with automated actions taking place in response to the policy engine); ¶0023: As the enterprise continuously updates its policies, the APIs 104 can access the updates and implement a workflow to automatically update policies, including policies implemented by the policy automation engine 116 of the CSF 100. ¶0046: Rules based features may detect indicators of compromise based on rules. ¶0056: Behavior may also be used for detecting an advanced threat (such as a more sophisticated threat) such as by correlating, comparing, and otherwise identifying patterns and irregularities in activities, such as comparing across various users, groups and enterprises. This can be important since a very small level of activity may not be detected in a context of one user, but if the system sees small patterns repeating in a wide range of users, it might be an indicator of compromise. ¶0068: In embodiments, an abnormally excessive activity task, which may be a statistical task, may trigger an incident when a type of event is performed over an automatically determined threshold for a user, an organization, an application, or the like, where the threshold is determined by calculating a baseline activity and a statistical measure is used to distinguish abnormal from baseline levels of activity. 
¶0098: Configuration and control may allow each tenant to select which detection policy to apply for the processing of the data of the tenant, as well as allow each tenant to configure thresholds and other input parameters to be applied to the policies of the tenant. Detection policy selection may also be configurable per source. ¶0225: A crawler/bot activity use case may detect non-human activity performed, such as via an API or via a non-API interface. A crawler/bot activity use case may include scenarios such as a non-API activity performed by a script or other non-human source scenario]
 While Lines teaches a cyber threat module configured to use one or more machine learning models trained on cyber threats in the cloud infrastructure environment and examine at least the behaviors [Lines, ¶¶0013-14: user behavior analysis and modeling; access patterns for behavior anomaly; ¶¶0033: detect significant changes; ¶0114: Machine learning model application activities 642 may apply a pre-trained model to the incoming events and flag when a model indicates a problem.]; however, a cyber threat module configured to use one or more machine learning models trained on cyber threats in the cloud infrastructure environment and examine at least the behaviors of the first entity falling outside of the normal pattern of life to determine 'what is a likelihood of 'a chain of unusual behaviors under analysis that fall outside of being the normal behavior' is a cyber threat; [Stockdale, ¶0012: attack chain; ¶¶0013-0019: method and system disclosed herein enable automatic probabilistic real-time detection of cyber threat or compromise to computers and/or networks through changes in the computers and/or networks' behavior; normal behavior and falling outside normal;]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of a 
Regarding claims 2 and 12, the combination of Lines and Stockdale teaches claim 1 as described above.
Lines teaches where the cyber threat module is further configured to use the information about relevant changes in the cloud infrastructure environment from the probes and then contextualize i) this information with ii) physical network traffic information and, if any exists, iii) relevant behavior of the first entity outside the cloud infrastructure environment from the probes, to analyze what is the likelihood the chain of unusual behaviors under analysis that fall outside of being the normal behavior being malicious activity; and thus, is the cyber threat. [Lines, ¶0012: contextual analysis; ¶0027: native APIs of heterogeneous cloud platform integrate relevant work flows for the various modules of the CSF 100, including user behavior analysis. ¶0033: CSF 100 interfaced to connector APIs 108 allow to use context analysis services 112 (which analyze documents, files or objects for sensitive information based on metadata criteria such as file ownership, sharing and access patterns, etc.) and significant changes identified from user behavior monitoring services 114. It is through the threat intelligence 121 (including feeds of threat information that can be provided from the CSF 100 and accessed by APIs from various other systems, which include threat information identified within the CSF 100 and other capabilities described throughout this disclosure, as well as threat information obtained from external systems).]

Regarding claims 6 and 16, the combination of Lines and Stockdale teaches claim 1 as described above.
Lines teaches where the cloud module and the one or more machine learning models trained on the cloud infrastructure environment, examine at least the behaviors of i) administrative changes in the cloud infrastructure environment, ii) traffic that flows between the two or more cloud infrastructure elements reliant on packet transmission in a virtual environment, and iii) virtual traffic that leaves the virtual environment in the cloud infrastructure environment and then travels over a physical network, as captured and fed back to the modules over a secure connection by the probes. [Lines, ¶0014: Deployed CSF 100 interface various resources used in the cloud; cloud-to-cloud interfaces, SaaS-to-SaaS interfaces, and interfaces of conventional networks to cloud resources, including SaaS applications. ¶0019: an administrator, service provider or vendor for an enterprise may use the enterprise APIs 104 to take various actions, such as to open a service ticket related to a security-related event, send a page to a security administrator, or undertake various activities that make security activities more operational. Examiner interprets these various actions as administrative changes occurring in the cloud enterprise/infrastructure. ¶0038: The CSF 100 may be cloud-to-cloud, instantly available, and highly scalable and may provide multi-cloud visibility and control. The CSF 100 may require no installation, traffic routing, and loss of functionality of applications or platforms, or performance impact. ¶0242: The overall deployment of the CSF 100 may also contain additional components such as the Backoffice 818, which may comprise the central administration system for the CSF 10... In addition, the deployment of the CSF 100 may be configured in such a way where subsystems are separated into different virtual networks (e.g., using AWS VPC™) and external access may be routed via NAT and Web servers (e.g., Nginx™). 
¶0469: To be more incident responsive focusing on continuous monitoring, the architecture can deal with network packets, flows, OS activities, user behaviors, application transactions, among other factors. ¶0114: Machine learning model application activities 642 may apply a pre-trained model to the incoming events and flag when a model indicates a problem. Machine learning may include any method in which a model may built based on large amounts of data and later applied to new data to reach some conclusion.]

Regarding claims 9 and 19, the combination of Lines and Stockdale teaches claim 1 as described above.
Lines teaches where the cloud module is further configured to take a varied list of events and metrics from the probes and then organize them into one of several distinct granular categories, in which logic in the cloud module deems a most appropriate category. [Lines, ¶0061: UBA may be used as a path to advanced analytics, use cases may include excessive download or any activity category or type and inactive user detection or any activity category or type. ¶0064: a UBA unified policy task may consolidate policies, such as a whitelist policy and a sensitive user activity policy, to allow the refinement of sensitive user activities so that they trigger only according to a policy, such as during defined time periods or at defined locations]

Claims 4 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Lines et al, hereinafter (“Lines”), European Patent Application (EP3262815 B1), in view of Stockdale et al, hereinafter (“Stockdale”), US PG Publication (20170220801 A1), which was submitted in the 05/10/2019 IDS, in view of Cote et al, hereinafter (“Cote”), US PG Publication (20180248905 A1).

Regarding claims 4 and 14, the combination of Lines and Stockdale teaches claim 1 as described above.
However, the combination of Lines and Stockdale fails to explicitly teach but Cote teaches where the one or more machine learning models trained on the cloud system examine at least the behaviors of the entities of devices, containers, users, and traffic patterns falling outside of the normal pattern of life and what is the likelihood of the chain of unusual behaviors from these devices, containers, users, and traffic patterns that fall outside of being the normal behavior correspond to a malicious behavior associated with the cyber threat, where the models trained on the cloud system use unsupervised machine learning and Artificial Intelligence algorithms to understand and [¶0017: FIG. 8 is a flow diagram of the unsupervised learning methodology. ¶0031: Variously, the software application can automatically detect abnormal behaviors in packet or optical networks by analyzing performance monitoring metrics with Machine Learning (ML) techniques; artificial Neural Networks to detect anomalies in networks. Fig. 1 and ¶0038: The anomaly detection system 100 includes a computer cluster 110 executing the software application (“anomaly detection software”). Performance monitoring (PM) data can be collected from a network 120. The network 120 can include various physical or virtual network elements and can operate at any of the layers and/or protocols described herein. The data collection can optionally happen via a Network Management System (NMS) 130, a Software Defined Networking (SDN) controller, etc. The anomaly detection software is executed on the computer cluster 110. ¶0054: In order to better understand the behavior of the optical network 120 under normal conditions, performance monitoring metrics can be sampled from live or test optical networks in a controlled environment using relevant metrics above. Collecting metrics from a well-defined network ensures the integrity of the metrics and provides a baseline for normal/expected behavior. 
Once there is sufficient data for a baseline, controlled errors can be introduced into the network 120 to measure the change in metrics induced by these errors. ¶0093: The anomaly detection software in this unsupervised mode simplifies the work of telecom experts considerably, removing the classifying steps. The experts only need to ensure that the network data is being collected consistently. Global likelihood conveys a multi-dimensional analysis that is typically much more accurate than any one-dimensional thresholding.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Lines and Stockdale before him or her by including the teachings of systems and methods to detect abnormal behavior in networks of Cote. The motivation/suggestion would have been obvious to try to unsupervised approach can operate on-demand, batch, streaming, or embedded on a consistent basis to ensure a decouple processor intensive trained model identifying changes to baseline metrics [Stockdale, ¶¶0052 and 0092-0093].
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Weith (10,498,605 B2) discloses cloud based systems and methods for determining and visualizing security risks.
	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH W TAYLOR whose telephone number is (571)270-0682.  The examiner can normally be reached on Monday-Friday, 9:45-5:45.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Sakinah White Taylor/Examiner, Art Unit 2497