Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the reply filed by Applicant on 12/21/2021. Claims 1-20 are pending. This Office Action is final.

Response to Arguments
	A) Amendments and arguments regarding 35 USC 101 for being an abstract idea have been considered and deemed not persuasive.  Because at least the determining and comparing steps amount to a mental process that can practically be performed in the mind, the claim recites an abstract idea under Step 2A, Prong One of the eligibility analysis.  Turning to Prong Two and the question of whether the additional elements integrate the judicial exception into a practical application, the mere generation of the alert is not enough to overcome the rejection, because it amounts to insignificant extra-solution activity (MPEP 2106.05(g)). 
	Further, the claim is not limited to computer implementation; nothing in the claim actually requires a computer to perform the claimed steps. As explained in MPEP 2106.05(a), “It is important to note that in order for a method claim to improve computer functionality, the broadest reasonable interpretation of the claim must be limited to computer implementation. That is, a claim whose entire scope can be performed mentally, cannot be said to improve computer technology.” For at least this reason, the examiner maintains that the claim even as amended remains ineligible.  As a result, the rejections of these claims under 35 USC 101 stand.


Claim Rejections - 35 USC § 101
	35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.
Regarding claims 1, 10 and 13, each claim is directed to an abstract idea in reciting the limitations “receive a flow,” “determine one or more similarities,” “determine a max similarity,” “compare a max,” “generating an alert” and “generating a new flow.”   The aforementioned steps are a “mental process” because, as broadly interpreted, said steps could be performed in the human mind. Therefore, the claim recites an abstract idea.  
Said abstract idea and/or judicial exception is not integrated into a practical application because the claim does not recite any other active steps that utilize the determination result in a practical application.  It is noted that the claims recite additional elements (i.e., processor/memory, computing system).  However, said additional elements are recited at a high level of generality (i.e., as a generic processor performing a generic computer function of detecting or determining, etc.) such that they amount to no more than mere instructions to apply the exception or abstract idea using a generic computer component.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements, when considered both individually and as an ordered combination, do not amount to significantly more than the abstract idea.   As mentioned above, although the claims recite additional elements, said elements, taken individually or as a combination, do not result in the claim amounting to significantly more than the abstract idea because the additional elements perform generic computer functions routinely used in the information technology field. See US Applications 2013/0254535, 2015/0156194 and 2011/0154027.  As discussed above, the additional elements are recited at a high level of generality such that they amount to no more than mere instructions to apply the exception using a generic computer component.  Therefore, the claim is directed to non-statutory subject matter.
Regarding claims 2-9, 11, 12 and 14-20, the dependent claims are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reasons addressed above, as the claims recite an abstract idea without being integrated into a practical application or amounting to significantly more.



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.




Claims 1, 3-5, 8, 9, 11-13 and 15-19 are rejected under 35 U.S.C. 103 as being unpatentable over Su et al. (US 2021/0344569) in view of Staniford (US 2017/0289186).

	As per claim 1, Su teaches a method for detecting an anomaly in a network device, the method comprising: receiving a flow vector corresponding to a flow associated with the network device (Su, Paragraph 0009 recites “acquiring network data traffic in a target network, and determining each data packet contained in the network data traffic as a node of a complete graph, to construct a data complete graph;”);
	determining one or more similarity values between the flow vector and one or more flow clusters associated with the network device; determining a maximum similarity value as a maximum of the one or more similarity values (Su, Paragraph 0031 recites “calculating a first cosine similarity between a target data element and any one of the data elements in the data element set corresponding to the target cluster center, and a second cosine similarity between the target data element and any one of data elements in a data element set corresponding to an object cluster center, in a case that a first distance between the target data element and the target cluster center, and a second distance between the target data element and the object cluster center are both less than the radius value”);
	comparing the maximum similarity value to a threshold (Su, Paragraph 0090 recites “In step S205, it is determined whether ratios of the intra-cluster distance to the inter-cluster distance of all the data element sets are less than a preset first threshold. Proceed to step S207, in response to a positive determination; or, proceed to step S206, in response to a negative determination.”);
	in response to the maximum similarity value being equal to or greater than the threshold, updating a flow cluster associated with the maximum similarity value by combining the flow cluster associated with the maximum similarity value with the flow vector (Su, Paragraph 0091 recites “In step S206, each cluster center is updated according to an objective formula, and proceed to step S203.”); 
	and in response to the maximum similarity measure being less than the threshold, detecting the anomaly in the network device (Su, Paragraphs 0092-0094 recite “In step S207, a function value of an objective function is calculated. In step S208, it is determined whether a difference between the calculated function value and an initial function value is less than a preset second threshold. Proceed to step S209, in response to a positive determination; or, proceed to step S210, in response to a negative determination. In step S209, an anomaly behavior in the target network is determined based on a type of each of the data element sets.”).
	Su fails to teach generating an alert message based on the detected anomaly and generating a new flow cluster based on the flow vector.
	However, in an analogous art, Staniford teaches generating an alert message based on the detected anomaly (Staniford, Paragraph 0152 recites “Anomaly analyzer 40 may be alerted.”);
	and generating a new flow cluster based on the flow vector (Staniford, Paragraph 0143 recites “These processing requests could then be used to adaptively update the logic and thresholds of the anomaly analyzer 40 for "normal" traffic, to ensure that the anomaly analyzer 40 has a current profile of the baseline traffic, which will depend on a number of factors, including website content, world events, and the like.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Staniford’s system and method to protect a webserver against application exploits and attacks with Su’s method, apparatus, and device for determining network anomaly behavior, and readable storage medium, because updating the cluster data and vectors helps to ensure more accurate detection in the future.  
	
	As per claim 3, Su in combination with Staniford teaches the method of claim 1, and Staniford further teaches associating a timestamp with the new flow cluster, the timestamp indicating a time that the new flow cluster is generated (Staniford, Paragraph 0143 recites “These processing requests could then be used to adaptively update the logic and thresholds of the anomaly analyzer 40 for "normal" traffic, to ensure that the anomaly analyzer 40 has a current profile of the baseline traffic, which will depend on a number of factors, including website content, world events, and the like.” A timestamp is a piece of data that one of ordinary skill in the art would incorporate in updated data.).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Staniford’s system and method to protect a webserver against application exploits and attacks with Su’s method, apparatus, and device for determining network anomaly behavior, and readable storage medium, because updating the cluster data and vectors helps to ensure more accurate detection in the future.   

	As per claim 4, Su in combination with Staniford teaches the method of claim 1, Su further teaches wherein the determining the one or more similarity values comprises applying a cosine similarity measure to the one or more similarity values (Su, Paragraph 0031 recites “calculating a first cosine similarity between a target data element and any one of the data elements in the data element set corresponding to the target cluster center, and a second cosine similarity between the target data element and any one of data elements in a data element set corresponding to an object cluster center, in a case that a first distance between the target data element and the target cluster center, and a second distance between the target data element and the object cluster center are both less than the radius value”).

	As per claim 5, Su in combination with Staniford teaches the method of claim 1, Su further teaches receiving a first initial flow vector corresponding to a first flow associated with the network device; receiving a second initial flow vector corresponding to a second flow associated with the network device; determining a similarity value between the first initial flow vector and the second initial flow vector (Su, Paragraph 0031 recites “calculating a first cosine similarity between a target data element and any one of the data elements in the data element set corresponding to the target cluster center, and a second cosine similarity between the target data element and any one of data elements in a data element set corresponding to an object cluster center, in a case that a first distance between the target data element and the target cluster center, and a second distance between the target data element and the object cluster center are both less than the radius value”);
	comparing the similarity value to a similarity threshold; and in response to the similarity value being equal to or greater than the similarity threshold, generating the flow vector (Su, Paragraph 0090 recites “In step S205, it is determined whether ratios of the intra-cluster distance to the inter-cluster distance of all the data element sets are less than a preset first threshold. Proceed to step S207, in response to a positive determination; or, proceed to step S206, in response to a negative determination.”).

	As per claim 8, Su in combination with Staniford teaches the method of claim 1, Su further teaches receiving the threshold used for detecting the anomaly in the network device (Su, Paragraph 0090 recites “In step S205, it is determined whether ratios of the intra-cluster distance to the inter-cluster distance of all the data element sets are less than a preset first threshold. Proceed to step S207, in response to a positive determination; or, proceed to step S206, in response to a negative determination.”).

	As per claim 9, Su in combination with Staniford teaches the method of claim 1, Staniford further teaches dynamically updating the threshold based on at least one of the flow associated with the network device or a behavior of the network device (Staniford, Paragraph 0143 recites “These processing requests could then be used to adaptively update the logic and thresholds of the anomaly analyzer 40 for "normal" traffic, to ensure that the anomaly analyzer 40 has a current profile of the baseline traffic, which will depend on a number of factors, including website content, world events, and the like.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Staniford’s system and method to protect a webserver against application exploits and attacks with Su’s method, apparatus, and device for determining network anomaly behavior, and readable storage medium, because updating the cluster data and vectors helps to ensure more accurate detection in the future.  

Regarding claims 10 and 13, claims 10 and 13 are directed to a method and a system, respectively, associated with the method of claim 1. Claims 10 and 13 are of similar scope to claim 1 and are therefore rejected under a similar rationale.

	As per claim 11, Su in combination with Staniford teaches the method of claim 10, and Staniford further teaches updating a timestamp associated with the updated flow cluster, wherein the updated timestamp indicates a time that the one of the one or more flow clusters is updated (Staniford, Paragraph 0143 recites “These processing requests could then be used to adaptively update the logic and thresholds of the anomaly analyzer 40 for "normal" traffic, to ensure that the anomaly analyzer 40 has a current profile of the baseline traffic, which will depend on a number of factors, including website content, world events, and the like.” A timestamp is a piece of data that one of ordinary skill in the art would incorporate in updated data.).


	Regarding claims 12 and 15, claims 12 and 15 are directed to a method and a system, respectively, associated with the method of claim 3. Claims 12 and 15 are of similar scope to claim 3 and are therefore rejected under a similar rationale.


	As per claim 16, Su in combination with Staniford teaches the system of claim 13, Staniford further teaches wherein the at least one processor is further configured to dynamically update the threshold based on at least one of the flow associated with the network device or a behavior of the network device (Staniford, Paragraph 0143 recites “These processing requests could then be used to adaptively update the logic and thresholds of the anomaly analyzer 40 for "normal" traffic, to ensure that the anomaly analyzer 40 has a current profile of the baseline traffic, which will depend on a number of factors, including website content, world events, and the like.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Staniford’s system and method to protect a webserver against application exploits and attacks with Su’s method, apparatus, and device for determining network anomaly behavior, and readable storage medium, because updating the cluster data and vectors helps to ensure more accurate detection in the future.

	Regarding claim 17, claim 17 is directed to a system associated with the method of claim 4. Claim 17 is similar in scope to claim 4 and is therefore rejected under a similar rationale. 

	As per claim 18, Su in combination with Staniford teaches the system of claim 13, Staniford further teaches wherein the at least one processor is further configured to dynamically update the threshold based on the flow associated with the network device (Staniford, Paragraph 0143 recites “These processing requests could then be used to adaptively update the logic and thresholds of the anomaly analyzer 40 for "normal" traffic, to ensure that the anomaly analyzer 40 has a current profile of the baseline traffic, which will depend on a number of factors, including website content, world events, and the like.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Staniford’s system and method to protect a webserver against application exploits and attacks with Su’s method, apparatus, and device for determining network anomaly behavior, and readable storage medium, because updating the cluster data and vectors helps to ensure more accurate detection in the future.  

	Regarding claim 19, claim 19 is directed to a system associated with the method of claim 5. Claim 19 is similar in scope to claim 5 and is therefore rejected under a similar rationale. 


Claims 2, 6, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Su et al. (US 2021/0344569) in view of Staniford (US 2017/0289186) and further in view of Chen et al. (US 2017/0024660).

	As per claim 2, Su in combination with Staniford teaches the method of claim 1, and Staniford further teaches wherein the combining the flow cluster associated with the maximum similarity value with the flow vector comprises updating a timestamp associated with the flow cluster associated with the maximum similarity value, wherein the updated timestamp indicates a time that the flow cluster associated with the maximum similarity value is updated (Staniford, Paragraph 0143 recites “These processing requests could then be used to adaptively update the logic and thresholds of the anomaly analyzer 40 for "normal" traffic, to ensure that the anomaly analyzer 40 has a current profile of the baseline traffic, which will depend on a number of factors, including website content, world events, and the like.” A timestamp is a piece of data that one of ordinary skill in the art would incorporate in updated data.  See timestamps used in Giaconi Paragraph 0008).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Staniford’s system and method to protect a webserver against application exploits and attacks with Su’s method, apparatus, and device for determining network anomaly behavior, and readable storage medium, because updating the cluster data and vectors helps to ensure more accurate detection in the future.
	Su in combination with Staniford fails to teach determining an exponentially weighted moving average between the flow vector and the flow cluster associated with the maximum similarity value.
	However, in an analogous art Chen teaches determining an exponentially weighted moving average between the flow vector and the flow cluster associated with the maximum similarity value (Chen, Paragraph 0042 recites “The computing device may be configured to determine that a behavior (or behavior vector) is " suspicious" when it cannot classify a behavior with a sufficiently high degree of confidence as being either "benign" or "non-benign," such as when the value of the computed weighted average is below the high threshold and above the low threshold value. For example, the computing device may determine that a behavior (or behavior vector) is " suspicious" when the computed weighted average is 0.50, the upper threshold value is 0.95, lower threshold value is 0.20. In response to determining that the behavior is suspicious, the computing device may select a stronger (e.g., less lean, more focused, etc.) classifier model and repeat any or all of the above-described operations to generate additional or different analysis results. The computing device may use this new or additional analysis information to determine whether the suspicious behavior (e.g., the behavior vector and/or the activities characterized by the vector) may be classified as either benign or non-benign with a high degree of confidence. If not, the computing device may repeatedly or continuously perform the-above described operations until it determines that the behavior (or behavior vector) can be classified as benign or non-benign with a high degree of confidence (e.g., until the weighted average is above the high threshold or below the low threshold, etc.), until a processing or battery consumption threshold is reached, or until the computing device determines that the cause or source of the suspicious behavior cannot be identified from the use of stronger classifier models, larger behavior vectors, or changes in observation granularity.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Chen’s Methods and Systems for Using an Expectation-Maximization (EM) Machine Learning Framework for Behavior-Based Analysis of Device Behaviors with Su’s method, apparatus, and device for determining network anomaly behavior, and readable storage medium, because using weighted averages is a more accurate way of comparing similarities.   

	As per claim 6, Su in combination with Staniford teaches the method of claim 5, but fails to teach wherein the generating the flow vector comprises creating a weighted average of the first initial flow vector and the second initial flow vector.
	However, in an analogous art Chen teaches wherein the generating the flow vector comprises creating a weighted average of the first initial flow vector and the second initial flow vector (Chen, Paragraph 0042 recites “The computing device may be configured to determine that a behavior (or behavior vector) is " suspicious" when it cannot classify a behavior with a sufficiently high degree of confidence as being either "benign" or "non-benign," such as when the value of the computed weighted average is below the high threshold and above the low threshold value. For example, the computing device may determine that a behavior (or behavior vector) is " suspicious" when the computed weighted average is 0.50, the upper threshold value is 0.95, lower threshold value is 0.20. In response to determining that the behavior is suspicious, the computing device may select a stronger (e.g., less lean, more focused, etc.) classifier model and repeat any or all of the above-described operations to generate additional or different analysis results. The computing device may use this new or additional analysis information to determine whether the suspicious behavior (e.g., the behavior vector and/or the activities characterized by the vector) may be classified as either benign or non-benign with a high degree of confidence. If not, the computing device may repeatedly or continuously perform the-above described operations until it determines that the behavior (or behavior vector) can be classified as benign or non-benign with a high degree of confidence (e.g., until the weighted average is above the high threshold or below the low threshold, etc.), until a processing or battery consumption threshold is reached, or until the computing device determines that the cause or source of the suspicious behavior cannot be identified from the use of stronger classifier models, larger behavior vectors, or changes in observation granularity.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Chen’s Methods and Systems for Using an Expectation-Maximization (EM) Machine Learning Framework for Behavior-Based Analysis of Device Behaviors with Su’s method, apparatus, and device for determining network anomaly behavior, and readable storage medium, because using weighted averages is a more accurate way of comparing similarities.
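The flow-clustering procedure as mapped above for claims 1, 2, 3, 5 and 6 (cosine similarity of an incoming flow vector against each flow cluster, selection of the maximum similarity, comparison to a threshold, an exponentially weighted moving average update with a refreshed timestamp on a match, and an alert plus a new timestamped cluster on a miss, with the first cluster seeded from a weighted average of two initial flow vectors) is shown below as an added worked example in Python. It is illustrative code written for this page; it is not code from the application under examination nor from Su, Staniford or Chen. The class name FlowAnomalyDetector, the four-field flow vector layout, the threshold of 0.9, the smoothing factor of 0.2 and the sample vectors are all assumptions.

```python
import math
import time
from dataclasses import dataclass


@dataclass
class FlowCluster:
    """One flow cluster: a centroid vector plus creation/update timestamps (claims 2, 3, 11)."""
    centroid: list
    created_at: float
    updated_at: float
    count: int = 1


def cosine_similarity(a, b):
    """Cosine similarity between two flow vectors; 0.0 if either vector is all zeros."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


def ewma(old, new, alpha):
    """Exponentially weighted moving average of a centroid and a new flow vector (claim 2)."""
    return [(1.0 - alpha) * o + alpha * n for o, n in zip(old, new)]


def weighted_average(v1, v2, w1=0.5, w2=0.5):
    """Weighted average of two initial flow vectors to form a seed centroid (claim 6)."""
    return [w1 * a + w2 * b for a, b in zip(v1, v2)]


class FlowAnomalyDetector:
    """Hypothetical per-device detector; the name and parameters are assumptions, not claim language."""

    def __init__(self, threshold=0.9, alpha=0.2, clock=time.time):
        self.threshold = threshold  # similarity threshold (claim 8: may be supplied externally)
        self.alpha = alpha          # EWMA smoothing factor
        self.clock = clock          # injectable clock so timestamps are testable
        self.clusters = []
        self.alerts = []

    def seed(self, v1, v2):
        """Claims 5/6: merge two initial flow vectors into one cluster if they are similar
        enough, otherwise keep them as two separate clusters. Returns the cluster count."""
        now = self.clock()
        if cosine_similarity(v1, v2) >= self.threshold:
            self.clusters.append(FlowCluster(weighted_average(v1, v2), now, now, count=2))
        else:
            self.clusters.append(FlowCluster(list(v1), now, now))
            self.clusters.append(FlowCluster(list(v2), now, now))
        return len(self.clusters)

    def process(self, flow_vector):
        """Claim 1: score a flow vector against every cluster, take the maximum similarity
        and either fold the flow into the best cluster or raise an alert and open a new one."""
        now = self.clock()
        if not self.clusters:  # nothing to compare against yet: the first flow becomes a cluster
            self.clusters.append(FlowCluster(list(flow_vector), now, now))
            return {"anomaly": False, "max_similarity": None, "cluster": 0}
        sims = [cosine_similarity(flow_vector, c.centroid) for c in self.clusters]
        best = max(range(len(sims)), key=sims.__getitem__)
        max_sim = sims[best]
        if max_sim >= self.threshold:
            cluster = self.clusters[best]
            cluster.centroid = ewma(cluster.centroid, flow_vector, self.alpha)
            cluster.updated_at = now  # claims 2/11: timestamp of the update
            cluster.count += 1
            return {"anomaly": False, "max_similarity": max_sim, "cluster": best}
        # No cluster is close enough: anomaly branch (alert, then a new timestamped cluster).
        self.alerts.append({"time": now, "max_similarity": max_sim, "vector": list(flow_vector)})
        self.clusters.append(FlowCluster(list(flow_vector), now, now))  # claim 3
        return {"anomaly": True, "max_similarity": max_sim, "cluster": len(self.clusters) - 1}


# Constructed sample flow vectors: [bytes_in, bytes_out, packets, duration_s]; not real traffic.
BASELINE_A = [100.0, 80.0, 10.0, 1.0]
BASELINE_B = [110.0, 90.0, 12.0, 1.2]
SCAN_LIKE = [1.0, 0.0, 500.0, 0.01]  # many packets, almost no payload

if __name__ == "__main__":
    det = FlowAnomalyDetector()
    det.seed(BASELINE_A, BASELINE_B)
    print(det.process([105.0, 85.0, 11.0, 1.1]))  # folds into the baseline cluster
    print(det.process(SCAN_LIKE))                 # anomaly: alert plus a new cluster
    print(det.alerts)
```

Cosine similarity is scale-invariant, so a flow with the same byte/packet proportions at ten times the volume still matches the baseline cluster; a detector that must also flag volume changes would need a magnitude feature or a second measure, which is why the threshold in claims 9 and 16 is described as adjustable from observed flow behaviour.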

	Regarding claim 14, claim 14 is directed to a system associated with the method of claim 2. Claim 14 is similar in scope to claim 2 and is therefore rejected under a similar rationale. 

	Regarding claim 20, claim 20 is directed to a system associated with the method of claim 6. Claim 20 is similar in scope to claim 6 and is therefore rejected under a similar rationale. 


Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Su et al. (US 2021/0344569) in view of Staniford (US 2017/0289186) and further in view of Giaconi (US 2020/0175161).

	As per claim 7, Su in combination with Staniford teaches the method of claim 5, but fails to teach wherein the first and second initial flow vectors are stored in contiguous memory spaces.
	However, in an analogous art, Giaconi teaches wherein the first and second initial flow vectors are stored in contiguous memory spaces (Giaconi, Paragraph 0038 recites “At 516 the vector embeddings 214 for each value in the corpus of attribute values are stored for the current time period t. At 518 the method iterates for all time periods. Subsequently, at 520, the anomaly detector 216 compares generations of vector representation embeddings 214, e.g. using a vector similarity function such as cosine similarity. At 522 detected anomalies lead to 524 at which protective measures are deployed.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Giaconi’s multi-factor network anomaly detection with Su’s method, apparatus, and device for determining network anomaly behavior, and readable storage medium, because storing the vectors preserves the data for future analysis.
	Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661.  The examiner can normally be reached on Mon-Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


RODERICK TOLENTINO
Examiner
Art Unit 2439



/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439