Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Response to Arguments
Applicant’s arguments have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Wang US 2010/0034102.



Claim Rejections - 35 USC § 103


The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective 

Claims 1-6, 8-13, 15-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Grayson US 10,375,100 in view of Sampath US 2020/0304393 in view of Wang US 2010/0034102

As per claims 1, 8, 15 Grayson teaches A method implemented in a computer comprising a processor, memory accessible by the processor, and computer program instructions stored in the memory and executable by the processor, the method comprising: collecting, at the computer system, a plurality of messages to and from at least one device; extracting, at the computer system, metadata features from the collected plurality of messages; generating, at the computer system, a time window; determining, at the computer system, additional features based on the extracted metadata features present during the time window; detecting, at the computer system, behavioral patterns of the at least one device based on the collected plurality of messages; Grayson teaches detecting, at the computer system, at least one anomaly or type of anomaly using the clustered determined additional features and the detected behavioral patterns. (Column 3 lines 21-30; lines 60-67; Column 7 lines 6-40; Column 8 lines 16-30; Column 9 line 1 to Column 10 line 5; Claim 7) (teaches generation of characteristics/typical behavior including device IDs and types of devices, communication direction of messages, frequency of messages, throughput over a period of time)


It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the histogram of Sampath with the prior art because it provides a more comprehensive and accurate analysis of network behavior. 

Wang additionally teaches building a mixed normal distribution model of message patterns and using said model to determine anomalies. [0013][0014][0017] (creating a network model including distribution and classification by K means and Bayesian means, and using it to detect anomalies, including traffic, time, size, etc.)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the model of Wang with the previous combination because it increases anomaly detection and thereby increases security.

As per claims 2, 9, 16 Grayson teaches The method of claim 1, wherein the extracted metadata features comprise at least one of an ID of the at least one device associated with each message, a message size of each message, a communication direction of each message, and communication time of each message and the additional features comprise at least one of temporal aspects, including at least one of intervals or frequencies with which a device sends messages and average periods or frequencies of messages, temporal hierarchies, including at least one of day of week, time of day, and part of hour, sequences of messages, including at least one of patterns of message length, message type, device IDs of specific devices, type of device, and class of device. (Column 3 lines 21-30; lines 60-67; Column 7 lines 6-40; Column 8 lines 16-30; Column 9 lines 1-10; Claim 7) (teaches generation of characteristics including device IDs and types of devices, communication direction of messages, frequency of messages, throughput over a period of time)

As per claims 3, 10 Sampath teaches The method of claim 2, wherein a size of the time window is selected based on a frequency of communication of the at least one message, and to allow large messages to be collected in single time window. [0054] (teaches collecting a plurality of 
As per claims 5, 12, 19 Sampath teaches The method of claim 3, wherein determining extracted metadata features present during the time window comprises at least one of counting a number of messages to and from the at least one device during the time window and generating a histogram of different message sizes during the time window. [0054] (Figure 2) (teaches a histogram of message length and frequency over a time period)

As per claims 6, 13 Sampath teaches The method of claim 5, wherein the clustering comprise at least one of K-means clustering and hierarchical clustering. [0016][0033][0047] (teaches 



Allowable Subject Matter
Claims 7, 14, 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833. The examiner can normally be reached M-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) 





/CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439