Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
1.        Claims 1 - 20 are pending.  Claims 1, 10, 20 have been amended.  Claims 1, 10, 20 are independent.  File date is 1-31-2019.  This action is in response to application amendments filed on 12-15-2021.

Claim Rejections - 35 USC § 103  
2.        The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

3.        Claims 1 - 3, 9 - 12, 18, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Deardorff et al. (US PGPUB No. 20200195670) in view of Ayyagari et al. (US PGPUB No. 20130305357) and further in view of Wildberger (US PGPUB No. 20180047065).     	
 
Regarding Claims 1, 10, 20, Deardorff discloses a method for detecting anomalous network activity in a cloud-based compute environment and a system for detecting anomalous network activity in a cloud-based compute environment and a non-transitory computer readable medium having stored thereon instructions for causing processing circuitry to perform a process for 
a)  receiving configuration data and network activity observations for a set of virtual entities hosted in the cloud-based compute environment; (Deardorff ¶ 058, ll 1-7: configured to analyze multiple outputs in order to process received network activity generated by an automated process; ¶ 035, ll 1-9: network analysis techniques are autonomous; wide distribution of virtual security appliances across multiple cloud environments; distribution of virtual security appliances across multiple cloud environments (i.e. by definition a virtual entity is hosted upon a portion or an entire physical machine)) and
d)  determining whether anomalies have been detected in the set of virtual entities based on the profiles of the virtual entities and the virtual entity group profile. (Deardorff ¶ 036, ll 6-10: issue alerts (i.e. reports) to inform user of anomalous activity; review data associated with alert(s) and perform any appropriate action; ¶ 087, ll 1-9: detect anomalies upon entity exhibiting behavior (i.e. profile information) that is unexpected and based on its assigned behavioral profile)    

    Furthermore, Deardorff discloses for b): creating a profile for each virtual entity in the set of virtual entities, when the virtual entity does not already have an associated profile (Deardorff ¶ 067, ll 1-7: behavioral profile module creating or defining profiles; analyzes network activity data in order to create profiles representing entity behavior; ¶ 069, ll 1-5: data regarding the created profiles stored in one or more databases; ¶ 070, ll 1-7: profile may be previously defined (i.e. profiles may not be previously defined, created)); ¶ 068, ll 1-
    And, Deardorff discloses for d): dynamically updating the profile of each virtual entity and the virtual entity group profile with the respective network activity observations of the virtual entity. (Deardorff ¶ 034, ll 1-10: observing, tracking, and identifying patterns in activity data actions across a variety of tool sets and systems; patterns observed upon one or more networks; profile the intent and predict possible future activity based on observed behavior and recognized intent (i.e. unobserved behavior); ¶ 068, ll 1-5: profile module groups instances of similar network activity data together; assign a label indicative of the type of behavior exhibited; (member of a group); ¶ 069, ll 1-5: data regarding the created profiles stored in one or more databases)

Deardorff does not explicitly disclose for b): creating a profile for an entity based on configuration data, and for d): dynamically updating profile of an entity with respective network activity observations.
However, Ayyagari discloses: 
b)  creating a profile for each entity based on the configuration data; (Ayyagari ¶ 115, ll 1-6: dynamic development of context aware personalized profiles for end user/embedded device, enabling tailored anomaly behavior monitoring, detection, and mitigation; ¶ 115, 15-18: dynamic development of profiles of network configuration (i.e. configuration data) for router or other network type devices (network nodes, computing nodes), to enable tailored anomaly behavior monitoring, detection, and mitigation) and     

        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Deardorff for b): creating a profile for an entity based on configuration data, and for d): dynamically updating profile of an entity with respective network activity observations as taught by Ayyagari.  One of ordinary skill in the art would have been motivated to employ the teachings of Ayyagari for the benefits achieved from a system that enables the flexibility of the usage of dynamically generated user behavior profiles in the detection and management of anomalous behavior in a network environment.   (Ayyagari ¶ 071, ll 5-14) 

Furthermore, Deardorff-Ayyagari does not explicitly disclose for c): creating a virtual entity group profile for a group of virtual entities having a same expected network behavior. 
However, Wildberger discloses wherein for c): creating a virtual entity group profile for a group of the virtual entities having a same expected network behavior. (Wildberger ¶ 050, ll 1-21: digital profile contains some quantified metrics describing client's expected behavior, desires, and moods, among others; predictions generated on a probabilistic basis, and include contextual factors, such as time of day, season, weather, traffic conditions; platform expected behavior (e.g., going to the gym), desires (e.g., desires coffee in the morning), or moods (e.g., in a rush, angry), and these representations are stored (e.g., appended) onto digital profile)    
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Deardorff-Ayyagari for c): creating a virtual entity group profile for a group of virtual entities having a same expected network behavior as taught by Wildberger.  One of ordinary skill in the art would have been motivated to employ the teachings of Wildberger for the benefits achieved from the flexibility of a system that enables a wide variety of factors in the generation of profile information. (Wildberger ¶ 050, ll 1-21)  

Furthermore for Claim 10, Deardorff discloses wherein processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to perform operations. (Deardorff ¶ 029, ll 1-14: general purpose computer activated by a computer program stored in a computer readable storage medium for performing operations; ¶ 012, ll 4-5: processor executing instructions stored on a memory (i.e. storage media) to classify network activity data)

Regarding Claims 2, 11, Deardorff-Ayyagari-Wildberger discloses the method of claim 1 and the system of claim 10, wherein the set of virtual entities includes one or more virtual machines or containers hosted on one or more physical machines. (Deardorff ¶ 035, ll 1-9: network analysis techniques are implemented and autonomous; wide distribution of virtual security appliances 

Regarding Claims 3, 12, Deardorff-Ayyagari-Wildberger discloses the method of claim 1 and the system of claim 10, wherein creating the profile further comprises: creating a connections group when a virtual entity in the set of virtual entities is identified as having similar network behavior with the connections group. (Deardorff ¶ 067, ll 1-7: behavioral profile module creating or defining profiles; analyzes network activity data in order to create profiles representing entity behavior; ¶ 069, ll 1-5: data regarding created profiles stored in one or more databases; ¶ 068, ll 1-5: profile module groups instances of similar network activity data together; assign a label indicative of the type of behavior exhibited; (i.e. member of a group))   

Regarding Claims 9, 18, Deardorff-Ayyagari-Wildberger discloses the method of claim 1 and the system of claim 10, further comprising:
a)  reporting the anomaly, when an anomaly has been detected; and 
b)  taking a mitigating activity, when an anomaly has been detected. (Deardorff ¶ 036, ll 6-10: issue alerts (i.e. reporting the anomaly) to inform user of anomalous activity; review any data associated with alert and perform any appropriate action (i.e. mitigating activity); ¶ 087, ll 1-9: detect anomalies upon entity exhibiting behavior that is unexpected based on its assigned behavioral profile)    

4.        Claims 4, 13 are rejected under 35 U.S.C. 103 as being unpatentable over Deardorff in view of Ayyagari and further in view of Wildberger and Baumard (US PGPUB No. 20160078365).

Regarding Claims 4, 13, Deardorff-Ayyagari-Wildberger discloses the method of claim 3 and the system of claim 12. 
Deardorff-Ayyagari-Wildberger does not explicitly disclose a set of probabilistic distributions over values of a large set of factors. 
However, Baumard discloses wherein creating the profile further comprises: including a set of probabilistic distributions over values of a large set of factors, wherein the factors represent an aspect of the behavior of the virtual entity. (Baumard ¶ 023, ll 12-23: compares probability distribution of a normal system over time with the frequency distribution of incoming behaviors; modelling data distributions and then estimating probability of a deviation from known probabilities of distribution associated with these behaviors; efficient for recognition of known entities within large data sets)  
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Deardorff-Ayyagari-Wildberger for a set of probabilistic distributions over values of a large set of factors as taught by Phan. One of ordinary skill in the art would have been motivated to employ the teachings of Phan for the benefits achieved from a system that enables the utilization of an extensive set of anomaly detection methods.  (Baumard ¶ 023, ll 12-23)    

5.        Claims 5 - 8, 14 - 17 are rejected under 35 U.S.C. 103 as being unpatentable over Deardorff in view of Ayyagari and further in view of Wildberger and Baumard and Phan et al. (US PGPUB No. 20200057956).

Regarding Claims 5, 14, Deardorff-Ayyagari-Wildberger-Baumard discloses the method of claim 4 and the system of claim 13, wherein the factors of the large set of factors include observable and unobservable factors, and the factors may be learned from observable factors. (Deardorff ¶ 034, ll 1-10: observing, tracking, and identifying patterns in activity actions across a variety of tool sets and systems, and patterns observed upon one or more networks; profile the intent and predict possible future activity based on observed behavior and recognized intent (i.e. unobserved behavior))   
Deardorff-Ayyagari-Wildberger-Baumard does not explicitly disclose factors learned from probabilistic dependencies.
However, Phan discloses wherein factors may be learned from the probabilistic dependencies. (Phan ¶ 017, ll 1-7: anomaly detection via dependency graph; identify behavior outside of a defined norm that constitutes normal behavior; anomaly detection algorithm is based on probabilistic model and detects anomalies with higher accuracy and fewer false alarms)    
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Deardorff-Ayyagari-Wildberger-Baumard for factors learned from probabilistic dependencies as taught by Phan.  One of ordinary skill in the art would have been motivated to employ the teachings of Phan for the benefits achieved from a system that enables the determination of anomalies utilizing an extensive set of anomaly detection mechanisms.  (Phan ¶ 017, ll 1-7)  

Regarding Claims 6, 15, Deardorff-Ayyagari-Wildberger-Baumard discloses the method of claim 5 and the system of claim 14, wherein the aggregated learned distribution of values of all the factors represents a modeled baseline of the virtual entity’s observed behavior or internal state. (Deardorff ¶ 071, ll 3-12: through modelling processes, system can issue alerts based on activity or behavior that deviates from what is expected; (model indicates a specific behavior pattern))    

Regarding Claims 7, 16, Deardorff-Ayyagari-Wildberger-Baumard discloses the method of claim 6 and the system of claim 15, wherein determining whether anomalies have been detected further comprises: checking the updated profiles to determine if significant deviations in values exceed a threshold of normal virtual entity behavior. (Deardorff ¶ 100, ll 1-6: a statement that a value exceeds a threshold in the resolution of a relevant system; (i.e. indicated action completed when threshold value is exceeded); ¶ 036, ll 6-10: issue alerts to inform user of anomalous activity (i.e. threshold exceeded); review any data associated with alert and perform any appropriate action)

Regarding Claims 8, 17, Deardorff-Ayyagari-Wildberger-Baumard discloses the method of claim 7 and the system of claim 16, wherein checking whether the significance of the deviations takes into account both the difference between the expected and actual numeric values of a factor, and the uncertainty in the expected values and the uncertainty in the measurement of the actual observation. (Deardorff ¶ 034, ll 1-10: observing, tracking, and identifying patterns in   

6.        Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Deardorff in view of Ayyagari and further in view of Wildberger and Liisberg et al. (US PGPUB No. 20170262325). 

Regarding Claim 19, Deardorff-Ayyagari-Wildberger discloses the system of claim 18, wherein the system is further configured to: include a virtual entity associated with an anomaly. (Deardorff ¶ 036, ll 6-10: issue alerts to inform user of anomalous activity; review any data associated with alert and perform any appropriate action; ¶ 036, ll 6-10: issue alerts to inform user of anomalous activity; review any data associated with alert and perform any appropriate action)
Deardorff-Ayyagari-Wildberger does not specifically disclose blocking a virtual entity associated with an anomaly.
However, Liisberg discloses wherein block a virtual entity associated with an anomaly. (Liisberg ¶ 033, ll 1-9: if an anomaly is detected, sending a signal which ensures that communication associated with processes is disrupted (i.e. communication blocked))    
  

Response to Arguments
8.    Applicant’s arguments, see Arguments/Remarks Made in an Amendment, filed 12-15-2021, with respect to the rejection(s) under Deardorff in view of Ayyagari have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Deardorff in view of Ayyagari and further in view of Wildberger. 

A.  Applicant argues on page 7 of Remarks:    ...   The cited reference does not teach or suggest the claim elements “creating a virtual entity group profile for a group of the virtual entities having a same expected network behavior,”   ...   . 

    The Examiner respectfully disagrees.  Deardorff discloses the capability to generate groups that have similar characteristics (i.e. based on claim language at that time) for virtual entities.  (Deardorff ¶ 067, ll 1-7: behavioral profile module creating or defining profiles; analyzes network activity data in order to create profiles representing entity (or multiple entities) behavior; ¶ 069, ll 1-5: data regarding created profiles stored in one or more 
    And, Wildberger discloses the capability to generate groups for entities (i.e. virtual entities) that are “expected” to have the same characteristics (i.e. amended claim language). (Wildberger ¶ 050, ll 1-21: digital profile contains some quantified metrics describing client's expected behavior, desires, and moods, among others; predictions generated on a probabilistic basis, and include contextual factors, such as time of day, season, weather, traffic conditions; platform configured to extract, data representations (e.g., vectors, variables, scores) based on client's expected behavior (e.g., going to the gym), desires (e.g., desires coffee in the morning), or moods (e.g., in a rush, angry), and these representations are stored (e.g., appended) onto digital profile)   

B.  Applicant argues on page 8 of Remarks:    ...   Deardorff is not describing creating a profile for a group of “virtual entities.”   ...   . 

    The Examiner respectfully disagrees.  Deardorff discloses the generation of profile information associated with a set of network entities. (Deardorff ¶ 067, ll 1-7: behavioral profile module tasked with creating or otherwise defining profiles; behavioral profile module analyzes network activity data in manner to create profiles that represent entity behavior; ¶ 069, ll 1-5: data regarding created profiles is stored in the one or more databases; stored includes behavior or behavioral patterns that are exhibited by entities (multiple network virtual entities) associated with a particular profile; (profile information 
    And, Deardorff discloses a network environment comprising a set of virtual entities.  By definition, a virtual entity (i.e. virtual computing instance) is hosted by a portion or an entire physical computing system in order to enable execution. (Deardorff ¶ 058, ll 1-7: configured to analyze multiple outputs to determine whether received network activity is generated by an automated process; ¶ 035, ll 1-9: network analysis techniques are autonomous; wide distribution of virtual security appliances across multiple cloud environments; distribution of virtual security appliances across multiple cloud environments (i.e. by definition a virtual entity is hosted upon a portion or an entire physical machine))

C.  Applicant argues on page 8 of Remarks:    ...   The “behavior profile” in Deardorff does not correspond to an actual group of entities.

    The Examiner respectfully disagrees.  Deardorff discloses the generation of profile information associated with a set of network entities. (Deardorff ¶ 067, ll 1-7: behavioral profile module tasked with creating or otherwise defining profiles; behavioral profile module analyzes network activity data in manner to create profiles that represent entity behavior; ¶ 069, ll 1-5: data regarding created profiles is stored in the one or more databases; stored includes behavior or behavioral patterns that are exhibited by entities (multiple network virtual entities) associated with a particular profile; (profile information associated with multiple entities)) 

D.  Applicant argues on page 8 of Remarks:    ...   the grouping in Deardorff is made based on actually observed network activity data, whereas the grouping of “virtual entities” in the claim is made based on the “expected network behavior” of the entities.

    The Examiner respectfully disagrees.  Deardorff discloses the capability to generate groups that have similar characteristics (i.e. based on claim language for the previous Office Action) for virtual entities.  (Deardorff ¶ 067, ll 1-7: behavioral profile module creating or defining profiles; analyzes network activity data in order to create profiles representing entity (or multiple entities) behavior; ¶ 069, ll 1-5: data regarding created profiles stored in one or more databases; ¶ 070, ll 1-7: profile may be previously defined (i.e. profiles may not be previously defined, created)); ¶ 068, ll 1-5: profile module groups instances of similar network activity data together; (member of a group)
    And, Wildberger discloses the capability to generate groups for entities (i.e. virtual entities) that are “expected” to have the same characteristics (i.e. amended claim language). (Wildberger ¶ 050, ll 1-21: digital profile contains some quantified metrics describing client's expected behavior, desires, and moods, among others; predictions generated on a probabilistic basis, and include contextual factors, such as time of day, season, weather, traffic conditions; platform configured to extract, data representations (e.g., vectors, variables, scores) based on client's expected behavior (e.g., going to the gym), desires (e.g., desires coffee in the morning), or moods (e.g., in a rush, angry), and these representations are stored (e.g., appended) onto digital profile)   

E.  Applicant argues on page 8 of Remarks: The cited references also do not teach or suggest the claim elements “create a virtual entity group profile for a group of the virtual entities having a same expected network behavior” in amended claim 10 and “creating a virtual entity group profile for a group of the virtual entities having a same expected network behavior” in amended claim 20. 

    Responses to arguments against independent claim 1 also answer arguments against independent claims 10 and 20, which have similar limitations as independent claim 1.    

F.  Applicant argues on page 8 of Remarks: The Dependent Claims Are Patentable over the Cited References.  

    Responses to arguments against the independent claims also answer arguments against the associated dependent claims.    

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen can be reached on 571-272-6967. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/KYUNG H SHIN/
Primary Examiner, Art Unit 2452
2-17-2022