Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Regarding claims 1, 8, and 15, “In response to determining that the anomaly impacts…exceed” is indefinite.  With respect to the instant specification one of ordinary skill in the art would not be able to determine an anomaly impact or how it related to an alerting threshold.  An anomaly impact is not a term that would be readily recognized by one of ordinary skill in the art.  In the interest of further examination an anomaly impact is interpreted as any value related to the anomaly.

The remaining claims are rejected with respect to their dependence on the rejected claims.

Claim Rejections - 35 USC § 101
101 Rejection
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 USC § 101 because the claimed invention is directed to non-statutory subject matter.

Regarding Claim 1:  Claim 1 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Step 1 Analysis: Claim 1 is directed to a method, which is directed to a process, one of the statutory categories.
Step 2A Prong One Analysis:  Claim 1 recites a computer implemented method of anomaly detection, which, under its broadest reasonable interpretation is a series of mental processes.  For example, but for the generic computer components language, the above limitations in the context of this claim encompass neural network processing, including the following: 
Clustering…operational data reported from a network into a plurality of anomalies organized into geographic clusters, topological clusters, and call flow clusters (observation, evaluation, and judgement),
correlating…alerts received from devices in the network according to the geographic clusters, the topological clusters, and the call flow clusters (observation, evaluation, and judgement)
Determining…anomaly impacts in the geographic clusters, the topological clusters, and the call flow clusters from the alerts (observation, evaluation, and judgement)
identifying a first shared node in the first cluster (observation, evaluation, and judgement)
identifying a second cluster including a second shared node matching the first shared node that has not been determined to exceed the alerting threshold (observation, evaluation, and judgement)
Therefore, claim 1 recites an abstract idea which is a judicial exception.
Step 2A Prong Two Analysis:  Claim 1 recites additional elements “neural network”. However, these additional features are computer components recited at a high-level of generality, such that they amount to no more than mere instructions to apply the judicial exception using a generic computer component.  An additional element that merely recites the words “apply it” (or an equivalent) with the judicial exception, or merely includes instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea, does not integrate the judicial exception into a practical application.  Claim 1 also recites additional insignificant extra-solution activity “transmitting an alert for the first cluster and the second cluster” which amounts to outputting data.  Claim 1 also recites additional elements “updating, via the second neural network, the first neural network” which amounts to generally linking the judicial exception to a particular technology or field of use.  Therefore, claim 1 is directed to a judicial exception.
Step 2B Analysis:  Claim 1 does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to the lack of integration of the abstract idea into a practical application, the additional elements recited in claim 1 amount to no more than mere instructions to apply the judicial exception using a generic computer component.
For the reasons above, claim 1 is rejected as being directed to non-patentable subject matter under §101. This rejection applies equally to independent claims 8 and 15, which recite a system and a computer program product, respectively, as well as to dependent claims 2-7, 9-14, and 16-20. The additional limitations of the dependent claims are addressed briefly below:
Dependent claims 2, 9, and 16 recite additional insignificant extra-solution activity of gathering and outputting data “wherein the operational data is gathered via data pipelines defined in the network for associated Key Performance Indicators that store the operational data in a data lake accessible to the first neural network for a predetermined length of time”
Dependent claims 3, 10, and 17 recite additional observation, evaluation, and judgement “wherein a device represented by the first shared node in the first cluster is also included as a non-shared node in a third cluster, wherein the alert does not include the third cluster”.
Dependent claims 4, 11, and 18 recite additional observation, evaluation, and judgement “normalizing the operational data by removing outliers from the operational data”, and “smoothing the operational data by adding predicted data points to represent data points missing from the operational data”.
Dependent claims 5, 12, and 19 recite additional insignificant extra-solution activity of gathering and outputting data “transmitting the response to at least one device included in the first cluster.”
Dependent claims 6, 13, and 20 recite additional observation, evaluation, and judgement “wherein the alerting threshold is dynamically adjusted based on a number of end users affected by a given alert.”
Dependent claims 7 and 14 recite additional insignificant extra-solution activity “wherein the call flow clusters group devices connected to the network together based on characteristics selected from a group comprising: operating system type; application identifiers; device type; and mode of operation.” which amounts to selection of a data type.

Therefore, when considering the elements separately and in combination, they do not add significantly more to the inventive concept. Accordingly, claims 1-20 are rejected under 35 U.S.C. § 101.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4-5, 7-8, 11-12, 14-15, and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Liu (“Generative Adversarial Active Learning for Unsupervised Outlier Detection”, 2018) and in view of Mestha (US 20180159879 A1). 

Regarding claim 1, Liu teaches in response to determining that the anomaly impacts for a first cluster exceed an alerting threshold: ([p. 3 Col. 2 Sec. 3.1] "Our goal is to find a division boundary that can separate outliers from normal data effectively. To describe this boundary, we construct a scoring function ζ(x) ∈ (0, 1)" Scoring function interpreted as synonymous with anomaly impact.  Threshold tau interpreted as synonymous with alerting threshold.).
identifying a first shared node in the first cluster; ([p. 3 Col. 2 Sec. 3.1] "when xi is drawn from X").
identifying a second cluster including a second shared node matching the first shared node that has not been determined to exceed the alerting threshold; and ([p. 3 Col. 2 Sec. 3.1] "We generate n data points from the reference distribution µ as the potential outliers (shown with grey dots in Fig.1(b)); and then introduce a classifier C(x) ∈ (0, 1) to distinguish them from the original dataset X where yi is labeled as 1 or 0 when xi is drawn from X or µ, respectively" Liu teaches that data points are generated from second cluster but in the case they do not exceed the alerting threshold then they match the first shared node from the first cluster.).
transmitting an alert for the first cluster and the second cluster; and ([p. 3 Col. 2 Sec. 3.1] "classifier C(x) ∈ (0, 1) to distinguish them from the original dataset X where yi is labeled as 1 or 0 when xi is drawn from X or µ, respectively" ).
in response to receiving a response to the alert, updating, via the second neural network, the first neural network. ([p. 2 Col. 1] “In this paper, we firstly propose a novel outlier detection method based on the recent generative adversarial learning framework [25], which we call Single-Objective Generative Adversarial Active Learning (SO-GAAL). Specifically, it performs a mini-max game between two adversarial components — a generator and a discriminator, which can also be considered as an active learning process in our models” [p. 7 Col. 1 Algorithm 1] Generator is updated via the Discriminator in response to receiving subset of alerts. Generator interpreted as synonymous with first neural network, discriminator interpreted as synonymous with second neural network. Generative Adversarial Networks by definition involve two neural networks which train competitively against one another. [p. 4 Col. 2] “The network structure and detection process of SO-GAAL can be illustrated in Fig. 3, where both generator G and discriminator D are multi-layer neural network.”). 
However, Liu does not explicitly teach A method, comprising: clustering, via a first neural network, operational data reported from a network into a plurality of anomalies organized into geographic clusters, topological clusters, and call flow clusters; 
correlating, via the first neural network, alerts received from devices in the network according to the geographic clusters, the topological clusters, and the call flow clusters; 
determining, via a second neural network, anomaly impacts in the geographic clusters, the topological clusters, and the call flow clusters from the alerts;  

Mestha, in the same field of endeavor of anomaly detection teaches A method, comprising: clustering, via a first neural network, operational data reported from a network into a plurality of anomalies organized into geographic clusters, topological clusters, and call flow clusters; ([Abstract] "At least some received monitoring node values may be processed with a deep learning model to determine parameters of the deep learning model" [¶0036] "Note that many different types of features may be utilized in accordance with any of the embodiments described herein...include deep learning features... include logical features (with semantic abstractions such as “yes” and “no”), geographic/position locations, and interaction features (mathematical combinations of signals from multiple threat nodes and specific locations)" Interaction feature location identification interpreted as synonymous with topological clustering, interaction feature signal identification interpreted as synonymous with call flow clustering.).
correlating, via the first neural network, alerts received from devices in the network according to the geographic clusters, the topological clusters, and the call flow clusters; ([¶0036] “Embodiments may also be associated with time series analysis features, such as cross-correlations, auto-correlations…... include logical features (with semantic abstractions such as “yes” and “no”), geographic/position locations, and interaction features (mathematical combinations of signals from multiple threat nodes and specific locations)" Interaction feature location identification interpreted as synonymous with topological clustering, interaction feature signal identification interpreted as synonymous with call flow clustering.).
determining, via a second neural network, anomaly impacts in the geographic clusters, the topological clusters, and the call flow clusters from the alerts; ([¶0039] "A real-time threat detection platform 750 may receive the boundaries along with streams of data from the monitoring nodes. The platform 750 may include a feature extraction on each monitoring node element 752 and a normalcy decision 754 with an algorithm to detect attacks in individual signals using sensor specific decision boundaries, as well rationalize attacks on multiple signals, to declare which signals were attacked, and which became anomalous due to a previous attack on the system via a localization module 756. An accommodation element 758 may generate outputs 770, such as an anomaly detection indication" [¶0069] "At S1430, the system may use the decision boundary to classify whether a feature vector of new data corresponds to “normal” or “attack” data. Note that a preprocessing step might be performed prior to S1410 to get the data into a proper form for the autoencoder." [¶0071] "As used herein, the term “autoencoder” may refer to a feedforward artificial neural network" Mestha explicitly teaches that the autoencoder performs the algorithm for threat determination and that the autoencoder may refer to a neural network, therefore the algorithm is interpreted as synonymous with a second neural network.). 

Liu and Mestha are both directed towards using a neural network for classification.  It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to have combined the teachings of Liu with the teachings in Mestha by implementing the specialized characterization described in Mestha with the detailed GAN implementation described in Liu. Liu teaches a generative adversarial network utilizing clustering for anomaly detection, and Mestha teaches a method for anomaly detection specialized for a particular field which more closely resembles that of the instant.  Mestha explicitly teaches using a neural network with featurization of the specific categories mentioned in the instant. Liu describes the benefit of this neural network implementation ([p. 3 Col. 1 Sec. 2.3] “the representations learned by GAN and its improved models can achieve state-of-the-art performance in a variety of applications, e.g., image synthesis, superresolution, visual sequence prediction and semantic image inpainting. Therefore, increasing attention in the field of outlier detection is focused on this emerging technique. Schlegl et al. [8] propose a deep convolutional generative adversarial network (AnoGAN) that evaluates the posterior probability of test samples generated by the same generative model to discover abnormal marker in medical images...However, they all consider GAN as a feature extractor or re-constructor, which is quite different from our models. Moreover, to deal with the mode collapsing problem, for the GAN-based models, we also extend the model from a single generator (SO-GAAL) to multiple generators with different objectives (MO-GAAL)”).

Regarding claim 4, the combination of Liu, and Mestha teaches The method of claim 1, further comprising: prior to clustering the operational data: normalizing the operational data by removing outliers from the operational data; and (Mestha [¶0087] "Note that the feature-based approaches described herein may allow for extended feature vectors and/or incorporate new features into existing vectors as new earnings and alternate sources of data become available.  As a result, embodiments may detect a relatively wide range of cyber-threats (e.g., stealth, replay, covert, injection attacks, etc.) as the systems learn more about their characteristics. Embodiments may also reduce false positive rates as systems incorporate useful key new features and remove ones that are…less important" Mestha does not teach clustering the operational data, therefore removing outliers from the data is interpreted as explicitly synonymous with removing outliers from operational data prior to clustering.).
smoothing the operational data by adding predicted data points to represent data points missing from the operational data. (Mestha [¶0032] "multiple algorithmic methods (e.g., support vector machines or machine learning techniques) may be used to generate decision boundaries. Since boundaries may be driven by measured data (or data generated from high fidelity models), defined boundary margins may help to create a threat zone in a multi-dimensional feature space" Generating decision boundaries driven by measured data is interpreted as synonymous with smoothing the data by adding predicted data points.). 

Regarding claim 5, the combination of Liu, and Mestha teaches The method of claim 1, wherein the second neural network generates the response to the alert without user input, further comprising: (Liu [p. 3 Col. 2 Sec. 3.1] "classifier C(x) ∈ (0, 1) to distinguish them from the original dataset X where yi is labeled as 1 or 0 when xi is drawn from X or µ, respectively" Sorting sample into subset relative to cluster is interpreted as synonymous with transmitting an alert.  Alert in Liu is sent without user input.).
transmitting the response to at least one device included in the first cluster. (Mestha [¶0024] "calculate at least one “feature” for each monitoring node based on the received data, and “automatically” output a threat alert signal to one or more remote monitoring devices 150 when appropriate (e.g., for display to a user)"). 

Regarding claim 7, the combination of Liu, and Mestha teaches The method of claim 1, wherein the call flow clusters group devices connected to the network together based on characteristics selected from a group comprising: mode of operation. (Mestha [¶0036] "Note that many different types of features may be utilized in accordance with any of the embodiments described herein, including...interaction features (mathematical combinations of signals from multiple threat nodes and specific locations)" Featurizing based on signals from multiple threat nodes interpreted as synonymous with clustering based on mode of operation.). 

Regarding claim 8, claim 8 effectively mirrors claim 1 and is therefore rejected under a similar interpretation.

Regarding claim 11, claim 11 effectively mirrors claim 4 and is therefore rejected under a similar interpretation.

Regarding claim 12, claim 12 effectively mirrors claim 5 and is therefore rejected under a similar interpretation.
Regarding claim 14, claim 14 effectively mirrors claim 7 and is therefore rejected under a similar interpretation.
Regarding claim 15, claim 15 effectively mirrors claim 1 and is therefore rejected under a similar interpretation.

Regarding claim 18, claim 18 effectively mirrors claim 4 and is therefore rejected under a similar interpretation.

Regarding claim 19, claim 19 effectively mirrors claim 5 and is therefore rejected under a similar interpretation.

Claims 2, 9, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over the combination of Liu, and Mestha and in further view of Scherger (US 20200112489 A1).

Regarding claim 2, the combination of Liu and Mestha teaches The method of claim 1. However, the combination of Liu and Mestha does not explicitly teach wherein the operational data is gathered via data pipelines defined in the network for associated Key Performance Indicators that store the operational data in a data lake accessible to the first neural network for a predetermined length of time.  

Scherger, in the same field of endeavor of anomaly detection teaches wherein the operational data is gathered via data pipelines defined in the network for associated Key Performance Indicators that store the operational data in a data lake accessible to the first neural network for a predetermined length of time. ([¶0041] "Data collected from the network elements 215 by the collector 220 may be provided to a processing system 225 for further pre-processing before delivery to the ML system 230. For example, in various embodiments, the processing system 225 may be configured to perform sorting, organizing, and other data processing of the data obtained by the collector 220. In some embodiments, the processing system 225 may be configured to obtain, from a data lake compiled by the collector 220, various KPIs considered by the ML system 230 to predict failures in individual network elements" Storing data as disclosed in Scherger without an expected storage life is interpreted as anticipating an infinite storage length.). 

It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Liu, Mestha, and Scherger by implementing a data lake for storage. Mestha teaches as motivation ([¶0063] “An operating mode database may then be used to store the normalization function and/or normalized signals at S1230”).  The disclosure of Scherger would then make it obvious to one of ordinary skill in the art that the operational data to be used in the neural network for the anomaly detection may be stored in a data lake, and gathered via a data collection pipeline. Scherger explains the benefit to this would be ([¶0041] “to predict failures in individual network elements”) which is consistent with the interpreted intent of the instant.

Regarding claim 9, claim 9 effectively mirrors claim 2 and is therefore rejected under a similar interpretation.

Regarding claim 16, claim 16 effectively mirrors claim 2 and is therefore rejected under a similar interpretation.

Claims 3, 6, 10, 13, 17, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over the combination of Liu, and Mestha and in further view of Leibman (US20200007563A1). 

Regarding claim 3, the combination of Liu and Mestha teaches The method of claim 1, wherein the alert does not include the third cluster. (Mestha [¶0039] "The platform 750 may include a feature extraction on each monitoring node element 752 and a normalcy decision 754 with an algorithm to detect attacks in individual signals using sensor specific decision boundaries, as well rationalize attacks on multiple signals, to declare which signals were attacked, and which became anomalous due to a previous attack on the system via a localization module 756. An accommodation element 758 may generate outputs 770, such as an anomaly detection indication (e.g., threat alert signal)" Mestha explicitly teaches that threat alerts may be output in response to nodes relative to a decision boundary.  While Mestha does not explicitly teach wherein the alert does not include the third cluster, it would be obvious to one of ordinary skill in the art that Mestha implicitly teaches not alerting relative to a decision boundary, and that this would lead to a predictable and expected outcome.).  However, the combination of Liu and Mestha does not explicitly teach wherein a device represented by the first shared node in the first cluster is also included as a non-shared node in a third cluster. 

Leibman, in the same field of endeavor of anomaly detection teaches wherein a device represented by the first shared node in the first cluster is also included as a non-shared node in a third cluster, (See FIG. 2 Element 218B is a first shared node in a first cluster in 200A which is also included as a non-shared node in a third cluster in 200B). 

It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the third cluster in Leibman with the methods in Mestha and Liu. Liu teaches that the anomaly detection is dependent on multiple categorical cluster boundaries similar to Leibman.  Mestha further teaches that the anomaly detection involves sending alerts to a monitoring device similar to Leibman.  It would therefore be implied and obvious that a device represented by the first shared node could be a non-shared node in a third cluster.  The combination of Leibman is included to reinforce and explicitly teach the node being a non-shared node in a third cluster.

Regarding claim 6, the combination of Liu and Mestha teaches The method of claim 1. However, the combination of Liu and Mestha does not explicitly teach wherein the alerting threshold is dynamically adjusted based on a number of end users affected by a given alert.  

Leibman, in the same field of endeavor of anomaly detection teaches wherein the alerting threshold is dynamically adjusted based on a number of end users affected by a given alert. ([¶0029] "In some embodiments, components 130-134 can represent a plurality of user accounts operating within a social media network (i.e., an example of system 120)" [¶0038] "a parameter may include a size of the cluster (i.e., a number of grouped components)" [¶0046] "clustering unit 108 groups components 211A-219A into one or more clusters 202 based on the analyzed measurement information where each of clusters 202 includes at least a threshold number of components. This threshold number may be input by a user or a default parameter as set by a clustering algorithm" See also ¶0028 for a detailed explanation of the effect of users on anomaly perception.).

It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to add the user population based dynamic threshold adjustment in Leibman with the threshold taught in Liu. Leibman teaches as motivation ([¶0028] “The users' typical demand for video may vary widely from day-to-day depending on new content being released, breaking news announcements, or other factors that cannot be anticipated. For example, on days with breaking news, the streaming servers may experience higher network traffic not because any one server is operating anomalously per se; rather more users are streaming video due to external events (e.g., breaking news).”).  

Regarding claim 10, claim 10 effectively mirrors claim 3 and is therefore rejected under a similar interpretation.

Regarding claim 13, claim 13 effectively mirrors claim 6 and is therefore rejected under a similar interpretation.

Regarding claim 17, claim 17 effectively mirrors claim 3 and is therefore rejected under a similar interpretation.

Regarding claim 20, claim 20 effectively mirrors claim 6 and is therefore rejected under a similar interpretation.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Abbaszadeh (US 10805324 B2), Vasseur (US 2016/0219066A1).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SIDNEY VINCENT BOSTWICK whose telephone number is (571)272-4720.  The examiner can normally be reached on M-F 7:30am-5:00pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Miranda Huang can be reached on (571)270-7092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/SB/Examiner, Art Unit 2124


/MIRANDA M HUANG/Supervisory Patent Examiner, Art Unit 2124