Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The previous NFOA mailed on 02-18-2022 is hereby withdrawn and replaced with this supplemental NFOA, which contains modified election/restriction form paragraphs.

Election/Restrictions
Restriction to one of the following inventions is required under 35 U.S.C. 121:
I. Claims 1 – 12 and 16 – 20, drawn to a system for identifying process profiles based on the determined process identifier’s activity, evaluating the determined process identifier’s activities against the identified process profiles’ activities, and determining abnormality if any, classified under H04L63/1416 and H04L63/1425 ({Event detection, e.g. attack signature detection} and {Traffic logging, e.g. anomaly detection} respectively).
II. Claims 13 – 15, drawn to determining a classification type based on a hierarchical scope of classification of the normal activities described, classified under G06N3/0463, G06N20/00 and H04L63/102 ({Machine learning}, {Neocognitrons} and {Entity profiles} respectively).
The inventions are independent or distinct, each from the other, because they contain non-obvious variations: one is directed to methods for detecting abnormalities based on normal activity profiles, and the other involves hierarchical classification of normal activity profiles. The related inventions are distinct if: (1) the inventions as claimed are either not capable of use together or can have a materially different design, mode of operation, function, or effect; (2) the inventions do not overlap in scope, i.e., are mutually exclusive; and (3) the inventions as claimed
A telephone call was made to Attorney of record Steven Gilliam on February 15, 2022 to request an oral election to the above restriction requirement. Applicant elected claims 1 – 12 and 16 – 20 for the purposes of consideration and examination, and claims 13 – 15 were withdrawn from consideration. Applicant may submit evidence or identify such evidence now of record showing the inventions to be obvious variants or clearly admit on the record that this is the case. Where such evidence or admission is provided by applicant, if the examiner finds one of the inventions unpatentable over the prior art, the evidence or admission may be used in a rejection under 35 U.S.C. 103(a) of the other invention.
Applicant is reminded that upon the cancellation of claims to a non-elected invention, the inventorship must be corrected in compliance with 37 CFR 1.48(a) if one or more of the currently named inventors is no longer an inventor of at least one claim remaining in the application. A request to correct inventorship under 37 CFR 1.48(a) must be accompanied by an application data sheet in accordance with 37 CFR 1.76 that identifies each inventor by his or her legal name and by the processing fee required under 37 CFR 1.17(i).
The examiner has required restriction between product or apparatus claims and process claims. Where applicant elects claims directed to the product/apparatus, and all 




Information Disclosure Statement
The information disclosure statement (IDS) submitted is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


The terms “within at least one scope that includes the first endpoint;” and “a scope greater than” in claims 1 and 5, respectively, are relative terms which render the claims indefinite. The term “scope” is not defined by the claims, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. The term in claim 5 also lacks antecedent basis, as it is not clear whether it refers to the term used in claim 1 or to a new one. Therefore the dependent claims 2 – 12 are rejected for the same rationale.

Claim Rejections - 35 USC § 101 (Abstract Idea)
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1 – 7 and 10 – 12 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more, analyzed according to the 2019 Revised Patent Subject Matter Eligibility Guidance (“2019 PEG”). The claims recite determining process and endpoint identifiers, identifying process profiles based on the determined process identifier’s activity, evaluating the determined process identifier’s activities against the identified process profiles’ activities, and determining abnormality if any.
Step 1: Claim 1 does fall into one of the four statutory categories of method and system claims. Nevertheless, the claims are still considered an abstract idea for the following prongs and reasons.
Step 2A, Prong 1: The limitation of claim 1 recites: determining process and endpoint identifiers, identifying process profiles based on the determined process identifier’s activity, evaluating the determined process identifier’s activities against the identified process profiles’ activities, and determining abnormality if any. As drafted, this is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the human mind and/or with pen and paper without a generic computer. Nothing in the claim element precludes the step from practically being performed in the human mind and/or with pen and paper. For example, checking a student’s activity profile based on his/her identity and activities, compared to other students in a class or group, in any office or campus, can also be perceived to be done manually by a human in an orderly fashion. In the context of these claims, this encompasses determining an abnormality likelihood using a trained model.
Dependent claims 2 – 7 and 10 – 12, which in turn recite detecting the event information from monitoring the first process, determining the event information from an alarm, marking the alarm as a false positive, determining whether a first of the set of process profiles includes an entry that indicates a combination of an activity type indicated in the event information and a first path that at least partially matches a second path indicated in the event information, and normalizing the second path indicated in the event information, are mere structural addendums and are other steps that could be performed by a human manually with or without the need for a computer. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in a human mind but for the recitation of generic computer components, then it falls within the
Prong 2: This judicial exception is not integrated into a practical application. In particular, the claims do not recite any additional element beyond the routine steps of: determining process and endpoint identifiers, identifying process profiles based on the determined process identifier’s activity, evaluating the determined process identifier’s activities against the identified process profiles’ activities, and determining abnormality if any. The steps are recited at a high level of generality (i.e., as generic terms performing generic computer functions (spec. [0034]), such that they amount to no more than mere instructions to apply the exception using generic computer components). Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Therefore the claims are directed to an abstract idea.
Step 2B: The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, determining process and endpoint identifiers, identifying process profiles based on the determined process identifier’s activity, evaluating the determined process identifier’s activities against the identified process profiles’ activities, and determining abnormality if any amounts to no more than mere instructions to apply the exception using generic computer terms. Mere instructions to apply an exception using generic computer components cannot provide an inventive concept. The claims are not patent eligible. Therefore all the corresponding dependent claims 1 – 7 and 10 – 12 are also rejected for the same rationale.
Note: Claims 8 and 9 are not rejected under this statute, as they are considered significantly more and therefore statutory. Claims 8 and 9 recite synthesizing path elements, where synthesis happens on single or multiple bucket(s), and such synthesis using machine learning based modeling cannot be done in the human mind.

Claim Rejections - 35 USC § 101 (Non-Statutory)
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


The claimed invention is directed to non-statutory subject matter. Claim 16 does not fall within at least one of the four categories of patent eligible subject matter because claim 16 is directed to “An apparatus comprising: a processor; and a machine-readable medium having instructions” (software per se), a non-statutory subject matter. Claim 16 does not fall within at least one of the four categories of patent eligible subject matter because a computer-readable medium is non-statutory and does not fall in any of the four categories of process, manufacture, machine or composition, as it does not provide any hardware or tangible structure to the claim. Therefore all corresponding dependent claims 17 – 20 are also rejected for the same rationale.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1 – 12 and 16 – 20 are rejected under 35 U.S.C. 103 as being unpatentable over Schiappa et al (US 20160080419), hereafter Sch, and Wang (US 10122818), hereafter Wang.
Claim 1: Sch teaches a method comprising: determining, from event information, a first process identifier of a first process and an endpoint identifier of a first endpoint; ([0006] includes monitoring actions of the object in a device and determining a descriptor for each of the plurality of actions [0023] descriptor includes a specific identifier of the object and [0027] an identifier of a process);
identifying a set of one or more process profiles from a plurality of process profiles based, at least in part, on the process identifier and the endpoint identifier, ([0009] collecting a plurality of behaviors of data on an endpoint using a monitoring facility thereby forming a plurality of collected behaviors; processing the plurality of collected behaviors to obtain a baseline of known behaviors [0014-15] based on processes executing on endpoints);
wherein the set of process profiles indicates process activity of the first process determined to be statistically normal with respect to process activity of the first process on a plurality of endpoints within at least one scope that includes the first endpoint; ([0031] normalizing the action into a normalized action expressed independently from a hardware and software platform of the endpoint, thereby providing a normalized action, creating an observation for the normalized action that organizes the observation into a first identifier of an object associated with the action, a second identifier of the normalized action and collecting a plurality of observations for the endpoint and a relationship among the plurality of observations);
evaluating the event information against the set of process profiles to determine whether the event information conforms to at least a first of the set of process profiles; ([0012, 161] apply a rule in response to the specific behavior to detect a reportable event, the rule including a comparison to the baseline of known behaviors or [0147, 149] the rule compares at least one of the plurality of descriptors to a known or expected descriptor to identify an inconsistency);
Sch is silent on: and based on a determination that the event information does not conform to at least a first of the set of process profiles, indicating that the event information corresponds to an abnormality for the first process.
Analogous art Wang teaches and based on a determination that the event information does not conform to at least a first of the set of process profiles, indicating that the event information corresponds to an abnormality for the first process. (C11L23-30: device profile including at least one atypical or abnormal data point outside of the control limits such that the device profile is atypical or abnormal in comparison with the population profile (C2L4-6 population profile configured to define normal digital behavior and a normal operating range of the population), which provides a statistical conclusion that the device defining the device profile is behaving outside the normal behavior pattern or normal range of the population);
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sch to include the idea of detecting and indicating abnormality of process as taught by Wang thus avoiding user inconvenience, downtime, etc. (C6L41-42).
Claim 16: Sch teaches an apparatus comprising: a processor; and a machine-readable medium having instructions stored thereon that are executable by the processor to cause the apparatus to (Figs. 1, 2 and 10), identify a serialized plurality of processes from the plurality of processes based, at least in part, on an abnormal causality chain of processes indicated in event information for the plurality of processes; determine, based on inputting an indication of the serialized plurality of processes into a trained detection model, a likelihood that activity of the serialized ([0152] when certain colored objects include actions that interact/communicate/engage with other colored objects, the chain of events are monitored and patterns that are of interest are observed, detected, and reported, [266] collecting chains of observable actions performed by such threats it is possible to identify threats; [0006] includes monitoring actions of the object in a device and determining a descriptor for each of the plurality of actions [0023] descriptor includes a specific identifier of the object and [0027] an identifier of a process; [0009] collecting a plurality of behaviors of data on an endpoint using a monitoring facility thereby forming a plurality of collected behaviors; processing the plurality of collected behaviors to obtain a baseline of known behaviors [0014-15] based on processes executing on endpoints; [0031] normalizing the action into a normalized action expressed independently from a hardware and software platform of the endpoint, thereby providing a normalized action, creating an observation for the normalized action that organizes the observation into a first identifier of an object associated with the action, a second identifier of the normalized action and collecting a plurality of observations for the endpoint and a relationship among the plurality of observations; [296] rules utilize machine learning, where a rules engine learns the typical behaviors for processes, [0012, 161] apply a rule in response to the specific behavior to detect a reportable event, the rule including a comparison to the baseline of known behaviors or [0147, 149] the rule compares at least one of the plurality of descriptors to a known or expected descriptor to identify an inconsistency);

Analogous art Wang teaches determining a plurality of processes that do not conform to a plurality of process profiles corresponding to the plurality of processes; (C11L23-30: device profile including at least one atypical or abnormal data point outside of the control limits such that the device profile is atypical or abnormal in comparison with the population profile (C2L4-6 population profile configured to define normal digital behavior and a normal operating range of the population), which provides a statistical conclusion that the device defining the device profile is behaving outside the normal behavior pattern or normal range of the population);
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sch to include the idea of detecting and indicating abnormality of process as taught by Wang thus avoiding user inconvenience, downtime, etc. (C6L41-42).
Claim 2: the combination of Sch and Wang teaches the method of claim 1 further comprising detecting the event information from monitoring the first process on the first endpoint. (Sch: [0006] monitoring actions by a device, thereby providing a plurality of actions; determining a descriptor for each of the plurality of actions, thereby providing a plurality of descriptors).
Claim 3: the combination of Sch and Wang teaches the method of claim 1 further comprising determining the event information from an alarm. (Sch: [0005] applying a rule dependent on the descriptor in response to a second observed action of the object to detect a reportable event; and transmitting information to a threat management facility about the reportable event).
Claim 4: the combination of Sch and Wang teaches the method of claim 3 further comprising marking the alarm as a false positive based on a determination that the event information at least conforms to a first of the set of processes. (Sch: [0245] if a new version of a browser is released that behaves in a slightly different manner than a previous version, it could trigger a large number of false alarms and these false alarms are averted when [0014-15] monitoring at least one of the plurality of processes for compliance with the compliance policy).
Claim 5: the combination of Sch and Wang teaches the method of claim 1, wherein identifying the set of process profiles from the plurality of process profiles comprises identifying at least one process profile having a scope greater than the individual first process. (Sch: [0217] detecting a compromise is based on behavior observations, antivirus related observations, context from remote systems that has greater visibility and context than the endpoint in question and the like. Detecting a compromise is also or instead include receiving an IOC or receiving an IOC pattern from the endpoint that is indicative of a compromised state).
Claim 6: the combination of Sch and Wang teaches the method of claim 1, wherein evaluating the event information against the set of process profiles comprises determining whether a first of the set of process profiles includes an entry that indicates a combination of an activity type indicated in the event information and a first path that at least partially matches a second path indicated in the event information. (Sch: [0031] normalizing the action into a normalized action expressed independently from a hardware and software platform of the endpoint, thereby providing a normalized action, creating an observation for the normalized action that organizes the observation into a first identifier of an object associated with the action, a second identifier of the normalized action and collecting a plurality of observations for the endpoint and a relationship among the plurality of observations).
Claim 7: the combination of Sch and Wang teaches the method of claim 6 further comprising normalizing the second path indicated in the event information prior to evaluating the event information against the set of process profiles. (Sch: [0032] second object includes one or more additional normalized actions each having an additional object thereof... The observation includes one or more other normalized actions each having a child object depending therefrom. The object includes a normalized object expressed in a manner independent from the hardware and software of the endpoint, [0147, 149] the rule compares at least one of the plurality of descriptors to a known or expected descriptor to identify an inconsistency).
Claim 10: the combination of Sch and Wang teaches the method of claim 1, further comprising: based on a determination that the event information does not conform to at least a first of the set of process profiles, determining a causality graph corresponding to the first process. (Sch: [0014] the process is out, wherein the process does not conform to the compliance policy, thereby providing a plurality of in processes and a plurality of out processes; labeling each of a plurality of files on the endpoint as either in, wherein the file is encrypted using a remotely managed key ring, or the file is out, wherein the file is not encrypted using the remotely managed key ring, thereby providing a plurality of in files and a plurality of out files).
Claim 11: the combination of Sch and Wang teaches the method of claim 10, wherein determining the causality graph corresponding to the first process comprises determining at least one of a set of processes and a set of events that both directly and indirectly relate to the first process. (Sch: [0035] collecting a plurality of indications of compromise from an endpoint, each one of the indications of compromise based upon one or more actions on the endpoint and one or more descriptors and objects related thereto and [0313] the properties of an object are used as a metric to directly or indirectly measure the effectiveness of a given IOC reporting system).
Claim 12: the combination of Sch and Wang teaches the method of claim 10 further comprising inputting the causality graph or data generated from the causality graph into a trained detection model to determine likelihood that the causality graph corresponds to a threat or attack. (Sch: [0004] by tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform independent manner and [0296] rules utilize machine learning, where a rules engine learns the typical behaviors for processes. While the evaluation tool generally analyzes circumstances for malicious behavior, the malicious behavior is identified because it deviates from a normal or expected behavior of an object).
Claim 17: the combination of Sch and Wang teaches the apparatus of claim 16, wherein the machine-readable medium further has stored thereon instructions executable by the processor to cause the apparatus to determine the abnormal causality chain of processes indicated in the event information based, at least in part, on the plurality of processes and a causality graph corresponding to the plurality of processes. (Sch: [0152] when certain colored objects include actions that interact/communicate/engage with other colored objects, the chain of events are monitored and patterns that are of interest are observed, detected, and reported. If a browser process attempts to interact with a non-browser process, this action is detected, which includes detection using the colorization (the browser process colored ‘x’ and the non-browser process colored ‘y,’ where ‘x’ and ‘y’ processes interacting together triggers an IOC)).
Claim 18: the combination of Sch and Wang teaches the apparatus of claim 17, wherein the instructions executable by the processor to cause the apparatus to determine the abnormal causality chain of processes indicated in the event information comprise instructions to, identify a set of one or more causality chains of processes indicated in the event information based, at least in part, on the plurality of processes and a causality graph corresponding to the plurality of processes; and detect the abnormal causality chain of processes based, at least in part, on statistics from event information corresponding to causality chains for the plurality of processes. (Sch: [0249] if no malicious activity is identified the IOCs are encoded together with related IOCs and reported to the threat management facility. IOCs are encoded in any suitable manner, such as with a graph of dependencies, with an XML schema, or any other suitable description, [0266-267] by normalizing these observations and collecting chains of observable actions performed by such threats it is possible to identify such threats… By normalizing these observations into a well-defined schema of objects, colors, and actions it is possible to describe IOCs from malicious software using language that does not rely on a specific type of computer system. Patterns showing IOCs within a collected data set of normalized objects, colors, and actions thus be applicable on different platforms. These patterns are used to detect malicious software operating within the computer system without prior knowledge of the precise implementation of…, the malicious software).
Claim 19: the combination of Sch and Wang teaches the apparatus of claim 17, wherein the machine-readable medium further has stored thereon instructions executable by the processor to (Sch: [0307, 313-317] metrics are used to directly or indirectly measure the effectiveness of a given IOC reporting system, the properties of an object are used as a metric to directly or indirectly measure the effectiveness of a given IOC reporting system. The properties of an object include a hierarchy, a controlling executable, a loaded file, a color, and so forth. Performance also or instead be used as a metric to directly or indirectly measure the effectiveness of a given IOC reporting system, [136, 141] Observing an action includes detecting any observable action on the endpoint related to the object, such as wherever an API is used by the object, or to access the object, or the like).
Claim 20: the combination of Sch and Wang teaches the apparatus of claim 16, wherein the trained detection model is a machine- learning based model. (Sch: [0296] rules utilize machine learning, where a rules engine learns the typical behaviors for processes).
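The claimed evaluation of event information against process profiles (claims 1, 4, 5, 6 and 7 as mapped above), as an added illustration that is not part of this Office action, the application, or the cited references; the profile layout, the scope ordering, the path-normalization rules and the sample events are all assumed for the example.

```python
"""Added illustration (not from the Office action, the application or the
cited references) of evaluating event information against process profiles.
Profile contents, normalization rules and sample events are constructed."""
from dataclasses import dataclass, field
import posixpath
import re

# Scopes ordered from narrowest to widest; each wider scope covers more endpoints (claim 5).
SCOPE_ORDER = ("endpoint", "group", "global")

@dataclass(frozen=True)
class Event:
    process_id: str      # process identifier (constructed: an executable name)
    endpoint_id: str     # endpoint identifier
    activity_type: str   # e.g. "file_write", "net_connect"
    path: str            # raw path as reported by the sensor

@dataclass
class ProcessProfile:
    process_id: str
    scope: str                      # "endpoint", "group" or "global"
    endpoints: frozenset            # endpoints whose statistics the profile covers
    entries: set = field(default_factory=set)  # {(activity_type, normalized path prefix)}

_USER_DIR = re.compile(r"^(/users|/home)/[^/]+")

def normalize_path(raw: str) -> str:
    """Claim 7: normalize the event path before evaluation. Assumed rules:
    backslashes to slashes, drive letter dropped, case folded, '..' resolved,
    per-user home directories collapsed to a placeholder."""
    p = raw.replace("\\", "/")
    p = re.sub(r"^[a-zA-Z]:", "", p)
    p = posixpath.normpath(p.lower())
    return _USER_DIR.sub("/<user>", p)

def select_profiles(profiles, event):
    """Claim 1: profiles for this process whose scope includes the event's endpoint."""
    return [pr for pr in profiles
            if pr.process_id == event.process_id and event.endpoint_id in pr.endpoints]

def entry_matches(entry, event):
    """Claim 6: same activity type and the profile path partially (prefix) matches
    the event path; the trailing '/' check avoids matching '/a/b' against '/a/bc'."""
    activity, prefix = entry
    path = normalize_path(event.path)
    return (activity == event.activity_type
            and (path == prefix or path.startswith(prefix.rstrip("/") + "/")))

def conforms(profile, event):
    return any(entry_matches(e, event) for e in profile.entries)

def evaluate(profiles, event):
    """Return (verdict, scope of the matching profile or None): 'normal' when at
    least one selected profile has a matching entry, otherwise 'abnormal'."""
    selected = sorted(select_profiles(profiles, event),
                      key=lambda pr: SCOPE_ORDER.index(pr.scope))
    for pr in selected:
        if conforms(pr, event):
            return "normal", pr.scope
    return "abnormal", None

def triage_alarm(profiles, event):
    """Claim 4: an alarm whose event conforms to a profile is marked a false positive."""
    verdict, _ = evaluate(profiles, event)
    return "false_positive" if verdict == "normal" else "escalate"

# Constructed sample profiles: per-endpoint, per-group and global statistics for one process.
PROFILES = [
    ProcessProfile("updater.exe", "endpoint", frozenset({"host-01"}),
                   {("file_write", "/programdata/updater/cache")}),
    ProcessProfile("updater.exe", "group", frozenset({"host-01", "host-02", "host-03"}),
                   {("file_write", "/programdata/updater"), ("net_connect", "/tcp/443")}),
    ProcessProfile("updater.exe", "global", frozenset({"host-01", "host-02", "host-03", "host-09"}),
                   {("file_write", "/<user>/appdata/local/temp")}),
]

if __name__ == "__main__":
    samples = [  # constructed events
        Event("updater.exe", "host-01", "file_write", r"C:\ProgramData\Updater\Cache\pkg.bin"),
        Event("updater.exe", "host-03", "file_write", r"C:\Users\alice\AppData\Local\Temp\x.tmp"),
        Event("updater.exe", "host-03", "file_write", r"C:\Users\alice\Documents\notes.docx"),
        Event("updater.exe", "host-09", "net_connect", "/tcp/4444"),
    ]
    for ev in samples:
        print(ev.endpoint_id, ev.activity_type, ev.path, "->",
              evaluate(PROFILES, ev), triage_alarm(PROFILES, ev))
```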

Allowable Subject Matter
Claims 8 and 9 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892. Any inquiry concerning this communication or earlier communications from .
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on 5712727624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/BADRINARAYANAN /Examiner, Art Unit 2496.