Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Amendment
Applicant's arguments filed 2/14/22 have been fully considered but they are not persuasive.  However, upon further consideration a new grounds of rejection is attached and made non-final.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-5, 7-15, 17-19 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 line 3 specifies “the machine” and there is no antecedent basis for this phrase.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5, 7-13, 15, 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu (US 2017/0063894) in view of Murthy (US 2009/0259664) and Chari (US 2017/0061322).
Muddu discloses
1, 10,11, 20,21. A method for validating unsupervised machine learning models, (“the models used to generate the anomaly scores are machine-learning (both supervised and unsupervised”, 0618) comprising:
 preprocessing a plurality of sensory inputs associated with the machine, wherein the preprocessing includes extracting at least one feature from raw sensory data (“The target-side computer system collects machine data from the target computer network as the raw event data. The data intake and preparation stage creates an event feature set from raw event data pertaining to a single machine-observed event or a sequence of machine-observed events. The event feature set can include at least a subset of raw event data; metadata associated with the raw event data; transformed, summarized, and/or normalized representation of portions of the raw event data; derived attributes from portions of the raw event data; labels for portions of the raw event data; or any combination thereof”, 0274);
analyzing, via unsupervised machine learning, a plurality of sensory inputs associated with a machine (sensing electrical signals, packet data or machine data, “machine data can be more than mere logs--it can include configurations, data from APIs, message queues, change events, the output of diagnostic commands, call detail records, sensor data from industrial systems”, 0189;
“Examples of components that may generate machine data from which events can be derived include: web servers, application servers, databases, firewalls, routers, operating systems, and software applications that execute on computer systems, mobile devices, sensors, Internet of Things (IoT) devices, etc. The data generated by such data sources can include, for example, server log files, activity log files, configuration files, messages, network packet data, performance measurements, sensor measurements, etc., which are indicative of performance or operation of a computing system in an information technology environment”, 0135), wherein the unsupervised machine learning outputs at least one normal behavior pattern of the machine anomalies, which may be further analyzed to yield 10 threat indicators, which may again be further analyzed to yield one or two threats”, 0149;
“FIG. 82 shows a table listing example thresholds and/or parameters of a rarity criterion for various example events that can be used for determining whether an event is anomalous”, 0130; “If the variation is more than insignificant, the threshold for which may be dynamically or statically defined, an anomaly may be considered to be detected. The comparison may be based on any of various techniques, for example, time-series analysis (e.g., number of log-ins per hour), machine learning, or graphical analysis (e.g., in the case of security graphs or security graph projections). Preferably, this detection is performed by various machine learning mod”, 0186); 
Generating (does not specify who or what performs the generating), based on the at least one normal behavior pattern, at least one artificial anomaly, wherein each artificial anomaly deviates from the at least one normal behavior pattern; 
injecting the at least one artificial (see below) anomaly into the plurality of sensory inputs to create an artificial dataset (machines, processors, and/or humans can create anomalies and inject/input them, either unintentionally or as testing/training anomaly 1 is detected based on processing of event data 2302 through anomaly model 1. Anomaly 1 is then input into anomaly model 2 for processing”, 0392); and 
analyzing the artificial dataset to determine whether a candidate model is a valid representation of operation of the machine, wherein analyzing the artificial dataset further comprises running the candidate model using the artificial dataset as an input (data and models are analyzed and compared against thresholds “FIG. 82 shows a table listing example thresholds and/or parameters of a rarity criterion for various example events that can be used for determining whether an event is anomalous”, 0130; deliberating, “model deliberation process thread generates a security-related conclusion based on the score. The security-related conclusion can identify the event or the sequence of events corresponding to the time slice as a security-related anomaly, threat indicator or threat. In one example, the model deliberation process compares the score against a constant threshold and makes the security-related conclusion based on the comparison. In another example, the model deliberation process compares the score against a dynamically updated baseline (e.g., statistical baseline) and makes the security-related conclusion based on the comparison”, 0317; using scoring 0361 and thresholds 0365).
injecting the at least one artificial anomaly as well as validating unsupervised machine learning models. 
Chari teaches generating artificial anomalies (“Because anomalous samples are not readily available as input samples for developing the classifier for the target user 110, the present invention will utilize at least some of the normal data samples from other users 120, 130 who also access and use the same system or application 140, to serve as anomalous samples”, 0014, 0063).
Murthy teaches validating unsupervised machine learning models (“model validation tool and a model execution tool”, abstract; “Model deployment may occur in what is called the production environment and involves testing the accuracy of the model against customer data to determine if the model contains any bugs and if the model achieves the expected results. Model deployment may involve actual customer scoring”, 0032).
It would have been obvious to combine the references before the effective filing date because they are in the same field of endeavor and injecting both good and bad test data or anomaly data allows to score a model on both normal and abnormal data and have more real world data.  By extracting features of 2, 12. The method of claim 1, further comprising: determining, based on the analysis of the artificial dataset, a score representing an accuracy of the candidate model in detecting anomalies, wherein the candidate model is valid when the determined score is above a predetermined threshold (data and models are analyzed and compared against thresholds “FIG. 82 shows a table listing example thresholds and/or parameters of a rarity criterion for various example events that can be used for determining whether an event is anomalous”, 0130; 0365).3, 13. The method of claim 1, further comprising: selecting a new model, when it is determined that the candidate model is not valid (reads on training an retraining models because as model is retrained it can be said to be different model, “the model training process thread continuously retrains the model state as the group-specific data stream provides additional event feature sets”, 0314; “The ML-based CEP engine 1500 can implement multiple machine learning models of the same model type. For example, a model type can define a workflow for entity-specific models to be trained and applied. In this example, the ML-based CEP engine 1500 trains as many models of the model type as there trains and applies a single version of the machine learning model 1600, then a single model state represents the machine learning model 1600”, 0294;
“The model state is representative of a machine learning model or at least a version of a machine learning model (when there are multiple versions).”, 0296).5. The method of claim 1, wherein the analysis of the artificial dataset includes unsupervised machine learning, wherein the unsupervised machine learning analysis of the artificial dataset outputs at least one detected anomaly, wherein determining whether the candidate model is valid further comprises: determining whether the at least one detected anomaly includes the at least one artificial anomaly. Rather than argue that a “artificial anomaly” merely reads on any anomaly or e.g., a false positive anomaly, the examiner takes the position that Muddu fails to particularly call for artificial anomaly.
Barbadian teaches test data can be injected (“process test data to determine whether the test data represents anomalous or non -anomalous network traffic. As shown in FIG. 7B, the test data can first be subjected to a feature extraction and preprocessing process”, 0284).7, 17. The method of claim 1, further comprising: generating, based on the at least one normal behavior pattern, at least one adaptive threshold, wherein each artificial anomaly does not meet at least one of the at least one adaptive threshold (both anomalies and models are scored, Muddu: “If the variation is more than insignificant, the threshold for which may be dynamically or statically defined, an anomaly may be considered to be detected”, 0186, 0320, 0361, 0378;
Baradaran: “The network anomaly detector 730 can be designed, configured or constructed to detect an anomaly in network traffic by comparing the feature values determined by the feature value identifier 715 with the predetermined threshold values of the detection features in the anomaly detection profile”, 0281).8, 18. The method of claim 7, wherein each adaptive threshold includes at least one threshold value, wherein the at least one threshold value varies over time (both anomalies and models are scored over time, Muddu: “if the particular value has occurred enough times, e.g., exceeds the anomaly count threshold, in a specified time interval, the anomaly detection module 8040 may determine that the particular value is no longer considered an anomaly and may, therefore, dynamically adjust the rarity threshold and/or the anomaly count threshold, to minimize and/or stop identifying the particular value as corresponding to an anomaly.”, 0719, 0634;
“If the variation is more than insignificant, the threshold for which may be dynamically or statically defined, an anomaly may be considered to be detected”, 0186, 0320, 0361, 0378;
Baradaran: “The network anomaly detector 730 can be designed, configured or constructed to detect an anomaly in network traffic by comparing the feature values determined by the feature value identifier 715 with the predetermined threshold values of the detection features in the anomaly detection profile”, 0281).9, 19. The method of claim 1, wherein the plurality of sensory inputs associated with the machine are captured by at least one sensor in proximity to the machine, wherein each proximate sensor is within a predetermined distance of the machine (data can be from sensors or various types of machines/equipment; “In general, " machine data" can include performance data, diagnostic information and/or any of various other types of data indicative of performance or operation of equipment (e.g., an action such as upload, delete, or log-in) in a computing system, as described further below. In general, " machine data" as used herein includes timestamped event data, as discussed further machine data from which events can be derived include: web servers, application servers, databases, firewalls, routers, operating systems, and software applications that execute on computer systems, mobile devices, sensors, Internet of Things (IoT) devices, etc. The data generated by such data sources can include, for example, server log files, activity log files, configuration files, messages, network packet data, performance measurements, sensor measurements, etc., which are indicative of performance or operation of a computing system in an information technology environment”, 0135;  Applicant is reminded that shifting the location of parts does not make an invention patentable.  See In re Japikse, 86 USPQ 70 (CCPA 1950); In re Larson, 144 USPQ 347 (CCPA 1965); and Nerwin v. Erlichman, 168 USPQ 177).).
Claim Rejections - 35 USC § 103
Claims20-21 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu (US 2017/0063894) in view of Murthy (US 2009/0259664) and Chari (US 2017/0061322) and Lindemann (US 2016/0241552)
22, 21. (New) A system for unsupervised (“the models used to generate the anomaly scores are machine-learning (both supervised and unsupervised”, 0618) prediction of machine failures, comprising:
a processing circuitry; and
a memory, the memory containing instructions that, when executed by the
processing circuitry, configure the system to:
analyze, via unsupervised machine learning, a plurality of sensory inputs
associated with a machine (sensing electrical signals, packet data or machine data, “The target-side computer system collects machine data from the target computer network as the raw event data. The data intake and preparation stage creates an event feature set from raw event data pertaining to a single machine-observed event or a sequence of machine-observed events. The event feature set can include at least a subset of the raw event data; metadata associated with the raw event data; transformed, summarized, and/or normalized representation of portions of the raw event data; derived attributes from portions of the raw event data; labels for portions of the raw event data; or any combination thereof”, 0274;
“machine data can be more than mere logs--it can include configurations, data from APIs, message queues, change events, the output of diagnostic commands, call detail records, sensor data from industrial systems”, 0189;
“Examples of components that may generate machine data from which events can be derived include: web servers, application sensors, Internet of Things (IoT) devices, etc. The data generated by such data sources can include, for example, server log files, activity log files, configuration files, messages, network packet data, performance measurements, sensor measurements, etc., which are indicative of performance or operation of a computing system in an information technology environment”, 0135); wherein the unsupervised machine learning outputs at least one normal behavior pattern of the machine(anomalies are rare and normal good data is common, “hundreds of millions of packets of incoming event data from various data sources may be analyzed to yield 100 anomalies, which may be further analyzed to yield 10 threat indicators, which may again be further analyzed to yield one or two threats”, 0149;
“FIG. 82 shows a table listing example thresholds and/or parameters of a rarity criterion for various example events that can be used for determining whether an event is anomalous”, 0130; “If the variation is more than insignificant, the threshold for which may be dynamically or statically defined, an anomaly may be considered to be detected. The comparison may be based on any of various techniques, for example, time-series analysis (e.g., number of log-ins per hour), machine learning,  
generate, based on the at least one normal behavior pattern, at least one artificial anomaly, wherein each artificial anomaly deviates from the at least one normal behavior pattern, wherein each generated artificial anomaly includes a randomized time for injection and an at least partially randomized magnitude;
inject the at least one artificial anomaly into the plurality of sensory inputs to create an artificial dataset (machines, processors, and/or humans can create anomalies and inject/input them, either unintentionally or as testing/training data “As shown in FIG. 32A, anomaly 1 is detected based on processing of event data 2302 through anomaly model 1. Anomaly 1 is then input into anomaly model 2 for processing”, 0392); and
analyze the artificial dataset to determine whether a candidate model is a valid representation of operation of the machine, wherein analyzing the artificial dataset further comprises running the candidate model using the artificial dataset as an input (data and models are analyzed and compared against thresholds “FIG. 82 shows a table listing example thresholds and/or parameters of a rarity criterion for various example events that can be used for determining whether an event is threshold and makes the security-related conclusion based on the comparison. In another example, the model deliberation process compares the score against a dynamically updated baseline (e.g., statistical baseline) and makes the security-related conclusion based on the comparison”, 0317; using scoring 0361 and thresholds 0365).
Rather than argue that a “artificial anomaly” merely reads on any anomaly or e.g., a false positive anomaly, the examiner takes the position that Muddu fails to particularly call for injecting the at least one artificial anomaly as well as validating unsupervised machine learning models. And preprocessing a plurality of sensory inputs including at least one feature from raw sensory data, and randomized time for injection and an at least partially randomized magnitude.
Chari teaches generating artificial anomalies (“Because anomalous samples are not readily available as input samples for developing the classifier for the target user 110, the present invention will utilize at least some of the normal data samples anomalous samples”, 0014, 0063) and  preprocessing a plurality of sensory inputs including at least one feature from raw sensory data, and randomized time for injection and an at least partially randomized magnitude (anomalous data is random and has random values/quantities, “All the samples from other users that have LOF higher than the threshold are considered as potential anomalous samples for the target user. The invention describes four different strategies for selecting anomalous samples from the potential anomalous samples for the target user. First, we can choose Low LOF samples from all of the potential anomalous samples. Second, we can choose High LOF samples from all of the potential anomalous samples. It is noted that it is desirable to generate anomalous samples from each of the other users for the target user in many situations. Suppose we want to select N anomalous samples, and there are m other users, we would preferably generate approximately N/m samples from each user. By choosing samples from as many other users as possible, we ensure the anomalous sample set represents a diverse set of abnormal situations. We can then apply both the Low LOF sampling and High LOF sampling for each of the users. In other words, we select N/m samples with lowest or highest LOF values from each of the users from the potential anomalous samples respectively”, 0075; see 0075-anomalous samples, and there are m other users, we generate approximately N/m samples from each user.”, 0078).
Murthy teaches validating unsupervised machine learning models (“model validation tool and a model execution tool”, abstract; “Model deployment may occur in what is called the production environment and involves testing the accuracy of the model against customer data to determine if the model contains any bugs and if the model achieves the expected results. Model deployment may involve actual customer scoring”, 0032).
It would have been obvious to combine the references before the effective filing date because they are in the same field of endeavor and injecting both good and bad test data or anomaly data allows to score a model on both normal and abnormal data and have more real world data; anomalous data is random and has random values/quantities because it is not predictable in time or magnitude and using such data can make a prediction system more realistic or deal with more real world data. 

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Zhuang (US 2016/0078771) teaches preprocessing a plurality of sensory inputs including at least one feature from raw sensory data (“Performing feature extraction may comprise feature vectors; generating an audio representation using the frame-level feature vectors”, 0012; “The training system 200 includes sensors 208 operatively coupled to feature extraction processors 210, a relationship-learning module 212 operatively coupled to the feature extraction processors 210, and a training module 216 operatively coupled to the relationship learning module 212 and the feature extraction processors 210. Stimuli 204 are presented to training subjects 206 to elicit responses, which are detected, measured, recorded, or otherwise sensed by the sensors 208”, 0032; “The sensors 208 are operatively coupled to one or more feature extraction processors 210, which transform raw sensor data (i.e., response data) into a reduced representational set of features (referred to herein as " feature representation data").”, 0039).

Lindemann (US 2016/0241552) teaches extracting data and features (“a biometric sensor 102 reads raw biometric data from the user (e.g., capture the user's fingerprint, record the user's voice, snap a photo of the user, etc) and a feature extraction module 103 extracts specified characteristics of the raw biometric data (e.g., focusing on certain regions of the fingerprint, certain facial features, etc)”, 0012).


Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexey Shmatov can be reached on 5712703428. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic 





/DAVID R VINCENT/Primary Examiner, Art Unit 2123