Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant’s arguments, see remarks, filed 03-07-2022, with respect to claims rejection under 35 USC 112 have been fully considered and are persuasive and in light of new amendments.  The 112 rejection has been withdrawn. 
Applicant's arguments filed 03-07-2022 have been fully considered but they are not persuasive and in light of new supplemental amendments filed on 03-17-2022 after the telephonic interview with the examiner. The attorney argues that “no latent feature, collaborative filter, anomaly explanation teachings”. The examiner disagrees with the arguments. During the interview it was clearly how the terms were interpreted (see interview summary) and how the mappings were done from prior arts of record pointing out appropriate paragraphs and mapping explanation inside brackets. Latent features were taught using [014] the behavioral vector is a compact representation of a hierarchical bag, which is a dataset that includes network telemetry data (all network flows to domains, servers, or other such Internet end-points) for a given user, a single behavioral vector generated ([017] with knowledge)/without knowledge of flow-level infections, connection-level infections or even user-level infections (i.e., latent features); Collaborative filter: the spec. recites: “The system 400 may be networked through an interface 414. The system 400 may be a CF-based cybersecurity anomaly detection system 200 which is further equipped with explainability-enhancement software 404 to compute various behavior similarities 336... [0055] Some embodiments expressly include the collaborative filter 206, while collaborative filtering (such as anomaly detection or an anomalousness score) and use CF latent feature vectors (i.e., user behavior vectors), an embodiment does not necessarily include the collaborative filter itself.” Though CF may have one or more defined meanings in different arts per se (such as recommender systems, explanation systems, anomaly detection areas), the specific meaning attributed by the specification is attached to the term CF. Furthermore, CF is not the inventive concept of the application but the explainability factor and contribution of the latent/non-latent features. And it was taught using Stoc: C18L41-43: each detector model (using mathematical machine-learning models) effectively acts as a filter and passes its output… and (C4L51-52) gatherers filters or condense the mass of data down; C9L31-43: The unusual pattern is determined by filtering out what activities, events, or alerts that fall within the window of what is the normal pattern of life for that network entity under analysis. Then the pattern of the behavior of the activities, events, or alerts that are left, after the filtering, can be analyzed to determine whether that pattern is indicative of a behavior of a malicious actor, such as a human, a program, an email, or other threat. The defense system goes back and pulls in some of the filtered out normal activities to help support or refute a possible hypothesis of whether that pattern is indicative of a behavior of a malicious actor; and anomaly explanation using C10L16-20: models performed by the threat detection through a probabilistic change in normal behavior to detect behavioral change in (C5L7-20) user and change in network activities (C1L57-60) multivariate anomaly detector calculates a multivariate centrality score, (C8L1-5) an access entropy score which describes a diversity of visited nodes by the node (i.e., changes in user behavior similarity) and (C5L36-39) normal behavior threshold is varied according to the updated changes in the computer system allowing the model to spot behavior on the computing i.e., describes change in behavior) set by the moving benchmark, C4L40-50: each hypothesis of typical threats describes various supporting points of data and other metrics associated with that possible threat, such as a human user insider attack, inappropriate network behavior, or email behavior or malicious software or malware attack, inappropriate network behavior or email behavior (i.e., system enhances explainability). A machine-learning algorithm looks at the relevant points of data to support or refute that particular hypothesis of what the suspicious activity or abnormal behavior related for each hypothesis on what the suspicious activity or abnormal behavior relates to (i.e., associating explanation to change in behavior) and C27L39-42: centrality processing module rescales each of the variates and then reports the multivariate centrality scores to the anomaly detector module (i.e., system enhances explainability). Therefore the rejections are maintained.
Applicant’s arguments with respect to claim(s) 16 – 20 rejections under 35 USC 103 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument and in light of new supplemental amendments filed on 03-17-2022 after the telephonic interview with the examiner. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1 – 5 and 8 – 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Komárek et al (US 20190020671), hereafter Kom and Stockdale et al (US 10986121), hereafter Stoc.
Claim 1: Kom teaches an explanation system for enhancing cybersecurity anomaly explainability, the explanation system comprising: a memory; and a processor in operable Fig. 7) to perform cybersecurity anomaly explanation steps which include (a) obtaining at least two user behavior vectors, each user behavior vector derived from a [trained collaborative filter], ([013] receiving, at a security analysis device, a set of feature vectors extracted from one or more flows of traffic to domains for a given user in a network during a period of time);
each user behavior vector including at least one latent feature, each user behavior vector corresponding to at least one behavior of a user with respect to a monitored computing system, ([014] the behavioral vector is a compact representation of a hierarchical bag, which is a dataset that includes network telemetry data (all network flows to domains, servers, or other such Internet end-points) for a given user, a single behavioral vector generated ([017] with knowledge)/without knowledge of flow-level infections, connection-level infections or even user-level infections (i.e., latent features));
(b) computing a user behavior similarity based on a distance between user behavior vectors and on a similarity threshold, ([044] the similarity is determined based on a similarity threshold or any similarity measure used by any detector or classifier and identify the computing device as infected when known information indicates that at least one of the one or more of the other behavioral vectors is representative of an infected device);
Kom is silent on trained collaborative filter and  (c) producing an explanation of a cybersecurity anomaly which is based at least on a change in the user behavior similarity and which describes the change in the user behavior similarity; whereby the explanation system enhances explainability of cybersecurity anomalies which are detected using the trained collaborative filter by associating in the explanation a collaborative filter anomaly detection result with a change in behavior of an identified user.
C18L41-43: each detector model (using mathematical machine-learning models) effectively acts as a filter and passes its output…); and 
(c) producing an explanation of a cybersecurity anomaly which is based at least on a change in the user behavior similarity and which describes the change in the user behavior similarity; (C10L16-20: models performed by the threat detection through a probabilistic change in normal behavior to detect behavioral change in (C5L7-20) user and change in network activities (C1L57-60) multivariate anomaly detector calculates a multivariate centrality score, (C8L1-5) an access entropy score which describes a diversity of visited nodes by the node (i.e., changes in user behavior similarity) and (C5L36-39) normal behavior threshold is varied according to the updated changes in the computer system allowing the model to spot behavior on the computing system that falls outside the parameters (i.e., describes change in behavior) set by the moving benchmark);
whereby the explanation system enhances explainability of cybersecurity anomalies which are detected using the trained collaborative filter by associating in the explanation a collaborative filter anomaly detection result with a change in behavior of an identified user. (C4L40-50: each hypothesis of typical threats describes various supporting points of data and other metrics associated with that possible threat, such as a human user insider attack, inappropriate network behavior, or email behavior or malicious software or malware attack, inappropriate network behavior or email behavior (i.e., system enhances explainability). A machine-learning algorithm looks at the relevant points of data to support or refute that particular hypothesis of what the suspicious activity or abnormal behavior related for each hypothesis on what the suspicious activity or abnormal behavior relates to (i.e., associating explanation to change in  and C27L39-42: centrality processing module rescales each of the variates and then reports the multivariate centrality scores to the anomaly detector module (i.e., system enhances explainability));
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kom to include the idea of using a trained filter and producing an explanation based on user behavior analysis as taught by Stoc so that mathematical models continually recalculate threat levels in the light of new evidence, identifying changing attack behaviors (C16L3-9).
Claim 8: Kom teaches a method for enhancing cybersecurity anomaly explainability, the method comprising automatically: obtaining at least two user behavior vectors, each user behavior vector derived from a [trained collaborative filter], each user behavior vector including multiple latent features which individually or collectively correspond to at least one behavior of a user with respect to attempted or accomplished access to at least one resource of a monitored computing system; computing a user behavior similarity based on a distance between user behavior vectors and on a similarity threshold; ([013] receiving, at a security analysis device, a set of feature vectors extracted from one or more flows of traffic to domains for a given user in a network during a period of time; [014] the behavioral vector is a compact representation of a hierarchical bag, which is a dataset that includes network telemetry data (all network flows to domains, servers, or other such Internet end-points) for a given user, a single behavioral vector generated ([017] with knowledge)/without knowledge of flow-level infections, connection-level infections or even user-level infections (i.e., latent features); [044] the similarity is determined based on a similarity threshold or any similarity measure used by any detector or classifier and identify the computing device as infected when known information indicates that at least one of the one or more of the other behavioral vectors is representative of an infected device).
Kom is silent on trained collaborative filter and producing an explanation of a cybersecurity anomaly detected by the trained collaborative filter, the explanation being based at least on a change in the user behavior similarity, the explanation describing the change in the user behavior similarity and identifying at least one user or identifying at least one group of users.
But analogous art Stoc teaches trained collaborative filter and producing an explanation of a cybersecurity anomaly detected by the trained collaborative filter, the explanation being based at least on a change in the user behavior similarity, the explanation describing the change in the user behavior similarity and identifying at least one user or identifying at least one group of users. (C18L41-43: each detector model (using mathematical machine-learning models) effectively acts as a filter and passes its output to another model higher up the pyramid; C10L16-20: models performed by the threat detection through a probabilistic change in normal behavior to detect behavioral change in (C5L7-20) user and change in network activities (C1L57-60) multivariate anomaly detector calculates a multivariate centrality score, (C8L1-5) an access entropy score which describes a diversity of visited nodes by the node (i.e., changes in user behavior similarity) and (C5L36-39) normal behavior threshold is varied according to the updated changes in the computer system allowing the model to spot behavior on the computing system that falls outside the parameters (i.e., describes change in behavior) set by the moving benchmark; C4L40-50: each hypothesis of typical threats describes various supporting points of data and other metrics associated with that possible threat, such as a human user insider attack, inappropriate network behavior, or email behavior or malicious software or malware attack, inappropriate network behavior or email behavior (i.e., system . A machine-learning algorithm looks at the relevant points of data to support or refute that particular hypothesis of what the suspicious activity or abnormal behavior related for each hypothesis on what the suspicious activity or abnormal behavior relates to (i.e., associating explanation to change in behavior) and C27L39-42: centrality processing module rescales each of the variates and then reports the multivariate centrality scores to the anomaly detector module (i.e., system enhances explainability)).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kom to include the idea of using a trained filter and producing an explanation based on user behavior analysis as taught by Stoc so that mathematical models continually recalculate threat levels in the light of new evidence, identifying changing attack behaviors (C16L3-9).
Claim 2: the combination of Kom and Stoc teaches the system of claim 1, wherein the user behavior vectors, vector distance, and explanation each reside in and configure the memory, and wherein the user behavior vectors are further characterized in at least one of the following ways: two of the user behavior vectors identify at least two different users; or two of the user behavior vectors identify the same user and have respective latent features which correspond to behavior of that user at different times. (Kom: [014] generate a single vector that is representative of complex user behavior in a network on the basis of activity of a computing device or applications used by a user in the network. [041] the set of feature vectors are a set of unlabeled feature vectors included in a hierarchical bag for the given user, [045] hierarchal bags covering five-minute intervals of proxy log data were transformed into behavioral vectors for the various users represented by the data).
Claim 3: the combination of Kom and Stoc teaches the system of claim 1, wherein the vector distance is calculated using at least one of the following: a cosine similarity, or a Minkowski distance. (Kom: [044] a similarity value determined with cosine similarity).
Claim 4: the combination of Kom and Stoc teaches the system of claim 1, further comprising the trained collaborative filter. (Stoc: C18L41-43: each detector model effectively acts as a filter and passes its output to another model higher up the pyramid).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kom to include the idea of using a trained filter as taught by Stoc so that mathematical models continually recalculate threat levels in the light of new evidence, identifying changing attack behaviors (C16L3-9).
Claim 5: the combination of Kom and Stoc teaches the system of claim 1, wherein the explanation resides in and configures the memory, and wherein the explanation is further characterized in that the explanation indicates at least one of the following user behavior similarity changes: a user whose behavior was similar to behaviors of a group X of other users stopped being similar to behaviors of group X users; a user whose behavior was not similar to behaviors of a group X of other users started being similar to behaviors of group X users; membership of a group of users whose behavior is similar has changed; or membership of a group of users whose behavior is not similar has changed. (Kom: [013] security analysis device classifies a computing device associated with the given user based on the single behavioral vector and at least one of known information or other behavioral vectors for other users, [045] these behavioral vectors were correlated with known information indicating whether the users were associated with an infected or benign computing device).
Claim 9: the combination of Kom and Stoc teaches the method of claim 8, wherein the method further comprises selecting one or more clusters of users based on user behavior vector similarity, and wherein producing the explanation includes identifying at least one cluster in the explanation. (Stoc: C4L40-50: each hypothesis of typical threats describes various supporting points of data and other metrics associated with that possible threat, such as a human user insider attack, inappropriate network behavior, or email behavior or malicious software or malware attack, inappropriate network behavior or email behavior (i.e., system enhances explainability). A machine-learning algorithm looks at the relevant points of data to support or refute that particular hypothesis of what the suspicious activity or abnormal behavior related for each hypothesis on what the suspicious activity or abnormal behavior relates to (i.e., associating explanation to change in behavior) and C27L39-42: centrality processing module rescales each of the variates and then reports the multivariate centrality scores to the anomaly detector module (i.e., system enhances explainability)).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kom to include the idea of selecting groups and explaining anomalousness as taught by Stoc so that mathematical models continually recalculate threat levels in the light of new evidence, identifying changing attack behaviors (C16L3-9).
Claim 10: the combination of Kom and Stoc teaches the method of claim 8, wherein: obtaining includes obtaining a user behavior vector of an abnormal user and obtaining user behavior vectors of other users; computing includes computing user behavior similarities based on distances between the abnormal user behavior vectors and at least some other user behavior vectors; and producing includes producing an explanation which lists N other users whose Kom: [014] the behavioral vector is a compact representation of a hierarchical bag, which is a dataset that includes network telemetry data (all network flows to domains, servers, or other such Internet end-points) for a given user, a single behavioral vector generated without any knowledge of flow-level infections, connection-level infections or even user-level infections (i.e., latent feature); [044] the similarity is determined based on a similarity threshold or any similarity measure used by any detector or classifier and identify the computing device as infected when known information indicates that at least one of the one or more of the other behavioral vectors is representative of an infected device, a computing device associated with a user is determined to be infected when the behavioral vector for the user is similar to a behavioral vector of an infected user or device; [016] generate behavioral vectors for a plurality of users (i.e., N>=2) and an arbitrary classification model and/or detection system are then trained on top of the generated behavioral vectors).
Claim 11: the combination of Kom and Stoc teaches the method of claim 8, wherein the method further comprises sorting multiple users according to their respective extent of user behavior similarity to at least one of the following: behavior of another user, or behavior of a set of users. (Kom: [013] security analysis device classifies a computing device associated with the given user based on the single behavioral vector and at least one of known information or other behavioral vectors for other users).
Claim 12: the combination of Kom and Stoc teaches the method of claim 8, wherein the method further comprises presenting an anomaly score in or with the explanation, wherein the anomaly score is a numeric measure of anomalousness generated by use of the trained collaborative filter. (Stoc: C10L16-20: models performed by the threat detection through a probabilistic change in normal behavior to detect behavioral change in (C5L7-20) user and change in network activities (C1L57-60) multivariate anomaly detector calculates a multivariate centrality score, (C8L1-5) an access entropy score which describes a diversity of visited nodes by the node (i.e., changes in user behavior similarity) and (C5L36-39) normal behavior threshold is varied according to the updated changes in the computer system allowing the model to spot behavior on the computing system that falls outside the parameters (i.e., describes change in behavior) set by the moving benchmark, C18L41-43: each detector model (using mathematical machine-learning models) effectively acts as a filter and passes its output to another model higher up the pyramid).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kom to include the idea of computing score as taught by Stoc so that mathematical models continually recalculate threat levels in the light of new evidence, identifying changing attack behaviors (C16L3-9).
Claim 13: the combination of Kom and Stoc teaches the method of claim 8, wherein the method further comprises presenting organizational context information in or with the explanation. (Stoc: C15L1-21: to properly model what should be considered as normal for a device, the behavior of the device is analyzed in the context of other similar devices on the network. The cyber threat defense system leverages the power of unsupervised learning to algorithmically identify naturally occurring groupings of devices… thus providing a non-frequentist architecture for inferring and testing causal links between explanatory variables, observations and feature sets).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kom to include the idea of context 
Claim 14: the combination of Kom and Stoc teaches the method of claim 8, wherein obtaining includes receiving at least some of the user behavior vectors through a network connection, after the received user behavior vectors have been derived from the trained collaborative filter. (Kom: [013, 20-21] receiving, at a security analysis device, a set of feature vectors extracted from one or more flows of traffic to domains for a given user in a network during a period of time, as the traffic is received by gateway device, the behavioral vector logic analyzes features extracted from the traffic via a network connection).
Claims 16 – 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kom and Stoc as applied to claims above, and further in view of Li et al (US 10255628), hereafter Li.Claim 16: Kom teaches a computer-readable storage medium configured with data and instructions which upon execution by a processor cause an explanation computing system to perform a method for enhancing cybersecurity anomaly explainability, the method comprising (Fig. 7): obtaining a plurality of user behavior vectors derived from a [trained collaborative filter], each user behavior vector including multiple latent features, each user behavior vector corresponding to at least one behavior of a user with respect to a monitored computing system; computing a user behavior similarity based on a distance between user behavior vectors and on a similarity threshold; ([013] receiving, at a security analysis device, a set of feature vectors extracted from one or more flows of traffic to domains for a given user in a network during a period of time; [014] the behavioral vector is a compact representation of a hierarchical bag, which is a dataset that includes network telemetry data (all network flows to domains, servers, or other such Internet end-points) for a given user, a single behavioral vector generated ([017] with knowledge)/ without knowledge of flow-level infections, connection-level infections or even user-level infections (i.e., latent features); [044] the similarity is determined based on a similarity threshold or any similarity measure used by any detector or classifier and identify the computing device as infected when known information indicates that at least one of the one or more of the other behavioral vectors is representative of an infected device).
Kom is silent on and producing a textual explanation of a cybersecurity anomaly, the textual explanation based at least on a change in the user behavior similarity, and the textual explanation describing a change in the user behavior similarity pertaining to at least one user who is identified in the textual explanation.
But analogous art Stoc teaches and producing a textual explanation of a cybersecurity anomaly, the textual explanation based at least on a change in the user behavior similarity, and the textual explanation describing a change in the user behavior similarity pertaining to at least one user who is identified in the textual explanation. (C18L41-43: each detector model (using mathematical machine-learning models) effectively acts as a filter and passes its output to another model higher up the pyramid; C10L16-20: models performed by the threat detection through a probabilistic change in normal behavior to detect behavioral change in (C5L7-20) user and change in network activities (C1L57-60) multivariate anomaly detector calculates a multivariate centrality score, (C8L1-5) an access entropy score which describes a diversity of visited nodes by the node (i.e., changes in user behavior similarity) and (C5L36-39) normal behavior threshold is varied according to the updated changes in the computer system allowing the model to spot behavior on the computing system that falls outside the parameters (i.e., describes change in behavior) set by the moving benchmark; C4L40-50: each hypothesis of typical threats describes various supporting points of data and other metrics associated with that possible threat, such as a human user insider attack, inappropriate network behavior, or email behavior or malicious software or malware attack, inappropriate network behavior or email behavior (i.e., system enhances explainability). A machine-learning algorithm looks at the relevant points of data to support or refute that particular hypothesis of what the suspicious activity or abnormal behavior related for each hypothesis on what the suspicious activity or abnormal behavior relates to (i.e., associating explanation to change in behavior) and C27L39-42: centrality processing module rescales each of the variates and then reports the multivariate centrality scores to the anomaly detector module (i.e., system enhances explainability)).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kom to include the idea of using a trained filter and producing an explanation based on user behavior analysis as taught by Stoc so that mathematical models continually recalculate threat levels in the light of new evidence, identifying changing attack behaviors (C16L3-9).
The combination Kom and Stoc is silent on trained collaborative filter.
But analogous art Li teaches trained collaborative filter. (C3L26: a deep collaborative filtering... tightly couples matrix factorization based collaborative filtering with deep feature learning).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Kom and Stoc to include the idea of using a trained collaborative filter instead of the detector model (filter) as taught by Li so that thus making the system highly efficient and scalable (C3L51).
Claim 17: the combination of Kom, Stoc and Li teaches the storage medium of claim 16, wherein producing a textual explanation of a cybersecurity anomaly includes implicating an operational role in the cybersecurity anomaly. (Kom: [031] since an increased volume of a specific type of activity is a good indicator of compromise, various operators analyze user activity (via the feature vectors) to identify increased activity of various types (i.e., the operators verify whether a given flow (represented by the feature vector) satisfies a specific condition (i.e., a pattern)).
Claim 18: the combination of Kom, Stoc and Li teaches the storage medium of claim 16, wherein obtaining a plurality of user behavior vectors includes deriving user behavior vectors from a trained collaborative filter by performing a matrix factorization. (Stoc: C7L12-16 graph detection module "symmetrizes" the simple graph by adding the connection matrix to a transpose of the connection matrix. The graph detection module can weight each edge in the connection matrix with a logarithm of the data transfers on that edge and (C8L22-27) anomaly detector module computes a matrix of two-point correlations between each variate of the multivariate centrality score).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kom to include the idea of context information as taught by Stoc so that mathematical models continually recalculate threat levels in the light of new evidence, identifying changing attack behaviors (C16L3-9).
Claim 19: the combination of Kom, Stoc and Li teaches the storage medium of claim 16, wherein the method is free of reliance on any predefined domain-based explanation for cybersecurity anomaly explainability. (Kom: [004, 14] the training data is improper or unreliable labels, at least because each sample is labeled without context (i.e., without knowledge of other samples in the training data); single behavioral vector is generated from unlabeled feature vectors…).
Claim 20: the combination of Kom, Stoc and Li teaches the storage medium of claim 16, wherein is free of reliance on any display of specific dominant features for cybersecurity anomaly explainability. (Kom: [017] a classifier are trained to detect infections with only knowledge of whether users were infected in a particular time period (a classifier trained with weakly labeled data, insofar as connection- or user-level labels are commonly referred to weak labels because these labels are often not suitable for training learning algorithms) and [062] are executed independent of the type of network data or a set of features extracted from the data).

Allowable Subject Matter
Claims 6, 7 and 15 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened SIX MONTHS from the date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867. The examiner can normally be reached M-F: 8:30am-5pm (EST). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on 5712727624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/BADRINARAYANAN /Examiner, Art Unit 2496.