Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed 02-28-2022 have been fully considered but they are not persuasive. The attorney’s arguments “…Givental fails to teach or suggest an apparatus including an image generator to generate an image based on the extracted statistical properties, the image including a first pixel corresponding to an amount of data transmitted by the device and a second pixel corresponding to whether the device has communication with an Internet domain, as set forth in claim 1… Beyah fails to teach or suggest an apparatus including an image generator to generate an image based on the extracted statistical properties, the image including a first pixel corresponding to an amount of data transmitted by the device and a second pixel corresponding to whether the device has communication with an Internet domain, as set forth in claim 1… Because each of Givental and Beyah are missing the same elements of claim 1” are based on the new amendments. The examiner disagrees with the arguments as the corresponding teaching(s) is/are provided in this rejection. Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references. The same reasoning applies to claims 7, 13 and 19 and their corresponding dependent claims 2-6, 8-12, 14-18 and 20. MPEP 2141.02 VI. PRIOR ART MUST BE CONSIDERED IN ITS ENTIRETY, INCLUDING DISCLOSURES THAT TEACH AWAY FROM THE CLAIMS. Applicant's arguments do not comply with 37 CFR 1.111(c) because they do not clearly point out the patentable novelty which he or she thinks the claims present in view of the state of In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). Therefore the rejection(s) is/are maintained.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:

(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word
This application includes one or more claim limitations that use the word “means” or “step” but are nonetheless not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph because the claim limitation(s) recite(s) sufficient structure, materials, or acts to entirely perform the recited function. Such claim limitation(s) is/are: “a communications aggregator to aggregate…; a statistical property extractor to extract…; an image generator to generate an image…; a persona identifier to identify…; a machine learning model trainer to train…;” in claim 1. “means for aggregating communications…; means for extracting…; means for generating…; means for identifying…; and means for training to train” in claim 19. Since Fig. 2 and paras. [0030-40] indicate that the above place holders are executed using logic circuitry…, it is considered that the claims have sufficient tangible structure.
Because this/these claim limitation(s) is/are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are not being interpreted to cover only the corresponding structure, material, or acts described in the specification as performing the claimed function, and equivalents thereof. If applicant intends to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to remove the structure, materials, or acts that perform the claimed function; or (2) present a sufficient showing that the claim limitation(s) does/do not recite sufficient structure, materials, or acts to perform the claimed function.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1 – 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Givental et al (US 20200342252), hereafter Giv and Beyah et al (US 9225732), hereafter Bey.
Claim 1: Giv teaches an apparatus for detecting anomalous communications, the apparatus comprising (Fig. 1A-1B): a communications aggregator to aggregate communications from a device communicating via a communications interface; ([0008] receiving an event data structure comprising a plurality of event attributes. The event data structure represents an [056] event occurring in association with at least one computing resource in a monitored computing environment); 
an image generator to generate an image based on the extracted statistical properties; ([0008] executing for each event attribute in the plurality of event attributes, a corresponding event attribute encoder that encodes the event attribute as an event image representation data structure corresponding to the event attribute(s));
the image including a first pixel corresponding to an amount of data transmitted by the device ([061, 66, Figs. 2A-2C, 3A] alert image representations… specifying image pixel characteristics for each pixel of a predefined size alert image and which encode alert attributes in predefined sections of the alert image representation (i.e., first pixel) and the alert attributes include a traffic count attribute (i.e., amount of transmitted data));
and a second pixel corresponding to whether the device has communication with an Internet domain; ([061, 66, Figs. 2A-2C, 3A] alert image representations… specifying image pixel characteristics for each pixel of a predefined size alert image and which encode alert attributes in predefined sections of the alert image representation (i.e., second pixel) and the alert attributes include a Source (Src) Geo/Src Geo count attribute, a Destination (Dst) geo/Dst Geo Count attribute, source Internet Protocol (IP), destination IP addresses (i.e., communication with internet domain));
and a machine learning model trainer to train a machine learning model using the generated image and the persona. ([0008, 39] inputting and training the neural network computer model using the event image representation data structure and based on the provided labels for the events associated with the computing resource).
Giv is silent on a statistical property extractor to extract statistical properties of the aggregated communications; and a persona identifier to identify a persona associated with the device;
But analogous art Bey teaches a statistical property extractor to extract statistical properties of the aggregated communications; (C7L23-25: a feature extraction process measures, determines, record one or more traffic properties, or features, as network traffic is collected);
and a persona identifier to identify a persona associated with the device; (C2L16-20: generating a device signature comprising encoded information about the hardware and software architecture of the device).
C5L48-49; C7L40-43).
Claim 7: Giv teaches at least one non-transitory computer readable medium comprising instructions that, when executed, cause at least one processor to at least (Fig. 1A-1B): aggregate communications from a device communicating via a communications interface; generate an image based on the extracted statistical properties, the image including a first pixel corresponding to an amount of data transmitted by the device and a second pixel corresponding to whether the device has communication with an Internet domain; and train a machine learning model using the generated image and the persona. ([0008] receiving an event data structure comprising a plurality of event attributes. The event data structure represents an [056] event occurring in association with at least one computing resource in a monitored computing environment; [0008] executing for each event attribute in the plurality of event attributes, a corresponding event attribute encoder that encodes the event attribute as an event image representation data structure corresponding to the event attribute(s); [061, 66, Figs. 2A-2C, 3A] alert image representations… specifying image pixel characteristics for each pixel of a predefined size alert image and which encode alert attributes in predefined sections of the alert image representation (i.e., first pixel) and the alert attributes include a traffic count attribute (i.e., amount of transmitted data); [061, 66] alert image representations… specifying image pixel characteristics for each pixel of a predefined size alert image and which encode alert attributes in predefined sections of the alert image representation (i.e., second pixel) and the alert attributes include a Source (Src) Geo/Src Geo count attribute, a Destination (Dst) geo/Dst Geo Count attribute, source Internet Protocol (IP), destination IP addresses (i.e., communication with internet domain); [0008, 39] inputting and training the neural network computer model using the event image representation data structure and based on the provided labels for the events associated with the computing resource).
Giv is silent on extract statistical properties of the aggregated communications; identify a persona associated with the device;
But analogous art Bey teaches extract statistical properties of the aggregated communications; identify a persona associated with the device; (C7L23-25: a feature extraction process measures, determines, record one or more traffic properties, or features, as network traffic is collected; C2L16-20: generating a device signature comprising encoded information about the hardware and software architecture of the device).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Giv to include the idea of the property extraction and device persona identification as taught by Bey so as to effectively analyze encrypted network traffic, independent of type or protocol, without the need for prior knowledge about packet payload, thus preserving scalability without compromising privacy (C5L48-49; C7L40-43).
Claim 13: Giv teaches a method for detecting anomalous communications, the method comprising: aggregating communications from a device communicating via a communications interface; generating, by executing an instruction with the at least one processor, an image based , the image including a first pixel corresponding to an amount of data transmitted by the device and a second pixel corresponding to whether the device has communication with an Internet domain; and training, by executing an instruction with the at least one processor, a machine learning model using the generated image and the persona. ([0008] receiving an event data structure comprising a plurality of event attributes. The event data structure represents an [056] event occurring in association with at least one computing resource in a monitored computing environment; [0008] executing for each event attribute in the plurality of event attributes, a corresponding event attribute encoder that encodes the event attribute as an event image representation data structure corresponding to the event attribute(s); [061, 66, Figs. 2A-2C, 3A] alert image representations… specifying image pixel characteristics for each pixel of a predefined size alert image and which encode alert attributes in predefined sections of the alert image representation (i.e., first pixel) and the alert attributes include a traffic count attribute (i.e., amount of transmitted data); [061, 66] alert image representations… specifying image pixel characteristics for each pixel of a predefined size alert image and which encode alert attributes in predefined sections of the alert image representation (i.e., second pixel) and the alert attributes include a Source (Src) Geo/Src Geo count attribute, a Destination (Dst) geo/Dst Geo Count attribute, source Internet Protocol (IP), destination IP addresses (i.e., communication with internet domain); [0008, 39] inputting and training the neural network computer model using the event image representation data structure and based on the provided labels for the events associated with the computing resource).

But analogous art Bey teaches extracting, by executing an instruction with at least one processor, statistical properties of the aggregated communications; identifying, by executing an instruction with the at least one processor, a persona associated with the device; (C7L23-25: a feature extraction process measures, determines, record one or more traffic properties, or features, as network traffic is collected; C2L16-20: generating a device signature comprising encoded information about the hardware and software architecture of the device).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Giv to include the idea of the property extraction and device persona identification as taught by Bey so as to effectively analyze encrypted network traffic, independent of type or protocol, without the need for prior knowledge about packet payload, thus preserving scalability without compromising privacy (C5L48-49; C7L40-43).
Claim 19: Giv teaches an apparatus for detecting anomalous communications, the apparatus comprising (Fig. 1A-1B): means for aggregating communications from a device communicating via a communications interface; means for generating an image based on the extracted statistical properties, the image including a first pixel corresponding to an amount of data transmitted by the device and a second pixel corresponding to whether the device has communication with an Internet domain; and means for training to train a machine learning model using the generated image and the persona. ([0008] receiving an event data structure comprising a plurality of event attributes. The event data structure represents an [056] event occurring in association with at least one computing resource in a monitored computing environment; [0008] executing for each event attribute in the plurality of event attributes, a corresponding event attribute encoder that encodes the event attribute as an event image representation data structure corresponding to the event attribute(s); [061, 66, Figs. 2A-2C, 3A] alert image representations… specifying image pixel characteristics for each pixel of a predefined size alert image and which encode alert attributes in predefined sections of the alert image representation (i.e., first pixel) and the alert attributes include a traffic count attribute (i.e., amount of transmitted data); [061, 66] alert image representations… specifying image pixel characteristics for each pixel of a predefined size alert image and which encode alert attributes in predefined sections of the alert image representation (i.e., second pixel) and the alert attributes include a Source (Src) Geo/Src Geo count attribute, a Destination (Dst) geo/Dst Geo Count attribute, source Internet Protocol (IP), destination IP addresses (i.e., communication with internet domain); [0008, 39] inputting and training the neural network computer model using the event image representation data structure and based on the provided labels for the events associated with the computing resource).
Giv is silent on means for extracting statistical properties of the aggregated communications; means for identifying a persona associated with the device;
But analogous art Bey teaches means for extracting statistical properties of the aggregated communications; means for identifying a persona associated with the device; (C7L23-25: a feature extraction process measures, determines, record one or more traffic properties, or features, as network traffic is collected; C2L16-20: generating a device signature comprising encoded information about the hardware and software architecture of the device).
C5L48-49; C7L40-43).
Claim 2: the combination of Giv and Bey teaches the apparatus of claim 1, wherein the communications are first communications and represent communications occurring during a first time period, the statistical properties are first statistical properties, the image is a first image, the communications aggregator is to aggregate second communications from the device, the second communications representing communications occurring during a second time period after the first time period, the statistical property extractor is to extract second statistical properties of the aggregated communications, the image generator is to generate a second image based on the second statistical properties, and further including: a machine learning model executor to execute the machine learning model to attempt to classify the second image as an output persona; and an anomaly detector to, in response to not identifying an output persona, perform a responsive action. (Giv: [0029] a trained neural network model translates attributes of alerts into images and then uses a trained image classification neural network model to classify the alert image into a corresponding class, [0033] alert/log entry classification machine learning mechanism comprises a neural network model trained to classify images into one of a plurality of pre-defined classes of images based on image analysis algorithms applied by the nodes of the neural network model to extract and process features of the input image based on learned functions of the extracted features, where all log entries over a predetermined period of time are processed to generate image representations which are then evaluated and [0062] performing responsive actions to improve the operation of the SIEM system and protect the computing resources of the end user computing environment).
Claim 3: the combination of Giv and Bey teaches the apparatus of claim 2, wherein the anomaly detector is to not identify the output persona when at least one similarity score generated in connection with personas identifiable by the machine learning model do not meet or exceed a similarity threshold. (Giv: [0033] the pre-defined classes of images comprises classifying an encoded image representation of an alert/log entry into either a true-threat classification or a false-positive classification (not a true threat). [0066] the alert attributes include ... an alert score QSeverity/Magnitude attribute... [89] the output layer outputs a binary output indicating whether the input alert image represents an anomaly or not, where a normal output is indicative of a false positive).
Claim 4: the combination of Giv and Bey teaches the apparatus of claim 2, wherein the anomaly detector is to instruct routing circuitry to block further communications from the device. (Giv: [0002] responsive actions take many different forms, such as generating alert notifications, inhibiting operation of particular computer components, or the like).
Claim 5: the combination of Giv and Bey teaches the apparatus of claim 1, wherein the aggregated communications represent communications collected via at least two communications interfaces. (Giv: [0055] Security monitoring engines are provided in association with agents deployed and executing on endpoint computing devices, which collect security events and provide the security event data to the SIEM system).
Claim 6: the combination of Giv and Bey teaches the apparatus of claim 1, wherein the generated image is a first image, the persona is a first persona, and the machine learning model trainer is to train the machine learning model using a second image and a second persona. (Giv: [0008, 39] into the first neural network computer model, the event image representation data structure, and the label annotations and [33] second primary cognitive computing system element comprises an alert/log entry classification machine learning mechanism that classifies alerts/log entries based on image analysis algorithms applied by the nodes of the neural network model to extract and process features of the input image based on learned functions of the extracted features).
Claim 8: the combination of Giv and Bey teaches the at least one non-transitory computer readable medium of claim 7, wherein the communications are first communications and represent communications occurring during a first time period, the statistical properties are first statistical properties, the image is a first image, and the instructions, when executed, cause the at least one processor to: aggregate second communications from the device, the second communications representing communications occurring during a second time period after the first time period; extract second statistical properties of the aggregated communications; generate a second image based on the second statistical properties; execute the machine learning model to attempt to classify the second image as an output persona; and in response to not identifying an output persona, perform a responsive action. (Giv: [0029] a trained neural network model translates attributes of alerts into images and then uses a trained image classification neural network model to classify the alert image into a corresponding class, [0033] alert/log entry classification machine learning mechanism comprises a neural network model trained to classify images into one of a plurality of pre-defined classes of images based on image analysis algorithms applied by the nodes of the neural network model to extract and process features of the input image based on learned functions of the extracted features, where all log entries over a predetermined period of time are processed to generate image representations which are then evaluated and [0062] performing responsive actions to improve the operation of the SIEM system and protect the computing resources of the end user computing environment).
Claim 9: the combination of Giv and Bey teaches the at least one non-transitory computer readable medium of claim 8, wherein the output persona is not identified when similarity scores generated in connection with personas identifiable by the machine learning model do not meet or exceed a similarity threshold. (Giv: [0033] the pre-defined classes of images comprises classifying an encoded image representation of an alert/log entry into either a true-threat classification or a false-positive classification (not a true threat). [0066] the alert attributes include ... an alert score QSeverity/Magnitude attribute... [89] the output layer outputs a binary output indicating whether the input alert image represents an anomaly or not, where a normal output is indicative of a false positive).
Claim 10: the combination of Giv and Bey teaches the at least one non-transitory computer readable medium of claim 8, wherein the instructions, when executed, cause the at least one processor to instruct routing circuitry to block further communications from the device. (Giv: [0002] responsive actions take many different forms, such as generating alert notifications, inhibiting operation of particular computer components, or the like).
Claim 11: the combination of Giv and Bey teaches the at least one non-transitory computer readable medium of claim 7, wherein the aggregated communications represent communications collected via at least two communications interfaces. (Giv: [0055] Security monitoring engines are provided in association with agents deployed and executing on endpoint computing devices, which collect security events and provide the security event data to the SIEM system).
Claim 12: the combination of Giv and Bey teaches the at least one non-transitory computer readable medium of claim 7, wherein the generated image is a first image, the persona is a first persona, and the instructions, when executed, cause the at least one processor to train the machine learning model using a second image and a second persona. (Giv: [0008, 39] into the first neural network computer model, the event image representation data structure, and the label annotations and [33] second primary cognitive computing system element comprises an alert/log entry classification machine learning mechanism that classifies alerts/log entries based on image analysis algorithms applied by the nodes of the neural network model to extract and process features of the input image based on learned functions of the extracted features).
Claim 14: the combination of Giv and Bey teaches the method of claim 13, wherein the communications are first communications and represent communications occurring during a first time period, the statistical properties are first statistical properties, the image is a first image, and further comprising: aggregating second communications from the device, the second communications representing communications occurring during a second time period after the first time period; extracting second statistical properties of the aggregated communications; generating a second image based on the second statistical properties; executing the machine learning model to attempt to classify the second image as an output persona; and in response to not identifying an output persona, performing a responsive action. (Giv: [0029] a trained neural network model translates attributes of alerts into images and then uses a trained image classification neural network model to classify the alert image into a corresponding class, [0033] alert/log entry classification machine learning mechanism comprises a neural network model trained to classify images into one of a plurality of pre-defined classes of images based on image analysis algorithms applied by the nodes of the neural network model to extract and process features of the input image based on learned functions of the extracted features, where all log entries over a predetermined period of time are processed to generate image representations which are then evaluated and [0062] performing responsive actions to improve the operation of the SIEM system and protect the computing resources of the end user computing environment).
Claim 15: the combination of Giv and Bey teaches the method of claim 14, wherein the output persona is not identified when similarity scores generated in connection with personas identifiable by the machine learning model do not meet or exceed a similarity threshold. (Giv: [0033] the pre-defined classes of images comprises classifying an encoded image representation of an alert/log entry into either a true-threat classification or a false-positive classification (not a true threat). [0066] the alert attributes include ... an alert score QSeverity/Magnitude attribute... [89] the output layer outputs a binary output indicating whether the input alert image represents an anomaly or not, where a normal output is indicative of a false positive).
Claim 16: the combination of Giv and Bey teaches the method of claim 14, wherein the performance of the responsive action includes instructing routing circuitry to block further communications from the device. (Giv: [0002] responsive actions take many different forms, such as generating alert notifications, inhibiting operation of particular computer components, or the like).
Claim 17: the combination of Giv and Bey teaches the method of claim 13, wherein the aggregated communications represent communications collected via at least two communications interfaces. (Giv: [0055] Security monitoring engines are provided in association with agents deployed and executing on endpoint computing devices, which collect security events and provide the security event data to the SIEM system).
Claim 18: the combination of Giv and Bey teaches the method of claim 13, wherein the generated image is a first image, the persona is a first persona, and the training of the machine learning model is further performed using a second image and a second persona. (Giv: [0008, 39] into the first neural network computer model, the event image representation data structure, and the label annotations and [33] second primary cognitive computing system element comprises an alert/log entry classification machine learning mechanism that classifies alerts/log entries based on image analysis algorithms applied by the nodes of the neural network model to extract and process features of the input image based on learned functions of the extracted features).
Claim 20: the combination of Giv and Bey teaches the apparatus of claim 19, wherein the communications are first communications and represent communications occurring during a first time period, the statistical properties are first statistical properties, the image is a first image, the means for aggregating is to aggregate second communications from the device, the second communications representing communications occurring during a second time period after the first time period, the means for extracting is to extract second statistical properties of the aggregated communications, the means for generating is to generate a second image based on the second statistical properties, and further including: means for executing the machine learning model to attempt to classify the second image as an output persona; and means for detecting to, (Giv: [0029] a trained neural network model translates attributes of alerts into images and then uses a trained image classification neural network model to classify the alert image into a corresponding class, [0033] alert/log entry classification machine learning mechanism comprises a neural network model trained to classify images into one of a plurality of pre-defined classes of images based on image analysis algorithms applied by the nodes of the neural network model to extract and process features of the input image based on learned functions of the extracted features, where all log entries over a predetermined period of time are processed to generate image representations which are then evaluated and [0062] performing responsive actions to improve the operation of the SIEM system and protect the computing resources of the end user computing environment).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867. The examiner can normally be reached M-F: 8:30am-5pm (EST). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado, can be reached on 5712727624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BADRINARAYANAN /Examiner, Art Unit 2496.