DETAILED ACTION
	This action is in response to Applicant’s Amendment (“Response”) received on January 17, 2022 in response to the Office Action dated July 20, 2021. This action is made Final.
Claims 1-19 are pending in the case. 
Claims 1, 10, and 11 are independent claims.
Claims 1-19 are rejected.
	Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Applicant’s Response
	In Applicant’s Response, Applicant submitted arguments against the prior art in the Office Action dated July 20, 2021.
	
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-8 and 10-18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Song et al., US Patent Application Publication no. US 2016/0366169 (“Song”), and .
Claim 1:
	Song teaches or suggests a method for detecting anomalies in mission-critical environments using word representation learning, comprising:
	parsing at least one received data set into a text structure (see Fig. 2, 3; para. 0030 - receive the incoming traffic, which can include one or more network data packets, data frames, one or more files that contain various types of data (e.g., text. stream of data in bytes or a stream of various other suitable symbols or tokens in one or more communication sessions; para. 0045 - where the argument strings (e.g., "val1=foo&val2=bar") are extracted from the communication protocol message; para. 0046 - extract the argument string, the variable names from the argument string, the input values from the argument string, and/or the structure of the argument string; para. 0048 - determining the content and the structure associated with an argument string; the knowledge of the communication protocol message and its structure can be used to determine, parse, extract, and/or isolate relevant portions of data from argument strings of any suitable protocol; para. 0049 - normalizing the training dataset can be done to, for example, reduce features within the data that are not useful.);
	isolating a protocol language of the at least one received data set, wherein the protocol language is a standardized pattern for communication over at least one communication protocol (see Fig. 2, 3; para. 0010 – dataset of normal communication protocol messages; para. 0011 - protocol messages and learns to recognize legitimate web layer script input; para. 0021 - based on the deviation of the newly received request from 
protocol message and its structure can be used to determine, parse, extract, and/or isolate relevant portions of data from argument strings of any suitable protocol. probabilistic model described herein can be selected based on the protocol and its associated structure.);
	generating at least one document from the contents of the received at least one dataset, wherein the at least one document includes at least one parsed text structure (see para. 0049 - argument strings in the training dataset can be processed prior to being used to train the probabilistic model. normalizing the training dataset can be done to, for example, reduce features within the data that are not useful; para. 0051 - argument strings in the training dataset of legitimate data.);
	detecting insights in the at least one generated document, wherein the insights are detected in at least one representation having at least one dimension, wherein the representation is mapped to at least one learned hyperspace (see Fig. 1A, 1B; para. 0044 - learning models customized for the protected server or servers, where training datasets of known legitimate data associated with the protected server or servers are available; para. 0045 - generating and training a probabilistic model, such as one or more Markov chain models; para. 0051 - probabilistic model is trained using the argument strings in the training dataset of legitimate data. This probabilistic model is composed as a mixture of the aforementioned Markov chain structures. As communication protocol messages, such as HTTP requests, are generally structured by placing variable name (e.g., val1) followed by an 
	extracting rules from the detected insights (see para. 0051 - probabilistic model is trained using the argument strings in the training dataset of legitimate data. This probabilistic model is composed as a mixture of the aforementioned Markov chain structures. As communication protocol messages, such as HTTP requests, are generally structured by placing variable name (e.g., val1) followed by an input value (e.g., foo) with each pair of variable name and input structure placed from left to right, a Markov chain structure can be used as a string model that can recognize the distribution of content and structure present within script input strings; para. 0062 - detector can determine whether the substrings "foo" and "val1" from the request 4000 in FIG. 4 are valid, whether their order is valid (i.e., the substring "foo" following the substring "val1"), and/or whether "val2" should follow these substrings. Capturing this structure infers that "foo" is an argument for the variable "val1." If "val1" is followed by another sequence of unrecognized characters, the detector would consider the communication protocol message to be 
	detecting anomalies by applying the extracted rules on patterns for the communication over at least one communication protocol (see para. 0048 - the knowledge of the communication protocol message and its structure can be used to determine, parse, extract, and/or isolate relevant portions of data from argument strings of any suitable protocol. probabilistic model described herein can be selected based on the protocol and its associated structure; para. 0062 - detector can determine whether the substrings "foo" and "val1" from the request 4000 in FIG. 4 are valid, whether their order is valid (i.e., the substring "foo" following the substring "val1"), and/or whether "val2" should follow these substrings. Capturing this structure infers that "foo" is an argument for the variable "val1." If "val1" is followed by another sequence of unrecognized characters, the detector would consider the communication protocol message to be anomalous; Claim 2 - applying a probabilistic model to the received communication protocol message to determine whether the communication protocol message is anomalous based on determining that at least one n-gram in the communication protocol message is anomalous.).
	Song fails to explicitly disclose referencing a unique identifier.
	Dupont teaches or suggests referencing a unique identifier; and mapped to at least one learned hyperspace (see para. 0324-0336 - A unique identifier is synthesized for every event [100], calculated as described in U.S. Pat. No. 7,143,091. Examples of events [100] considered by the periodic patterns. association between a type of event [100] and the right type of time stamps; para. 0411 - its identifier and time stamp within a compressed 
[115.20]. Using this model, a much greater variety of structures can be represented in the hypergraph; para. 0591 - Mapping Data Sources to the Hypergraph; para. 0599 – a rich, high dimensional model of behavior which allows for even relatively small, subtle changes in behavior to be trapped; para. 1399 - only its identifier and time stamp within a compressed representation of the periodic patterns [126] the event.).
Accordingly, it would have been obvious to one having ordinary skill before the effective filing date of the claimed invention to modify the system and method, taught in Song, to include referencing a unique identifier; and mapped to at least one learned hyperspace for the purpose of efficiently associating data objects and enriching data structures, as taught by Dupont (0411 and 0513).
Claim(s) 10 and 11:
Claim(s) 10 and 11 correspond to Claim 1, and thus, Song and Dupont teach or suggest the limitations of claim(s) 10 and 11 as well.

Claim 2:
	Song further teaches or suggests wherein isolating the protocol language of the at least one received data set and generating documents from the contents of the received at least one data set occur substantially simultaneously (see Fig. 2, 3; para. 0010 – dataset of normal communication protocol messages; para. 0011 - protocol messages and learns to recognize legitimate web layer script input; para. 0021 - based on the deviation of the 
Claim(s) 12:
Claim(s) 12 correspond to Claim 2, and thus, Song and Dupont teach or suggest the limitations of claim(s) 12 as well.

Claim 3:
	Song further teaches or suggests wherein detecting insights in the generated documents further comprises: applying a natural language processing (NLP) technique to the at least one generated document (see para. 0049 - the argument strings in the training dataset can be processed prior to being used. Sanitizing and normalizing the training dataset can be done to, for example, reduce features within the data that are not useful (e.g., attack traffic) or to improve the signal-to-noise ratio. In one example, each string in the training dataset can be un-escaped, where encoded strings can be decoded (e.g., using an unescape ( ) function). In other examples, the training dataset can be normalized by removing white space and numbers and/or ensuring that each character is in lower case; para. 0051 - probabilistic model is trained using the argument strings in the training dataset of legitimate data. Communication protocol messages, such as HTTP requests, are 
Claim(s) 13:
Claim(s) 13 correspond to Claim 3, and thus, Song and Dupont teach or suggest the limitations of claim(s) 13 as well.

Claim 4:
	Song and Dupont teach or suggest wherein the at least one representation includes a vector representation of at least one information element (see Song para. 0047 - the layout or structure is determined. For example, script argument strings within HTTP requests are structured by placing variable name and their respective arguments in pairs; See Dupont para. 1027 - Anomalies by deviation [805] can be detected on any type of feature [2900] associated to events; para. 1029 – vector features are the multidimensional; para. 1321 – groups [225] are computed by associating with each actor [220] a vector with one entry per topic [144] specifying the level of negative sentiment this actor [220] expresses with regard to this topic [144]. These vectors are clustered together using standard clustering techniques or using the continuous clustering component [ 412] that is part of this invention. Each cluster represents an affinity set of actors.).
Claim(s) 14:
Claim(s) 14 correspond to Claim 4, and thus, Song and Dupont teach or suggest the limitations of claim(s) 14 as well.

Claim 5:
	Song further teaches or suggests wherein the at least one received data set includes any one of: machine-to-machine communications and application programming interface (API) communications (see Fig. 1A, 1B; para. 0028 – computer 1060 to inject web layer code injection attacks into the communication protocol messages sent by one of the client computers; para. 0029 - monitor communication protocol messages and/or any other suitable network traffic from both local and remote hosts; para. 0035 - Various protocols can be used by computers or any other suitable digital processing devices to exchange data; para. 0036 - manipulate the execution flow of web applications.).
Claim(s) 15:
Claim(s) 15 correspond to Claim 5, and thus, Song and Dupont teach or suggest the limitations of claim(s) 15 as well.

Claim 6:
	Song and Dupont further teach or suggest parsing the records as any one of: sentences, words information elements, data units, and parsing procedures or sequences involving data packets or messages as paragraphs, wherein paragraphs contain sentences and sentences contain words (see Song para. 0030 - Detector 1030 can receive the incoming traffic, which can include one or more network data packets, data frames, one or more files that contain various types of data (e.g., text. can then analyze the incoming traffic and determine whether one or more of the communication protocol messages or a piece of the incoming traffic is legitimate or anomalous; para. 0046 - extract the argument string, the 
Claim(s) 16:
Claim(s) 16 correspond to Claim 6, and thus, Song and Dupont teach or suggest the limitations of claim(s) 16 as well.

Claim 7:
	Song further teaches or suggests wherein isolating the language of the at least one dataset further comprises: identifying pre-defined messages, procedures, and sessions for a protocol (see Song Fig. 2, 3; para. 0010 – dataset of normal communication protocol messages; para. 0011 - protocol messages and learns to recognize legitimate web layer 
Claim(s) 17:
Claim(s) 17 correspond to Claim 7, and thus, Song and Dupont teach or suggest the limitations of claim(s) 17 as well.

Claim 8:
	Dupont further teaches or suggests wherein generating the at least one document further comprises: identifying unique identifiers in the at least one received data set; and creating separate documents containing records relating to each identified unique identifier (see para. 0183 - textblock detection component [ 470] automatically identifies maximum contiguous sequences of sentences or sentence fragments which can likely be attributed to a single author. Once these textblock patterns [124] have been detected, any item [122] that contains that textblock or a significant portion of it is flagged by the system as a  considered by the periodic patterns. association between a type of event [100] and the right type of time stamps; para. 0411 - its identifier and time stamp within a compressed representation of the periodic patterns [126] the event; para. 0758 - Textblocks consist of the maximum contiguous sequence of sentences or sentence fragments which can be attributed to a single author. In certain cases, especially emails, a different author may interpose responses in the midst of a textblock. However, the textblock retains its core identity for as long as it remains recognizable.).
Accordingly, it would have been obvious to one having ordinary skill before the effective filing date of the claimed invention to modify the system and method, taught in Song, to include wherein generating the at least one document further comprises: identifying unique identifiers in the at least one received data set; and creating separate documents containing records relating to each identified unique identifier for the purpose of efficiently associating data objects and enriching data structures, as taught by Dupont (0411 and 0513).
Claim(s) 18:
Claim(s) 18 correspond to Claim 8, and thus, Song and Dupont teach or suggest the limitations of claim(s) 18 as well.

Claims 9 and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Song, in view of Dupont, and further in view of Xue et al., US Patent Application Publication no. US 2014/0298460 (“Xue”).
Claim 9:
	As indicated above, Song and Dupont teach or suggest learned hyperspace as a depiction of the at least one representation. 
	Song appears to fail to explicitly disclose and wherein semantic similarity between the at least one representation is determined by proximity within a hyperspace.
Xue teaches or suggests wherein the learned hyperspace is a depiction of the at least one representation, and wherein semantic similarity between the at least one representation is determined by proximity within a hyperspace (see Fig. 5; para. 0040 - feature extraction module 216 may then extract features associated with each training URL, as further discussed herein. In various embodiments, the extracted features are selective lexical features; para. 0042 - maps an input vector associated with extracted features into a high dimension hyperspace so that similarities between samples can be determined; para. 0045 - an edit distance between a deceptive brand name string and a real brand name string; para. 0047 - example, B={b1, b2, ..., bn} is a set of brand names known to be authentic and associated with resources (e.g., web site, group of web pages, etc.) configured by a legitimate entity; para. 0047 – name edit distance between S and an individual brand name b; may be defined as a minimum edit distance between the set of substrings; para. 0071 - feature extraction module 216 extracts features associated with the unknown URL 230 (or a redirected URL). In various embodiments, the feature extraction module 216 may extract one or more lexical features.).
wherein the learned hyperspace is a depiction of the at least one representation, and wherein semantic similarity between the at least one representation is determined by proximity within a hyperspace for the purpose of efficiently determining similarity using determined spaces and text distances, as taught by Xue (0042 and 0074).
Claim(s) 19:
Claim(s) 19 correspond to Claim 9, and thus, Song and Dupont teach or suggest the limitations of claim(s) 19 as well.

Response to Arguments
Rejections under 35 USC 103:
	Applicant argues Song does not teach or suggest “parsing at least one received data set into a text structure.”
	The Examiner respectfully disagrees.
	Song teaches where the argument strings (e.g., "val1=foo&val2=bar") are extracted from the communication protocol message. Para. 0045. Further, Song recites extract the argument string, the variable names from the argument string, the input values from the argument string, and/or the structure of the argument string. Para. 0046. Further, determining the content and the structure associated with an argument string. Para. 0048. Further, the knowledge of the communication protocol message and its structure can be used to determine, parse, extract, and/or isolate relevant portions of data from argument strings of any suitable protocol. Id. The Examiner notes that Song appears to parse the 

	Applicant argues Song does not teach or suggest “isolating a protocol language of the at least one received data set, wherein the protocol language is a standardized pattern for communication over at least one communication protocol.”
	The Examiner respectfully disagrees.
	Song teaches dataset of normal communication protocol messages. Para. 0010. Further, protocol messages and learns to recognize legitimate web layer script input. para. 0011. Further, based on the deviation of the newly received request from the probabilistic model of normal requests. para. 0021. Further, protocols can be used by computers or any other suitable digital processing devices to exchange data. para. 0035. Further, script argument strings within HTTP requests are structured by placing variable name and their respective arguments in pairs, with each pair placed from left to right within the argument string. Further, knowledge of the communication protocol message and its structure can be used to determine, parse, extract, and/or isolate relevant portions of data from argument strings of any suitable protocol. para. 0048. Further, probabilistic model described herein can be selected based on the protocol and its associated structure. Id. Further, communication protocol messages, such as HTTP requests, are generally structured by placing variable name (e.g., val1) followed by an input value (e.g., foo) with each pair of variable name and input structure placed from left to right. Para. 0051. The Examiner notes HTTP (hypertext transfer protocol) is a communications protocol for establishing connections and sending/receiving content. Further, Song describes isolating or specifically .”

	Applicant argues Song fails to teach or suggest “generating at least one document from the contents of the received at least one dataset, wherein the at least one document includes at least one parsed text structure.”
	The Examiner respectfully disagrees.
	Song teaches argument strings in the training dataset can be processed prior to being used to train the probabilistic model. para. 0049. Further, normalizing the training dataset can be done to, for example, reduce features within the data that are not useful. Id. Further, argument strings in the training dataset of legitimate data. Id. The Examiner notes Song describes generating documents that include the processed structured text sets and normalized versions as well. Accordingly, Song teaches or suggests “generating at least one document from the contents of the received at least one dataset, wherein the at least one document includes at least one parsed text structure.”

	Applicant argues Song does not teach or suggest “detecting insights in the at least one generated document, wherein the insights are detected in at least one representation .”
The Examiner respectfully disagrees.
Song teaches learning models customized for the protected server or servers, where training datasets of known legitimate data associated with the protected server or servers are available. para. 0044. Further, generating and training a probabilistic model, such as one or more Markov chain models. para. 0045. Further, probabilistic model is trained using the argument strings in the training dataset of legitimate data. para. 0051. Further, this probabilistic model is composed as a mixture of the aforementioned Markov chain structures. Id. As communication protocol messages, such as HTTP requests, are generally structured by placing variable name (e.g., val1) followed by an input value (e.g., foo) with each pair of variable name and input structure placed from left to right, a Markov chain structure can be used as a string model that can recognize the distribution of content and structure present within script input strings. Id. Further, "val1=AAA&val2=" was provided in the training dataset but "val1=BBB&val2" was not included in the training dataset, the latter argument string would be deemed anomalous. para. 0066. Further, detector recognizes that the substrings "val1=" and "val2=" are in the correct positions with respect to each other. para. 0067. Further, Markov chain, on the other hand, leverages the structure of communication protocol messages. para. 0068. Further, probabilistic model uses at least one Markov chain specified by one or more parameters to determine a probability that the argument string is anomalous based on n-grams in the argument string. Claim 2. In these sections Song teaches the usage of training datasets of known legitimate data hyperspaces and using the identified patterns in the generated documents that include the processed .”

	Applicant argues Song fails to teach or suggest “extracting rules from the detected insights.”
The Examiner respectfully disagrees.
Song teaches the probabilistic model is trained using the argument strings in the training dataset of legitimate data. para. 0051. This probabilistic model is composed as a mixture of the aforementioned Markov chain structures. Further, as communication protocol messages, such as HTTP requests, are generally structured by placing variable name (e.g., val1) followed by an input value (e.g., foo) with each pair of variable name and input structure placed from left to right, a Markov chain structure can be used as a string model that can recognize the distribution of content and structure present within script input strings probabilistic model is trained using the argument strings in the training dataset of legitimate data. Id. Further, this probabilistic model is composed as a mixture of the aforementioned Markov chain structures. Id. Further, as communication protocol messages, such as HTTP requests, are generally structured by placing variable name (e.g., val1) followed by an input value (e.g., foo) with each pair of variable name and input structure placed from left to right, a Markov chain structure can be used as a string model that can recognize the distribution of content and structure present within script input strings. Id. Further, detector can determine whether the substrings "foo" and "val1" from .”

	Applicant further argues Song fails to teach or suggest “detecting anomalies by applying the extracted rules on patterns for the communication over at least one communication protocol.”
	The Examiner respectfully disagrees.
	Song teaches the knowledge of the communication protocol message and its structure can be used to determine, parse, extract, and/or isolate relevant portions of data from argument strings of any suitable protocol. para. 0048. probabilistic model described herein can be selected based on the protocol and its associated structure. Id. Further, detector can determine whether the substrings "foo" and "val1" from the request 4000 in FIG. 4 are valid, whether their order is valid (i.e., the substring "foo" following the substring "val1"), and/or whether "val2" should follow these substrings. Capturing this structure infers that "foo" is an argument for the variable "val1." para. 0062. If "val1" is followed by .”

	Applicant further argues Dupont fails to teach or suggest “referencing a unique identifier; and mapped to at least one learned hyperspace.”
	The Examiner respectfully disagrees.
	Dupont teaches a unique identifier is synthesized for every event [100], calculated as described in U.S. Pat. No. 7,143,091. Examples of events [100] considered by the periodic patterns. association between a type of event [100] and the right type of time stamps. para. 0324-0336. Further, its identifier and time stamp within a compressed representation of the periodic patterns [126] the event. para. 0411. Further, use of a hypergraph data structure, which greatly increases expressivity over a conventional graph, as edges [115.20] can now be incident on any number of vertices [115.21] or other edges [115.20]. Using this model, a much greater variety of structures can be represented in the hypergraph. para. 0513. Further, Mapping Data Sources to the Hypergraph. para. 0591. Further, a rich, high dimensional model of behavior which allows for even relatively small, subtle changes in behavior to be trapped. para. 0599. Further, only its identifier and time .”
	
	Applicant further argues Dupont teaches away by teaching “a model without any rules.” 
	The Examiner respectfully disagrees. 
	Dupont simply recites in paragraph 0599 that “such a model can be defined without any definition of rules.” This does not equate to “a model without any rules.” Dupont even goes on in paragraph 0599 to describe using rules such as “look for behavior that is believed to be bad based on some prior incident … that especially when used in conjunction with other types of data or evidence sources [108] can help predict a dangerous incident before it occurs.” The Examiner further notes Dupont’s usage of rules in detection such as at least in para. 0584 – system contains a set of dispatch rules that determine which incremental computation (if any) should be run in response to query matches, these rules trigger computations intended to synthesize new pieces of evidence as well as the procedure(s) used to create or update discussions; para. 0986 - atomic anomaly [830] can also be triggered by a rule violation [855] which corresponds to an observed event [102] having breached a compliance rule [865] or any part of an internal or regulatory policy; para. 0993 - detection component [450] can also be configured to trigger atomic anomalies [830] based on rule violations [855], such as compliance rules.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Andrew T McIntosh whose telephone number is (571)270-7790. The examiner can normally be reached M-Th 8:00am-5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kavita Stanley can be reached on 571-272-8352. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.






/ANDREW T MCINTOSH/Primary Examiner, Art Unit 2176