DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Claims 1-10 are pending.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 3 and 5 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
Claim 3 recites the limitation “each of the individual-analysis-target connection group” in line 4. Claim 3 is dependent on claim 1, which only claims a single individual-analysis-target connection group, while claim 3 appears to refer to multiple groups. There is insufficient antecedent basis for this limitation in the claim.
Claim 4 is rejected due to dependency on rejected claim 3.
Claim 5 recites the limitation “each of bins” in line 5.  There is insufficient antecedent basis for this limitation in the claim.
Claim 6 is rejected due to dependency on rejected claim 5.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-5 and 7-10 are rejected under 35 U.S.C. 103 as being unpatentable over Ho et al., US Patent Pub. US 20190166024 A1 (hereinafter Ho) in view of Pietrowicz et al., US Patent Pub. US 20140204799 A1 (hereinafter Pietrowicz) in view of Matsunaga et al., US Patent Pub. US 20090052330 A1 (hereinafter Matsunaga) in view of Yadav et al., US Patent Pub. US 20160359886 A1 (hereinafter Yadav) in view of Muddu et al., US Patent Pub. US 20180367551 A1 (hereinafter Muddu).

Claim 1
Ho teaches a non-transitory computer-readable storage medium storing therein a computer readable network analysis program for causing a computer to execute processing (Ho, Para [0043] - - A non-transitory computer readable storage medium storing a computer program for performing a network anomaly analysis method.) including: performing local modeling analysis which determines an estimated value of a current network quality corresponding to explanatory variable vector in current aggregated data based on a local model including local training data (Ho, Para [0018-22] - - Performing modeling analysis using network status/quality data using normalized network status/quality data decomposed into eigenvectors/”explanatory variable vector” used as training data to determine a classification/local model.), the local training data including explanatory variable vectors that are within a predetermined distance from an explanatory variable vector in the current aggregated data among explanatory variable vectors in previous training data (Ho, Para [0028] - - Training data used in the normalized network status data decomposed into eigenvectors/”explanatory variable vector” that is within a threshold/predetermined distance from an existing/previous principal component data of an eigenvector/”explanatory variable vector”.), the current aggregated data being obtained by aggregating, in the plurality of connection groups, current network analysis data of connections (Ho, Para [0029-30] - - Collected/”current aggregated” data in a plurality of groups based on station addresses/connections that is analyzed by the network anomaly analysis apparatus.);
	But Ho fails to specify the previous training data being time-period-based training data that is obtained by aggregating, in a plurality of connection groups each including same communication node group as a source or a destination, previous network analysis data of connections which is obtained by acquiring packets the plurality of connection groups on a communication path of a network and analyzing the acquired packets.
However, Pietrowicz teaches the previous training data being time-period-based training data that is obtained by aggregating, in a plurality of connection groups each including same communication node group as a source or a destination, previous network analysis data of connections which is obtained by acquiring packets the plurality of connection groups on a communication path of a network and analyzing the acquired packets. (Pietrowicz, Para [0043-45] - - Time sequence/period based data collection/aggregating in node to node communication/”plurality of connection groups each including same communication node group as a source or a destination” acquired from packet analysis by a packet intercept system/”acquiring packets the plurality of connection groups on a communication path of a network” over a time interval.)
Ho and Pietrowicz are analogous art because they are from the same field of endeavor.  They relate to network analysis systems.
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the above network analysis system, as taught by Ho, and incorporating the time sequence based data collection in node to node communication acquired from packet analysis by a packet intercept system over a time interval, as taught by Pietrowicz.  
One of ordinary skill in the art would have been motivated to do this modification in order to detect system anomalies by using time sequence based data collection in node to node communication acquired from packet analysis by a packet intercept system over a time interval, as suggested by Pietrowicz (Para [0012]).
	But the combination of Ho and Pietrowicz fails to specify determining an abnormality in the network based on whether or not a measured value of the current network quality is lower than an abnormality determination threshold calculated based on the estimated value; performing distribution determination of determining whether or not a distribution of the connections having the measured value of the network quality exceeding the abnormality determination threshold is present in a size equal to or larger than a predetermined size in the network analysis data for the connections during an abnormal time block during which the abnormality in the network is determined.
However, Matsunaga teaches determining an abnormality in the network based on whether or not a measured value of the current network quality is lower than an abnormality determination threshold calculated based on the estimated value (Matsunaga, Para [0011-14], [0044-45], [0065-66] - - Determining if the degree of abnormality in the network based on a network communication quality is higher than/”quality is lower than” an anomaly threshold calculated based on the amount of difference between original and predicted/estimated versions of a data point in the negative direction is considered to be anomalous.); performing distribution determination of determining whether or not a distribution of the connections having the measured value of the network quality exceeding the abnormality determination threshold is present in a size equal to or larger than a predetermined size in the network analysis data for the connections during an abnormal time block during which the abnormality in the network is determined. (Matsunaga, Para [0011-14], [0044-45] - - Performing a probability distribution determination of communication/network quality in the operation of a communication network by counting connection failures/”distribution of connections” to determine if the upper probability that the communication quality index during a measurement period becomes lower than a measured/threshold value to detect an anomaly/abnormality in a predetermined time period/”abnormal time block during which the abnormality in the network is determined”.)
Ho, Pietrowicz, and Matsunaga are analogous art because they are from the same field of endeavor.  They relate to network analysis systems.
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to further modify the above network analysis system, as taught by Ho and Pietrowicz, and further incorporating determining if the degree of abnormality in the network based on a network communication quality is higher than an anomaly threshold calculated based on the amount of difference between original and predicted versions of a data point in the negative direction is considered to be anomalous and performing a probability distribution determination of communication quality in the operation of a communication network by counting connection failures to determine if the upper probability that the communication quality index during a measurement period becomes lower than a measured value to detect an anomaly in a predetermined time period, as taught by Matsunaga.  
One of ordinary skill in the art would have been motivated to do this modification in order to detect system anomalies by determining if the degree of abnormality in the network based on a network communication quality is higher than an anomaly threshold calculated based on the amount of difference between original and predicted versions of a data point in the negative direction is considered to be anomalous and performing a probability distribution determination of communication quality in the operation of a communication network by counting connection failures to determine if the upper probability that the communication quality index during a measurement period becomes lower than a measured value to detect an anomaly in a predetermined time period, as suggested by Matsunaga (Para [0003]).
But the combination of Ho, Pietrowicz, and Matsunaga fails to specify extracting, as an individual-analysis-target connection group, a specified connection group with equal to or more than a standard proportion of connections in the distribution of the connections having the size equal to or larger than the predetermined size.
However, Yadav teaches extracting, as an individual-analysis-target connection group, a specified connection group with equal to or more than a standard proportion of connections in the distribution of the connections having the size equal to or larger than the predetermined size. (Yadav, Para [0089-90] - - Extracting numeric features/”connection group” into a bin/group with a value/”number of connections” larger than a predetermined value/size.) 
Ho, Pietrowicz, Matsunaga, and Yadav are analogous art because they are from the same field of endeavor.  They relate to network analysis systems.
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to further modify the above network analysis system, as taught by Ho, Pietrowicz, and Matsunaga, and further incorporating extracting numeric features into a bin with a value larger than a predetermined value, as taught by Yadav.  
One of ordinary skill in the art would have been motivated to do this modification in order to collect features to serve as input for downstream use for anomaly detection by extracting numeric features into a bin with a value larger than a predetermined value, as suggested by Yadav (Para [0088]).
But the combination of Ho, Pietrowicz, Matsunaga, and Yadav fails to specify individually subjecting, to the local modeling analysis, the previous training data and the current aggregated data for the individual-analysis-target connection group and the previous training data and the current aggregated data for those of the plurality of connection groups other than the individual-analysis-target connection group to determine the abnormality in the network.
However, Muddu teaches individually subjecting, to the local modeling analysis, the previous training data and the current aggregated data for the individual-analysis-target connection group and the previous training data and the current aggregated data for those of the plurality of connection groups other than the individual-analysis-target connection group to determine the abnormality in the network. (Muddu, Para [0521],  [0629], [0664-674] - - Modeling analysis of connection/”individual-analysis-target connection” groups using training data and real/current time data and comparing to beacon data of other connection group/”connection groups other than the individual-analysis-target connection group” data to perform anomaly/abnormality detection.)
Ho, Pietrowicz, Matsunaga, Yadav, and Muddu are analogous art because they are from the same field of endeavor.  They relate to network analysis systems.
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to further modify the above network analysis system, as taught by Ho, Pietrowicz, Matsunaga, and Yadav, and further incorporating modeling analysis of connection groups using training data and real time data and comparing to beacon data of other connection group data to perform anomaly detection, as taught by Muddu.  
One of ordinary skill in the art would have been motivated to do this modification in order to determine if a connection group is identifiable as an anomaly by using modeling analysis of connection groups using training data and real time data and comparing to beacon data of other connection group data to perform anomaly detection, as suggested by Muddu (Abstract).

Claim 2
The combination of Ho, Pietrowicz, Matsunaga, Yadav, and Muddu teaches all the limitations of the base claims as outlined above.  
Muddu further teaches generating, based on the local model, a local linear model for calculating the estimated value from the explanatory variable vector; and calculating, based on the local linear model, the estimated value with respect to the explanatory variable vector in the current aggregated data. (Muddu, Para [0630-634] - - Generating a local linear model calculating based on a feature/”explanatory variable” vector to determine a feature score/”estimated value”.)
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to further modify the above network analysis system, as taught by Ho, Pietrowicz, Matsunaga, Yadav, and Muddu, and further incorporating generating a local linear model calculating based on a feature vector to determine a feature score, as taught by Muddu.  
One of ordinary skill in the art would have been motivated to do this modification in order to determine if a connection group is identifiable as an anomaly by generating a local linear model calculating based on a feature vector to determine a feature score to perform anomaly detection, as suggested by Muddu (Abstract).

Claim 3
The combination of Ho, Pietrowicz, Matsunaga, Yadav, and Muddu teaches all the limitations of the base claims as outlined above.  
Muddu further teaches not generating an alarm reporting the abnormality in the network when determining that each of the individual-analysis-target connection group and the other connection groups does not correspond to the abnormality in the network. (Muddu, Para [0659-661] - - Determining if an anomaly/abnormality in a connection group is not a threat and does not generate an alarm reporting the anomaly/abnormality.)
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to further modify the above network analysis system, as taught by Ho, Pietrowicz, Matsunaga, Yadav, and Muddu, and further incorporating determining if an anomaly in a connection group is not a threat and does not generate an alarm reporting the anomaly, as taught by Muddu.  
One of ordinary skill in the art would have been motivated to do this modification in order to reduce the number of false positive alarms by determining if an anomaly in a connection group is not a threat and does not generate an alarm reporting the anomaly, as suggested by Muddu (Para [0349]).

Claim 4
The combination of Ho, Pietrowicz, Matsunaga, Yadav, and Muddu teaches all the limitations of the base claims as outlined above.  
Muddu further teaches setting an appropriate range based on a dispersion of the local model by multiplying the dispersion by a factor; and increasing, when a feedback returned from a receiver of the alarm in response to the alarm indicates that the alarm is inadequate, a value of the factor to enlarge the appropriate range. (Muddu, Para [0151-154], [0660], [0667-670] - - Setting an allowed/appropriate connection range using a whitelist/”dispersion of the local model” that is modified/enlarged to include additional models based on user/”receiver of the alarm” feedback.)
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to further modify the above network analysis system, as taught by Ho, Pietrowicz, Matsunaga, Yadav, and Muddu, and further incorporating setting an allowed connection range using a whitelist that is modified to include additional models based on user feedback, as taught by Muddu.  
One of ordinary skill in the art would have been motivated to do this modification in order to reduce the number of false positive alarms by setting an allowed connection range using a whitelist that is modified to include additional models based on user feedback, as suggested by Muddu (Para [0349]).

Claim 5
The combination of Ho, Pietrowicz, Matsunaga, Yadav, and Muddu teaches all the limitations of the base claims as outlined above.  
Yadav further teaches generating, for the network analysis data for the connections during the abnormal time block, a histogram in which the measured value of the network quality is allocated to each of bins, and a value obtained by multiplying the number of the connections by the measured value is used as the number of the bins, and
determining whether or not the distribution of the connections having the measured value of the network quality exceeding the abnormality determination threshold has a distribution peak having a size equal to or larger than a predetermined size in the histogram. (Yadav, Para [0054], [0078], [0088-93] - - Generating a histogram with measured numeric features/”network quality” exceeding a minimum/threshold value and bin boundaries selected based on a probability of feature density estimates/”predetermined size of distribution peak” to retain the spikiness in the distribution.)
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to further modify the above network analysis system, as taught by Ho, Pietrowicz, Matsunaga, Yadav, and Muddu, and further incorporating generating a histogram with measured numeric features exceeding a minimum/threshold value and bin boundaries selected based on a probability of feature density estimates to retain the spikiness in the distribution, as taught by Yadav.  
One of ordinary skill in the art would have been motivated to do this modification in order to collect features to serve as input for downstream use for anomaly detection by generating a histogram with measured numeric features exceeding a minimum/threshold value and bin boundaries selected based on a probability of feature density estimates to retain the spikiness in the distribution, as suggested by Yadav (Para [0088]).

Claim 7
The combination of Ho, Pietrowicz, Matsunaga, Yadav, and Muddu teaches all the limitations of the base claims as outlined above.  
The combination of Ho, Pietrowicz, Matsunaga, Yadav, and Muddu further teaches the network analysis data includes the numbers of the connections and quality values each representing the network quality, and each of the previous training data and the current aggregated data each resulting from the aggregation in the plurality of connection groups includes a total of the numbers of the connections and an average of the quality values. (Ho, Para [0018], [0029-30] - - Collected/”current aggregated” data in a plurality of groups used in K means/average algorithms includes the number of station addresses/connections and associated quality values that is analyzed by the network anomaly analysis apparatus.)

Claim 8
The combination of Ho, Pietrowicz, Matsunaga, Yadav, and Muddu teaches all the limitations of the base claims as outlined above.  
Matsunaga further teaches the abnormality determination threshold is calculated by adding, to the estimated value, an appropriate range based on a dispersion of the network quality in the local model. (Matsunaga, Para [0065], [0073-77] - - The abnormality determination threshold is updated/calculated by adding a value in proportion to the degree of abnormality/”dispersion of the network quality” based on autoregressive modeling.)
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to further modify the above network analysis system, as taught by Ho, Pietrowicz, Matsunaga, Yadav, and Muddu, and further incorporating updating an abnormality determination threshold by adding a value in proportion to the degree of abnormality based on autoregressive modeling, as taught by Matsunaga.  
One of ordinary skill in the art would have been motivated to do this modification in order to detect system anomalies by updating an abnormality determination threshold by adding a value in proportion to the degree of abnormality based on autoregressive modeling, as suggested by Matsunaga (Para [0003]).

Claim 9
Ho teaches a network analysis device for determining an abnormality in a network, the device comprising: a processor; and a memory configured to be accessed by the processor (Ho, Para [0017], [0043] - - A processor and memory configured to perform a network anomaly analysis method.); wherein the processor executes: performing local modeling analysis which determines an estimated value of a current network quality corresponding to explanatory variable vector in current aggregated data based on a local model including local training data (Ho, Para [0018-22] - - Performing modeling analysis using network status/quality data using normalized network status/quality data decomposed into eigenvectors/”explanatory variable vector” used as training data to determine a classification/local model.), the local training data including explanatory variable vectors that are within a predetermined distance from an explanatory variable vector in the current aggregated data among explanatory variable vectors in previous training data (Ho, Para [0028] - - Training data used in the normalized network status data decomposed into eigenvectors/”explanatory variable vector” that is within a threshold/predetermined distance from an existing/previous principal component data of an eigenvector/”explanatory variable vector”.), the current aggregated data being obtained by aggregating, in the plurality of connection groups, current network analysis data of connections (Ho, Para [0029-30] - - Collected/”current aggregated” data in a plurality of groups based on station addresses/connections that is analyzed by the network anomaly analysis apparatus.);
	But Ho fails to specify the previous training data being time-period-based training data that is obtained by aggregating, in a plurality of connection groups each including same communication node group as a source or a destination, previous network analysis data of connections which is obtained by acquiring packets the plurality of connection groups on a communication path of a network and analyzing the acquired packets.
However, Pietrowicz teaches the previous training data being time-period-based training data that is obtained by aggregating, in a plurality of connection groups each including same communication node group as a source or a destination, previous network analysis data of connections which is obtained by acquiring packets the plurality of connection groups on a communication path of a network and analyzing the acquired packets. (Pietrowicz, Para [0043-45] - - Time sequence/period based data collection/aggregating in node to node communication/”plurality of connection groups each including same communication node group as a source or a destination” acquired from packet analysis by a packet intercept system/”acquiring packets the plurality of connection groups on a communication path of a network” over a time interval.)
Ho and Pietrowicz are analogous art because they are from the same field of endeavor.  They relate to network analysis systems.
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the above network analysis system, as taught by Ho, and incorporating the time sequence based data collection in node to node communication acquired from packet analysis by a packet intercept system over a time interval, as taught by Pietrowicz.  
One of ordinary skill in the art would have been motivated to do this modification in order to detect system anomalies by using time sequence based data collection in node to node communication acquired from packet analysis by a packet intercept system over a time interval, as suggested by Pietrowicz (Para [0012]).
	But the combination of Ho and Pietrowicz fails to specify determining an abnormality in the network based on whether or not a measured value of the current network quality is lower than an abnormality determination threshold calculated based on the estimated value; performing distribution determination of determining whether or not a distribution of the connections having the measured value of the network quality exceeding the abnormality determination threshold is present in a size equal to or larger than a predetermined size in the network analysis data for the connections during an abnormal time block during which the abnormality in the network is determined.
However, Matsunaga teaches determining an abnormality in the network based on whether or not a measured value of the current network quality is lower than an abnormality determination threshold calculated based on the estimated value (Matsunaga, Para [0011-14], [0044-45], [0065-66] - - Determining if the degree of abnormality in the network based on a network communication quality is higher than/”quality is lower than” an anomaly threshold calculated based on the amount of difference between original and predicted/estimated versions of a data point in the negative direction is considered to be anomalous.); performing distribution determination of determining whether or not a distribution of the connections having the measured value of the network quality exceeding the abnormality determination threshold is present in a size equal to or larger than a predetermined size in the network analysis data for the connections during an abnormal time block during which the abnormality in the network is determined. (Matsunaga, Para [0011-14], [0044-45] - - Performing a probability distribution determination of communication/network quality in the operation of a communication network by counting connection failures/”distribution of connections” to determine if the upper probability that the communication quality index during a measurement period becomes lower than a measured/threshold value to detect an anomaly/abnormality in a predetermined time period/”abnormal time block during which the abnormality in the network is determined”.)
Ho, Pietrowicz, and Matsunaga are analogous art because they are from the same field of endeavor.  They relate to network analysis systems.
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to further modify the above network analysis system, as taught by Ho and Pietrowicz, and further incorporating determining if the degree of abnormality in the network based on a network communication quality is higher than an anomaly threshold calculated based on the amount of difference between original and predicted versions of a data point in the negative direction is considered to be anomalous and performing a probability distribution determination of communication quality in the operation of a communication network by counting connection failures to determine if the upper probability that the communication quality index during a measurement period becomes lower than a measured value to detect an anomaly in a predetermined time period, as taught by Matsunaga.  
One of ordinary skill in the art would have been motivated to do this modification in order to detect system anomalies by determining if the degree of abnormality in the network based on a network communication quality is higher than an anomaly threshold calculated based on the amount of difference between original and predicted versions of a data point in the negative direction is considered to be anomalous and performing a probability distribution determination of communication quality in the operation of a communication network by counting connection failures to determine if the upper probability that the communication quality index during a measurement period becomes lower than a measured value to detect an anomaly in a predetermined time period, as suggested by Matsunaga (Para [0003]).
But the combination of Ho, Pietrowicz, and Matsunaga fails to specify extracting, as an individual-analysis-target connection group, a specified connection group with equal to or more than a standard proportion of connections in the distribution of the connections having the size equal to or larger than the predetermined size.
However, Yadav teaches extracting, as an individual-analysis-target connection group, a specified connection group with equal to or more than a standard proportion of connections in the distribution of the connections having the size equal to or larger than the predetermined size. (Yadav, Para [0089-90] - - Extracting numeric features/”connection group” into a bin/group with a value/”number of connections” larger than a predetermined value/size.) 
Ho, Pietrowicz, Matsunaga, and Yadav are analogous art because they are from the same field of endeavor.  They relate to network analysis systems.
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to further modify the above network analysis system, as taught by Ho, Pietrowicz, and Matsunaga, and further incorporating extracting numeric features into a bin with a value larger than a predetermined value, as taught by Yadav.  
One of ordinary skill in the art would have been motivated to do this modification in order to collect features to serve as input for downstream use for anomaly detection by extracting numeric features into a bin with a value larger than a predetermined value, as suggested by Yadav (Para [0088]).
But the combination of Ho, Pietrowicz, Matsunaga, and Yadav fails to specify individually subjecting, to the local modeling analysis, the previous training data and the current aggregated data for the individual-analysis-target connection group and the previous training data and the current aggregated data for those of the plurality of connection groups other than the individual-analysis-target connection group to determine the abnormality in the network.
However, Muddu teaches individually subjecting, to the local modeling analysis, the previous training data and the current aggregated data for the individual-analysis-target connection group and the previous training data and the current aggregated data for those of the plurality of connection groups other than the individual-analysis-target connection group to determine the abnormality in the network. (Muddu, Para [0521], [0629], [0664-674] - - Modeling analysis of connection/“individual-analysis-target connection” groups using training data and real/current time data and comparing to beacon data of other connection group/“connection groups other than the individual-analysis-target connection group” data to perform anomaly/abnormality detection.)
Ho, Pietrowicz, Matsunaga, Yadav, and Muddu are analogous art because they are from the same field of endeavor.  They relate to network analysis systems.
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to further modify the above network analysis system, as taught by Ho, Pietrowicz, Matsunaga, and Yadav, and further incorporating modeling analysis of connection groups using training data and real time data and comparing to beacon data of other connection group data to perform anomaly detection, as taught by Muddu.  
One of ordinary skill in the art would have been motivated to do this modification in order to determine if a connection group is identifiable as an anomaly by using modeling analysis of connection groups using training data and real time data and comparing to beacon data of other connection group data to perform anomaly detection, as suggested by Muddu (Abstract).

Claim 10
Ho teaches a network analysis method (Ho, Para [0043] - - A network anomaly analysis method.) comprising processing of: performing local modeling analysis which determines an estimated value of a current network quality corresponding to explanatory variable vector in current aggregated data based on a local model including local training data (Ho, Para [0018-22] - - Performing modeling analysis using network status/quality data using normalized network status/quality data decomposed into eigenvectors/“explanatory variable vector” used as training data to determine a classification/local model.), the local training data including explanatory variable vectors that are within a predetermined distance from an explanatory variable vector in the current aggregated data among explanatory variable vectors in previous training data (Ho, Para [0028] - - Training data used in the normalized network status data decomposed into eigenvectors/“explanatory variable vector” that is within a threshold/predetermined distance from an existing/previous principal component data of an eigenvector/“explanatory variable vector”.), the current aggregated data being obtained by aggregating, in the plurality of connection groups, current network analysis data of connections (Ho, Para [0029-30] - - Collected/“current aggregated” data in a plurality of groups based on station addresses/connections that is analyzed by the network anomaly analysis apparatus.);
But Ho fails to specify the previous training data being time-period-based training data that is obtained by aggregating, in a plurality of connection groups each including same communication node group as a source or a destination, previous network analysis data of connections which is obtained by acquiring packets the plurality of connection groups on a communication path of a network and analyzing the acquired packets.
However, Pietrowicz teaches the previous training data being time-period-based training data that is obtained by aggregating, in a plurality of connection groups each including same communication node group as a source or a destination, previous network analysis data of connections which is obtained by acquiring packets the plurality of connection groups on a communication path of a network and analyzing the acquired packets. (Pietrowicz, Para [0043-45] - - Time sequence/period based data collection/aggregating in node to node communication/“plurality of connection groups each including same communication node group as a source or a destination” acquired from packet analysis by a packet intercept system/“acquiring packets the plurality of connection groups on a communication path of a network” over a time interval.)
Ho and Pietrowicz are analogous art because they are from the same field of endeavor.  They relate to network analysis systems.
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the above network analysis system, as taught by Ho, and incorporating the time sequence based data collection in node to node communication acquired from packet analysis by a packet intercept system over a time interval, as taught by Pietrowicz.  
One of ordinary skill in the art would have been motivated to do this modification in order to detect system anomalies by using time sequence based data collection in node to node communication acquired from packet analysis by a packet intercept system over a time interval, as suggested by Pietrowicz (Para [0012]).
But the combination of Ho and Pietrowicz fails to specify determining an abnormality in the network based on whether or not a measured value of the current network quality is lower than an abnormality determination threshold calculated based on the estimated value; performing distribution determination of determining whether or not a distribution of the connections having the measured value of the network quality exceeding the abnormality determination threshold is present in a size equal to or larger than a predetermined size in the network analysis data for the connections during an abnormal time block during which the abnormality in the network is determined.
However, Matsunaga teaches determining an abnormality in the network based on whether or not a measured value of the current network quality is lower than an abnormality determination threshold calculated based on the estimated value (Matsunaga, Para [0011-14], [0044-45], [0065-66] - - Determining if the degree of abnormality in the network based on a network communication quality is higher than/“quality is lower than” an anomaly threshold calculated based on the amount of difference between original and predicted/estimated versions of a data point in the negative direction is considered to be anomalous.); performing distribution determination of determining whether or not a distribution of the connections having the measured value of the network quality exceeding the abnormality determination threshold is present in a size equal to or larger than a predetermined size in the network analysis data for the connections during an abnormal time block during which the abnormality in the network is determined. (Matsunaga, Para [0011-14], [0044-45] - - Performing a probability distribution determination of communication/network quality in the operation of a communication network by counting connection failures/“distribution of connections” to determine if the upper probability that the communication quality index during a measurement period becomes lower than a measured/threshold value to detect an anomaly/abnormality in a predetermined time period/“abnormal time block during which the abnormality in the network is determined”.)
Ho, Pietrowicz, and Matsunaga are analogous art because they are from the same field of endeavor.  They relate to network analysis systems.
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to further modify the above network analysis system, as taught by Ho and Pietrowicz, and further incorporating determining if the degree of abnormality in the network based on a network communication quality is higher than an anomaly threshold calculated based on the amount of difference between original and predicted versions of a data point in the negative direction is considered to be anomalous and performing a probability distribution determination of communication quality in the operation of a communication network by counting connection failures to determine if the upper probability that the communication quality index during a measurement period becomes lower than a measured value to detect an anomaly in a predetermined time period, as taught by Matsunaga.  
One of ordinary skill in the art would have been motivated to do this modification in order to detect system anomalies by determining if the degree of abnormality in the network based on a network communication quality is higher than an anomaly threshold calculated based on the amount of difference between original and predicted versions of a data point in the negative direction is considered to be anomalous and performing a probability distribution determination of communication quality in the operation of a communication network by counting connection failures to determine if the upper probability that the communication quality index during a measurement period becomes lower than a measured value to detect an anomaly in a predetermined time period, as suggested by Matsunaga (Para [0003]).
But the combination of Ho, Pietrowicz, and Matsunaga fails to specify extracting, as an individual-analysis-target connection group, a specified connection group with equal to or more than a standard proportion of connections in the distribution of the connections having the size equal to or larger than the predetermined size.
However, Yadav teaches extracting, as an individual-analysis-target connection group, a specified connection group with equal to or more than a standard proportion of connections in the distribution of the connections having the size equal to or larger than the predetermined size. (Yadav, Para [0089-90] - - Extracting numeric features/“connection group” into a bin/group with a value/“number of connections” larger than a predetermined value/size.)
Ho, Pietrowicz, Matsunaga, and Yadav are analogous art because they are from the same field of endeavor.  They relate to network analysis systems.
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to further modify the above network analysis system, as taught by Ho, Pietrowicz, and Matsunaga, and further incorporating extracting numeric features into a bin with a value larger than a predetermined value, as taught by Yadav.  
One of ordinary skill in the art would have been motivated to do this modification in order to collect features to serve as input for downstream use for anomaly detection by extracting numeric features into a bin with a value larger than a predetermined value, as suggested by Yadav (Para [0088]).
But the combination of Ho, Pietrowicz, Matsunaga, and Yadav fails to specify individually subjecting, to the local modeling analysis, the previous training data and the current aggregated data for the individual-analysis-target connection group and the previous training data and the current aggregated data for those of the plurality of connection groups other than the individual-analysis-target connection group to determine the abnormality in the network.
However, Muddu teaches individually subjecting, to the local modeling analysis, the previous training data and the current aggregated data for the individual-analysis-target connection group and the previous training data and the current aggregated data for those of the plurality of connection groups other than the individual-analysis-target connection group to determine the abnormality in the network. (Muddu, Para [0521], [0629], [0664-674] - - Modeling analysis of connection/“individual-analysis-target connection” groups using training data and real/current time data and comparing to beacon data of other connection group/“connection groups other than the individual-analysis-target connection group” data to perform anomaly/abnormality detection.)
Ho, Pietrowicz, Matsunaga, Yadav, and Muddu are analogous art because they are from the same field of endeavor.  They relate to network analysis systems.
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to further modify the above network analysis system, as taught by Ho, Pietrowicz, Matsunaga, and Yadav, and further incorporating modeling analysis of connection groups using training data and real time data and comparing to beacon data of other connection group data to perform anomaly detection, as taught by Muddu.  
One of ordinary skill in the art would have been motivated to do this modification in order to determine if a connection group is identifiable as an anomaly by using modeling analysis of connection groups using training data and real time data and comparing to beacon data of other connection group data to perform anomaly detection, as suggested by Muddu (Abstract).


Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Ho et al., US Patent Pub. US 20190166024 A1 (hereinafter Ho) in view of Pietrowicz et al., US Patent Pub. US 20140204799 A1 (hereinafter Pietrowicz) in view of Matsunaga et al., US Patent Pub. US 20090052330 A1 (hereinafter Matsunaga) in view of Yadav et al., US Patent Pub. US 20160359886 A1 (hereinafter Yadav) in view of Muddu et al., US Patent Pub. US 20180367551 A1 (hereinafter Muddu) as applied to Claims 1-5 and 7-10 above, and in further view of Baikalov et al., US Patent Pub. US 20160226901 A1 (hereinafter Baikalov).

Claim 6
The combination of Ho, Pietrowicz, Matsunaga, Yadav, and Muddu teaches all the limitations of the base claims as outlined above.  
But the combination of Ho, Pietrowicz, Matsunaga, Yadav, and Muddu fails to specify placing, for the plurality of respective connections during the abnormal time block, modified kernel functions each obtained by multiplying a kernel function centering around the measured value by the measured value at positions of the measured values in the histogram and generating, as the histogram, a distribution curve using a value obtained by adding up the plurality of placed modified kernel functions as the number of the bins; and determining whether or not the distribution curve has the distribution peak having the size equal to or larger than the predetermined size at a position having the measured value of the network quality exceeding the abnormality determination threshold.
However, Baikalov teaches placing modified kernel functions each obtained by multiplying a kernel function centering around the measured value by the measured value at positions of the measured values in the histogram and generating, as the histogram, a distribution curve using a value obtained by adding up the plurality of placed modified kernel functions; and determining whether or not the distribution curve has the distribution peak having the size equal to or larger than the predetermined size at a position having the measured value of the network quality exceeding the abnormality determination threshold. (Baikalov, Para [0017-19] - - Generating a distribution curve using kernel density estimation with current data/“measured value” formed by summing the individual kernels for each of the measurements and determining if the distribution peak of activity occurrences/“network quality” is an anomaly if said determined probability exceeds a predetermined threshold.)
Ho, Pietrowicz, Matsunaga, Yadav, Muddu, and Baikalov are analogous art because they are from the same field of endeavor.  They relate to network analysis systems.
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to further modify the above network analysis system, as taught by Ho, Pietrowicz, Matsunaga, Yadav, and Muddu, and further incorporating generating a histogram with measured numeric features exceeding a minimum value and bin boundaries selected based on a probability of feature density estimates to retain the spikiness in the distribution, as taught by Baikalov.  
One of ordinary skill in the art would have been motivated to do this modification in order to detect anomalous activities in a computer network by generating a histogram with measured numeric features exceeding a minimum value and bin boundaries selected based on a probability of feature density estimates to retain the spikiness in the distribution, as suggested by Baikalov (Abstract).


Citation of Pertinent Prior Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Cantrell, US Patent Num. US 11181894 B2 relates to claims 1, 9, and 10 regarding anomaly thresholds, training data, and anomaly detection models.
Vassuer et al., US Patent Pub. US 20150195296 A1 relates to claims 1-2, 9, and 10 regarding anomaly detection in a computer network, statistical models, linear models, and alarm thresholds.
Cote et al., US Patent Pub. US 20180248905 A1 relates to claims 1, 9, and 10 regarding determining models based on machine learning training with the performance monitoring data, user defined thresholds, and abnormal behavior detection in networks.
Yang et al., US Patent Pub. US 20170094537 A1 relates to claims 1-2, 9, and 10 regarding anomaly detection in a network and anomaly thresholds.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAVID E OGG whose telephone number is (469) 295-9163.  The examiner can normally be reached on Mon - Thurs 7:30 am - 5:00 pm CT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Mohammad Ali can be reached on 571-272-4105.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/DAVID EARL OGG/
Examiner, Art Unit 2119

/MOHAMMAD ALI/
Supervisory Patent Examiner, Art Unit 2119