Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
Claims 1-20 are pending.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claim Objections
Applicant is advised that should claim 5 be found allowable, claim 6 will be objected to under 37 CFR 1.75 as being a substantial duplicate thereof. When two claims in an application are duplicates or else are so close in content that they both cover the same thing, despite a slight difference in wording, it is proper after allowing one claim to object to the other as being a substantial duplicate of the allowed claim. See MPEP § 608.01(m). 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-3, 5-10, 12-17, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Bassias et al (US Pub. No. 2016/0381077), hereafter, “Bassias,” in view of Kirti et al (US Pub. No. 2015/0172321), hereafter, “Kirti.”

As to claim 1, Bassias discloses a system, comprising: a computing device comprising a processor and a memory, the computing device executing a management service that manages a plurality of client devices; and machine-readable instructions stored in the memory that, when executed by the processor (Abstract), cause the computing device to at least: 
obtain a plurality of device check-ins associated with the plurality of client devices over a first time period ([0022], particularly, “The one or more log line parameters comprises at least one of: user ID, session, IP address, and URL query. The features of a features table, organized or grouped by sessions, comprises at least one of: user session duration, number of requests in user session, average time between clicks in user session, user session click rate, percentage of image requests in user session, percentage of 4xx responses in user session, percentage of 3xx responses in user session, percentage of 2xx responses in user session, percentage of zip responses in user session, percentage of binary responses in user session, and percentage of head requests in user session.” requests reading on check-ins); 
obtain a set of device check-ins corresponding to the first time period, wherein respective ones of the device check-ins correspond to respective ones of the client devices ([0022] and [0036], particularly, “Processing begins at 600 whereupon, at block 605, log lines belonging to one or more log line parameters are grouped from one or more enterprise or e-commerce system data sources and/or from incoming data traffic to the enterprise or e-commerce system…The one or more log line parameters comprises at least one of: user ID, session, IP address, and URL query.”); 
calculate a variance of the set of device check-ins based on a quantity of device check-ins that correspond to individual client devices ([0038], particularly, “At block 615, one or more statistical models are used on the one or more features tables to identify statistical outliers. The one or more statistical models comprises at least one of: Clustering models, Hidden Markov model, and Copula models.”); 
identify an anomalous device based upon the quantity of device check-ins for the anomalous device exceeding a variance threshold ([0039], particularly, “At block 620, the statistical outliers are labeled to create one or more labeled features tables. In some embodiments, the labeling of the statistical outliers comprises presenting an administrator the statistical outliers for identification as malicious, non-malicious, or other administrator defined label.”); and 
However, Bassias does not explicitly disclose publishing a notification to a notification channel in response to identifying the anomalous device.
But, Kirti discloses publishing a notification to a notification channel in response to identifying an anomalous device ([0092] and [0104], particularly, “For example, an alert notifies an administrator, who then makes changes to an external system in which the monitoring and control system does not have visibility.”).
Therefore it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the application to combine the teachings of Bassias and Kirti in order to provide a system that can keep network administrators informed about any security concerns in real-time.

As to claims 8 and 15, they are rejected by a similar rationale to that set forth in claim 1’s rejection.
  
As to claims 2, 9, and 16, the teachings of Bassias and Kirti as combined for the same reasons as set forth in claim 1’s rejection disclose the machine-readable instructions further cause the computing device to at least obtain a response in the notification channel to perform a remedial action with respect to the anomalous device (Kirti, [0092] and [0104], particularly, “For example, an alert notifies an administrator, who then makes changes to an external system in which the monitoring and control system does not have visibility.”).

As to claims 3, 10, and 17, the teachings of Bassias and Kirti as combined for the same reasons as set forth in claim 1’s rejection disclose the machine-readable instructions that cause the computing device to perform the remedial action further cause the computing device to at least perform the remedial action in response to a reply received from an admin device associated with an administrative user (Kirti, [0092] and [0104], particularly, “For example, an alert notifies an administrator, who then makes changes to an external system in which the monitoring and control system does not have visibility.”).


As to claims 5, 6, and 12, the teachings of Bassias and Kirti as combined for the same reasons as set forth in claim 1’s rejection disclose the machine-readable instructions further cause the computing device to at least identify the anomalous device based upon an analysis of a second time period that is greater than the first time period (Bassias, [0022] and [0038], particularly, “At block 615, one or more statistical models are used on the one or more features tables to identify statistical outliers. The one or more statistical models comprises at least one of: Clustering models, Hidden Markov model, and Copula models.”; the log analysis can be run multiple times and with varying time periods).

As to claims 13 and 20, the teachings of Bassias and Kirti as combined for the same reasons as set forth in claim 1’s rejection disclose identifying the anomalous device based upon an analysis of a second time period that is greater than the first time period, wherein the anomalous device is associated with the quantity of device check-ins that is less than the variance threshold, and the anomalous device is detected by being associated with more than one time period of an elevated quantity of device check-ins (Bassias, [0022] and [0038], particularly, “At block 615, one or more statistical models are used on the one or more features tables to identify statistical outliers. The one or more statistical models comprises at least one of: Clustering models, Hidden Markov model, and Copula models.”; the log analysis can be run multiple times and with varying time periods).

As to claims 7 and 14, the teachings of Bassias and Kirti as combined for the same reasons as set forth in claim 1’s rejection disclose the machine-readable instructions further cause the computing device to at least execute a long short-term memory forecaster to detect a quantity of device check-ins in a subsequent time period based upon a historical log of device check-ins (Bassias, [0022] and [0038], particularly, “At block 615, one or more statistical models are used on the one or more features tables to identify statistical outliers. The one or more statistical models comprises at least one of: Clustering models, Hidden Markov model, and Copula models.”).

As to claim 19, the teachings of Bassias and Kirti as combined for the same reasons as set forth in claim 1’s rejection disclose the machine-readable instructions further cause the computing device to at least identify the anomalous device based upon an analysis of a second time period that is greater than the first time period, wherein the anomalous device is associated with the quantity of device check-ins that is less than the variance threshold, and the anomalous device is detected by being associated with a cluster of other devices causing an elevated quantity of device check-ins (Bassias, [0022] and [0038], particularly, “At block 615, one or more statistical models are used on the one or more features tables to identify statistical outliers. The one or more statistical models comprises at least one of: Clustering models, Hidden Markov model, and Copula models.”).

Allowable Subject Matter
Claims 4, 11, and 18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
US Pub. No. 2017/0124478 (Baradaran et al) - The method involves determining a region with a center and an outer radius that covers a spatial extent of a first cluster of data points by a normalcy calculator of a device. First normalcy radius for the first cluster is determined by adjusting the region around the center until a point at which outliers are excluded from the adjusted region and the adjusted region is defined by the first normalcy radius by the normalcy calculator. The region defined by the first radius is used to determine whether a new data point is normal or abnormal by an outlier detector of the device.
US Pub. No. 2017/0230392 (Dean et al) - The method involves deriving values of metric, representative of data associated with the device. A distribution of the values of the metric is modeled. A probability of observing a more extreme value of the metric than a given value of the metric is determined when the given value is greater than a suitable quantile point of the values, in accordance with the distribution of the values of the metric. The probability is used to determine whether the device is behaving anomalously.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS J DAILEY whose telephone number is (571)270-1246.  The examiner can normally be reached on 9:30am-6:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen can be reached on 571-272-6967.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/Thomas J Dailey/
Primary Examiner, Art Unit 2452