DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

The following is a Non-Final Office Action in response to applicant’s filing on July 13, 2020.
Claims 1-17 are pending.

Specification
Applicant is reminded of the proper language and format for an abstract of the disclosure.
The abstract should be in narrative form and generally limited to a single paragraph on a separate sheet within the range of 50 to 150 words in length. The abstract should describe the disclosure sufficiently to assist readers in deciding whether there is a need for consulting the full patent text for details.
The language should be clear and concise and should not repeat information given in the title. It should avoid using phrases which can be implied, such as, “The disclosure concerns,” “The disclosure defined by this invention,” “The disclosure describes,” etc.  In addition, the form and legal phraseology often used in patent claims, such as “means” and “said,” should be avoided.
The abstract of the disclosure is objected to because it has more than 150 words. Correction is required. See MPEP § 608.01(b).

The disclosure is objected to because of the following informalities:
In paragraph 0016, the element “host devices 206n” is not shown in FIG. 2.  
Appropriate correction is required.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-17 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al. (US 2019/0158517 A1) in view of Miller et al. (US 2019/0188212 A1).

In regards to claim 1, Muddu discloses a computer implemented method for determining malicious activity using clustering algorithmic techniques, the method comprising: 
providing a source of known malicious network entities and known legitimate network entities associated with network traffic flow (Muddu, if the human user 604 begins to access source code server 610 more frequently in support of his work, for example, and his accessing of source code server 610 has been judged to be legitimate by the security platform 300 or a network security administrator (i.e., the anomalies/threats detected upon behavior change have been resolved and deemed to be legitimate activities)); 
generating a dataset consisting of a plurality of known malicious network entities and a plurality of known legitimate network entities from the sources of known malicious network entities and known legitimate network entities (Muddu, Fig. 24, Para. 0352, the process continues with generating anomaly data 2304 indicative of the anomalies in response to the detection. The anomaly data 2304, as used herein, generally refers to the entire set or a subset of the detected anomalies across the computer network and Para. 0353, as shown at step 2412, when the anomaly data 2304 is processed according to threat indicator model Y, no threat indicator is identified); 
identifying network related attributes associated with each of the plurality of malicious network entities and the plurality of legitimate network entities contained in the generated dataset (Muddu, Para. 0240, with the fact-based identity resolution techniques disclosed herein, the security platform has the ability to attribute an event that happens on a device to a user, and to detect behavioral anomalies and threats based on that attribution, and Para. 0539, Fig. 54A shows an example of how a normal behavioral sequence may be represented in a probabilistic suffix tree based mode);
determining if the current number of generated clusters (X) exceeds a predetermined threshold number (Y) in the event a generated cluster from the at least one dataset is not assigned a malicious tag (Muddu, Para. 0522, if the actual next symbol in the sequence is “a”, “b”, or “c,” these symbols may be deemed acceptable or normal because they are acceptably predicted (e.g., because they all have probabilities that meet or exceed a certain threshold, for example, 10%)); and 
increasing the value of X by 1 if X does not exceed Y and then returning to the generating a predetermined number (X) of clusters step (Muddu, Fig. 26, Para. 0561, At step 6015 the process moves the selected normal node to the position determined in step 6014, with the effect being to minimize the selected node's L1-norm. This process repeats for each normal node until all of the normal nodes have been processed in this manner).  
Muddu fails to disclose generating a predetermined number (X) of clusters based upon the plurality of malicious and legitimate network entities, wherein an individual cluster is a clustering of malicious network entities and/or legitimate network entities having determined like associated attributes according to prescribed criteria; 
tagging a generated cluster with a tag wherein: a malicious tag is applied when a majority type of known malicious network entities are clustered;
 a legitimate tag is applied when a majority type of known legitimate network entities are clustered; and
 an unknown tag is applied when neither a majority type of known malicious network entities nor a majority type of known legitimate network entities are clustered;
 determining if a generated cluster is assigned a malicious tag so as to store it in a database indicative of malicious network entities and assign it with a clusterID for future reference with clusters generated from captured real-time network traffic flow for detecting network attacks wherein the assigned clusterID is indicative of a particular network entity.
However, Miller teaches generating a predetermined number (X) of clusters based upon the plurality of malicious and legitimate network entities (Miller, Para. 0055, they assume that the group membership for every data point is known a priori, and Para. 0059, FGSS constructs anomalous clusters by jointly searching over subsets of data instances and subsets of anomalous attributes), wherein an individual cluster is a clustering of malicious network entities and/or legitimate network entities having determined like associated attributes according to prescribed criteria (Miller, Para. 0008, Detecting clusters of anomalous samples on low-dimensional feature subsets—Such joint detections have greater statistical significance and in general are more convincing than individual sample detections); 
tagging a generated cluster with a tag wherein: a malicious tag is applied when a majority type of known malicious network entities are clustered (Miller, Para. 0142, the weight on the labeled suspicious samples);
 a legitimate tag is applied when a majority type of known legitimate network entities are clustered (Miller, Para. 0142, the weight on the labeled innocuous samples αi (t)=1 (i∈I(t)) ); and
 an unknown tag is applied when neither a majority type of known malicious network entities nor a majority type of known legitimate network entities are clustered (Miller, Para. 0064, each sample and feature is assigned a flag indicating membership or otherwise in a parsimonious alternative model to the null that includes a cluster representing unknown behaviors or categories (403));
 determining if a generated cluster is assigned a malicious tag so as to store it in a database indicative of malicious network entities and assign it with a clusterID for future reference with clusters generated from captured real-time network traffic flow for detecting network attacks wherein the assigned clusterID is indicative of a particular network entity (Miller, Fig. 1, Item. 108 and Para. 0061, anomalous clusters (101) of a received unknown data-batch (109) using a null (107) based on a repository of known samples, and Para. 0123, Thus, there is still great need for an automated way to assess detected clusters and determine whether they are putatively malicious/interesting (worth being examined by an operator, worth validating as an unknown phenomenon and perhaps assigning a suitable, descriptive identifier (naming), worth generating an alert) or not. A framework for active learning to distinguish between attack (or highly suspicious/interesting) and innocuous/uninteresting clusters of anomalies); 
Muddu and Miller are both considered to be analogous to the claimed invention because they are in the same field of techniques used for automated fraud detection. Additionally, the techniques can be employed with essentially any suitable behavioral analysis (e.g., fraud detection or environmental monitoring) based on machine data. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Muddu to incorporate the teachings of Miller to include generating a predetermined number (X) of clusters based upon the plurality of malicious and legitimate network entities (Miller, Para. 0055), wherein an individual cluster is a clustering of malicious network entities and/or legitimate network entities having determined like associated attributes according to prescribed criteria (Miller, Para. 0008); 
tagging a generated cluster with a tag wherein: a malicious tag is applied when a majority type of known malicious network entities are clustered (Miller, Para. 0142);
 a legitimate tag is applied when a majority type of known legitimate network entities are clustered (Miller, Para. 0142); and
 an unknown tag is applied when neither a majority type of known malicious network entities nor a majority type of known legitimate network entities are clustered (Miller, Para. 0064);
 determining if a generated cluster is assigned a malicious tag so as to store it in a database indicative of malicious network entities and assign it with a clusterID for future reference with clusters generated from captured real-time network traffic flow for detecting network attacks wherein the assigned clusterID is indicative of a particular network entity (Miller, Fig. 1, Item 108 and Para. 0061). Doing so would help to improve the confidence in identified anomalies through automated corroboration with other alerts (only rudimentary methods for alert correlation have been deployed commercially), and through costly and slow manual forensics by analysts (Miller, Para. 0033).

In regards to claim 2, the combination of Muddu and Miller teaches the computer implemented method as recited in claim 1, wherein determining malicious activity relates to determining zero-day attacks associated with the monitored network (Miller, Para. 0002, the detection of never before seen behavioral clusters in large and complicated observed datasets, also known as group (cluster) anomaly detection or detection of zero-day activity). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Muddu to incorporate the teachings of Miller to include wherein determining malicious activity relates to determining zero-day attacks associated with the monitored network (Miller, Para. 0002). Doing so would help to improve the confidence in identified anomalies through automated corroboration with other alerts (only rudimentary methods for alert correlation have been deployed commercially), and through costly and slow manual forensics by analysts (Miller, Para. 0033).

In regards to claim 3, the combination of Muddu and Miller teaches the computer implemented method as recited in claim 1, wherein the network entities are selected from the group consisting of: network events; network devices and/or network users (Muddu, Para. 0182, The security platform 300 can detect anomalies and threats by determining behavior baselines of various entities that are part of, or that interact with, a network, such as users and devices).  

In regards to claim 4, the combination of Muddu and Miller teaches the computer implemented method as recited in claim 3, wherein the plurality of known malicious network entities are network events associated with blacklisted IP addresses (Muddu, Para. 0598, anomaly node A6706 representing a blacklist anomaly. The blacklist anomaly indicates that the user U6705 has accessed the network device D6707 from a blacklisted IP address).  

In regards to claim 5, the combination of Muddu and Miller teaches the computer implemented method as recited in claim 3, wherein the plurality of known malicious network entities are network events associated with blacklisted payload components (Miller, Para. 0066, attacks are often captured from a different network domain, with different timing characteristics than the normal/null flows; also payload information is often unavailable; thus, without limiting the scope of applicability suppose as an example where only the packet size and direction information is considered).  Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Muddu to incorporate the teachings of Miller to include wherein the plurality of known malicious network entities are network events associated with blacklisted payload components (Miller, Para. 0066). Doing so would help to improve the confidence in identified anomalies through automated corroboration with other alerts (only rudimentary methods for alert correlation have been deployed commercially), and through costly and slow manual forensics by analysts (Miller, Para. 0033).

In regards to claim 6, the combination of Muddu and Miller teaches the computer implemented method as recited in claim 3, wherein the plurality of known malicious network entities are network events whereby the identified network related attributes consist of one or more of: request bytes; response bytes; request packets; response packets; event duration; event payload size; response code; and event direction associated with the captured network traffic flow for network entities that are network events (Miller, Para. 0066, packet size and other packet header information, packet timing, packet direction sequence, as well as payload information could be used to represent each packet). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Muddu to incorporate the teachings of Miller to include wherein the plurality of known malicious network entities are network events whereby the identified network related attributes consist of one or more of: request bytes; response bytes; request packets; response packets; event duration; event payload size; response code; and event direction associated with the captured network traffic flow for network entities that are network events (Miller, Para. 0066). Doing so would help to improve the confidence in identified anomalies through automated corroboration with other alerts (only rudimentary methods for alert correlation have been deployed commercially), and through costly and slow manual forensics by analysts (Miller, Para. 0033).  

In regards to claim 7, the combination of Muddu and Miller teaches the computer implemented method as recited in claim 1 wherein the majority type of network entities clustered in a cluster is determined by a percentage value of a network entity type clustered in that cluster (Muddu, Para. 0585, the value distributor(s) have a probability of (100%−15%=85%) to follow an edge of the node to move to another node. In some other embodiments, the similarity score assignment process can use a percentage other than 15%).  

In regards to claim 8, the combination of Muddu and Miller teaches the computer implemented method as recited in claim 7, wherein the percentage is 90% or greater (Muddu, Para. 0715, The rarity determination module 8035 can compute the rarity score as a 95% confidence interval).  

In regards to claim 9, the combination of Muddu and Miller teaches the computer implemented method as recited in claim 7, wherein the percentage value is user configurable (Muddu, Para. 0610, while domain xyz.com may not be known to be benign, an analysis of the network traffic can uncover that a high percentage of users on the network regularly connect to xyz).  

In regards to claim 10, the combination of Muddu and Miller teaches the computer implemented method as recited in claim 1, wherein a cluster is only tagged when it has more than a prescribed threshold number of clustered network entities (Muddu, Para. 0186, anomalies and threats are detected by comparing incoming event data (e.g., a series of events) against the baseline profile for an entity to which the event data relates (e.g., a user, an application, a network node or group of nodes, a software system, data files, etc.). If the variation is more than insignificant, the threshold for which may be dynamically or statically defined, an anomaly may be considered to be detected).  

In regards to claim 11, the combination of Muddu and Miller teaches the computer implemented method as recited in claim 10, wherein the prescribed threshold number of clustered network entities is equal to, or greater than, one thousand (1000) (Miller, Para. 0030, suppose that for each flow there are 1000 features, X1, . . . , X1000. The present AD may identify that an anomalous cluster of 20 samples is such that all samples in this cluster manifest atypicalities only on the feature subset {X17, X211, X279, X414, X678, X737, X898}).  Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Muddu to incorporate the teachings of Miller to include wherein the prescribed threshold number of clustered network entities is equal to, or greater than, one thousand (1000) (Miller, Para. 0030). Doing so would help to improve the confidence in identified anomalies through automated corroboration with other alerts (only rudimentary methods for alert correlation have been deployed commercially), and through costly and slow manual forensics by analysts (Miller, Para. 0033).

In regards to claim 12, the combination of Muddu and Miller teaches the computer implemented method as recited in claim 1, wherein the predetermined threshold maximum number of generated clusters (Y) is user configurable (Muddu, Para. 0279, dynamic thresholding analysis with periodicity patterns at several scales, change-point detection via maximum-a-posteriori-probability (MAP) modeling, cross-correlation and causality analysis via variable-memory modeling and estimation of directed mutual information, outlier analysis, or any combination).  

In regards to claim 13, the combination of Muddu and Miller teaches the computer implemented method as recited in claim 1, further including the steps: capturing network traffic flow associated with a monitored computer network (Muddu, Para. 0371, this determination is based on an absolute number tracked from when monitoring of the computer network commenced); determining a real-time cluster ID for a network entity contained in the captured network traffic flow (Muddu, Para. 0147, incoming event data from various data sources is evaluated in two separate data paths: (i) a real-time processing path); and 
determining whether the determined real-time cluster ID matches with a cluster ID stored in the database indicative of malicious network entities (Muddu, Para. 0172, Arrow 360 represents the storing of data supporting the analysis of the anomalies and threats in the real-time path. For example, the anomalies and threats as well as the event data that gives rise to detection of the anomalies and threats may be stored in database 378 (e.g., an SQL store) using a path represented by the arrow 360).  

In regards to claim 14, the combination of Muddu and Miller teaches the computer implemented method as recited in claim 13, further including the step of marking the network entity as suspicious of a network attack when its determined cluster ID matches with a cluster ID stored in the database indicative of malicious network entities (Muddu, Para. 0263, With the new session created in the session database, a process thread starts to automatically look for any preexisting session in the session database that can be linked with the information provided by the new session).  
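The following is an added illustration, not code from the application, from Muddu, or from Miller, of the cluster-tagging loop recited in claim 1 (generate X clusters, tag each by majority type, store malicious clusters with a clusterID, and increment X up to Y when no malicious cluster appears) together with the real-time clusterID lookup of claims 13 and 14. Everything beyond the claim language is an assumption made for the example: k-means with deterministic farthest-first seeding stands in for the unspecified clustering criteria, "like attributes" is Euclidean distance over max-scaled request bytes, response bytes and event duration (claim 6), the majority percentage is 90% (claim 8), the size threshold is scaled down from claim 11's 1000 to 5, "not assigned a malicious tag" is read as no cluster in the round receiving a malicious tag, a real-time entity's clusterID is the ID of the nearest training centroid, and the traffic profiles are constructed sample data.

```python
"""Added example: claim 1 cluster-tagging loop and claim 13/14 real-time clusterID match.
Not from the application or the cited references; all parameters are assumptions."""
import math
import random

MAJORITY = 0.90   # claim 8: a cluster is tagged by a type only if it holds >= 90% of that type
MIN_SIZE = 5      # claim 10: clusters at or below this size get no tag (claim 11 uses 1000)


def build_dataset(seed=7):
    """Constructed sample data: (attributes, label) rows. Attributes follow claim 6:
    request bytes, response bytes, event duration in seconds (hypothetical profiles)."""
    rng = random.Random(seed)
    profiles = [
        ((600, 30_000, 2), "legitimate", 40),     # interactive browsing (legitimate)
        ((800, 300_000, 60), "legitimate", 20),   # bulk download (legitimate)
        ((200_000, 500, 5), "malicious", 20),     # known exfiltration flows (malicious)
    ]
    rows = []
    for center, label, count in profiles:
        for _ in range(count):
            rows.append(([v * rng.uniform(0.95, 1.05) for v in center], label))
    return rows


def fit_scale(rows):
    """Per-attribute max, so bytes and seconds contribute comparably to distance."""
    return [max(r[i] for r in rows) or 1.0 for i in range(len(rows[0]))]


def scaled(row, scale):
    return [v / s for v, s in zip(row, scale)]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k, iters=50):
    """Plain Lloyd's k-means. Farthest-first seeding makes the result deterministic,
    which is what lets the X-increment loop below be reproduced run to run."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(dist(p, c) for c in centroids)))
    dims = len(points[0])
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for idx, p in enumerate(points):
            groups[min(range(k), key=lambda j: dist(p, centroids[j]))].append(idx)
        new = [[sum(points[i][d] for i in g) / len(g) for d in range(dims)] if g else centroids[j]
               for j, g in enumerate(groups)]
        if new == centroids:           # assignments stable: converged
            break
        centroids = new
    return centroids, groups


def tag_cluster(members, labels):
    """Claim 1 tagging: malicious / legitimate by majority type, otherwise unknown;
    claim 10: no tag at all for clusters that are too small."""
    if len(members) <= MIN_SIZE:
        return None
    malicious_share = sum(labels[i] == "malicious" for i in members) / len(members)
    if malicious_share >= MAJORITY:
        return "malicious"
    if 1 - malicious_share >= MAJORITY:
        return "legitimate"
    return "unknown"


def train(dataset, x=1, y=5):
    """Claim 1 loop: cluster into X groups, tag, and if no cluster is malicious
    grow X by one (while X does not exceed Y) and cluster again."""
    rows, labels = [r for r, _ in dataset], [l for _, l in dataset]
    scale = fit_scale(rows)
    points = [scaled(r, scale) for r in rows]
    while True:
        centroids, groups = kmeans(points, x)
        tags = [tag_cluster(g, labels) for g in groups]
        if "malicious" in tags or x > y:
            break
        x += 1
    # every tagged cluster gets a clusterID; only malicious ones go to the malicious DB
    model = {f"cluster-{j}": (c, t) for j, (c, t) in enumerate(zip(centroids, tags))}
    malicious_db = {cid for cid, (_, t) in model.items() if t == "malicious"}
    return {"scale": scale, "model": model, "malicious_db": malicious_db, "x": x}


def realtime_cluster_id(state, attributes):
    """Claim 13: clusterID of a captured entity = nearest stored centroid (assumption)."""
    p = scaled(attributes, state["scale"])
    return min(state["model"], key=lambda cid: dist(p, state["model"][cid][0]))


def is_suspicious(state, attributes):
    """Claim 14: mark the entity suspicious when its clusterID is in the malicious DB."""
    return realtime_cluster_id(state, attributes) in state["malicious_db"]


if __name__ == "__main__":
    state = train(build_dataset())
    print("clusters needed (X):", state["x"], "malicious clusterIDs:", sorted(state["malicious_db"]))
    for flow in ([180_000, 400, 4], [550, 28_000, 2]):   # constructed real-time flows
        verdict = "suspicious" if is_suspicious(state, flow) else "ok"
        print(flow, "->", realtime_cluster_id(state, flow), verdict)
```

With the constructed data the loop needs three rounds: X=1 yields a single mixed cluster tagged unknown, X=2 merges the malicious flows with the browsing flows (still unknown) and separates only the downloads, and X=3 isolates the exfiltration flows, which are then tagged malicious and stored. The real-time check is only as good as the stored centroids, so a practitioner would also retrain as labelled traffic changes rather than treating the clusterID database as fixed.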

In regards to claim 15, the combination of Muddu and Miller teaches the computer implemented method as recited in claim 13, wherein the network traffic is captured in real-time (Muddu, Para. 0147, The real-time processing path is configured to continuously monitor and analyze the incoming event data (e.g., in the form of an unbounded data stream) to uncover anomalies and threats).  

In regards to claim 16, the combination of Muddu and Miller teaches the computer implemented method as recited in claim 15, wherein machine learning model techniques are used for determining a real-time clusterID for a network entity (Muddu, Para. 0182, These functions can be performed by one or more machine-learning models, for example, in the real-time path, the batch path, or both).  

In regards to claim 17, the combination of Muddu and Miller teaches the computer implemented method as recited in claim 16, wherein network entities captured in the traffic flow are selected from the group consisting of: network events; network devices and/or network users (Muddu, Para. 0182, The security platform 300 can detect anomalies and threats by determining behavior baselines of various entities that are part of, or that interact with, a network, such as users and devices).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
MIRON (US 2019/0190930 A1) teaches methods and systems, including devices, which allow for the rapid detection of malware and other threats, such as malicious intrusions and attacks.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GITA FARAMARZI whose telephone number is (571) 272-0248. The examiner can normally be reached 9:30 AM - 6:30 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/G.F./
Examiner, Art Unit 2496
 

/JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496