DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

EXAMINER’S AMENDMENT
Authorization for this examiner’s amendment was given in an interview with Jordan Becker, Reg. No. 39,602 on May 25, 2022.
	The application has been amended as follows:
	In the claims: 

26. 	(Currently amended) A non-transitory machine-readable storage medium storing instructions, execution of which in a computer system causes the computer system to perform operations comprising:
 	receiving event data representative of data traffic on a computer network, the event data including a plurality of events, wherein each event of the plurality of events includes a plurality of fields and a plurality of values for the plurality of fields;
determining, for a field of the plurality of fields, a set of [[the]] values of the field whose probability of occurrence does not exceed a probability of occurrence of a particular value of [[the]] a respective plurality of values of the field, the set of [[the]] values being those values of the field that have occurred not more than a threshold number of times;
determining a rarity score for the particular value of the field as a function of the probability of occurrence of the set of the values; and
detecting that activity of an entity on the computer network is anomalous in a security context, by determining that an occurrence of the particular value of the field corresponds to an anomaly, based on the rarity score, wherein said determining that the occurrence of the particular value corresponds to an anomaly includes determining that the rarity score of the particular value is less than a score threshold and that a count of a number of times the particular value is indicated as an anomaly is less than a count threshold.

29. 	(Currently amended) A system comprising:
a processor;
a first module operatively coupled to the processor and configured to receive event data representative of data traffic on a computer network, the event data including a plurality of events, wherein each event of the plurality of events includes a plurality of fields and a plurality of values for the plurality of fields; 
a second module operatively coupled to the processor and configured to determine, for a field of the plurality of fields, a set of [[the]] values of the field whose probability of occurrence does not exceed a probability of occurrence of a particular value of [[the]] a respective plurality of values of the field, the set of [[the]] values being those values of the field that have occurred not more than a threshold number of times;
a third module operatively coupled to the processor and configured to determine a rarity score of the particular value of the field as a function of the probability of occurrence of the set of values; and
a fourth module operatively coupled to the processor and configured to detect that activity of an entity on the computer network is anomalous in a security context, by determining that an occurrence of the particular value of the field corresponds to an anomaly, based on the rarity score, wherein said determining that the occurrence of the particular value corresponds to an anomaly includes determining that the rarity score of the particular value is less than a score threshold and that a count of a number of times the particular value is indicated as an anomaly is less than a count threshold. 
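The detection logic recited in claims 26 and 29, sketched as an added example that is not taken from the application or from any implementation by the applicant. It assumes one reading of the claim language: the rarity score is the summed probability of all values no more likely than the observed one that occurred at most `max_occurrences` times, and a value seen more often than that is scored 1.0. All names, thresholds and sample events are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample events: one dict of field -> value per event.
EVENTS = (
    [{"src": "10.0.0.5", "dst_port": 443}] * 90
    + [{"src": "10.0.0.5", "dst_port": 80}] * 7
    + [{"src": "10.0.0.9", "dst_port": 22}] * 2
    + [{"src": "10.0.0.9", "dst_port": 4444}] * 1
)


class RarityDetector:
    """Per-field rarity scoring with a cap on repeat alerts (hypothetical names)."""

    def __init__(self, events, max_occurrences=5, score_threshold=0.05,
                 count_threshold=3):
        self.max_occurrences = max_occurrences   # "threshold number of times"
        self.score_threshold = score_threshold   # "score threshold"
        self.count_threshold = count_threshold   # "count threshold"
        self.counts = defaultdict(Counter)       # field -> value -> occurrences
        for event in events:
            for field, value in event.items():
                self.counts[field][value] += 1
        self.flagged = Counter()                 # (field, value) -> times flagged

    def rarity_score(self, field, value):
        counts = self.counts.get(field, Counter())
        total = sum(counts.values())
        seen = counts.get(value, 0)
        # Assumption: no baseline for the field, or a value seen more often
        # than max_occurrences, is treated as not rare.
        if total == 0 or seen > self.max_occurrences:
            return 1.0
        # Probability mass of the values that are no more likely than this one
        # and that occurred at most max_occurrences times.
        tail = sum(c for c in counts.values()
                   if c <= seen and c <= self.max_occurrences)
        return tail / total

    def is_anomalous(self, field, value):
        key = (field, value)
        if self.rarity_score(field, value) >= self.score_threshold:
            return False
        # Stop alerting once this value has been flagged count_threshold times.
        if self.flagged[key] >= self.count_threshold:
            return False
        self.flagged[key] += 1
        return True
```

The count threshold means a rare value that keeps recurring stops generating alerts after it has been flagged `count_threshold` times, which bounds alert volume for values that are rare but benign.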

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BEEMNET W DADA whose telephone number is (571)272-3847. The examiner can normally be reached Monday-Friday, 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

BEEMNET W. DADA
Primary Examiner
Art Unit 2435



/BEEMNET W DADA/Primary Examiner, Art Unit 2435