DETAILED ACTION
This action is responsive to communications filed 15 February 2022.
Claims 3-4, 6-7, 11, 14-15 and 17-20 remain cancelled.
Claims 2, 8, 10 and 16 have been cancelled.
Claims 35-38 have been added.
Claims 1, 5, 9, 12-13 and 21-38 are subject to examination.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Todd Hopfinger #72567 on 1 June 2022.
The application has been amended as follows: 

1. (Previously Presented) A method for reducing storage space used in tracking behavior of a plurality of network endpoints by modeling the behavior with a behavior model, the method comprising: 
receiving a plurality of records, each respective record of the plurality of records corresponding to a respective network endpoint of the plurality of network endpoints; 
determining the respective network endpoint, of the plurality of network endpoints, to which each respective record of the plurality of records corresponds; 
assigning a respective dedicated queue for each respective network endpoint; 
transmitting to each respective dedicated queue, each record of the plurality of records that corresponds to the respective network endpoint to which the respective dedicated queue is assigned; 
generating, for each respective network endpoint, using each record of the respective dedicated queue originating from the respective network endpoint, a respective vector representing a respective behavior model, wherein the generating the respective vector further comprises: 
identifying a module of a plurality of modules that is idle, wherein the plurality of modules are programmed to generate the respective vectors representing the respective behavior models; 
commanding the idle module to generate the respective vector representing the respective behavior model by:
Atty. Dkt. No. 4264.4400001, Giacomo BERNARDI, Reply to Office Action of December 2, 2021, Application No. 16/033,127
encoding data of each respective record within the respective dedicated queue as a floating point value in the respective vector, wherein the encoding the data further comprises extracting the data from a field of the respective record, and concatenating the data into a string; and
feeding the string into a Document to Vector (doc2vec) algorithm, thereby outputting the respective vector; 
storing each respective vector to a memory; and 
determining an anomalous behavior state for a network endpoint in the plurality of network endpoints by comparing the respective vector of the network endpoint to a normalcy threshold in a multidimensional space, 
wherein the plurality of records is of a first data size, wherein a sum of a data size of each respective behavior model is of a second data size, and wherein the second data size is two or more orders of magnitude smaller than the first data size.  
2. (Canceled)  
3. (Canceled)  
4. (Canceled)  
5. (Original) The method of claim 1, wherein each respective record identifies a respective single network flow originating from the respective network endpoint that corresponds to the respective record.  
6. (Canceled)  
7. (Canceled)  
8. (Canceled)  
9. (Currently Amended) A system for reducing storage space used in tracking behavior of a plurality of network endpoints by modeling the behavior with a behavior model, the system comprising: 
storage circuitry; 
communications circuitry; and 
control circuitry configured to: 
receive, by the communications circuitry, a plurality of records, each respective record of the plurality of records corresponding to a respective network endpoint of the plurality of network endpoints; 
determine the respective network endpoint, of the plurality of network endpoints, to which each respective record of the plurality of records corresponds; 
assign a respective dedicated queue for each respective network endpoint; 
transmit, to each respective dedicated queue, each record of the plurality of records that corresponds to the respective network endpoint to which the respective dedicated queue is assigned; 
generate, for each respective network endpoint, using each record of the respective dedicated queue corresponding to the respective network endpoint, a respective vector representing a respective behavior model, wherein to generate the respective vector, the control circuitry is further configured to:
identify one or more modules of a plurality of modules that are idle, wherein the plurality of modules are programmed to generate the respective vectors representing the respective behavior models; and 
command an idle module of the one or more identified idle modules to generate the respective vector representing the respective behavior model by: 
encoding data of each respective record 
feeding the string into a Document to Vector (doc2vec) algorithm, thereby outputting the respective vector; 
store, by the storage circuitry, each respective vector in a memory; and 
determine an anomalous behavior state for a network endpoint in the plurality of network endpoints by determining a current position of the respective vector of the network endpoint is in a region of a multidimensional space, the region having a probability value less than a threshold value, and 
wherein the plurality of records is of a first data size, wherein a sum of a data size of each respective behavior model is of a second data size, and wherein the second data size is two or more orders of magnitude smaller than the first data size.  
10. (Canceled)
11. (Canceled)  
12. (Previously Presented) The system of claim 9, wherein the control circuitry is further configured to: 
in response to determining the anomalous behavior state for the network endpoint, alert a network administrator.  
13. (Original) The system of claim 9, wherein each respective record identifies a respective single network flow originating from the respective network endpoint that corresponds to the respective record.  
14-20. (Canceled)  
21. (Previously Presented) A non-transitory computer-readable medium having instructions stored thereon that, when executed by a computing device, cause the computing device to perform operations comprising: 
receiving a plurality of records, each respective record of the plurality of records corresponding to a respective network endpoint of a plurality of network endpoints; 
determining the respective network endpoint, of the plurality of network endpoints, to which each respective record of the plurality of records corresponds; 
assigning a respective dedicated queue for each respective network endpoint; 
transmitting, to each respective dedicated queue, each record of the plurality of records that corresponds to the respective network endpoint to which the respective dedicated queue is assigned;
generating, for each respective network endpoint, using each record of the respective dedicated queue corresponding to the respective network endpoint, a respective vector representing a respective behavior model, wherein the generating the respective vector further comprises:
identifying one or more modules of a plurality of modules that are idle, wherein the plurality of modules are programmed to generate the respective vectors representing the respective behavior models; and 
commanding an idle module of the one or more identified idle modules to generate the respective vector representing the respective behavior model by: 
encoding data of each respective record within the respective dedicated queue as a floating point value in the respective vector, wherein the encoding the data further comprises extracting the data from a field of the respective record, and concatenating the data into a string; and 
feeding the string into a Document to Vector (doc2vec) algorithm, thereby outputting the respective vector; 
storing each respective vector to a memory; and 
determining an anomalous behavior state for a network endpoint in the plurality of network endpoints by comparing the respective vector of the network endpoint to a normalcy threshold in a multidimensional space, 
wherein the plurality of records is of a first data size, wherein a sum of a data size of each respective behavior model is of a second data size, and wherein the second data size is smaller than the first data size.  
22. (Previously Presented) The non-transitory computer-readable medium of claim 21, wherein the generating the respective vectors representing the respective behavior models further comprises: 
determining first dedicated queues each having a number of records that exceed a threshold value; and
assigning a first portion of the identified idle modules to the first dedicated queues.
23. (Previously Presented) The non-transitory computer-readable medium of claim 22, wherein the generating the respective vectors representing the respective behavior models further comprises: 
assigning a second portion of the identified idle modules to second dedicated queues based on a load balancing scheme.  
24. (Previously Presented) The non-transitory computer-readable medium of claim 22, wherein the generating the respective vectors representing the respective behavior models further comprises: 
randomly assigning a second portion of the identified idle modules to second dedicated queues.  
25. (Previously Presented) The method of claim 1, further comprising: 
tracking behavior of each respective network endpoint over time by comparing a current position of the respective vector in the multidimensional space to a previous position of a previous version of the respective vector in the multidimensional space.  
26. (Previously Presented) The method of claim 25, wherein the tracking is performed using a Kalman filter.  
27. (Previously Presented) The method of claim 1, further comprising: 
tracking behavior of the network endpoint in the plurality of network endpoints by deriving a multivariate Gaussian distribution to determine a current position of the respective vector of the network endpoint in the multidimensional space.  
28. (Previously Presented) The system of claim 9, wherein the control circuitry is further configured to: 
track behavior of each respective network endpoint over time by comparing a current position of the respective vector in the multidimensional space to a previous position of a previous version of the respective vector in the multidimensional space.  
29. (Previously Presented) The system of claim 28, wherein the control circuitry is further configured to track the behavior of each respective network endpoint over time using a Kalman filter.  
30. (Previously Presented) The system of claim 9, wherein the control circuitry is further configured to: 
track behavior of the network endpoint in the plurality of network endpoints by deriving a multivariate Gaussian distribution to determine the current position of the respective vector of the network endpoint in the multidimensional space.  
31. (Previously Presented) The non-transitory computer-readable medium of claim 21, wherein the operations further comprise: 
tracking behavior of each respective network endpoint over time by comparing a current position of the respective vector in the multidimensional space to a previous position of a previous version of the respective vector in the multidimensional space.  
32. (Previously Presented) The non-transitory computer-readable medium of claim 31, wherein the tracking is performed using a Kalman filter.  
33. (Previously Presented) The non-transitory computer-readable medium of claim 21, wherein the operations further comprise: 
tracking behavior of the network endpoint in the plurality of network endpoints by deriving a multivariate Gaussian distribution to determine a current position of the respective vector of the network endpoint in the multidimensional space.  
34. (Previously Presented) The method of claim 1, wherein the generating further comprises: 
forming a document from the string; and 
wherein the feeding the string into doc2vec algorithm further comprises analyzing, using the doc2vec algorithm, the document using a shallow neural network.  
35. (Previously Presented) The system of claim 9, wherein to generate the respective vector, the control circuitry is further configured to:
form a document from the string; and
wherein to feed the string into doc2vec algorithm, the control circuitry is further configured to analyze, using the doc2vec algorithm, the document using a shallow neural network.  
36. (Previously Presented) The non-transitory computer-readable medium of claim 21, wherein the generating further comprises: 
forming a document from the string; and 
wherein the feeding the string into doc2vec algorithm further comprises analyzing, using the doc2vec algorithm, the document using a shallow neural network.  
37. (Previously Presented) The system of claim 9, wherein to generate the respective vectors representing the respective behavior models, the control circuitry is further configured to: 
determine first dedicated queues each having a number of records that exceed a threshold value; and 
assign a first portion of the identified idle modules to the first dedicated queues.  
38. (Previously Presented) The system of claim 37, wherein to generate the respective vectors representing the respective behavior models, the control circuitry is further configured to: 
assign a second portion of the identified idle modules to second dedicated queues based on a load balancing scheme.
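
The pipeline recited in claims 1, 9 and 21 (a dedicated queue per endpoint, field extraction and concatenation into a string, one vector per endpoint, and a low-probability-region test) can be sketched as follows; this is an added illustration, not part of the Office action or the application. A token-count embedding stands in for doc2vec, the Gaussian uses a diagonal covariance, and the field names, sample flows and threshold are constructed assumptions.

```python
import math
from collections import defaultdict, deque

FIELDS = ("dst", "dport", "proto")  # record fields to extract (assumed names)

def route(records):
    """Give every endpoint its own dedicated queue and enqueue its records."""
    queues = defaultdict(deque)
    for rec in records:
        queues[rec["src"]].append(rec)
    return queues

def queue_to_string(queue):
    """Extract the chosen fields of each queued record and concatenate them."""
    return " ".join(f"{f}={rec[f]}" for rec in queue for f in FIELDS)

def build_vocab(docs):
    """Token -> dimension index, learned from baseline documents only."""
    vocab = {}
    for doc in docs:
        for tok in doc.split():
            vocab.setdefault(tok, len(vocab))
    return vocab

def embed(doc, vocab):
    """Stand-in for doc2vec: unit-length count vector; last slot = unseen tokens."""
    vec = [0.0] * (len(vocab) + 1)
    for tok in doc.split():
        vec[vocab.get(tok, len(vocab))] += 1.0
    norm = math.sqrt(sum(x * x for x in vec)) or 1.0
    return [x / norm for x in vec]

def fit_gaussian(vectors, floor=1e-3):
    """Per-dimension mean and variance (diagonal-covariance Gaussian)."""
    n = len(vectors)
    mean = [sum(col) / n for col in zip(*vectors)]
    var = [max(sum((x - m) ** 2 for x in col) / n, floor)
           for col, m in zip(zip(*vectors), mean)]
    return mean, var

def log_density(vec, mean, var):
    """Log of the Gaussian density at vec."""
    return sum(-0.5 * (math.log(2 * math.pi * v) + (x - m) ** 2 / v)
               for x, m, v in zip(vec, mean, var))

def detect(baseline_windows, current, threshold=0.0):
    """Return {endpoint: log-density} where the current vector is in a low-density region."""
    history = defaultdict(list)  # endpoint -> one document per baseline window
    for window in baseline_windows:
        for ep, q in route(window).items():
            history[ep].append(queue_to_string(q))
    vocab = build_vocab(d for docs in history.values() for d in docs)
    flagged = {}
    for ep, q in route(current).items():
        past = [embed(d, vocab) for d in history.get(ep, [])]
        if len(past) < 2:
            continue  # no behavior model yet for this endpoint
        score = log_density(embed(queue_to_string(q), vocab), *fit_gaussian(past))
        if score < threshold:
            flagged[ep] = score
    return flagged

def flow(src, dst, dport, proto="tcp"):
    return {"src": src, "dst": dst, "dport": dport, "proto": proto}

# Constructed sample: two baseline windows, then a window in which 10.0.0.5
# suddenly contacts twenty new hosts on port 445 while 10.0.0.6 is unchanged.
NORMAL_A = [flow("10.0.0.5", "10.0.0.1", 443), flow("10.0.0.5", "10.0.0.2", 53, "udp")]
NORMAL_B = [flow("10.0.0.6", "10.0.0.1", 443)]
BASELINE = [NORMAL_A + NORMAL_B, NORMAL_A * 2 + NORMAL_B * 3]
CURRENT = NORMAL_B + [flow("10.0.0.5", f"10.0.1.{i}", 445) for i in range(20)]

if __name__ == "__main__":
    print(detect(BASELINE, CURRENT))
```

Only the per-endpoint mean and variance need to be retained between windows, which is where the storage reduction over keeping the raw records comes from.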

Allowable Subject Matter
Claims 1, 5, 9, 12-13, 21-24, 25-27, 28-30, 31-33, 34, 35, 36, 37-38 are allowed. They are to be renumbered to claims 1, 2, 7, 8-9, 16-19, 3-5, 10-12, 20-22, 6, 13, 23, 14-15, respectively.
The following is an examiner’s statement of reasons for allowance: In interpreting the currently amended claims in light of the specification, the Examiner finds the claimed invention to be patentably distinct from the prior art of record:
Mahaffey et al. (US-20170339178-A1) discloses Data is collected from a set of devices according to a data collection policy. The data is associated with device configuration, device state, or device behavior. A norm is established using the collected data. A different data collection policy is established based on the norm. Data is collected from a particular device according to the different data collection policy. The norm is compared to the data collected from the particular device. If there is a deviation outside of a threshold deviation between the norm and the data collected from the particular device, a response is initiated. (abstract)
Ridley (US-20180115574-A1) discloses A network sensor, inserted into a mirror port of a network switch or router, may be configured to monitor the network traffic originating from an embedded device. Metadata in the network traffic may be passively extracted by the network sensor and transmitted to a server in order to monitor and analyze the behavior of the embedded device. The server may employ machine learning to distinguish typical behavior of the embedded device from atypical behavior. Further, code may be injected into the firmware of the embedded device, and the code may be programmed to broadcast a performance beacon whenever certain firmware functions are executed. A collection of the performance beacons may be analyzed at the server to reconstruct an execution path of the embedded device, and machine learning may be applied to determine whether the execution path is typical or atypical. (abstract)
M. Mimura and H. Tanaka, "Long-Term Performance of a Generic Intrusion Detection Method Using Doc2vec," 2017 Fifth International Symposium on Computing and Networking (CANDAR), 2017, pp. 456-462, doi: 10.1109/CANDAR.2017.109 discloses a generic detection method which is independent of attack methods and does not need devising feature vectors. This method uses Paragraph Vector an unsupervised algorithm that learns fixed-length feature representations from variable-length pieces of texts, such as sentences, paragraphs, and documents, and learns the content in proxy server logs. (abstract)
BOUBEZ (US-20150341246-A1) discloses An anomaly detection system is able to detect spatial and temporal environment anomalies and spatial and temporal behavior anomalies, and monitor servers for anomalous characteristics of the environment and behavior. If metrics and/or characteristics associated with a given server are beyond a certain threshold, an alert is generated. Among other options, the alert can take the form of a heat map or a cluster cohesiveness report. (abstract)
He et al. (US-20140181825-A1) discloses A processing system is described which assigns jobs to heterogeneous processing modules. The processing system assigns jobs to the processing modules in a manner that attempts to accommodate the service demands of the jobs, but without advance knowledge of the service demands. In one case, the processing system implements the processing modules as computing units that have different physical characteristics. Alternatively, or in addition, the processing system may implement the processing modules as threads that are executed by computing units. Each thread which runs on a computing unit offers a level of performance that depends on a number of other threads that are simultaneously being executed by the same computing unit. (abstract)
Andersson et al. (US-6836719-B2) discloses A method and system for controlling a vehicle includes receiving vehicle position information from a positioning system and combining the position information with information from a map database and a driver behavior model to control the vehicle's speed and braking for not only the current roadway the vehicle is operating on but also on upcoming road sections. (abstract)
Varsanyi et al. (US-20140201838-A1) discloses Systems, methods, and computer-readable media for detecting threats on a network. In an embodiment, target network traffic being transmitted between two or more hosts is captured. The target network traffic comprises a plurality of packets, which are assembled into one or more messages. The assembled message(s) may be parsed to generate a semantic model of the target network traffic. The semantic model may comprise representation(s) of operation(s) or event(s) represented by the message(s). Score(s) for the operation(s) or event(s) may be generated using a plurality of scoring algorithms, and potential threats among the operation(s) or event(s) may be identified using the score(s). (abstract)
Wright et al. (US-20170149813-A1) discloses Examples of the present disclosure describe systems and methods for identifying anomalous network behavior. In aspects, a network event may be observed network sensors. One or more characteristics may be extracted from the network event and used to construct an evidence vector. The evidence vector may be compared to a mapping of previously-identified events and/or event characteristics. The mapping may be represented as one or more clusters of expected behaviors and anomalous behaviors. The mapping may be modeled using analytic models for direction detection and magnitude detection. One or more centroids may be identified for each of the clusters. A “best fit” may be determined and scored for each of the analytic models. The scores may be fused into single binocular score and used to determine whether the evidence vector is likely to represent an anomaly. (abstract)
Dang et al. (US-10635565-B2) discloses A system, includes: a distributed cache that stores state information for a plurality of configuration items (CIs). Management, instrumentation, and discovery (MID) servers form a cluster, each of the MID servers including one or more processors that receive, from the distributed cache, a subset of the state information associated with assigned CIs and perform a statistical analysis on the subset of the state information. (abstract)
Vasseur et al. (US-20150195296-A1) discloses In one embodiment, a device in a network identifies a plurality of applications from observed traffic in the network. The device forms two or more application clusters from the plurality of applications. Each of the application clusters includes one or more of the applications, and wherein a particular application in the plurality of applications is included in each of the application clusters. The device generates anomaly detection models for each of the application clusters. The device tests the anomaly detection models, to determine a measure of efficacy for each of the models with respect to traffic associated with the particular application. The device selects a particular anomaly detection model to analyze the traffic associated with the particular application based on the measures of efficacy for each of the models. (abstract)
However, the prior art of record, individually or in combination, fails to disclose or teach:

A system for reducing storage space used in tracking behavior of a plurality of network endpoints by modeling the behavior with a behavior model, the system comprising: 
storage circuitry; 
communications circuitry; and 
control circuitry configured to: 
receive, by the communications circuitry, a plurality of records, each respective record of the plurality of records corresponding to a respective network endpoint of the plurality of network endpoints; 
determine the respective network endpoint, of the plurality of network endpoints, to which each respective record of the plurality of records corresponds; 
assign a respective dedicated queue for each respective network endpoint; 
transmit, to each respective dedicated queue, each record of the plurality of records that corresponds to the respective network endpoint to which the respective dedicated queue is assigned; 
generate, for each respective network endpoint, using each record of the respective dedicated queue corresponding to the respective network endpoint, a respective vector representing a respective behavior model, wherein to generate the respective vector, the control circuitry is further configured to:
identify one or more modules of a plurality of modules that are idle, wherein the plurality of modules are programmed to generate the respective vectors representing the respective behavior models; and 
command an idle module of the one or more identified idle modules to generate the respective vector representing the respective behavior model by: 
encoding data of each respective record within the respective dedicated queue as a floating point value in the respective vector, wherein to encode the data the control circuitry is further configured to extract the data from a field of the respective record, and concatenate the data into a string; and 
feeding the string into a Document to Vector (doc2vec) algorithm, thereby outputting the respective vector; 
store, by the storage circuitry, each respective vector in a memory; and 
determine an anomalous behavior state for a network endpoint in the plurality of network endpoints by the respective vector of the network endpoint in a multidimensional space to a threshold value, and 
wherein the plurality of records is of a first data size, wherein a sum of a data size of each respective behavior model is of a second data size, and wherein the second data size is two or more orders of magnitude smaller than the first data size.

The claims that depend upon one of the above-mentioned allowable independent claims are therefore allowed by virtue of their dependencies.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Alex H. Tran whose telephone number is (571)272-8173. The examiner can normally be reached Monday-Friday 11AM-6PM ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Divecha B. Kamal can be reached on (571)272-5863. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/Alex H. Tran/Examiner, Art Unit 2453
/Hitesh Patel/Primary Examiner, Art Unit 2419
6/2/22