DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to communication filed on 12/26/2019.
Status of claims in the instant application:
Claims 1-20 are pending.
Priority
The instant application claims priority benefit to foreign patent application “INDIA 201941043497 filed on 10/25/2019”. The Examiner notes that the proper priority document has been provided by the Applicant.
Information Disclosure Statement
Information Disclosure Statements (IDS) filed on 12/26/2019 and 03/18/2022 have been considered, and signed copies of the IDS forms are attached to this office action.
Claim limitations of the instant Application are NOT being interpreted under 35 U.S.C. 112(f). The limitations of claims 12-21 do use terms such as “a processor configured to …”, “an anomaly detection engine in communication with the processor and configured to …”, “wherein the anomaly detection engine comprises a data segmentation unit in communication with the processor, said data segmentation unit configured to …”, and “wherein the anomaly detection engine comprises an identification unit in communication with the processor, said identification unit configured to …”.
	However, the terms “processor” and “engine” are treated as known structural terms in the art, and hence these claim limitations are not being interpreted under 35 U.S.C. 112(f).

The Examiner has investigated the claims of the instant Application to identify whether any of the claim limitations recite an abstract idea. It is the Examiner’s opinion that the claims of the instant Application do not recite limitations that can be characterized as falling within one of the three groupings of abstract ideas (i.e. mathematical concepts, certain methods of organizing human activity, and mental processes). Although the limitation of independent claim 1 that recites, “determining, by the processor, a generic pattern of behavior associated with the plurality of anomaly classes based on the extracted feature values, wherein the generic pattern is representative of behavior which substantially simulates feature values on attack by any of the plurality of anomaly classes” may have some mental process aspect (determining) to it, the Examiner does not consider that the limitation as a whole can reasonably be performed in the human mind.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 12-13 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2021/0034994 A1 to Stocker et al. (hereinafter “Stocker”) in view of Pub. No.: US 2017/0339022 A1 to Hegde et al. (hereinafter “Hegde”).
Regarding Claim 1. Stocker discloses A method for detecting anomalous behavior patterns in a network, wherein the method is implemented by at least one processor executing program instructions stored in a memory (Stocker, Abstract, Para [0019, 0034]: Systems and methods of the present disclosure include at least one processor that receives a data set of a data stream from a data source, where the data set includes a time-varying data points. The processor determines event observations associated with data points of the time-varying data points based on a detection model to identify types of the event observations, including: i) anomalies, ii) change-points, iii) patterns, or iv) outliers. The processor generates anomaly records in an event data store based on the event observations and automatically generates event records for at least one of the anomaly records based on variables of at least one dimension of the time-varying data points, where the event record links one or more event observations …  Statistical power is increased by reducing the necessary degrees of freedom in subsequent models to effectively capture behavior in the smaller number of event observations as compared to the much larger set of individual change-point, outlier, pattern, and/or anomaly observations … In embodiments, the detection model 210 may include, e.g., a processing device, a memory device and or a storage device for storing and executing instructions for change-points, outliers, patterns, anomalies, and or any other event detection according to the one or more detection methodologies …), the method comprising:
extracting, by the processor, a plurality of feature values associated with predetermined features from a first collection of one or more datasets associated with a plurality of anomaly classes, wherein the predetermined features are individual measurable characteristics of network behavior and user behavior in the presence or absence of an anomaly (Stocker, Para [0018]: … In some embodiments, the anomaly recognition system 100 provides for multi-dimensional anomaly detection. In some embodiments, individual observations in individual variables may or may not be identified as individual irregularities in the data across one or more dimensions, such as time, location, classification, geography, or other dimension. In some embodiments, irregularities may include change-points, outliers, patterns, and/or anomalies. Yet in some embodiments, collectively associated irregularities, even if they are not individually identified as change-points, outliers, patterns, and/or anomalies may contribute to the identification of a multi-dimensional change-points, anomalies, patterns, and/or outlier events. Machine learning models, e.g., of the COPA engine 110 may associate irregularities across a large number of dimensions, or variables, to detect subtle events that would not be indicated as by univariate change-points, outliers, patterns, and/or anomalies detection models. Detecting multi-dimensional change-point, outlier, pattern, and/or anomaly events, which may be nuanced, is challenging at best. The anomaly recognition system 100 provides the technical underpinnings to manage datasets in a way to make building and scoring multi-dimensional detection models as straightforward as possible. 
The anomaly recognition system 100 may also provide data storage and management capacity to subsequently record and manage identified events and their relationships to individual irregularities, be they univariate change-points, outliers, patterns, and/or anomalies or not, in each appropriate variable …);
determining, by the processor, a generic pattern of behavior associated with the plurality of anomaly classes based on the extracted feature values, wherein the generic pattern is representative of behavior which substantially simulates feature values on attack by any of the plurality of anomaly classes (Stocker, Para [0018]: … In an embodiment, where the detection model 310 is a univariate detection model, the association model 320, retrieves the detected change-points, outliers, patterns, and anomalies from the detection model 310. In datasets, such as large datasets, many change-points, outliers, patterns, and anomalies may exist in the data. While the change-points, outliers, patterns, and anomalies may come from different data sources, such as from credit card transactions and from investment transactions, or any two or more different sources of data, or may present in different dataset or data types, some change-points, outliers, patterns, and anomalies may be a result of a common event. It may be difficult and costly to sort through the change-points, the outliers, the patterns, and the anomalies to infer associated pairs or groups resulting from, e.g., a same root-cause or event, especially where the change-points, outliers, patterns, and anomalies are provided by different sources and/or event detection is performed using exclusively univariate detection models. In embodiments, the association model 320 automatically links associated change-points, outliers, patterns, and anomalies to a single event observation. For example, the association model 320 determines that two or more change-points, outliers, patterns, and/or anomalies are related based on, e.g., common variables, related variables, and/or related dimensions having similar change-point, outlier, pattern, and/or anomaly types. 
Commonalities in aspects of the variables and dimension may be indicative of a common causal event giving rise to each of the associated change-points, outliers, patterns, and anomalies. Thus, in embodiments, the association model 320 analyzes the variables and dimensions of each change-points, outliers, patterns, and/or anomalies and determines one or more of the change-points, outliers, patterns, and anomalies that are associated based on commonalities in the variables and dimensions …);
updating, by the processor, the determined generic pattern based on the analysis of performance of the determined generic pattern based on a second collection of one or more datasets associated with the plurality of anomaly classes and normal behavior classes (Stocker, Para [0035, 0039, 0045, 0055]: … in embodiments, an error function at the recommendation engine 200 receives the updated event observations and compares the updated event observations to the event observations prior to the update. The recommendation engine 200 may then determine an error between the generated event observations and the updated event observations and, e.g., backpropagate the error to update models used for generated the event observations. However, other learning methods are contemplated. As a result, the recommendation engine 200 is continually updated and improved to more accurately and efficiently generate event observations indicative of characteristics of each anomaly in each dataset 29 … In some embodiments, the recommendation engine 300 changes to event observations in the database 360 are tracked and recorded. The changes may then be fed back to the recommendation engine 300 via, e.g., backpropagation, to update and train each of the severity model 340, root-cause model 350, classification model 330, association model 320 and detection model 310. For example, in embodiments, an error function at each of the severity model 340, root-cause model 350, classification model 330, association model 320 and detection model 310 receives the updated event observations and compares the updated event observations to the event observations prior to the update. Each of the severity model 340, root-cause model 350, classification model 330, association model 320 and detection model 310 may then determine an error between the generated event observations and the updated event observations and, e.g., backpropagate the error to update models used for generated the event observations. 
However, other learning methods are contemplated …); and
However, Stocker does not explicitly teach the following, but Hegde, from the same or similar field of endeavor, teaches, “detecting, by the processor, anomalous behavior pattern in a real-time traffic based on the updated generic pattern (Hegde, Para [0018-0019, 0028]: … Embodiments of the present disclosure provide techniques that can be implemented by a packet broker in a visibility network for detecting and predicting anomalies in the network traffic of a core network. In one set of embodiments, these techniques can include training, by the packet broker based on traffic data replicated from the core network, one or more machine learning models that are designed to model the core network's typical traffic patterns … Once the machine learning models have been trained, the packet broker can apply these models (and/or other pre-trained models) to subsequent traffic that is replicated from the core network in order to detect and/or predict the occurrence of traffic anomalies in the core network in real-time. For example, in the case where the packet broker has trained a machine learning model M that models subscriber attach rate, the packet broker can compare the current subscriber attach rate in the core network with the subscriber attach rate value modeled by M for the current point in time. If the difference between these two values exceeds a threshold, the packet broker can determine that an anomaly with respect to subscriber attach rate has occurred (or is in the process of occurring). Alternatively or in addition, the packet broker can compare an extrapolated future subscriber attach rate in the core network modeled by M with a predefined threshold. If the extrapolated future value exceeds the threshold, the packet broker can predict that an anomaly with respect to subscriber attach rate will very likely occur in the future …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hegde with the teachings of Stocker, because Hegde discloses that “since the packet broker monitors for anomalies in a real-time manner, in certain embodiments the packet broker can actively predict the occurrence of future anomalies and take steps to address them. For example, the packet broker may forward a traffic flow associated with a predicted future anomaly to the analytic probes/tools for preemptive analysis and review, before the anomaly actually occurs” (Hegde, Para [0022]).


Regarding Claim 2. The combination of Stocker-Hegde discloses the method as claimed in claim 1, and Hegde further discloses, “a notification indicating abnormal traffic is generated if the feature values associated with the real-time traffic is abnormal (Hegde, Para [0057-0058]: …  In yet another embodiment, packet broker 206 can provide the discovered network information to a tool (e.g., an SDN app running on an SDN controller) so that users can visualize the topology of core network 204. FIG. 7 depicts an example UI 700 that illustrates a visualization of a core network using such a tool according to an embodiment. In this tool, a user can view the entities and their connections/interfaces, and can filter the view based on types of entities (e.g., ENodeB, SGW, MME, PGW, HSS, AAA, etc.) and other criteria. A user can also view alerts/notifications pertaining to anomalies that are detected or predicted by packet broker 206 in accordance with the techniques described in the foregoing sections …).”
The motivation to further combine Hegde remains the same as in claim 1.
Regarding Claim 12. This claim contains all the same or similar limitations as claim 1, hence similarly rejected as claim 1.
Regarding Claim 13. This claim contains all the same or similar limitations as claim 2, hence similarly rejected as claim 2.
Regarding Claim 22. This claim contains all the same or similar limitations as claim 1, hence similarly rejected as claim 1.
Claims 3 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2021/0034994 A1 to Stocker et al. (hereinafter “Stocker”) in view of Pub. No.: US 2017/0339022 A1 to Hegde et al. (hereinafter “Hegde”), as applied to claim 2 above, and further in view of Pub. No.: US 2017/0116059 A1 to Wolf et al. (hereinafter “Wolf”).
Regarding Claim 3. The combination of Stocker-Hegde discloses the method as claimed in claim 2, but it does not explicitly teach the following, which Wolf, from the same or similar field of endeavor, teaches: “wherein the updated generic pattern is further updated based on cumulative rewards generated based on each correct notification (Wolf, Abstract:  … a data analyzer engine in a network environment aggregates real-time feedback from multiple resources that collectively provide delivery of content to multiple subscribers in a network environment. According to one arrangement, the multiple resources are disposed along a network communication path between a content delivery source and the subscriber. Based on analyzing the aggregated real-time feedback from the multiple resources disposed along the network communication path, assume that the data analyzer engine detects occurrence of multiple anomaly conditions at a location in the network communication path. Each of the anomaly condition may or may not be representative of an actual network resource failure. In response to detecting first occurrence of the anomaly conditions, the data analyzer engine initiates generation of a notification to appropriate network management personnel indicating the occurrence of the detected anomaly condition. The network management personnel determine a root cause of the first occurrence of the detected anomaly conditions and provide feedback indicating the root cause and how to correct it. Subsequent to learning and recording a pattern of first detected anomaly conditions and the corresponding root cause, a data analyzer engine compares the learned pattern to future received real-time feedback. Upon detecting a match of the learned pattern to a future occurrence of a same set of anomaly conditions, the analyzer engine provides notification to network management personnel to address the network failure. 
The notification can include information indicating the likely root cause of the newly detected anomaly condition (which matches a pattern of the originally detected anomaly) as well as how to fix it …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wolf with the combined teachings of Stocker-Hegde, because Wolf discloses that “techniques herein are well suited for aiding in the identification of a root cause of a network anomaly to prevent or reduce the time of data delivery outages in a network environment. However, it should be noted that embodiments herein are not limited to use in such applications and that the techniques discussed herein are well suited for other applications as well” (Wolf, Para [0152]).
Regarding Claim 14. This claim contains all the same or similar limitations as claim 3, hence similarly rejected as claim 3.
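For reference, the pipeline recited in claim 1 (extract feature values from datasets of several anomaly classes, determine one generic pattern covering all of them, update it against a second collection that also contains normal behavior, then detect on real-time traffic and raise a notification) and the reward-driven update recited in claim 3 are illustrated below. This is an added, self-contained example written for this page; it is not code from the application or from Stocker, Hegde or Wolf. The scoring rule (a window's score is the largest weighted ratio of a feature value to the generic pattern's level for that feature), the threshold tuning by accuracy on the second collection, and the reward rule (each correct notification adds +1, each incorrect one -1, and the triggering feature's weight follows its cumulative reward) are assumptions chosen for illustration; every window of events is constructed.

```python
"""Added illustrative example (not code from the application or from any cited
reference) of a claim-1-style pipeline with the claim-3-style reward update.
All event windows are constructed; scoring and reward rules are assumptions."""
from statistics import median
from typing import Dict, List, Optional, Tuple

FEATURES = ("flows", "dports", "failed_logins", "mean_bytes")
Window = List[dict]          # one time window of flow/authentication events
Pattern = Dict[str, float]


def make_window(n_flows: int, n_ports: int, n_fail: int, bytes_per_flow: int) -> Window:
    """Constructed window: n_flows events spread over n_ports destination ports."""
    return [{"dport": 1000 + i % n_ports, "bytes": bytes_per_flow,
             "auth": "fail" if i < n_fail else "ok"} for i in range(n_flows)]


def extract_features(window: Window) -> Dict[str, float]:
    """Individual measurable characteristics of network/user behavior in a window."""
    n = len(window) or 1
    return {
        "flows": float(len(window)),
        "dports": float(len({e["dport"] for e in window})),
        "failed_logins": float(sum(1 for e in window if e["auth"] == "fail")),
        "mean_bytes": sum(e["bytes"] for e in window) / n,
    }


def generic_pattern(first_collection: Dict[str, List[Window]]) -> Pattern:
    """One pattern covering every anomaly class: per feature, the highest
    per-class median, i.e. the level that at least one attack class drives it to."""
    class_medians = []
    for windows in first_collection.values():
        fvs = [extract_features(w) for w in windows]
        class_medians.append({f: median(fv[f] for fv in fvs) for f in FEATURES})
    return {f: max(cm[f] for cm in class_medians) for f in FEATURES}


def score(fv: Dict[str, float], pattern: Pattern,
          weights: Optional[Dict[str, float]] = None) -> Tuple[float, str]:
    """Similarity to the generic pattern: the feature closest to its attack level wins."""
    weights = weights or {f: 1.0 for f in FEATURES}
    contrib = {f: weights[f] * fv[f] / pattern[f] for f in FEATURES if pattern[f] > 0}
    top = max(contrib, key=contrib.get)
    return contrib[top], top


def tune_threshold(pattern: Pattern, second_collection: List[Tuple[Window, bool]]) -> float:
    """Update step: choose the decision threshold that performs best on a second,
    labelled collection containing both anomaly and normal windows."""
    scored = [(score(extract_features(w), pattern)[0], is_anomaly)
              for w, is_anomaly in second_collection]
    best_acc, best_theta = -1.0, 1.0
    for step in range(2, 21):                      # candidate thresholds 0.10 .. 1.00
        theta = step / 20
        acc = sum((s >= theta) == label for s, label in scored) / len(scored)
        if acc > best_acc:
            best_acc, best_theta = acc, theta
    return best_theta


class Detector:
    """Real-time detector whose per-feature sensitivity follows cumulative reward."""

    def __init__(self, pattern: Pattern, theta: float):
        self.pattern, self.theta = pattern, theta
        self.weights = {f: 1.0 for f in FEATURES}
        self.reward = {f: 0 for f in FEATURES}

    def detect(self, window: Window) -> Optional[dict]:
        """Returns a notification for an abnormal window, else None."""
        s, top = score(extract_features(window), self.pattern, self.weights)
        return {"feature": top, "score": round(s, 3)} if s >= self.theta else None

    def feedback(self, notification: dict, correct: bool) -> None:
        """Analyst verdict: +1 reward if the notification was correct, -1 otherwise;
        the triggering feature's weight tracks its cumulative reward (assumed rule,
        clamped to [0.5, 1.5]), so a noisy feature is progressively muted."""
        f = notification["feature"]
        self.reward[f] += 1 if correct else -1
        self.weights[f] = min(1.5, max(0.5, 1.0 + 0.1 * self.reward[f]))


def run_demo() -> dict:
    # First collection: datasets for three anomaly classes (constructed).
    first = {
        "port_scan":   [make_window(300, 300, 0, 60), make_window(280, 250, 0, 60)],
        "brute_force": [make_window(60, 1, 50, 200), make_window(40, 1, 35, 200)],
        "flood":       [make_window(600, 2, 0, 1400), make_window(500, 2, 0, 1500)],
    }
    pattern = generic_pattern(first)
    # Second collection: anomaly and normal windows with labels (constructed).
    second = [(make_window(12, 6, 1, 700), False), (make_window(20, 8, 0, 900), False),
              (make_window(150, 150, 0, 60), True), (make_window(30, 1, 25, 200), True),
              (make_window(520, 2, 0, 1400), True)]
    det = Detector(pattern, tune_threshold(pattern, second))
    # Real-time stream with the analyst's verdict on each notification (constructed).
    stream = [(make_window(15, 7, 0, 900), False),    # bulk download: benign, large mean_bytes
              (make_window(14, 5, 0, 1000), False),
              (make_window(200, 180, 0, 60), True),   # port scan
              (make_window(14, 5, 0, 1000), False),
              (make_window(14, 5, 0, 1000), False),   # mean_bytes now down-weighted: silent
              (make_window(35, 1, 30, 200), True)]    # brute force
    notifications = []
    for window, truth in stream:
        note = det.detect(window)
        if note is not None:
            det.feedback(note, correct=truth)
        notifications.append(None if note is None else note["feature"])
    return {"pattern": pattern, "theta": det.theta,
            "notifications": notifications, "weights": det.weights}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Running the demo shows the point of the claim-3 update: the tuned threshold leaves `mean_bytes` as a false-positive source for benign bulk transfers, and after three incorrect notifications its cumulative reward of -3 lowers that feature's weight to 0.7, at which point the same benign window no longer triggers, while the features behind the correctly reported scan and brute-force windows are weighted up.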
Allowable Subject Matter
Claims 4-11, 15-21 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
As allowable subject matter has been indicated, applicant's reply must either comply with all formal requirements or specifically traverse each requirement not complied with.  See 37 CFR 1.111(b) and MPEP § 707.07(a).
The Examiner further notes that, should the Applicant decide to amend the claims as noted above, all of the independent claims (method, system and CRM claims) are to be amended so that they are similar in scope.
Reasons for allowance will be furnished upon allowance.
Pertinent Prior Art:  The following prior art, made of record and not relied upon, is considered pertinent to applicant's disclosure.
	PGPUB US 20160234167 A1, Engel et al.: Engel discloses a method for network monitoring that includes intercepting, in an anomaly detection module, a first data packet transmitted over a network in accordance with a predefined protocol to or from an entity on the network. Both a network address that is assigned to the entity and a strong identity, which is incorporated in the first data packet in accordance with the predefined protocol, of the entity are extracted from the intercepted first data packet. An association is recorded between the network address and the strong identity. Second data packets transmitted over the network are intercepted, containing the network address. Responsively to the recorded association and the network address, the second data packets are associated with the strong identity. The associated second data packets are analyzed in order to detect anomalous behavior and to attribute the anomalous behavior to the entity.
	The present invention relates generally to the field of cyber security and more particularly to detection of anomaly action within a computer network.
PGPUB US 20190245876 A1, FAIGON et al.: FAIGON discloses technology that relates to machine learning based anomaly detection. In particular, it relates to constructing activity models on per-tenant and per-user basis using an online streaming machine learner that transforms an unsupervised learning problem into a supervised learning problem by fixing a target label and learning a regressor without a constant or intercept. Further, it relates to detecting anomalies in near real-time streams of security-related events of one or more tenants by transforming the events in categorized features and requiring a loss function analyzer to correlate, essentially through an origin, the categorized features with a target feature artificially labeled as a constant. It further includes determining an anomaly score for a production event based on calculated likelihood coefficients of categorized feature-value pairs and a prevalencist probability value of the production event comprising the coded features-value pairs.
The technology disclosed generally relates to using machine learning for detecting in real-time anomalous events in network delivered services.
	PGPUB US 20200195672 A1, Mugambi et al.: Mugambi discloses systems and methods for analyzing user behavior patterns to detect compromised computing devices in an enterprise network. According to one embodiment, an enforcement engine running on a network security device identifies top users of a network exhibiting a suspicious behavior relating to login failures by determining a first set of users having a number of login failure events during a given time duration exceeding a threshold. The enforcement engine identifies, from the first set of computers associated with the top users, a second set of computers exhibiting a suspicious behavior relating to new connections exceeding a threshold. The enforcement engine classifies a third set of computers, representing a subset of the second set exhibiting a suspicious behavior relating to consecutive new connections, as compromised source computers when their respective new connections are in a sequence that results in a Shannon entropy measure exceeding a threshold.
	Embodiments of the present invention generally relate to network security. In particular, embodiments of the present invention relate to an improved user entity behavior analytics (UEBA) anomaly detection approach that detects compromised nodes as a result of an advanced persistent threat (APT) while also minimizing false positives by identifying and combining various user behavior elements (e.g., failed logins, new computer connections and sequence of connections opened).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHABUB S AHMED whose telephone number is (571)272-0364.  The examiner can normally be reached 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/MAHABUB S AHMED/Examiner, Art Unit 2434
/KAMBIZ ZAND/Supervisory Patent Examiner, Art Unit 2434