DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 05/16/2022 has been entered and claims 1-20 are currently pending.
Response to Arguments
Applicant’s arguments filed on 5/16/22 were fully considered, but are moot in view of new rejections made below in response to applicant’s amendments.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-14, 16-20, are rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub. No. 20160173511 to BRATSPIESS et al. (hereinafter BRATSPIESS) in view of U.S. PGPub. No. 20180241654 to DANICHEV et al. (hereinafter DANICHEV).
Regarding claim 1, BRATSPIESS discloses a method comprising: accessing network traffic from a network (¶0068 wherein Hardware processors 140A and 140B perform measurements of the traffic of the network “Hardware processors 140A and 140B may be configured to perform measurements on the traffic of network 170 passing through ports 160A, 160B and 160C. Each of network interfaces 130A and 130B and storage devices 150A and 150B may be operatively coupled with one of hardware processors 140A and 140B, correspondingly”);
storing a first value of a property of a plurality of properties that are associated with an entity communicatively coupled to the network, wherein the first value of the property is based on the network traffic, and each of the plurality of properties are associated with a respective weight (¶ 0073, wherein a baseline profile of an activity of the network devices may be initially created: “a baseline profile of an activity of the network may be initially created. The network activity may be in (i.e., incoming) and/or out (i.e., outgoing) network activity. The baseline profile may include baseline values for various provided, inquirable and/or measurable characteristics of the network, including characteristics representing the network architecture and topology (e.g., number, identification and location of network appliances and other network elements), characteristics of the network appliances (e.g., the power which is drawn by a network appliance, inbound and outbound traffic generated by a network appliance and its characteristics) and/or of other network elements such as cables and fibers (e.g., cable length, fiber length, fiber reflections and/or fiber attenuation)”, wherein the plurality of properties is recited as “the baseline profile may include baseline values for various provided, inquirable and/or measurable characteristics of the network…”), and each of the plurality of the properties are associated with a respective weight (respective baseline value, ¶ 0073). Applicant’s definition of weight as a multiplier applied to a number (e.g., one) implies that weight is a value applied to a property.
accessing additional network traffic associated with the entity (¶ 0011, ¶ 0074; in particular, ¶ 0074 discloses how further traffic is collected, e.g., “the ports may be continuously monitored”);
determining, by a processing device, a second value of the property based on the additional network traffic (¶ 0074, wherein an event is recorded that is triggered by the additional monitoring of traffic: “following an activation of a protection mode, an irregular event may be identified…”);
determining whether the first value of the property does not match the second value of the property (¶ 0074, wherein the irregular traffic is compared with the baseline: “…detecting a deviation of traffic of the network passing through a port from the baseline profile”);
and in response to the first value of the property not matching the second value of the property,
storing an indicator that an anomaly is detected (¶ 0073 - ¶ 0074, and ¶ 0076, wherein once a deviation from the baseline profile is detected, the system may classify the deviation as an irregular event that may indicate a cyber or physical attack: “The characteristics are such that a change in the inquired or measured values of these characteristics may indicate that the network is under a physical or a cyber-attack…”) (¶ 0076, wherein consecutive measurements are made).
However, BRATSPIESS does not explicitly disclose the following limitation taught by DANICHEV: weight that is associated with a priority of a respective one of the plurality of properties; and
incrementing a counter using the respective weight of the property and, in response to the counter being greater than a threshold storing an indicator that an anomaly is detected.
DANICHEV discloses associating weights of different scores to different property values using a gradual step function in computing anomaly score (See DANICHEV disclosure in ¶0056 “The function G_s(Δx) is a gradual step function that has the following properties. First, G_s(Δx ≥ 0) = 1, which means that property values within the histogram above x are fully considered with a weight of 100%. Second, G_s(−Δx = s) ≈ 0.5, which means that property values within the histogram below x by the separation scale parameter s are partially considered with a weight of 50%. Third, G_s(−Δx ≫ s) → 0, which means that property values within the histogram below x by much more than the separation scale parameter s are effectively ignored with a weight of approaching 0%. Fourth, G_s(Δx) should be continuous so that the computed anomaly score does not become a discontinuous function of x that is sensitive to very small changes in x”). The examiner interprets DANICHEV disclosure as prioritizing one property over other properties in the computation of anomaly score.
DANICHEV discloses updating a histogram of the property values using the computed value in a current time slot by incrementing the count for that property value (See DANICHEV disclosure in ¶0042 “Referring back to FIG. 1, for each different property (including each event property and each global property), a histogram of the property values of the property in question is updated using the property value computed in part 104 or part 106 for this property in the current time slot (108). Most generally, the count for the property value of a property that has been computed for the property in the current time slot is incremented by one. For instance, as to the example histogram 300 of FIG. 3, if the property value computed in part 104 or part 106 is the property value 302B, then the count 304B is incremented by one”). The examiner equates the above disclosure to incrementing a counter using the respective weight of the property because values of the property that are used to increment the count are occurrence weights and incrementing a count inherently means a counter is present.
DANICHEV discloses anomaly detection based on anomaly score or event is greater than a threshold (See DANICHEV disclosure in ¶0063 “For instance, the anomaly scores may be ranked from highest score to lowest score. If any anomaly score is greater than a threshold, then it may be concluded that an anomaly has occurred at the system generating the events in relation to which the anomaly score has been computed. As another example, if more than a certain number of events are each greater than a threshold, then it may be concluded that an anomaly has occurred”). The examiner equates the above disclosure to “and in response to the counter being greater than a threshold storing an indicator that an anomaly is detected”. 
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of BRATSPIESS to include the concept of prioritizing a property over other properties and detecting an anomaly when the score or events exceeded the threshold as disclosed by DANICHEV and be motivated in doing so because it provides a utilization for continuous computation of anomaly score in the system and pushing insignificant anomalies toward zero – DANICHEV ¶0056 and ¶0058 in parts.
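The weighted-counter check recited in claim 1, sketched as an added example; it is not code from the application, BRATSPIESS or DANICHEV. The property names, weights, threshold, sample observations and the choice to accumulate the counter across successive observations are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical weights: a larger weight marks a higher-priority property.
WEIGHTS = {"mac_vendor": 5, "os_fingerprint": 4, "open_ports": 2, "dhcp_hostname": 1}
THRESHOLD = 5  # anomaly only when the counter is strictly greater than this


@dataclass
class EntityProfile:
    baseline: dict                 # first values, learned from initial traffic
    counter: int = 0               # weighted mismatch counter
    anomaly: bool = False          # stored anomaly indicator
    mismatches: list = field(default_factory=list)  # (property, first, second)


def observe(profile, observed, weights=WEIGHTS, threshold=THRESHOLD):
    """Compare second values with the stored first values.

    Each mismatching property adds its own weight to the counter; the
    anomaly indicator is stored once the counter exceeds the threshold.
    """
    for prop, second in observed.items():
        if prop not in profile.baseline or prop not in weights:
            continue  # no first value or no weight: nothing to compare
        if second is None:
            continue  # property not visible in this traffic sample
        first = profile.baseline[prop]
        if first != second:
            profile.counter += weights[prop]
            profile.mismatches.append((prop, first, second))
    if profile.counter > threshold:
        profile.anomaly = True
    return profile.anomaly


def demo():
    """Run constructed observations for two hypothetical entities."""
    printer = EntityProfile(baseline={
        "mac_vendor": "VendorA",
        "os_fingerprint": "embedded-linux",
        "open_ports": frozenset({80, 9100}),
        "dhcp_hostname": "printer-3f",
    })
    observations = [
        # low-priority drift only: hostname changed, ports unchanged
        {"dhcp_hostname": "printer-3f-new", "open_ports": frozenset({80, 9100})},
        # a new listening port; OS not observable in this sample
        {"open_ports": frozenset({22, 80, 9100}), "os_fingerprint": None},
        # high-priority change pushes the counter over the threshold
        {"os_fingerprint": "windows-10"},
    ]
    trace = []
    for obs in observations:
        flagged = observe(printer, obs)
        trace.append((printer.counter, flagged))

    # Edge case: one mismatch whose weight equals the threshold does not fire,
    # because the comparison is "greater than", not "greater than or equal".
    camera = EntityProfile(baseline={"mac_vendor": "VendorB"})
    edge = observe(camera, {"mac_vendor": "VendorC"})
    return trace, (camera.counter, edge)


if __name__ == "__main__":
    print(demo())
```
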

Regarding claim 2, BRATSPIESS in view of DANICHEV discloses the method of claim 1. BRATSPIESS further discloses the method of claim 1 comprising: performing an action based on the indicator that an anomaly is detected (¶ 0076 “Once a deviation from the baseline value is detected (i.e., beyond the error range), the system may take an action or engage in a set of actions, according to the specific action configuration of the system”).  
Regarding claim 3, BRATSPIESS in view of DANICHEV discloses the method of claim 1. DANICHEV further discloses: wherein a first weight associated with a first of the plurality of properties is different from a second weight that is associated with a second of the plurality of properties.
See DANICHEV disclosure about different property values having different occurrence weights in (¶ 0060 “For example, if there are properties P1 and P2, where P1 has three different property values p1a, p1b, and p1c for which there are counts or occurrence weights within the histogram for P1, and P2 has four different property values p2a, p2a, p2b, p2c, and p2d for which there are counts or occurrence weights within the histogram for P2, then a total of seven anomaly scores are computed”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of BRATSPIESS in view of DANICHEV in claim 1 to include the concept of associating different weights to different properties as disclosed by DANICHEV and be motivated in doing so because it provides a method to compute anomaly score for each identified property value within the time-decaying histogram of each different property to detect occurrence of an anomaly within the system – DANICHEV abstract.

Regarding claim 4, BRATSPIESS in view of DANICHEV discloses the method of claim 3. BRATSPIESS further discloses the method of claim 3, wherein the threshold is associated with two or more of the plurality of properties in (¶ 0088 “An acceptable error range may be set, optionally by a user of the system, in order to prevent false alarm. For example, a threshold of ten meters may be set”).  
Regarding claim 5, BRATSPIESS in view of DANICHEV discloses the method of claim 3. BRATSPIESS further discloses the method of claim 3, wherein the respective weight associated with the plurality of properties is based on a policy in (¶ 0074 “The irregular events may be identified according to a predetermined set of rules and according to the network defaults”).   
Regarding claim 6, BRATSPIESS in view of DANICHEV discloses the method of claim 5. BRATSPIESS further discloses wherein at least one of the respective weight associated with each of the plurality of properties or the threshold are user configurable in (¶ 0093 “…..The above values of the threshold and the period of time may be adjusted and fine-tuned by a user subject to the specific environment on site”).  
Regarding claim 7, BRATSPIESS in view of DANICHEV discloses the method of claim 2.  BRATSPIESS further discloses wherein the action comprises at least one of changing a virtual local area network (VLAN) associated with the entity, quarantining the entity, initiating an update, tracking further network traffic of the entity, or sending a notification associated with the entity in (¶ 0077 “The actions which may be taken by the system, once an irregular event is detected or confirmed may include generation of an event log (e.g., by using syslog or Simple Network Management Protocol trap), issuing an alert, disabling the port, blocking the communication from and/or to a specific network appliance, and/or sending suspicious data with respect to the irregular event for further analysis in an external dedicated system”).
Regarding claim 8, BRATSPIESS in view of DANICHEV discloses the method of claim 1. BRATSPIESS further discloses wherein the first value of a property associated with the entity is determined without an agent (¶ 0010, wherein a hardware processor creates the baseline profile of the network: “hardware processor configured to: upon initial setup of said security device, create a baseline profile of an activity of the network, and following an activation of a protection mode, identify an irregular event by detecting a deviation of network traffic passing through a port of the ports from said baseline profile”). (An agent is software.)

Regarding claim 9, BRATSPIESS discloses a system comprising: a memory (¶ 0186 “a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, a mechanically encoded device such as punch-cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing”);
and a processing device, operatively coupled to the memory (¶ 0187 “A network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium within the respective computing/processing device”), to: access network traffic from a network (¶ 0068, wherein hardware processors 140A and 140B perform measurements of the traffic of the network: “Hardware processors 140A and 140B may be configured to perform measurements on the traffic of network 170 passing through ports 160A, 160B and 160C. Each of network interfaces 130A and 130B and storage devices 150A and 150B may be operatively coupled with one of hardware processors 140A and 140B, correspondingly”);
store a first value of a property of a plurality of properties that are associated with an entity communicatively coupled to the network, wherein the first value of the property is based on the network traffic, and each of the plurality of properties are associated with a respective weight (¶ 0073, wherein a baseline profile of an activity of the network devices may be initially created: “a baseline profile of an activity of the network may be initially created. The network activity may be in (i.e., incoming) and/or out (i.e., outgoing) network activity. The baseline profile may include baseline values for various provided, inquirable and/or measurable characteristics of the network, including characteristics representing the network architecture and topology (e.g., number, identification and location of network appliances and other network elements), characteristics of the network appliances (e.g., the power which is drawn by a network appliance, inbound and outbound traffic generated by a network appliance and its characteristics) and/or of other network elements such as cables and fibers (e.g., cable length, fiber length, fiber reflections and/or fiber attenuation)”, wherein the plurality of properties is recited as “the baseline profile may include baseline values for various provided, inquirable and/or measurable characteristics of the network…”), and each of the plurality of the properties are associated with a respective weight (respective baseline value, ¶ 0073). Applicant’s definition of weight as a multiplier applied to a number (e.g., one) implies that weight is a value applied to a property;
access additional network traffic associated with the entity (¶ 0011, ¶ 0074; in particular, ¶ 0074 discloses how further traffic is collected, e.g., “the ports may be continuously monitored”);
determine a second value of the property based on the additional network traffic (¶ 0074, wherein an event is recorded that is triggered by the additional monitoring of traffic: “following an activation of a protection mode, an irregular event may be identified…”);
determine whether the first value of the property does not match the second value of the property (¶ 0074, wherein the irregular traffic is compared with the baseline: “…detecting a deviation of traffic of the network passing through a port from the baseline profile”);
and in response to the first value of the property not matching the second value of the property, store an indicator that an anomaly is detected (¶ 0073 - ¶ 0074, and ¶ 0076, wherein once a deviation from the baseline profile is detected, the system may classify the deviation as an irregular event that may indicate a cyber or physical attack: “The characteristics are such that a change in the inquired or measured values of these characteristics may indicate that the network is under a physical or a cyber-attack…”) (¶ 0076, wherein consecutive measurements are made).
However, BRATSPIESS does not explicitly disclose the following limitation taught by DANICHEV: weight that is associated with a priority of a respective one of the plurality of properties; and
incrementing a counter using the respective weight of the property and, in response to the counter being greater than a threshold storing an indicator that an anomaly is detected.
DANICHEV discloses associating weights of different scores to different property values using a gradual step function in computing anomaly score (See DANICHEV disclosure in ¶0056 “The function G_s(Δx) is a gradual step function that has the following properties. First, G_s(Δx ≥ 0) = 1, which means that property values within the histogram above x are fully considered with a weight of 100%. Second, G_s(−Δx = s) ≈ 0.5, which means that property values within the histogram below x by the separation scale parameter s are partially considered with a weight of 50%. Third, G_s(−Δx ≫ s) → 0, which means that property values within the histogram below x by much more than the separation scale parameter s are effectively ignored with a weight of approaching 0%. Fourth, G_s(Δx) should be continuous so that the computed anomaly score does not become a discontinuous function of x that is sensitive to very small changes in x”). The examiner interprets DANICHEV disclosure as prioritizing one property over other properties in the computation of anomaly score.
DANICHEV discloses updating a histogram of the property values using the computed value in a current time slot by incrementing the count for that property value (See DANICHEV disclosure in ¶0042 “Referring back to FIG. 1, for each different property (including each event property and each global property), a histogram of the property values of the property in question is updated using the property value computed in part 104 or part 106 for this property in the current time slot (108). Most generally, the count for the property value of a property that has been computed for the property in the current time slot is incremented by one. For instance, as to the example histogram 300 of FIG. 3, if the property value computed in part 104 or part 106 is the property value 302B, then the count 304B is incremented by one”). The examiner equates the above disclosure to incrementing a counter using the respective weight of the property because values of the property that are used to increment the count are occurrence weights and incrementing a count inherently means a counter is present.
DANICHEV discloses anomaly detection based on anomaly score or event is greater than a threshold (See DANICHEV disclosure in ¶0063 “For instance, the anomaly scores may be ranked from highest score to lowest score. If any anomaly score is greater than a threshold, then it may be concluded that an anomaly has occurred at the system generating the events in relation to which the anomaly score has been computed. As another example, if more than a certain number of events are each greater than a threshold, then it may be concluded that an anomaly has occurred”). The examiner equates the above disclosure to “and in response to the counter being greater than a threshold storing an indicator that an anomaly is detected”. 
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of BRATSPIESS to include the concept of prioritizing a property over other properties and detecting an anomaly when the score or events exceeded the threshold as disclosed by DANICHEV and be motivated in doing so because it provides a utilization for continuous computation of anomaly score in the system and pushing insignificant anomalies toward zero – DANICHEV ¶0056 and ¶0058 in parts.

Regarding claim 10, BRATSPIESS in view of DANICHEV discloses the system of claim 9. BRATSPIESS further discloses the processing device further to: perform an action based on the indicator that an anomaly is detected (¶ 0076 “Once a deviation from the baseline value is detected (i.e., beyond the error range), the system may take an action or engage in a set of actions, according to the specific action configuration of the system”).  


Regarding claim 11, BRATSPIESS in view of DANICHEV discloses the system of claim 9. 
DANICHEV further discloses: wherein a first weight associated with a first of the plurality of properties is different from a second weight that is associated with a second of the plurality of properties.  
See DANICHEV disclosure about different property values having different occurrence weights in (¶ 0060 “For example, if there are properties P1 and P2, where P1 has three different property values p1a, p1b, and p1c for which there are counts or occurrence weights within the histogram for P1, and P2 has four different property values p2a, p2a, p2b, p2c, and p2d for which there are counts or occurrence weights within the histogram for P2, then a total of seven anomaly scores are computed”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of BRATSPIESS in view of DANICHEV in claim 1 to include the concept of associating different weights to different properties as disclosed by DANICHEV and be motivated in doing so because it provides a system to compute anomaly score for each identified property value within the time-decaying histogram of each different property to detect occurrence of an anomaly within the system – DANICHEV abstract.
 
 Regarding claim 12, BRATSPIESS in view of DANICHEV discloses the system of claim 11. BRATSPIESS further discloses the system of claim 11, wherein the threshold is associated with two or more properties in (¶ 0088 “An acceptable error range may be set, optionally by a user of the system, in order to prevent false alarm. For example, a threshold of ten meters may be set”).  
Regarding claim 13, BRATSPIESS in view of DANICHEV discloses the system of claim 11. BRATSPIESS further discloses the system of claim 11, wherein the respective weight associated with the plurality of properties is based on a policy in (¶ 0074 “The irregular events may be identified according to a predetermined set of rules and according to the network defaults”).  
Regarding claim 14, BRATSPIESS in view of DANICHEV discloses the system of claim 13.  BRATSPIESS further discloses wherein at least one of the respective weight associated with each of the plurality of properties or the threshold are user configurable in (¶ 0093 “…..The above values of the threshold and the period of time may be adjusted and fine-tuned by a user subject to the specific environment on site”).   

Regarding claim 16, BRATSPIESS in view of DANICHEV discloses the system of claim 10. BRATSPIESS further discloses wherein the action comprises at least one of changing a virtual local area network (VLAN) associated with the entity, quarantining the entity, initiating an update, tracking further network traffic of the entity, or sending a notification associated with the entity in (¶ 0077 “The actions which may be taken by the system, once an irregular event is detected or confirmed may include generation of an event log (e.g., by using syslog or Simple Network Management Protocol trap), issuing an alert, disabling the port, blocking the communication from and/or to a specific network appliance, and/or sending suspicious data with respect to the irregular event for further analysis in an external dedicated system”).
Application No.: 16/584,001; Docket No.: F102152 1230US.1 (IS 099)
Regarding claim 17, BRATSPIESS in view of DANICHEV discloses the system of claim 9. BRATSPIESS further discloses wherein the first value of a property associated with the entity is determined without an agent (¶ 0010, wherein a hardware processor creates the baseline profile of the network: “hardware processor configured to: upon initial setup of said security device, create a baseline profile of an activity of the network, and following an activation of a protection mode, identify an irregular event by detecting a deviation of network traffic passing through a port of the ports from said baseline profile”). (An agent is software.)
Regarding claim 18, BRATSPIESS discloses a non-transitory computer readable medium having instructions encoded thereon that (¶ 0186 “A computer readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire”), when executed by a processing device (¶ 0187 “A network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium within the respective computing/processing device”), cause the processing device to: access network traffic from a network (¶ 0068, wherein hardware processors 140A and 140B perform measurements of the traffic of the network: “Hardware processors 140A and 140B may be configured to perform measurements on the traffic of network 170 passing through ports 160A, 160B and 160C. Each of network interfaces 130A and 130B and storage devices 150A and 150B may be operatively coupled with one of hardware processors 140A and 140B, correspondingly”);
 
store a first value of a property of a plurality of properties that are associated with an entity communicatively coupled to the network, wherein the first value of the property is based on the network traffic, and each of the plurality of properties are associated with a respective weight (¶ 0073, wherein a baseline profile of an activity of the network devices may be initially created: “a baseline profile of an activity of the network may be initially created. The network activity may be in (i.e., incoming) and/or out (i.e., outgoing) network activity. The baseline profile may include baseline values for various provided, inquirable and/or measurable characteristics of the network, including characteristics representing the network architecture and topology (e.g., number, identification and location of network appliances and other network elements), characteristics of the network appliances (e.g., the power which is drawn by a network appliance, inbound and outbound traffic generated by a network appliance and its characteristics) and/or of other network elements such as cables and fibers (e.g., cable length, fiber length, fiber reflections and/or fiber attenuation)”, wherein the plurality of properties is recited as “the baseline profile may include baseline values for various provided, inquirable and/or measurable characteristics of the network…”), and each of the plurality of the properties are associated with a respective weight (respective baseline value, ¶ 0073). Applicant’s definition of weight as a multiplier applied to a number (e.g., one) implies that weight is a value applied to a property;
access additional network traffic associated with the entity (¶ 0011, ¶ 0074; in particular, ¶ 0074 discloses how further traffic is collected, e.g., “the ports may be continuously monitored”);
determine a second value of the property based on the additional network traffic (¶ 0074, wherein an event is recorded that is triggered by the additional monitoring of traffic: “following an activation of a protection mode, an irregular event may be identified…”);
determine, by the processing device, whether the first value of the property does not match the second value of the property (¶ 0074, wherein the irregular traffic is compared with the baseline: “…detecting a deviation of traffic of the network passing through a port from the baseline profile”);
and in response to the first value of the property not matching the second value of the property, store an indicator that an anomaly is detected (¶ 0073 - ¶ 0074, and ¶ 0076, wherein once a deviation from the baseline profile is detected, the system may classify the deviation as an irregular event that may indicate a cyber or physical attack: “The characteristics are such that a change in the inquired or measured values of these characteristics may indicate that the network is under a physical or a cyber-attack…”) (¶ 0076, wherein consecutive measurements are made).
However, BRATSPIESS does not explicitly disclose the following limitation taught by DANICHEV: weight that is associated with a priority of a respective one of the plurality of properties; and
incrementing a counter using the respective weight of the property and, in response to the counter being greater than a threshold storing an indicator that an anomaly is detected.
DANICHEV discloses associating weights of different scores to different property values using a gradual step function in computing anomaly score (See DANICHEV disclosure in ¶0056 “The function G.sub.S(Δx) is a gradual step function that has the following properties. First, G.sub.s(Δx≥0)=1, which means that property values within the histogram above x are fully considered with a weight of 100%. Second, G.sub.s(−Δx=s)˜0.5, which means that property values within the histogram below x by the separation scale parameter s are partially considered with a weight of 50%. Third, G.sub.s(−Δx>>s).fwdarw.0, which means that property values within the histogram below x by much more than the separation scale parameter s are effectively ignored with a weight of approaching 0%. Fourth, G.sub.s(Δx) should be continuous so that the computed anomaly score does not become a discontinuous function of x that is sensitive to very small changes in x”). The examiner interprets DANICHEV disclosure as prioritizing one property over other properties in the computation of anomaly score.
DANICHEV discloses updating a histogram of the property values using the computed value in a current time slot by incrementing the count for that property value (See DANICHEV disclosure in ¶0042 “Referring back to FIG. 1, for each different property (including each event property and each global property), a histogram of the property values of the property in question is updated using the property value computed in part 104 or part 106 for this property in the current time slot (108). Most generally, the count for the property value of a property that has been computed for the property in the current time slot is incremented by one. For instance, as to the example histogram 300 of FIG. 3, if the property value computed in part 104 or part 106 is the property value 302B, then the count 304B is incremented by one”). The examiner equates the above disclosure to incrementing a counter using the respective weight of the property because values of the property that are used to increment the count are occurrence weights, and incrementing a count inherently means a counter is present.
DANICHEV discloses anomaly detection based on anomaly score or event is greater than a threshold (See DANICHEV disclosure in ¶0063 “For instance, the anomaly scores may be ranked from highest score to lowest score. If any anomaly score is greater than a threshold, then it may be concluded that an anomaly has occurred at the system generating the events in relation to which the anomaly score has been computed. As another example, if more than a certain number of events are each greater than a threshold, then it may be concluded that an anomaly has occurred”). The examiner equates the above disclosure to “and in response to the counter being greater than a threshold storing an indicator that an anomaly is detected”. 
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of BRATSPIESS to include the concept of prioritizing a property over other properties and detecting an anomaly when the score or events exceed the threshold, as disclosed by DANICHEV, and would have been motivated to do so because it provides for continuous computation of the anomaly score in the system and pushes insignificant anomalies toward zero – DANICHEV ¶0056 and ¶0058 in parts.
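The two mechanisms discussed in the rejection of claim 18 above, as an added illustration that is not part of this Office action or of either reference: a counter incremented by each mismatching property's weight and compared to a threshold, and histogram counts weighted by a gradual step function with the four properties quoted from DANICHEV ¶0056. The property names, weights, sample values and the functional form chosen for `gradual_step` are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Prop:
    name: str
    weight: int  # priority weight; values below are constructed

def weighted_counter(props, baseline, current):
    """Add a property's weight to the counter when its current value differs from the baseline."""
    counter, mismatched = 0, []
    for p in props:
        if baseline.get(p.name) != current.get(p.name):
            counter += p.weight
            mismatched.append(p.name)
    return counter, mismatched

def detect(props, baseline, current, threshold):
    """Return the stored indicator: anomaly only if the weighted counter exceeds the threshold."""
    counter, mismatched = weighted_counter(props, baseline, current)
    return {"anomaly": counter > threshold, "counter": counter, "mismatched": mismatched}

def gradual_step(dx, s):
    """Assumed form: 1 for dx >= 0, exactly 0.5 at dx = -s, tends to 0 for dx << -s, continuous at 0."""
    return 1.0 if dx >= 0 else 1.0 / (1.0 + (dx / s) ** 2)

def weighted_tail(hist, x, s):
    """Sum histogram counts, each weighted by gradual_step(value - x, s)."""
    return sum(count * gradual_step(value - x, s) for value, count in hist.items())

# Constructed sample: a device baseline and two later observations.
PROPS = [Prop("firmware", 3), Prop("open_ports", 2), Prop("hostname", 1)]
BASELINE = {"firmware": "1.4.2", "open_ports": (22, 443), "hostname": "plc-07"}
RENAMED = dict(BASELINE, hostname="plc-7")
REFLASHED = dict(BASELINE, hostname="plc-7", firmware="1.4.9")
HIST = {8: 2, 10: 4, 12: 1}  # property value -> count (constructed)

if __name__ == "__main__":
    for label, obs in (("renamed", RENAMED), ("reflashed", REFLASHED)):
        print(label, detect(PROPS, BASELINE, obs, threshold=3))
    # A count incremented by one per mismatch would see 2 here, not the weighted 4.
    print("mismatches:", len(detect(PROPS, BASELINE, REFLASHED, 3)["mismatched"]))
    print("weighted tail at x=10, s=2:", weighted_tail(HIST, 10, 2))
```

With the same threshold, a low-priority change alone leaves the counter below the threshold, while the same change combined with a high-priority one crosses it.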

Regarding claim 19, BRATSPIESS in view of DANICHEV discloses the non-transitory computer readable medium of claim 18. BRATSPIESS further discloses the processing device further to: perform an action based on the indicator that an anomaly is detected (¶ 0076 “Once a deviation from the baseline value is detected (i.e., beyond the error range), the system may take an action or engage in a set of actions, according to the specific action configuration of the system”).  
Regarding claim 20, BRATSPIESS in view of DANICHEV discloses the non-transitory computer readable medium of claim 18.
 DANICHEV further discloses: wherein a first weight associated with a first of the plurality of properties is different from a second weight that is associated with a second of the plurality of properties.  
See DANICHEV disclosure about different property values having different occurrence weights in (¶ 0060 “For example, if there are properties P1 and P2, where P1 has three different property values p1a, p1b, and p1c for which there are counts or occurrence weights within the histogram for P1, and P2 has four different property values p2a, p2b, p2c, and p2d for which there are counts or occurrence weights within the histogram for P2, then a total of seven anomaly scores are computed”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of BRATSPIESS in view of DANICHEV in claim 1 to include the concept of associating different weights to different properties as disclosed by DANICHEV and be motivated in doing so because it provides a system to compute anomaly score for each identified property value within the time-decaying histogram of each different property to detect occurrence of an anomaly within the system – DANICHEV abstract.

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub. No. 20160173511 to BRATSPIESS et al. (hereinafter BRATSPIESS) in view of U.S. PGPub. No. 2080241654 to DANICHEV et al. (hereinafter DANICHEV) and further in view of U.S. PGPub. No. 20070113281 to LEACH; John. (hereinafter LEACH).
Regarding claim 15, BRATSPIESS in view of DANICHEV discloses the system of claim 9. However, their combination does not explicitly disclose the following limitation taught by LEACH: wherein a risk that is associated with the at least one entity is determined based on an objective associated with at least one of entity risk, entity sensitivity, or entity types in the network portion.  
LEACH discloses entity risk selected from entity properties in (¶ 0016 “Each entity in the risk chain may be an entity with substantially the properties of an entity selected from the following list of entity types: threat agents; attacks; security breaches; disruptions; damage”).  
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the applicant’s claimed invention to modify the system of BRATSPIESS in view of DANICHEV in claim 9 to include the concept of risk associated with an entity being determined based on entity types as disclosed by LEACH and be motivated in doing so in order to efficiently control threats in the network.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. U.S. PGPub. Nos. 20170163666, 20180357415, 20190182278 and U.S. Pat. No. 7181768.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUDASIRU K OLAEGBE whose telephone number is (571)272-2082. The examiner can normally be reached MON-FRI. 7.30AM-5.30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 5712723739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MUDASIRU K OLAEGBE/Examiner, Art Unit 2495       

/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495