Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This communication is in response to the application filed on 12/18/2020.
Claims 1-20 are pending and are rejected.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 2/4/2021 and 5/26/2022 were filed.  The submissions are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

Claim Objections
Claim 15 is objected to because of the following informalities:  Claim 15 should be written “A computer storage media storing …”.  Claims 16-20, which recite “the media of claim 15”, should be written as “the computer storage media of claim 15”.  Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2 and 4-20 are rejected under 35 U.S.C. 103 as being unpatentable over Cai (US 20200412603 A1) in view of Fenoglio (US 20190306011 A1).
As to claim 1, Cai teaches a computer-implemented method comprising:
receiving behavioral information from a first device and a second device in a network, the behavioral information of the first device and the behavioral information of the second device each indicating that a third device has an inactive operational status in the network ([0036] each node is responsible for maintaining the respective probe list and for sending of probe message(s) to the nodes of the probe list.  Each node may handle its responsibility for detecting failure of other nodes, i.e. node 110 (first device) and node 130 (second device) detect the failure (third device has an inactive operational status));
Cai does not explicitly teach
based on the received behavioral information from the first device and the second device and based on each indication from the first device and the second device that the third device has the inactive operational status, generating an abnormality score for the third device using anomaly detection logic;
determining that the abnormality score exceeds an anomaly threshold; and
based on the abnormality score exceeding the anomaly threshold, causing a security mitigation action.
Fenoglio teaches
based on the received behavioral information from the first device and the second device and based on each indication from the first device and the second device that the third device has the inactive operational status, generating an abnormality score for the third device using anomaly detection logic ([0079], fig. 4, the anomaly detector 406 may report the anomaly to the user interface via network anomaly as a ranked list of anomalies (abnormality score), output and visualization interface 318. However, as noted, a key challenge in network monitoring systems, and particularly those that rely on anomaly detection, is referred to as ‘alert storms’ in which the system raises a large number of alerts that can overwhelm the alert reviewer);
determining that the abnormality score exceeds an anomaly threshold ([0079] In such a case, the alert reviewer may choose to either analyze the top ranked anomalies or use a cut-off threshold to select among anomalies.  Examiner note: the ranked list comprises a third device); and
based on the abnormality score exceeding the anomaly threshold, causing a security mitigation action ([0080], fig. 4, DFRE 408 may operate in conjunction with anomaly detector(s) 406 to prioritize the anomaly detection alerts generated by anomaly detector(s) 406 and send these alerts to output and visualization interface 318 based on their rankings).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to include in the Cai disclosure a ranking to detect anomalies of a device, as taught by Fenoglio.  One would be motivated to do so to send an alert for a particular one of the detected anomalies to a user interface, based on its corresponding rank.

As to claims 2, 11, and 16, Cai and Fenoglio teach all the limitations of claims 1, 10, and 15, wherein Cai further teaches
(1) the behavioral information from the first device includes (a) health information of the first device and (b) observation data of the second device and the third device, and (2) the behavioral information from the second device includes (a) health information of the second device and (b) observation data of the first device and the third device ([0009] after every T time units, a node Mi (first device) selects a random node from its membership list, e.g., Mj (second device), and sends a ping to it. It then waits for an ack message from Mj. If it does not receive the ack within the pre-specified timeout, Mi indirectly probes Mj by randomly selecting k nodes (third device) from its neighbors and asks them to send a ping to Mj; [0036] indicates that each node manages a respective probe list.  That is, Mj performs the same process as node Mi).

As to claim 4, Cai and Fenoglio teach the method of claim 3, wherein Cai further teaches the observation data of the first and second devices includes the operational status of the third device in the network ([0095] at each interval, every node will be probed once by one of its neighbors. Therefore, the failure of any node may be detected in around one time interval).

As to claims 5, 17, and 12, Cai and Fenoglio teach all limitations of claims 1, 11, and 15, wherein Fenoglio further teaches
aggregating the behavioral information from the first and second devices ([0079], figs. 3-4, the anomaly detector 406 may report the anomaly to the user interface via network anomaly as a ranked list (aggregate) of anomalies, output and visualization interface 318); and 
indexing health information and observation data of the first device with health information and observation data of the second device such that the operational status of the third device is determined based on the indexing ([0080] DFRE 408 may operate in conjunction with anomaly detector(s) 406 to prioritize (indexing) the anomaly detection alerts generated by anomaly detector(s) 406 and send these alerts to output and visualization interface 318 based on their rankings).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to include in the Cai disclosure a ranking to detect anomalies of a device, as taught by Fenoglio.  One would be motivated to do so to send an alert for a particular one of the detected anomalies to a user interface, based on its corresponding rank.

As to claims 6, 13, and 18, Cai and Fenoglio teach all limitations of claims 1, 11, and 15, wherein Fenoglio further teaches
using anomaly detection logic comprises a trained machine-learning model ([0037] machine learning is concerned with the design and the development of techniques that take as input empirical data and recognize complex patterns in these data).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to include in the Cai disclosure a trained machine-learning model, as taught by Fenoglio.  One would be motivated to do so to allow the network monitoring system to operate in real-time and constantly learn and adapt to new network conditions and traffic characteristics.

As to claims 7 and 19, Cai and Fenoglio teach all limitations of claims 1 and 15, wherein Fenoglio further teaches
determining the inactive operational status of the third device comprises utilizing Address Resolution Protocol (ARP) to map a network address of the third device to a physical address of the third device ([0092] allows the network monitoring system to infer the impact of an anomaly alert by mapping the origins of the alert to the impacted layers; [0111], fig. 7, model 722 may further include a feature model that links high level protocol information together such as, but not limited to, Address Resolution Protocol (ARP)).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to include in the Cai disclosure a system that uses ARP, as taught by Fenoglio.  One would be motivated to do so to allow discovery of regions that are physically or functionally linked to each other and to abstract symbols used in the symbolic layer.

As to claim 8, Cai and Fenoglio teach the method of claim 7, wherein Fenoglio further teaches
the first device includes a software agent utilizing reverse DNS resolution to report device names of the second and third devices based on utilizing the ARP ([0049] Predictive Analytics Model(s): These model(s) may be configured to predict the network status, which is a significant paradigm shift from reactive approaches to network health. For example, in a Wi-Fi network, analyzer may be configured to build predictive models for the joining/roaming time by taking into account a large plurality of parameters/observations (e.g., RF variables, time of day, number of clients, traffic load, DHCP/DNS/).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to include in the Cai disclosure a software agent utilizing reverse DNS resolution, as taught by Fenoglio.  One would be motivated to do so to identify the major root cause of this predicted condition, thus allowing cloud service 302 to remediate the situation before it occurs.

As to claims 9, 14, and 20, Cai and Fenoglio teach all limitations of claims 1, 11, and 15, wherein Cai further teaches causing a security mitigation action further comprises at least one of isolating the third device from the network or generating a notification ([0081] the indication of the respective node that failed to respond, thereby enabling the second or third node 120, 130 to exclude (isolating the third node) the respective node given by the indication from its member list).
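The method as mapped in the rejections of claims 1, 2, 5 and 9 above (peer reports carrying a device's own health information plus observations of other devices, aggregated and indexed per observed device, scored by anomaly detection logic, compared with a threshold, and followed by isolation or a notification) is illustrated below in Python. This is an added example written for this page; it is not code from the application, from Cai, or from Fenoglio. The report layout, the down-weighting of reports from unhealthy reporters, the corroboration rule and both threshold values are assumptions chosen for the illustration, and the sample reports are constructed.

```python
"""Added example (hypothetical, not from the application or the cited references):
corroborated peer-report anomaly scoring with a threshold and a mitigation action."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

INACTIVE = "inactive"
ACTIVE = "active"


@dataclass(frozen=True)
class Report:
    """Behavioral information from one device (constructed format, an assumption)."""
    reporter: str                 # device name of the sender
    healthy: bool                 # health information of the sender itself
    observations: Dict[str, str]  # observed device -> ACTIVE or INACTIVE


def build_index(reports: List[Report]) -> Dict[str, Dict[str, Tuple[str, bool]]]:
    """Aggregate all reports and index them by observed device:
    target -> {reporter: (observed status, reporter's own health)}."""
    index: Dict[str, Dict[str, Tuple[str, bool]]] = {}
    for rep in reports:
        for target, status in rep.observations.items():
            if target == rep.reporter:
                continue  # a device's statement about itself is health info, not an observation
            index.setdefault(target, {})[rep.reporter] = (status, rep.healthy)
    return index


def abnormality_score(entries: Dict[str, Tuple[str, bool]],
                      unhealthy_weight: float = 0.5,
                      min_corroborators: int = 2) -> float:
    """Score in [0, 1]: weighted fraction of reporters that saw the target inactive.
    A reporter that is itself unhealthy counts with reduced weight, and the result is
    scaled down when fewer than `min_corroborators` reporters agree, so that a single
    device's report about a third device never clears the threshold on its own."""
    if not entries:
        return 0.0
    total = inactive = 0.0
    inactive_reporters = 0
    for status, reporter_healthy in entries.values():
        w = 1.0 if reporter_healthy else unhealthy_weight
        total += w
        if status == INACTIVE:
            inactive += w
            inactive_reporters += 1
    corroboration = min(1.0, inactive_reporters / min_corroborators)
    return (inactive / total) * corroboration


def evaluate(reports: List[Report],
             anomaly_threshold: float = 0.6,
             isolate_threshold: float = 0.9) -> Dict[str, Tuple[float, List[str]]]:
    """Score every observed device; above the anomaly threshold raise a notification,
    and when the reporters agree strongly enough also isolate the device."""
    results: Dict[str, Tuple[float, List[str]]] = {}
    for target, entries in build_index(reports).items():
        score = abnormality_score(entries)
        actions: List[str] = []
        if score > anomaly_threshold:
            actions.append("notify")
            if score >= isolate_threshold:
                actions.append("isolate")
        results[target] = (score, actions)
    return results


# Constructed sample input: A and B are healthy peers, F is itself unhealthy.
SAMPLE_REPORTS = [
    Report("A", True, {"B": ACTIVE, "C": INACTIVE, "D": INACTIVE, "E": INACTIVE}),
    Report("B", True, {"A": ACTIVE, "C": INACTIVE, "E": ACTIVE}),
    Report("F", False, {"C": INACTIVE, "D": ACTIVE}),
]

if __name__ == "__main__":
    for target, (score, actions) in sorted(evaluate(SAMPLE_REPORTS).items()):
        print(f"{target}: score={score:.2f} actions={actions or 'none'}")
```

With the sample input, device C is marked inactive by both healthy peers and by F, so it scores 1.0 and receives both a notification and isolation; D is reported inactive by A alone (F saw it active), and E is contested between A and B, so neither clears the 0.6 threshold. The corroboration factor is what encodes the claim's requirement that the first and second device each indicate the inactive status before a score drives an action.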

As to claim 10, Cai teaches an abnormal computer behavior detection system comprising:
a hardware processor ([0101] processing unit); and 
computer-readable media having executable instructions embodied thereon, which, when executed by the hardware processor ([0100] the memory may comprise, such as contain or store, instructions, e.g. in the form of a computer program 503, which may comprise computer readable code units), cause the hardware processor to execute: 
an abnormal behavior detector configured to: 
receive behavioral information from a first device and a second device in a network, the behavioral information of the first device and the behavioral information of the second device each indicating that a third device has an inactive operational status in the network ([0036] each node is responsible for maintaining the respective probe list and for sending of probe message(s) to the nodes of the probe list.  Each node may handle its responsibility for detecting failure of other nodes, i.e. node 110 (first device) and node 130 (second device) detect the failure (third device has an inactive operational status));
Cai does not explicitly teach
based on receiving the behavioral information from the first device and the second device and based on each indication from the first device and the second device that the third device has the inactive operational status, generate an abnormality score for the third device using anomaly detection logic;
determine that the abnormality score exceeds an anomaly threshold; and
based on the abnormality score exceeding the anomaly threshold, cause a security mitigation action.
Fenoglio teaches
based on receiving the behavioral information from the first device and the second device and based on each indication from the first device and the second device that the third device has the inactive operational status, generate an abnormality score for the third device using anomaly detection logic ([0079], fig. 4, the anomaly detector 406 may report the anomaly to the user interface via network anomaly as a ranked list of anomalies (abnormality score), output and visualization interface 318. However, as noted, a key challenge in network monitoring systems, and particularly those that rely on anomaly detection, is referred to as ‘alert storms’ in which the system raises a large number of alerts that can overwhelm the alert reviewer);
determine that the abnormality score exceeds an anomaly threshold ([0079] In such a case, the alert reviewer may choose to either analyze the top ranked anomalies or use a cut-off threshold to select among anomalies.  Examiner note: the ranked list comprises a third device); and
based on the abnormality score exceeding the anomaly threshold, cause a security mitigation action ([0080], fig. 4, DFRE 408 may operate in conjunction with anomaly detector(s) 406 to prioritize the anomaly detection alerts generated by anomaly detector(s) 406 and send these alerts to output and visualization interface 318 based on their rankings).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to include in the Cai disclosure a ranking to detect anomalies of a device, as taught by Fenoglio.  One would be motivated to do so to send an alert for a particular one of the detected anomalies to a user interface, based on its corresponding rank.

As to claim 15, Cai teaches computer storage media storing computer-useable instructions that, when used by one or more computing devices, cause the one or more computing devices to perform operations comprising:
receiving behavioral information from a first device and a second device in a network, the behavioral information of the first device and the behavioral information of the second device each indicating that a third device has an inactive operational status in the network ([0036] each node is responsible for maintaining the respective probe list and for sending of probe message(s) to the nodes of the probe list.  Each node may handle its responsibility for detecting failure of other nodes, i.e. node 110 (first device) and node 130 (second device) detect the failure (third device has an inactive operational status));
Cai does not explicitly teach
based on the received behavioral information from the first device and the second device and based on each indication from the first device and the second device that the third device has the inactive operational status, generating an abnormality score for the third device using anomaly detection logic; 
determining that the abnormality score exceeds an anomaly threshold; and 
based on the abnormality score exceeding the anomaly threshold, causing a security mitigation action.
Fenoglio teaches
based on the received behavioral information from the first device and the second device and based on each indication from the first device and the second device that the third device has the inactive operational status, generating an abnormality score for the third device using anomaly detection logic ([0079], fig. 4, the anomaly detector 406 may report the anomaly to the user interface via network anomaly as a ranked list of anomalies (abnormality score), output and visualization interface 318. However, as noted, a key challenge in network monitoring systems, and particularly those that rely on anomaly detection, is referred to as ‘alert storms’ in which the system raises a large number of alerts that can overwhelm the alert reviewer); 
determining that the abnormality score exceeds an anomaly threshold ([0079] In such a case, the alert reviewer may choose to either analyze the top ranked anomalies or use a cut-off threshold to select among anomalies.  Examiner note: the ranked list comprises a third device); and
based on the abnormality score exceeding the anomaly threshold, causing a security mitigation action ([0080], fig. 4, DFRE 408 may operate in conjunction with anomaly detector(s) 406 to prioritize the anomaly detection alerts generated by anomaly detector(s) 406 and send these alerts to output and visualization interface 318 based on their rankings).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to include in the Cai disclosure a ranking to detect anomalies of a device, as taught by Fenoglio.  One would be motivated to do so to send an alert for a particular one of the detected anomalies to a user interface, based on its corresponding rank.

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Cai (US 20200412603 A1) in view of Fenoglio (US 20190306011 A1) and further in view of Maturana (US 20220103591 A1).
As to claim 3, Cai and Fenoglio teach the method of claim 2, wherein Cai further teaches
the health information comprises a keepalive beacon ([0003] failure detection is performed by exchange of so called keep-alive messages between the nodes in a distributed system periodically. There are two types of keep alive messages: heartbeat messages and polling messages).
Cai does not explicitly teach
observation data comprises MAC addresses and device names.
Maturana teaches
observation data comprises MAC addresses and device names ([0091] Based on identifying particular IoT devices and the metrics related to communication between the particular IoT devices, the anomaly detection system generates an actor model. For example, the actor model may include the extracted metrics described above, properties such as IP address, MAC address, type of vendor, name of device, geolocation, and user role associated with each IoT device identified).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to include in the Cai disclosure an identifier comprising a MAC address, as taught by Maturana.  One would be motivated to do so because the observer agent may also determine the type of IoT device based on the MAC address, lookup tables, and/or other sources of information that provide device contextualization.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Tasi (US 11197263 B1).
Shukla (US 10924343 B1).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANH NGUYEN whose telephone number is (571)270-0657. The examiner can normally be reached M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema can be reached on 5712703037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ANH NGUYEN/Primary Examiner, Art Unit 2456