DETAILED ACTION
This is a non-final office action in response to applicant’s communication filed on 8/21/2020.
Claims 1-20 are pending and being considered.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Priority
Applicant’s claim for the benefit of a prior-filed application (No. 62/890,032, filed on 8/21/2019) under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. 
Claim Objections
Claims 1-6, 11-13, 20 are objected to because of the following informalities:  
Claim 1 line 3 recites “… computer program code executable by the processor” which may read “… computer program code executed by the processor”.
Claim 1 line 12, “...when an anomaly is …” may read “...when the anomaly is …”.
Similarly, claim 12 line 9, “...when an anomaly is detected …” may read “...when the anomaly is detected …”.
Similarly, claim 20 line 11, “...when an anomaly is detected …” may read “...when the anomaly is detected …”.
Claim 2 line 4, “an anomaly” may read “the anomaly”.
Similarly, claim 13 line 6, “detecting an anomaly …” may read “detecting the anomaly …”.
Claims 3-6, each recites “The anomaly detector of claim 1 wherein:” which may read “The anomaly detector of claim 1 wherein”.
Claim 11 line 4, “… when an anomaly is detected …” may read “… when the anomaly is detected …”.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 12, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Bansal et al (US10970395B1, hereinafter, “Bansal”), in view of Shrivastava et al (US20190378048A1, hereinafter, “Shrivastava”).
Regarding claim 1, Bansal teaches:
An anomaly detector (Bansal, discloses method and system for identifying anomaly based on performance metric data for a storage system, see [Abstract]. And Fig. 4, Security Threat Monitoring System (i.e. anomaly detector)), comprising: at least one processor; and at least one memory including computer program code executable by the processor; the processor configured to cause the anomaly detector (Bansal, [Col. 45 lines 38-46] FIG. 4 illustrates an exemplary security threat monitoring system 400 (“system 400”)… Facilities 402 and 404 may each include or be implemented by hardware and/or software components (e.g., processors, memories, communication interfaces, instructions stored in memory for execution by the processors, etc.)) to:
collect performance metrics for a microservice of a plurality of microservices deployed in a data center for an application (Bansal, Fig. 1A shows a plurality of Storage Array (i.e. microservices deployed in data center), and [Col. 25 lines 28-34] the cloud services provider 302 may be configured to provide services to the storage system 306 and users of the storage system 306 through the implementation of a software as a service (‘SaaS’) service model where the cloud services provider 302 offers application software, databases, as well as the platforms that are used to run the applications to the storage system 306 ... And Fig. 11 step 1102, [Col. 52 lines 41-43] In operation 1102, a security threat monitoring system receives performance metric data representative of a performance metric for a storage system); 
feed the structured dataset to a machine learning system to determine whether an anomaly exists in the structured dataset based on an anomaly detection model (Bansal, see Fig. 11 step 1104-1106, and [Col. 52 lines 41-53] In operation 1104, the security threat monitoring system applies (i.e. feed) the performance metric data as an input to an unsupervised machine learning model); 
perform an anomaly classification with the machine learning system based on an anomaly classification model and the structured dataset when an anomaly is detected in the structured dataset (Bansal, [Col. 51 lines 36-39] Additionally or alternatively, supervised machine learning model 802 may be trained while system 400 is using supervised machine learning model 802 to classify anomalies identified in performance metric data 604);
and perform an action based on the anomaly classification (Bansal, [Col. 51 lines 39-43] For example, in response to detecting that a particular anomaly is representative of a security threat to storage system 502, system 400 may provide a notification (i.e. action) to a user (e.g., an administrator of storage system 502)).  
While Bansal discloses the main concept of the invention, anomaly detection based on performance metrics, it does not expressly teach the following limitation(s) taught by Shrivastava in the same field of endeavor:
transform the performance metrics into a time-series structured dataset for the microservice (Shrivastava, discloses predicting performance result based on training machine learning model from performance entry data, see [Abstract]. And [0041] A query intent generator 310 generates query intents from at least input queries extracted from the query-URL click graph 305. The resulting query intents are distributed along a timeline or time series to yield a query intent time series 311. A metadata extractor 302 may also extract time-dependent … from the known entity data and performance results 301, the entity knowledge graph 303, and/or the query-URL click graph 305. For example, the metadata extractor 302 can extract time-dependent performance results from the known entity data and performance results 301 for input to the time-factored aggregator 306 and the machine learning model 308);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Shrivastava in the security threat monitoring of Bansal by extracting time-series performance data from entity knowledge graph and performance results to provide aggregated data to machine learning model. This would have been obvious because the person having ordinary skill in the art would have been motivated to train the machine learning model to output a performance confidence score as representing the likelihood of accurate performance result (Shrivastava, [Abstract], [0043]). 

Regarding claim 12, Bansal-Shrivastava combination teaches:
A method of anomaly detection for a microservice (Bansal, discloses method and system for identifying anomaly based on performance metric data for a storage system, see [Abstract]. And Fig. 4, Security Threat Monitoring System (i.e. anomaly detector)), the method comprising: performing method steps substantially similar to the steps performed by the anomaly detector of claim 1; claim 12 is therefore rejected with the same rationale set forth in the rejection of claim 1 above.

Regarding claim 20, Bansal-Shrivastava combination teaches:
A non-transitory computer readable medium embodying programmed instructions executed by one or more processors, wherein the instructions direct the processors to implement a method of anomaly detection (Bansal, discloses method and system for identifying anomaly based on performance metric data for a storage system, see [Abstract]. And Fig. 4, Security Threat Monitoring System (i.e. anomaly detector). And [Col. 45 lines 38-46] FIG. 4 illustrates an exemplary security threat monitoring system 400 (“system 400”)… Facilities 402 and 404 may each include or be implemented by hardware and/or software components (e.g., processors, memories, communication interfaces, instructions stored in memory for execution by the processors, etc.)), the method comprising: performing method steps substantially similar to the steps performed by the anomaly detector of claim 1; claim 20 is therefore rejected with the same rationale set forth in the rejection of claim 1 above.

Claims 2, 13 are rejected under 35 U.S.C. 103 as being unpatentable over Bansal-Shrivastava as applied above to claims 1 and 12, respectively, further in view of Marchi et al ("A novel approach for automatic acoustic novelty detection using a denoising autoencoder with bidirectional LSTM neural networks," 2015 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), 2015, pp. 1996-2000, hereinafter, “Marchi”).
Regarding claim 2, similarly claim 13, Bansal-Shrivastava combination teaches:
The anomaly detector of claim 1, the method of claim 12, 
Bansal further teaches: wherein the processor is further configured to cause the anomaly detector to: implement a Long Short-Term Memory (LSTM) autoencoder to determine whether an anomaly exists in the structured dataset (Bansal, [Col. 47 lines 59-62] For example, unsupervised machine learning model 602 may analyze performance metric data 604 in accordance with a variational autoencoder heuristic. And [Col. 43 lines 40-43] in some embodiments of the FPGA-based AI or ML platform, the FPGAs that are contained within the FPGA-accelerated servers may be reconfigured for different types of ML models (e.g., LSTMs, CNNs, GRUs));
While the combination of Bansal-Shrivastava does not explicitly teach the following limitation(s), Marchi in the similar field of endeavor teaches:
wherein the LSTM autoencoder is configured to yield a reconstruction loss based on the structured dataset, to detect an anomaly in the structured dataset when the reconstruction loss is greater than a reconstruction loss threshold, and to detect no anomaly when the reconstruction loss is less than or equal to the reconstruction loss threshold (Marchi, referring to Fig. 3, Section 3, BLSTM RECURRENT NEURAL NETWORK AND THRESHOLDING: “Thus, the trained autoencoder is able to reconstruct each sample and novel events are identified by processing the reconstruction error (i.e. reconstruction loss) with an adaptive threshold” and “Figure 3 shows the reconstruction error for a given sequence. The figure clearly depicts a low reconstruction error in reproducing ‘normal’ input such as talking, television sounds and other ‘normal’ environmental sounds. On the other hand, the denoising autoencoder shows a high reconstruction error when it comes to reproducing novel acoustic events such as a scream, or an alarm”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Marchi in the security threat monitoring of Bansal-Shrivastava by using denoising autoencoder with bidirectional LSTM neural networks for identifying abnormality of acoustic signal. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify abnormality with measurement of reconstruction error by using detector with LSTM autoencoder on input features (Marchi, [Abstract]).

Claims 3, 14 are rejected under 35 U.S.C. 103 as being unpatentable over Bansal-Shrivastava as applied above to claims 1 and 12, respectively, further in view of Backholm et al (US20190174319A1, hereinafter, “Backholm”).
Regarding claim 3, similarly claim 14, Bansal-Shrivastava combination teaches:
The anomaly detector of claim 1, the method of claim 12, 
While the combination of Bansal-Shrivastava does not explicitly teach the following limitation(s), Backholm in the same field of endeavor teaches:
wherein: the processor, in performing the action based on the anomaly classification, is further configured to cause the anomaly detector to: block traffic to or from the microservice when the anomaly classification indicates a type of malware infection (Backholm, [0094] The malware traffic handling engine 435 can also implement different handing procedures based on maliciousness and/or level of certainty that the suspicious traffic is in fact malicious... A list of malware or malicious traffic identifiers and/or the associated applications can be compiled and updated (e.g., by the malware list manager 445) and stored in the local proxy. And [0096] Either based on its own identification and/or identification of malware by the local proxy 275 communicated to the proxy 325, the proxy 325 can intercept the malicious or potentially malicious traffic (e.g., by the suspicious traffic interceptor 505), to block the traffic entirely or to hold the traffic from passing until verification that the traffic is not malicious).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Backholm in the security threat monitoring of Bansal-Shrivastava by intercepting and blocking traffic with proxy. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify harmful application in malware detection to protect against undesirable execution of applications on mobile communication devices (Backholm, [Abstract], [0002]).

Claims 4, 15 are rejected under 35 U.S.C. 103 as being unpatentable over Bansal-Shrivastava as applied above to claims 1 and 12, respectively, further in view of Larsson et al (US10404525B2, hereinafter, “Larsson”).
Regarding claim 4, similarly claim 15, Bansal-Shrivastava combination teaches:
The anomaly detector of claim 1, the method of claim 12, 
While the combination of Bansal-Shrivastava does not explicitly teach the following limitation(s), Larsson in the similar field of endeavor teaches:
wherein: the processor, in performing the action based on the anomaly classification, is further configured to cause the anomaly detector to: report an alert to a customer of the data center when the anomaly classification indicates a type of non-malware issue involving a single customer (Larsson, discloses classification of detected network anomalies using additional data, [Abstract] and [Title]. And [Col. 6 lines 29-44] The network analyzer 40 may perform time-domain correlation and/or location domain correlation of the external data with the data representing a newly detected network anomaly to perform classification of the newly detected network anomaly... Similarly, if the time and location of the detected network anomaly matches with the time and location of specific weather conditions, the network anomaly may be classified as being due to the specific weather conditions (i.e. non-malware issue). In another example, the detected network anomaly could be due to a power outage in a part of the service area, which may cause nodes in the communication network to switch to battery backup power and send corresponding notifications (i.e. alert)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Larsson in the security threat monitoring of Bansal-Shrivastava by identifying non-malware issue from classification of detected network anomalies. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify the cause of non-malware network anomaly issue and notifying network nodes of expected anomaly behavior to suppress the anomaly (Larsson, [Abstract]).

Claims 5, 16 are rejected under 35 U.S.C. 103 as being unpatentable over Bansal-Shrivastava as applied above to claims 1 and 12, respectively, further in view of Backholm et al (US20190174319A1, hereinafter, “Backholm”) and Larsson et al (US10404525B2, hereinafter, “Larsson”).
Regarding claim 5, similarly claim 16, Bansal-Shrivastava combination teaches:
The anomaly detector of claim 1, the method of claim 12,  
While the combination of Bansal-Shrivastava does not explicitly teach the following limitation(s), Backholm in the same field of endeavor teaches:
wherein: the processor, in performing the action based on the anomaly classification, is further configured to cause the anomaly detector to: report an alert to an operator of the data center (Backholm, [0248] In process 2502, notifications that suspicious or malicious traffic has been detected are generated. The notification can prompt a user of the mobile device whether the user wishes to allow the malicious or potentially malicious traffic as in process 2504, notify an operating system of the mobile device as in process 2506, notify a network operator servicing the mobile device as in process 2508).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Backholm in the security threat monitoring of Bansal-Shrivastava by intercepting and blocking traffic with proxy. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify harmful application in malware detection to protect against undesirable execution of applications on mobile communication devices (Backholm, [Abstract], [0002]).
The combination of Bansal-Shrivastava-Backholm does not explicitly teach the following limitation(s), but Larsson in the similar field of endeavor teaches:
when the anomaly classification indicates a type of non-malware issue involving multiple customers (Larsson, [Col. 6 lines 29-44] The network analyzer 40 may perform time-domain correlation and/or location domain correlation of the external data with the data representing a newly detected network anomaly to perform classification of the newly detected network anomaly... Similarly, if the time and location of the detected network anomaly matches with the time and location of specific weather conditions, the network anomaly may be classified as being due to the specific weather conditions (i.e. non-malware issue). In another example, the detected network anomaly could be due to a power outage in a part of the service area, which may cause nodes in the communication network to switch to battery backup power and send corresponding notifications (i.e. alert)). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Larsson in the security threat monitoring of Bansal-Shrivastava-Backholm by identifying non-malware issue from classification of detected network anomalies. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify the cause of non-malware network anomaly issue to suppress the anomaly (Larsson, [Abstract]).  

Claims 6, 17 are rejected under 35 U.S.C. 103 as being unpatentable over Bansal-Shrivastava as applied above to claims 1 and 12, respectively, further in view of Fan et al (US7424619B1, hereinafter, “Fan”) and Larsson et al (US10404525B2, hereinafter, “Larsson”).
Regarding claim 6, similarly claim 17, Bansal-Shrivastava combination teaches:
The anomaly detector of claim 1, the method of claim 12,  
The combination of Bansal-Shrivastava does not explicitly teach the following limitation(s), but Fan in the same field of endeavor teaches:
wherein: the processor is further configured to cause the anomaly detector to: detect an unclassified anomaly when the machine learning system does not output a valid anomaly classification from the anomaly classification model; and re-train the anomaly classification model with the structured dataset and a new anomaly classification assigned to the unclassified anomaly (Fan, discloses system and method for anomaly detection and adaptive learning, see [Abstract] and [Title]. And [Col. 3 lines 11-13] Therefore there is a need to develop anomaly detection models for classification of network activities and to classify previously unknown anomalies. And [Col. 17 lines 57-59] Another comparison is to determine if the novel method is effective in detecting unclassified known intrusions as anomalies. And [Col. 20 lines 44-45] Configuration I The second classifier H.sub.2 is trained from new_intrusion and normal data. And [Col. 21 lines 18-20] The second classifier H.sub.2 is trained from new_intrusion and artificial anomalies computed from new_intrusion's data (i.e. re-train)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Fan in the security threat monitoring of Bansal-Shrivastava by training anomaly detection model with new intrusion and unclassified anomaly. This would have been obvious because the person having ordinary skill in the art would have been motivated to retrain the anomaly model to generate a rule set for adaptive learning (Fan, [Abstract]).
The combination of Bansal-Shrivastava-Fan does not explicitly teach the following limitation(s), but Larsson in the similar field of endeavor teaches:
log the structured dataset (Larsson, discloses classification of detected network anomalies, [Abstract]. And [Col. 11 lines 60-62] At step 750, the network anomaly analyzer 40 may log the event corresponding to the detection an successful classification of the network anomaly);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Larsson in the security threat monitoring of Bansal-Shrivastava-Fan by logging the network anomaly event. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify the cause of network anomaly issue to suppress the anomaly (Larsson, [Abstract]).

Claims 7, 18 are rejected under 35 U.S.C. 103 as being unpatentable over Bansal-Shrivastava as applied above to claims 1 and 12, respectively, further in view of Li et al (CN110149343A, hereinafter, “Li”).
Regarding claim 7, similarly claim 18, Bansal-Shrivastava combination teaches:
The anomaly detector of claim 1, the method of claim 12,  
The combination of Bansal-Shrivastava does not explicitly teach the following limitation(s), but Li in the same field of endeavor teaches:
wherein the processor is further configured to cause the anomaly detector to: collect the performance metrics for the microservice with a tracer in the data center that uses extended Berkeley Packet Filter (eBPF) in-kernel tracing (Li, discloses system and method of abnormal behaviour detecting, [Abstract]. And [0056] step 2: the data packet capturing is as follows: using the operating system bottom layer interface, such as libpcap, winpcap, Vth (Berkeley packet filter), such as the data packet flowing through the system network interface for real time capture analysis. And [0122] a data collecting module, a data sending end router configuration netflow/netstream function and supports v9, v5 two format streaming data, configuring the destination IP address is a server of the data collecting module. data collecting module uses the operating system bottom layer interface, such as libpcap, winpcap, Vth, or DPDK network card driver intel provides, using the characteristic for high-performance network packet).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Li in the security threat monitoring of Bansal-Shrivastava by collecting performance network packet using data packet capturing with Berkeley packet filter. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter the collected stream data information for abnormal network behaviour detection (Li, [Abstract]).

Claims 8, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Bansal-Shrivastava as applied above to claims 1 and 12, respectively, further in view of Gaddam et al (US20220050897A1, hereinafter, “Gaddam”) and Iliofotou et al (US20190095599A1, hereinafter, “Iliofotou”).
Regarding claim 8, similarly claim 19, Bansal-Shrivastava combination teaches:
The anomaly detector of claim 1, the method of claim 12,
The combination of Bansal-Shrivastava does not explicitly teach the following limitation(s), but Gaddam in the same field of endeavor teaches:
wherein the processor is further configured to cause the anomaly detector to: perform a microservice classification with the machine learning system based on a microservice classification model and a sequence of system calls from the structured dataset when no anomaly is detected in the structured dataset (Gaddam, discloses methods and systems for evaluating microservice system level activities, [Abstract]. And [0108] The microservice evaluator 704 may train the machine learning models to classify system level activities (including system calls and commands) from the system level activity data as either normal or abnormal. Normal system level activities may include system level activities that occur frequently during normal execution of the microservices, while abnormal system level activities may include system level activities that do not occur frequently);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Gaddam in the security threat monitoring of Bansal-Shrivastava by classifying microservice based on system level activity data such as system calls. This would have been obvious because the person having ordinary skill in the art would have been motivated to generate security policies for microservices (Gaddam, [Abstract]).
The combination of Bansal-Shrivastava-Gaddam does not explicitly teach the following limitation(s), but Iliofotou in the same field of endeavor teaches:
and report the microservice classification to an operator of the data center (Iliofotou, discloses user behavior analytics on contained microservices, [Abstract]. And [0360] During operation, the enterprise security application facilitates detecting “notable events” that are likely to indicate a security threat… Upon detection, notable events can be stored in a dedicated “notable events index,” which can be subsequently accessed to generate various visualizations containing security-related information. Also, alerts can be generated to notify system operators when important notable events are discovered).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Iliofotou in the security threat monitoring of Bansal-Shrivastava-Gaddam by notifying system operators with alert when important events are discovered. This would have been obvious because the person having ordinary skill in the art would have been motivated to generate user behavior analytics for contained microservices to detect occurrences of anomaly via behavior model (Iliofotou, [Abstract], [0005], [0360]).

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Bansal-Shrivastava-Gaddam-Iliofotou as applied above to claim 8, further in view of Rai et al (US20180357556A1, hereinafter, “Rai”).
Regarding claim 9, Bansal-Shrivastava-Gaddam-Iliofotou combination teaches:
The anomaly detector of claim 8 
The combination of Bansal-Shrivastava-Gaddam-Iliofotou does not explicitly teach the following limitation(s), but Rai in the same field of endeavor teaches:
wherein the processor is further configured to cause the anomaly detector to: re-train the microservice classification model of the machine learning system based on the structured dataset and the microservice classification determined for the microservice when no anomaly is detected in the structured dataset (Rai, [0043] the anomaly detection engine 142 can modify at least one the particular anomaly-detection rules applied to identify the asset as anomalous, such as by changing conditions associated with the anomaly-detection rule, including loosening or tightening a threshold based on input provided by the user. When machine learning models are used for anomaly detection, user feedback (e.g., to identify an anomaly or not) can be added as an additional feature in the full context view and used to retrain the machine learning model, …).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Rai in the security threat monitoring of Bansal-Shrivastava-Gaddam-Iliofotou by modifying anomaly-detection rule to retrain the machine learning model. This would have been obvious because the person having ordinary skill in the art would have been motivated to retrain the anomaly detection model with input to modifying the anomaly detection rule as feedback to influence future anomaly detection (Rai, [Abstract], [0043]).

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Bansal-Shrivastava as applied above to claim 1, further in view of Rai et al (US20180357556A1, hereinafter, “Rai”).
Regarding claim 10, Bansal-Shrivastava combination teaches:
The anomaly detector of claim 1 
The combination of Bansal-Shrivastava does not explicitly teach the following limitation(s), but Rai in the same field of endeavor teaches:
wherein the processor is further configured to cause the anomaly detector to: re-train the anomaly detection model of the machine learning system based on the structured dataset for the microservice when no anomaly is detected in the structured dataset (Rai, discloses systems and methods for machine learning anomaly detection for a set of assets, [Abstract]. And [0043] The anomaly detection engine 142 can receive inputs 146 from the user that identifies at least one asset identified in the presentation as anomalous or as a non-anomalous asset. Based on the received input 146, the anomaly detection engine 142 can modify at least one the particular anomaly-detection rules applied to identify the asset as anomalous, such as by changing conditions associated with the anomaly-detection rule, including loosening or tightening a threshold based on input provided by the user. When machine learning models are used for anomaly detection, user feedback (e.g., to identify an anomaly or not) can be added as an additional feature in the full context view and used to retrain the machine learning model, thus allowing user feedback to influence future prediction).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Rai in the security threat monitoring of Bansal-Shrivastava by modifying anomaly-detection rule to retrain the machine learning model. This would have been obvious because the person having ordinary skill in the art would have been motivated to retrain the anomaly detection model with input to modifying the anomaly detection rule as feedback to influence future anomaly detection (Rai, [Abstract], [0043]).

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Bansal-Shrivastava as applied above to claim 1, further in view of Maher et al (US20170352245A1, hereinafter, “Maher”).
Regarding claim 11, Bansal-Shrivastava combination teaches:
The anomaly detector of claim 1 
The combination of Bansal-Shrivastava does not explicitly teach, but Maher in the similar field of endeavor teaches:
wherein the processor is further configured to cause the anomaly detector to: perform the anomaly classification with the machine learning system based on the anomaly classification model from a group of N candidates when an anomaly is detected in the structured dataset; or add a new candidate to the group of N candidates when an anomaly is detected in the structured dataset and the machine learning system does not output a valid classification of the anomaly from the group of N candidates (Maher, discloses systems and methods of anomaly detection in network of connected devices, [Abstract]. And [0045] anomaly classification based devices and/or data associated with known anomaly types may utilize, for example, one or more of multi-class classification machine learning algorithms (e.g., using a model selected based on a volume of data and an out-of-sample performance) such as k-nearest neighbors, multi-class logistic regression, neural networks, random forest, and/or the like (i.e. N candidates). In certain embodiments, if a plurality of failures, anomalies, and/or suboptimal performance modes are identified, voting or other analytic techniques may be used to identify more likely failures, anomalies, and/or suboptimal performance modes). Examiner notes, N candidates is interpreted as more than one type of candidates or classifications (classes).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Maher in the security threat monitoring of Bansal-Shrivastava by classifying the anomaly with a multi-class classification machine learning algorithm. This would have been obvious because the person having ordinary skill in the art would have been motivated to perform anomaly classification based on devices and/or data associated with known anomaly types in predicting impending failures and/or suboptimal performance to improve system and device performance (Maher, [Abstract], [0045]).
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but have not been relied upon for this office action:
Lev et al (US20200394496A1) discloses detecting non-anomalous and anomalous sequences of computer-executed operations.
Raghavendra et al (US20200287923A1) discloses a system and method for unsupervised learning to distributed systems for anomaly detection.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/Examiner, Art Unit 2436