DETAILED ACTION
This action is written in response to the application filed 1/29/20. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 101
Claims 26-30 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. 35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Independent claim 26 recites a “graphical user interface” (GUI). The Examiner interprets GUI in light of its usual meaning as encompassing software. Software per se is not a process, machine, manufacture, or a composition of matter, and therefore is nonstatutory subject matter.
This rejection applies equally to dependent claims 27-30, which inherit this deficiency from claim 26.
Invitation to Participate in DSMER Pilot Program
The present application satisfies the criteria for participation set forth in the Federal Register Notice entitled “Deferred Subject Matter Eligibility Response (DSMER) Pilot Program.” Therefore, the examiner invites applicant to participate in the DSMER pilot program. 
An applicant who accepts the invitation to participate in this pilot program must still file a reply to every Office action mailed in this application, but may defer presenting arguments or amendments in response to subject matter eligibility (SME) rejection(s) until the earlier of final disposition of the application, or the withdrawal or obviation of all other outstanding non-SME rejections. A final disposition for purposes of this pilot program occurs upon the earliest of: mailing of a notice of allowance; mailing of a final Office action; filing of a notice of appeal; filing of a request for continued examination; or abandonment of the application. Other than applicant’s ability to defer responding to SME rejections, participation in the DSMER pilot program does not alter the normal examination process (e.g., as outlined in MPEP 700), and applicant must still respond to all non-SME rejections when replying to Office actions. 
Further information about the pilot program, including an explanation of the criteria for receiving an invitation, and the conditions of participation, is provided in the Federal Register Notice announcing the program, which is available on the pilot program website https://www.uspto.gov/patents/initiatives/patent-application-initiatives/deferred-subject-matter-eligibility-response.

Applicant has two choices with respect to this invitation:
(1) Applicant may elect to participate in the DSMER pilot program. To effect this choice, applicant MUST accept this invitation by filing a completed request form PTO/SB/456 with a timely response to this Office action. The DSMER Pilot request form must be signed in accordance with 37 CFR § 1.33(b) by a person having authority to prosecute the application, and must be submitted via the USPTO’s patent electronic filing systems (EFS-Web or Patent Center). The form is available on the pilot program website https://www.uspto.gov/patents/initiatives/patent-application-initiatives/deferred-subject-matter-eligibility-response. If the form is properly completed and timely received, the application will be entered into the pilot program.
(2) Applicant may decline to participate in the pilot program. No action is required from applicant to effect this choice, because if applicant does not timely file a properly completed form PTO/SB/456, the application will not be entered into the pilot program.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The following are the references relied upon in the rejections below:
SAS (primary reference) (SAS. SAS/Insight 9.1 User’s Guide. 2004. SAS Publishing. 824 pages.)
Borowiak (Borowiak K, Lavery R. An Animated Guide: SAS Editor Regular Expressions. Northeast SAS Users Group, 14-17 Sept. 2008. Pittsburgh, Pennsylvania. 4 pages.)
Chandola (Chandola V, Banerjee A, Kumar V. Anomaly detection: A survey. ACM computing surveys (CSUR). 2009 Jul 30;41(3):1-58. Cited by Applicant in IDS dated 11/24/21.)
Denning (Denning, D., and Neumann, P.G., “Requirements and Model for IDES - A Real-Time Intrusion-Detection Expert System”, SRI Project 6169-10, August, 1985. 74 pages. Cited by Applicant in IDS dated 11/24/21.)
Hoefelmeyer (US 2008/0172264 A1)
Kumar (Kumar S. Survey of current network intrusion detection techniques. Washington Univ. in St. Louis. 2007 Dec:1-8.)
Ross ("Introduction to Probability Models", Eighth Edition, Academic Press, pp. 1-96. 2003. Cited by Applicant in IDS dated 11/24/21.)
Scott ("Scott's Rule", Wiley Interdisciplinary Reviews: Computational Statistics, vol.2, No.4, pp.497-502, 2010. Cited by Applicant in IDS dated 11/24/21.)

Claims 1, 2, 4, 5, 11, 15-18, 23, 25-27 and 30 are rejected under 35 U.S.C. 103 as being unpatentable over SAS and Chandola.
Regarding claims 1, 25 and 26, SAS discloses a computer-implemented method (and a related non-transitory computer readable media and GUI) comprising:
causing display of a first portion of a graphical user interface, wherein the first portion includes graphical elements for obtaining an outlier event determination command, the outlier event determination command including an indication of event fields to use in determining outlier events;
P. 72, “Scroll all the way to the right to find the SALARY variable. Point and click on the variable name.” This chosen variable is subsequently used for data exploration in one dimension. P. 511, fig. 33.5. This dialog box allows the user to specify whisker length for a box-and-whisker plot (illustrated on the preceding page). These parameters are used for determining outliers.
causing display of a second portion of the graphical user interface, wherein the second portion includes a set of results associated with the outlier event determination command, wherein the set of results includes:
Id. ‘First portion’ = selection of variable. ‘Second portion’ = subsequent exploratory analysis of that variable.
a set of events, each event of the set of events including a portion of raw machine data that reflects activity in an information technology environment and that is produced by a component of that information technology environment,
P. 510: figs. 33.3 and 33.4 and accompanying description: box-and-whisker plots are used to identify outliers. P. 754, fig. 40.35: scatter plot matrix with 80% prediction confidence ellipses. The Examiner notes that the user can adjust the confidence interval percentage using the graphical slider.
...
a set of outlier indicators indicating whether the corresponding event is an outlier event, wherein an event is determined to be an outlier using the probability of occurrence for the corresponding event and the event fields indicated for use in determining outlier events.
P. 754, fig. 40.35: scatter plot matrix with 80% prediction confidence ellipses. The Examiner notes that the observations falling outside of the confidence interval are considered outliers.
Chandola discloses the following further limitations which SAS does not disclose:
a set of events, each event of the set of events including a portion of raw machine data that reflects activity in an information technology environment and that is produced by a component of that information technology environment,
P. 11: applications of anomaly detection to computer network intrusion detection. PP. 14-15: applications to industrial damage detection. PP. 17-18: applications to sensor networks.
a set of probabilities each indicating a probability of occurrence for a corresponding event from the set of events, and
PP. 29-31: statistical anomaly detection techniques. Probabilistic anomaly scores can be determined from an estimated probability density function, as described in sec. 7.1, or can be obtained from a test instance z-score as described in sec. 7.2.
At the time of filing, it would have been obvious to a person of ordinary skill to apply the SAS GUI system for exploratory data analysis to anomaly detection in an “information technology environment” as taught by Chandola. As noted by Chandola, “Anomaly detection finds extensive use in a wide variety of applications” (p. 2), and a GUI makes anomaly detection tasks intuitive and fast. Both disclosures pertain to predictive analytics / statistical exploration of data.

Regarding claim 2, Chandola discloses the further limitation wherein the raw machine data comprises aggregated heterogeneous machine data generated by at least one of:
a server, a database, an application, or a network.
p. 12: “The data available for intrusion detection systems can be at different levels of granularity, for example, packet level traces, CISCO net-flows data, and so forth. The data has a temporal aspect associated with it but most of the techniques typically do not explicitly handle the sequential aspect. The data is high dimensional typically with a mix of categorical as well as continuous attributes.”

Regarding claims 4 and 30, SAS discloses the further limitation wherein at least one event in the set of events includes a categorical field value and a numerical field value.
P. 510, fig. 33.3 and 33.4: League (American or National) is a categorical field value. “No Hits” is a numerical field value. Also p. 75, fig. 4.9.

Regarding claim 5, SAS discloses the further limitation wherein the probability of occurrence for the corresponding event is determined using a probability of occurrence for a first field value of the corresponding event and a probability of occurrence for a second field value of the corresponding event.
P. 754, fig. 40.35 (reproduced below). The Examiner notes that each of the confidence intervals shown is based on a two-dimensional analysis.

[Figure: SAS, p. 754, fig. 40.35 (media_image1.png, greyscale)]



Regarding claim 11, SAS discloses its further limitation wherein each event includes a plurality of field values comprising at least one NULL field value that indicates that the field value does not have a value for the event.
P. 324: “The log transformation is useful in many cases. However, the result of log( Y ) is undefined where Y is less than or equal to 0. In such cases, SAS/INSIGHT software cannot transform the value, so a missing value (.) is generated.”

Regarding claim 15, SAS discloses the further limitation wherein the event is determined to be the outlier by:
determining a first quartile value, a second quartile value, and a third quartile value for event probabilities of occurrence of the set of events, wherein a quarter of the event probabilities of occurrence are less than or equal to the first quartile value, wherein half of the event probabilities of occurrence are less than or equal to the second quartile value, and wherein three quarters of the event probabilities of occurrence are less than or equal to the third quartile value;
P. 511: method for computing median and quartile values.
determining an interquartile range, wherein the interquartile range is equal to the third quartile value minus the first quartile value;
P. 511: interquartile range.
determining an outlier event threshold, wherein the outlier event threshold is equal to the first quartile value minus k times the interquartile range, wherein k is a positive number parameter; and
P. 511: on this page, k values of 1.0 and 1.5 are discussed, but a user may specify any value using the dialog box illustrated at fig. 33.5.
designating the event as an outlier event based on the probability of occurrence for the corresponding event being less than the outlier event threshold.
P. 511: “The figures in this chapter were created using whisker lengths that were 1.0 times the distance between the quartiles; this results in more observations being classified as outliers.”


Regarding claim 16, Chandola discloses its further limitation wherein the event is determined to be the outlier using at least one of histogram-based density estimation, kernel density estimation, quantile estimation, an empirical cumulative distribution function, and a Z test.
PP. 33-34, sec. 7.2.1: Histogram-based nonparametric anomaly detection. PP. 34-35, sec. 7.2.2: Kernel function-based anomaly detection. PP. 30-31, sec. 7.1.1: Gaussian model-based anomaly detection employing quartile analysis, i.e. using inter-quartile ranges to define/detect anomalies. P. 30: Z-test. “A simple outlier detection technique, often used in process quality control domain [Shewhart 1931], is to declare all data instances that are more than 3σ distance away from the distribution mean μ, where σ is the standard deviation for the distribution. The μ ± 3σ region contains 99.7% of the data instances.”

Regarding claim 17, SAS discloses the further limitation wherein determining the event is the outlier is performed in response to receiving the anomalous event determination command.
P. 72, “Scroll all the way to the right to find the SALARY variable. Point and click on the variable name.” This chosen variable is subsequently used for data exploration in one dimension. P. 511, fig. 33.5. This dialog box allows the user to specify whisker length for a box-and-whisker plot (illustrated on the preceding page). These parameters are used for determining outliers.

Regarding claims 18 and 27, Chandola discloses its further limitation comprising causing display of an alert indicating the determination of at least one outlier event.
P. 14: “issue an alarm when an account appears to have been misused” (i.e. when an anomalous event is detected). Also p. 34, discussing “false alarm rates” for anomaly detection alarms.

Regarding claim 23, SAS discloses the further limitation comprising storing the set of events in a data source.
P. 50: “A library is a location where data sets are stored.” The Examiner notes that generic data storage is inherent throughout the SAS disclosure.

Claims 3 and 29 are rejected under 35 U.S.C. 103 as being unpatentable over SAS, Chandola and Kumar.
Regarding claims 3 and 29, Kumar discloses its further limitation which neither SAS nor Chandola discloses wherein each event of the set of events includes a plurality of field values and is associated with a timestamp extracted from the raw machine data associated with the event, and
P. 189: “Data Types. STATL includes several built-in types: int and u_int in various sizes, bool, string, timeval (for timestamps), and timer. It also includes arrays, plus containers vector, set, list, and map. It is not possible to define new data types within a STATL scenario. Application specific types must be defined within the application-specific extension library (see Section 2.3). For example, network-based scenarios may use different types than host-based scenarios, but both use int and timeval.” (Emphasis added.)
wherein a field is defined by an extraction rule for extracting a subportion of text from the portion of raw machine data in an event to produce a value for the field for that event.
P. 189: “Lexical Elements. STATL identifiers consist of letters, digits, and the underscore character '_', and start with a letter. For example host_name and IPaddr2 are identifiers. STATL identifiers are case-sensitive, so IPaddress is different from IPAddress. STATL compound identifiers use standard object-oriented dot notation, as in "object.attribute". STATL keywords are reserved words and may not be used as identifiers. For example, since scenario is a keyword, it may not be used as a variable name. STATL includes two kinds of comments: any text between "/*" and "*/" (except "*/"), including the delimiters, is a comment. Any text following "//" to the end of the line, including the "//" marker, is a comment. Whitespace may appear anywhere in a STATL specification except within tokens (keywords, identifiers, and multiple-character operators).”
At the time of filing, it would have been obvious to a person of ordinary skill to apply the techniques disclosed by Kumar (namely considering data sources with text / lexical elements as well as timestamps) in the combined system of SAS/Chandola because observations for these variables may help inform whether or not the observations are anomalous. All three disclosures pertain to predictive analytics / anomaly detection.

Claims 6-8, 10, 12-14, 21, 28 are rejected under 35 U.S.C. 103 as being unpatentable over SAS, Chandola and Ross.

Regarding claim 6, Ross discloses the further limitation which neither SAS nor Chandola discloses wherein the probability of occurrence for the corresponding event is determined using a probability of occurrence for a categorical field value of the corresponding event and a probability of occurrence for a numerical field value of the corresponding event.
P. 4, example 1.1: categorical field value. P. 34 et seq., sec. 2.3: continuous random variables.
At the time of filing, it would have been obvious to a person of ordinary skill to apply basic probability analysis (as taught by Ross) in an anomaly detection (intrusion detection) system (such as SAS/Chandola) because it quantifies information that can be used to detect anomalies, which may indicate intrusion. Chandola explicitly discusses statistical anomaly detection techniques, see sec. 7 at p. 29 et seq.
Denning discusses the use of related probability and statistics tools at pp. 12-14 (e.g. mean and standard deviation model; multivariate models; Markov processes). Although Denning does not seem to disclose explicitly determining a probability for the field value for every field, a person of ordinary skill in the art would have found it obvious to apply the technique taught for one field (e.g. at p. 13, last paragraph) to all fields so that abnormalities in any field (or indeed any combination of fields) might cause an anomalous event to be identified.

Regarding claim 7, Ross discloses its further limitation which neither SAS nor Chandola discloses wherein the probability of occurrence for the corresponding event is determined using a probability of occurrence of a categorical field value determined using a first method and using a probability of occurrence for a numerical field value determined using a second method different from the first method.
P. 4, example 1.1: categorical field value. P. 34 et seq., sec. 2.3: continuous random variables.
P. 51 et seq., sec. 2.5.2: independent random variables, eqn. 2.12 and 2.13. The Examiner notes that this formula, known as the product rule or the chain rule, can be used to compute the probability of occurrence for any combination of independent events, whether they are categorical events or numerical events. Alternately, this limitation also encompasses the computation of conditional probabilities, e.g. as discussed at p. 7, sec. 1.4, particularly at example 1.4: here, there are two field values pertaining to two cards drawn, each of which is both categorical and numerical.
The obviousness analysis of claim 6 applies equally here.

Regarding claim 8, Ross discloses its further limitation which neither SAS nor Chandola discloses explicitly wherein the probability of occurrence for the corresponding event is determined using a probability of occurrence for a categorical field value of the corresponding event, wherein the probability of occurrence for the categorical field value is equal to O divided by a number of events in the set of events, wherein O is an integer that represents total number of times the categorical field value occurs in the set of events.
P. 4, example 1.: categorical field values. P. 51 et seq., sec. 2.5.2: independent random variables, eqn. 2.12 and 2.13. The Examiner notes that this formula, known as the product rule or the chain rule, can be used to compute the probability of occurrence for any combination of independent events, whether they are categorical events or numerical events. Alternately, this limitation also encompasses the computation of conditional probabilities, e.g. as discussed at p. 7, sec. 1.4, particularly at example 1.4: here, there are two field values pertaining to two cards drawn, each of which is both categorical and numerical.
The obviousness analysis of claim 6 applies equally here.

Regarding claim 10, Ross discloses its further limitation which neither SAS nor Chandola discloses wherein the probability of occurrence for the corresponding event is determined using a probability of occurrence for a categorical field value of the corresponding event, and wherein the probability of occurrence for the categorical field value is equal to O divided by number of events in the set of events, wherein O is an integer that represents total number of times the categorical field value occurs in the set of events,
P. 4, example 1.1: categorical field value.
wherein the probability of occurrence for a numerical field value is determined using kernel density estimation, quantile estimation, or an empirical cumulative distribution function.
PP. 26-27: cumulative distribution function.
The obviousness analysis of claim 6 applies equally here.

Regarding claim 12, Ross discloses its further limitation which neither SAS nor Chandola discloses wherein determining the probability of occurrence for the corresponding event comprises determining a product of a probability of occurrence determined for at least the categorical field value and at least one numerical field value.
P. 4, example 1.1: categorical field value. P. 34 et seq., sec. 2.3: continuous random variables.
P. 51 et seq., sec. 2.5.2: independent random variables, eqn. 2.12 and 2.13. The Examiner notes that this formula, known as the product rule or the chain rule, can be used to compute the probability of occurrence for any combination of independent events, whether they are categorical events or numerical events. Alternately, this limitation also encompasses the computation of conditional probabilities, e.g. as discussed at p. 7, sec. 1.4, particularly at example 1.4: here, there are two field values pertaining to two cards drawn, each of which is both categorical and numerical.
The obviousness analysis of claim 6 applies equally here.

Regarding claim 13, Ross discloses its further limitation which neither SAS nor Chandola discloses wherein determining the probability of occurrence for the corresponding event comprises
(a) using a dense frequency table to compute a conditional probability, [or] ...
PP. 7-10, sec. 1.4: conditional probabilities.
(c) using a conditional probability table or a custom function to compute the conditional probability.
PP. 7-10, sec. 1.4: conditional probabilities.
The obviousness analysis of claim 6 applies equally here.

Regarding claims 14 and 28, Ross discloses its further limitation which neither SAS nor Chandola discloses comprising:
for each event of the set of events, determining a probability of occurrence for each field value of the corresponding event, and using the probabilities of occurrence determined for each field value of the corresponding event to determine the probability of occurrence for the corresponding event.
P. 4, examples 1.1 and 1.2. P. 51 et seq., sec. 2.5.2: independent random variables, eqn. 2.12 and 2.13. The Examiner notes that this formula, known as the product rule, can be used to compute the probability of occurrence for any combination of independent events.
The obviousness analysis of claim 6 applies equally here.

Regarding claim 21, Ross discloses its further limitation which neither SAS nor Chandola discloses comprising:
for each event of the set of events, adding a field indicating the probability of occurrence for the corresponding event.
P. 4, examples 1.1 and 1.2.

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over SAS, Chandola and Scott.
Regarding claim 9, Scott discloses its further limitation which neither SAS nor Chandola discloses wherein the probability of occurrence for the corresponding event is determined using a probability of occurrence for a numerical field value of the corresponding event, and wherein the probability of occurrence for the numerical field value is determined using histogram-based density estimation.


[Figure: media_image2.png, greyscale]
Excerpt from Scott, p. 497.

At the time of filing, it would have been obvious to a person of ordinary skill to use Scott’s rule to determine the histogram bin-width in the combined system of SAS/Chandola because it provides for relatively easy computation without oversmoothing for large samples when compared with other methods. See discussion in Scott at p. 501.
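The following added example (not part of this Office action, the application, or any cited reference) runs the steps recited in the claims discussed above on constructed log lines: field extraction by a regex rule, the O/N categorical probability, a histogram estimate with Scott's rule bin width, the product of field probabilities, and the Q1 minus k times IQR threshold. The log format, field names, regex and helper names are assumptions made for illustration.

```python
import math
import re
import statistics
from collections import Counter

# Constructed sample: 20 raw access-log lines (not from any real system).
RAW_EVENTS = (
    [f"2024-01-01T00:00:{i:02d}Z method=GET bytes={500 + 10 * i}" for i in range(11)]
    + [f"2024-01-01T00:01:{i:02d}Z method=GET bytes={1500 + 10 * i}" for i in range(8)]
    + ["2024-01-01T00:02:00Z method=DELETE bytes=1580"]
)

# Hypothetical extraction rule: one regex that yields a timestamp, a
# categorical field (method) and a numerical field (bytes) per event.
EXTRACT = re.compile(r"^(?P<ts>\S+) method=(?P<method>\w+) bytes=(?P<bytes>\d+)$")


def extract_fields(raw):
    """Apply the extraction rule to one raw event; reject lines it cannot parse."""
    m = EXTRACT.match(raw)
    if m is None:
        raise ValueError(f"extraction rule did not match: {raw!r}")
    return {"ts": m["ts"], "method": m["method"], "bytes": int(m["bytes"])}


def categorical_probs(values):
    """P(v) = O / N, where O is the number of times v occurs among N events."""
    counts = Counter(values)
    n = len(values)
    return [counts[v] / n for v in values]


def histogram_probs(values):
    """Histogram estimate: P(x) is the share of events falling in x's bin.

    Bin width follows Scott's rule, h = 3.49 * s * n^(-1/3).
    """
    n = len(values)
    s = statistics.stdev(values) if n > 1 else 0.0
    if s == 0:
        return [1.0] * n  # every value identical: a single bin holds all events
    h = 3.49 * s * n ** (-1 / 3)
    lo = min(values)
    bins = [int((x - lo) // h) for x in values]
    counts = Counter(bins)
    return [counts[b] / n for b in bins]


def event_probs(events):
    """Product of the per-field probabilities (fields treated as independent)."""
    p_cat = categorical_probs([e["method"] for e in events])
    p_num = histogram_probs([e["bytes"] for e in events])
    return [a * b for a, b in zip(p_cat, p_num)]


def quartile(sorted_vals, q):
    """Smallest value such that at least a fraction q of the data is <= it."""
    idx = max(math.ceil(q * len(sorted_vals)) - 1, 0)
    return sorted_vals[idx]


def outlier_threshold(probs, k=1.5):
    """Lower fence Q1 - k * IQR computed over the event probabilities."""
    ordered = sorted(probs)
    q1, q3 = quartile(ordered, 0.25), quartile(ordered, 0.75)
    return q1 - k * (q3 - q1)


def find_outliers(raw_events, k=1.5):
    """Return (event probabilities, threshold, indices of outlier events)."""
    events = [extract_fields(r) for r in raw_events]
    probs = event_probs(events)
    fence = outlier_threshold(probs, k)
    flagged = [i for i, p in enumerate(probs) if p < fence]
    return probs, fence, flagged


if __name__ == "__main__":
    probs, fence, flagged = find_outliers(RAW_EVENTS)
    print(f"threshold = {fence:.4f}")
    for i in flagged:
        print(f"outlier: p={probs[i]:.4f}  {RAW_EVENTS[i]}")
```

Because the probabilities are bounded below by zero, a wide interquartile range or a large k can push the threshold to zero or below, in which case no event is designated an outlier.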

Claims 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over SAS, Chandola and Hoefelmeyer.

Regarding claim 19, Hoefelmeyer discloses the further limitation which neither SAS nor Chandola discloses comprising:
for each event of the set of events, adding a field indicating whether the event is an outlier event.
Fig. 6 and [52]: analysis status field which may take the value “potential anomaly”
At the time of filing, a person of ordinary skill in the art would have found it obvious to modify the combined system of SAS/Chandola to include an additional field containing information about whether a record was identified as being a possible anomaly (as taught by Hoefelmeyer) so that this information would be persistent, portable, reusable, and could be seen by system users or administrators whenever the record is viewed.

Regarding claim 20, SAS discloses its further limitation comprising:
filtering out events...
P. 151: “This displays the Find Observations dialog. Select the variable SEX. With the default values in the other lists, this creates a test for SEX = Female.”
Additionally, Hoefelmeyer discloses the following further limitation which neither SAS nor Chandola discloses comprising:
for each event of the set of events, adding a field indicating whether the event is an outlier event; and
Fig. 6 and [52]: analysis status field which may take the value “potential anomaly”
At the time of filing, a person of ordinary skill in the art would have found it obvious to modify the combined system of SAS/Chandola to include an additional field containing information about whether a record was identified as being a possible anomaly (as taught by Hoefelmeyer) so that this information would be persistent, portable, reusable, and could be seen by system users or administrators whenever the record is viewed. Additionally, it would have been obvious to filter (and graph) a particular subset of observations (as taught by SAS) so that the user could view only the detected anomalies, and perhaps draw conclusions from considering only this set.

Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over SAS, Chandola, Denning and Borowiak.
Regarding claim 22, Denning discloses the following further limitation which neither SAS nor Chandola discloses wherein each event includes a plurality of field values, wherein a field is defined by an extraction rule for extracting a subportion of text from the portion of raw machine data in an event to produce a value for the field for that event ...
(P. 9, audit records comprising several fields) and is associated with a timestamp extracted from the raw machine data associated with that event (p. 9, audit record fields include time stamps). P. 10: queries, e.g. “RETRIEVE * FROM Audit-Records WHERE Subject = s and Object = o.” The Examiner notes that audit records comprise text as described on p. 9. P. 9: Action and Exception-Condition are each categorical/discrete fields. P. 9, Resource-Usage is a quantitative/numerical field.
At the time of filing, it would have been obvious to a person of ordinary skill to apply the text extraction techniques disclosed by Denning in the combined system of SAS/Chandola because these fields could contain information that is highly predictive of anomalies / network intrusion. All three disclosures pertain to predictive analytics.
Borowiak discloses the following further limitation which neither SAS, Chandola nor Denning discloses:
the extraction rule comprising a regular expression rule (regex rule).
Abstract, introduction, and passim.
At the time of filing, it would have been obvious to a person of ordinary skill to employ regex rules (as taught by Borowiak) in the combined system of SAS/Chandola/Denning because they provide for a powerful yet compact means for performing complex text extraction.

Claim 24 is rejected under 35 U.S.C. 103 as being unpatentable over SAS, Chandola and Denning.
Regarding claim 24, Denning discloses the further limitation which neither SAS nor Chandola discloses wherein each event includes a plurality of field values, wherein a field is defined by an extraction rule for extracting a subportion of text from the portion of raw machine data in an event to produce a value for the field for that event, the raw machine data comprising log data, application data, or packet data.
(P. 9, audit records comprising several fields) and is associated with a timestamp extracted from the raw machine data associated with that event (p. 9, audit record fields include time stamps). P. 10: queries, e.g. “RETRIEVE * FROM Audit-Records WHERE Subject = s and Object = o.” The Examiner notes that audit records comprise text as described on p. 9.
[Additionally, Chandola discloses considering log data and packet data. See p. 12: “The data available for intrusion detection systems can be at different levels of granularity, for example, packet level traces, CISCO net-flows data, and so forth. The data has a temporal aspect associated with it but most of the techniques typically do not explicitly handle the sequential aspect. The data is high dimensional typically with a mix of categorical as well as continuous attributes.” (Emphasis added.)]
At the time of filing, it would have been obvious to a person of ordinary skill to apply the text extraction techniques disclosed by Denning in the combined system of SAS/Chandola because these fields could contain information that is highly predictive of anomalies / network intrusion. All three disclosures pertain to predictive analytics.

Additional Relevant Prior Art
The following references were identified by the Examiner as being relevant to the disclosed invention, but are not relied upon in any particular prior art rejection:
Bhuyan discloses a survey of network anomaly detection systems, including a discussion of user interfaces. See e.g. pp. 313 and 319. (Bhuyan MH, Bhattacharyya DK, Kalita JK. Network anomaly detection: methods, systems and tools. IEEE communications surveys & tutorials. 2013 Jun 6;16(1):303-36.)

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Vincent Gonzales whose telephone number is (571) 270-3837. The examiner can normally be reached on Monday-Friday 7 a.m. to 4 p.m. MT.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Miranda Huang, can be reached at (571) 270-7092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Vincent Gonzales/Primary Examiner, Art Unit 2124