DETAILED ACTION
This communication is responsive to the application # 16/938,776 filed on July 24, 2020. Claims 1-20 are pending and are directed toward DETECTION OF ANOMALOUS COUNT OF NEW ENTITIES.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 8 and 9 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claim 8 recites a baseline period, which is not defined. Claim 9 recites a single anomaly detection model; however, there are “one or more” models claimed in Claim 1. Claim 9 further recites a calculating step before a determining step, which is in contradiction with causality.
The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA  35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA  35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claims 2, 3, 7, and 9 are rejected under 35 U.S.C. 112(d) or pre-AIA  35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.  Claim 3 recites “starting at the timestamp”.  Claim 1 however claims around the timestamp, which is alternative to the cited limitation of claim 3. Claim 7 recites “the last bin”.  Claims 1 and 6 however do not have a “bin” limitation 2. Claim 9 recites “the last day”.  Claim 1 however does not have this limitation 2. Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.
Examiner is requesting Applicant to adjust claims 12-20 accordingly.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


 Claims 1-5, 12-16, and 20 are rejected under 35 U.S.C. 102(a)(1) as being unpatentable over Fletcher et al. (US 2016/0104091, Pub. Date: Apr. 14, 2016), hereinafter referred to as Fletcher.
As per claim 1, Fletcher teaches a computing system comprising:
one or more processors (Fletcher, [1125]); and
one or more computer-readable media having thereon computer-executable instructions that are structured such that, when executed by the one or more processors (Fletcher, [1128]), cause the computing system to:
receive an indication of a security alert and a context for the security alert (Fletcher, [0212]), the context including one or more entities related to the context (Fletcher, [0235]-[0237]) and a timestamp for the security alert (Fletcher, [0262]);
search one or more data sources for the one or more entities during a time window around the timestamp (Fletcher, [0701], FIG. 43A);
execute one or more anomaly detection models to identify anomalies that are related to the security alert based on the context (Fletcher, [0788]-[0789]); and
output identified anomalies for investigation of the security alert (Fletcher, [0790]).
As per claim 2, Fletcher teaches the computing system of claim 1, further comprising computer-executable instructions that are structured such that, when executed by the one or more processors, cause the computing system to send an indication that the security alert is likely a false positive when no anomalies are identified (Fletcher, [0667], [1034]).
As per claim 3, Fletcher teaches the computing system of claim 1, wherein data at the data sources are grouped into one-day bins (Fletcher, [0545], [0693], [0751]), and anomalies are detected for a one-day period starting at the timestamp (Fletcher, [0545], [1004]).
As per claim 4, Fletcher teaches the computing system of claim 1, wherein the one or more entities comprise one or more of a machine name, a username, an IP address, a process name, or a network identifier (Fletcher, [1004]).
As per claim 5, Fletcher teaches the computing system of claim 1, wherein the anomaly detection model comprises evaluating mean and distance in standard deviations (Fletcher, [0523], [0528]). 
Claims 12-16, and 20 have limitations similar to those treated in the above rejection, and are met by the references as discussed above, and are rejected for the same reasons of anticipation as used above.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 6-8, 17 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Fletcher et al. (US 2016/0104091, Pub. Date: Apr. 14, 2016), in view of Patil (Looking for unknown anomalies - what is normal? Time Series analysis & its applications in Security, May 15 2019, 11 pages), hereinafter referred to as Fletcher and Patil.
As per claim 6, Fletcher teaches the computing system of claim 1, but does not teach time series decomposition. Patil, however, teaches wherein the anomaly detection model comprises a time series decomposition model (Use time series functions (e.g. series_decompose and series_decompose_anomalies) to apply decomposition transformation on an input data series and extract anomalous points. Patil, page 2).
Fletcher in view of Patil are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Fletcher in view of Patil. This would have been desirable because by analyzing time series data over an extended period, we can identify time-based patterns (e.g. seasonality, trend etc.) in the data and extract meaningful statistics which can help in flagging outliers. A particular example in a security context is user logon patterns over a period of time exhibiting different behavior after hours and on weekends: computing deviations from these changing patterns is rather difficult in traditional atomic detections with static thresholds (Patil, page 2).

As per claim 7, Fletcher in view of Patil teaches the computing system of claim 6, further comprising computer-executable instructions that are structured such that, when executed by the one or more processors, cause the computing system to calculate an anomaly score for the series including the last bin using Tukey's fence test with a custom 10th-90th percentile range (AD_method parameter in above syntax specifically controls the anomaly detection method on the residual time series. Available options are ctukey (default option- 10th-90th percentile range) and tukey (standard -25th-75th percentile range), Patil, page 3).
Fletcher in view of Patil are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Fletcher in view of Patil. This would have been desirable because this function is for anomaly detection which is based on series decomposition (refer to series_decompose() ) It takes an expression containing a series (dynamic numerical array) as input and extract anomalous points with scores. anomaly detections used with this function are based on Tukey’s test. (Patil, page 3).

As per claim 8, Fletcher in view of Patil teaches the computing system of claim 7, wherein series that have five or more anomalies in a baseline period are filtered (Configure alerts on specific outliers from the results of the Time Series Analysis, Patil, page 4) and anomalies with a score higher than 3 are reported (Investigate anomalies by joining it against base logs to populate additional fields, Patil, page 4).
Fletcher in view of Patil are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Fletcher in view of Patil. This would have been desirable because mv-expand : This operator is primarily used to expand results of time series analysis decomposition functions which are originally a collection of multi value array into associated timestamps and data points with total, baseline counts and score as individual rows. This output is useful to filter out just the anomalies which are then used to alerting purpose or join against other tables on timestamp columns to gather additional context around anomalies. (Patil, page 4).

Claims 17 and 18 have limitations similar to those treated in the above rejection, and are met by the references as discussed above, and are rejected for the same reasons of obviousness as used above.
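
The scoring and filtering recited in claims 7 and 8, as an added Python illustration that is not part of this Office action, the application, Fletcher or Patil. The score formula (distance outside the 10th-90th percentile band divided by the band width), the reuse of the report threshold to count baseline anomalies, and the sample counts are assumptions; the decomposition step is omitted, so raw one-day counts stand in for the residual series.

```python
import math
from statistics import quantiles

REPORT_SCORE = 3            # from the page: scores higher than 3 are reported
MAX_BASELINE_ANOMALIES = 5  # from the page: five or more baseline anomalies -> filtered

def tukey_scores(series):
    """Score each bin by its distance outside the 10th-90th percentile band,
    in units of the band width (assumed scoring; 0.0 inside the band)."""
    cuts = quantiles(series, n=10, method="inclusive")  # 9 decile cut points
    lo, hi = cuts[0], cuts[-1]
    width = hi - lo
    scores = []
    for x in series:
        dist = x - hi if x > hi else (x - lo if x < lo else 0.0)
        if dist == 0:
            scores.append(0.0)
        elif width == 0:  # flat band: any departure is unbounded
            scores.append(math.copysign(math.inf, dist))
        else:
            scores.append(dist / width)
    return scores

def triage(series):
    """Return (verdict, last-bin score); the last bin is the alert day."""
    scores = tukey_scores(series)  # scored over the series including the last bin
    baseline_hits = sum(s > REPORT_SCORE for s in scores[:-1])
    if baseline_hits >= MAX_BASELINE_ANOMALIES:
        return ("noisy", scores[-1])   # series filtered, nothing reported
    if scores[-1] > REPORT_SCORE:
        return ("report", scores[-1])
    return ("quiet", scores[-1])

# Constructed daily counts of new process names per host (one-day bins).
QUIET = [2, 3, 2, 4, 3, 2, 3, 4, 2, 3, 3, 2, 4, 3, 40]
NOISY = ([10] * 8 + [8, 50]) * 6   # a spike every tenth day, including the last
FLAT = [0] * 14 + [5]              # band width is zero

if __name__ == "__main__":
    for name, s in (("QUIET", QUIET), ("NOISY", NOISY), ("FLAT", FLAT)):
        print(name, triage(s))
```

The NOISY series shows why the baseline filter matters: its last bin scores well above 3, but the same spike recurs five times in the baseline, so the series is dropped rather than reported.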
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of copending Application No. 16/265,742 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because all elements of claims 1-20 of the instant application correspond to elements of claims 1-20 of the reference application. The above claims of the present application would have been obvious over claims 1-20 of the reference application because each element of the claims of the present application is anticipated by the claims of the reference application and as such are unpatentable for obviousness-type double patenting (In re Goodman (CAFC) 29 USPQ2D 2010 (12/3/1993)).
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.
Allowable Subject Matter
Claims 9-11 and 19 are indicated as allowable over prior art.
As allowable subject matter has been indicated, applicant's reply must either comply with all formal requirements or specifically traverse each requirement not complied with.  See 37 CFR 1.111(b) and MPEP § 707.07(a).

Pertinent Prior Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure, and provided in PTO-892.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLEG KORSAK whose telephone number is (571)270-1938.  The examiner can normally be reached on 5:00 AM- 4:00 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/OLEG KORSAK/
Primary Examiner, Art Unit 2492