DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  
Response to Amendment
This Office Action is in response to the amendment filed 4/21/2022.
Claims 1-20 are currently amended. Claims 1-20 are pending and considered.
Response to Argument
Applicant’s arguments, see pages 8-12 of the Remarks filed 4/21/2022, with respect to the rejection of the claims over the prior art have been fully considered and are persuasive, further in view of the examiner’s amendment below. Upon the examiner’s updated search on the features recited in the claims, the examiner believes the case is in condition for allowance. Therefore, the rejection of claims 1-20 under 35 U.S.C. 103 has been withdrawn.
Allowable Subject Matter
Claims 1-6, 8-13, 15-20 are allowed.
The following is an examiner’s statement of reasons for allowance: 
The present invention is directed to generating clusters of groups of anomaly reports using rules obtained by association rule learning, with a suffix tree representing the field values of each respective group of anomaly reports, and marking a cluster of groups of anomaly reports as a possible false positive anomaly cluster.
Claim 1 (similarly claims 8 and 15) identifies the uniquely distinct features “extracting fields, and values for the fields, from each of the plurality of anomaly reports; generating a suffix tree of the values for the fields, wherein the suffix tree comprises the values for the fields corresponding with possible security breaches that are split into subsidiary nodes that are each common to the network security anomaly”, “clustering a plurality of groups from the suffix tree; generating a respective rule for each of the plurality of groups according to association rule learning, wherein the respective rule differentiates the plurality of groups from other groups describing distinguishable network security anomalies; for each group of the plurality of groups, automatically creating one or more clusters that comprises at least one of the plurality of groups and the respective rule; and marking the one or more clusters as a possible false positive anomaly cluster; displaying a view of one of the possible false positive anomaly clusters”. 
The prior art, Hagi et al (US20190149565A1), discloses an anomaly detection system and method that provides a plurality of tensors to an HTM network to generate HTM reports, determines whether an anomaly is indicated, and notifies the user through a user interface.
The prior art, Cherepanov et al (US20120209592A1), discloses a system and method for generating suffix rewriting rules. In particular, Cherepanov teaches generating final suffix rewriting rules based on canonical suffix-rewriting rules associated with words, to define rules for grouping anomaly reports in the manner that words are associated using a suffix tree as applied to search queries.
The prior art, Gamble et al (US20190342307A1), discloses a system and method that processes collected data using a data model to identify and link anomalies in order to identify security events and intrusions. In particular, Gamble teaches combining similar nodes, or grouping security events with common features, while monitoring a security attack chain for anomaly detection, to identify unique groupings of events in graph form and so provide a more accurate intrusion detection mechanism.
The prior art, either singly or in combination, fails to anticipate or render obvious the claimed limitations of claim 1 (similarly claims 8 and 15) of “extracting fields, and values for the fields, from each of the plurality of anomaly reports; generating a suffix tree of the values for the fields, wherein the suffix tree comprises the values for the fields corresponding with possible security breaches that are split into subsidiary nodes that are each common to the network security anomaly”, “clustering a plurality of groups from the suffix tree; generating a respective rule for each of the plurality of groups according to association rule learning, wherein the respective rule differentiates the plurality of groups from other groups describing distinguishable network security anomalies; for each group of the plurality of groups, automatically creating one or more clusters that comprises at least one of the plurality of groups and the respective rule; and marking the one or more clusters as a possible false positive anomaly cluster; displaying a view of the one or more clusters as the possible false positive anomaly cluster”.
Regarding the dependent claims: dependent claims 2-6, 9-13, and 16-20 are also allowed for incorporating the allowable feature recited in the respective independent claims.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Examiner’s Amendment
The application has been amended as follows: 
An Examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicants, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Melissa Paterson (858-720-7460) on 5/12/2022 (See PTO-413 interview summary).

PLEASE AMEND THE CLAIMS AS FOLLOWS:
1.	(Currently Amended) A system, comprising:
a hardware processor; and
a non-transitory machine-readable storage medium encoded with instructions executable by the hardware processor to perform a method comprising: 
receiving a plurality of anomaly reports, wherein each of the plurality of anomaly reports describes a network security anomaly;
extracting fields, and values for the fields, from each of the plurality of anomaly reports;
generating a suffix tree of the values for the fields, wherein the suffix tree comprises the values for the fields corresponding with possible security breaches that are split into subsidiary nodes that are each common to the network security anomaly;
clustering a plurality of groups from the suffix tree; 
generating a respective rule for each of the plurality of groups according to association rule learning, wherein the respective rule differentiates the plurality of groups from other groups describing distinguishable network security anomalies;
for each group of the plurality of groups, automatically creating one or more clusters that comprises at least one of the plurality of groups and the respective rule; [[and]]
marking the one or more clusters as a possible false positive anomaly cluster; and 
displaying a view of the one or more clusters as the possible false positive anomaly cluster.
2.	(Previously Presented) The system of claim 1, wherein the hardware processor further to perform the method comprising:
applying a frequent pattern growth algorithm to the plurality of anomaly reports.
3.	(Previously Presented) The system of claim 1, wherein the hardware processor further to perform the method comprising: 
filtering the plurality of groups according to confidence values respectively associated with the groups after grouping the plurality of anomaly reports and before creating the one or more clusters.
4.	(Previously Presented) The system of claim 3, wherein filtering the plurality of groups according to the confidence values further comprises:
discarding groups having a confidence value below a determined confidence threshold.
5.	(Previously Presented) The system of claim 3, wherein the hardware processor further to perform the method comprising:
selecting a portion of the plurality of groups according to the respective rules after grouping the plurality of anomaly reports and before filtering the plurality of groups.
6.	(Previously Presented) The system of claim 1, wherein creating the one or more clusters comprises:
selecting the respective rule for each of the plurality of groups corresponding with a highest number of the fields.
7.	(Canceled) 
8.	(Currently Amended) A non-transitory machine-readable storage medium encoded with instructions executable by a hardware processor of a computing component, the machine-readable storage medium comprising instructions to cause the hardware processor to perform a method comprising: 
receiving a plurality of anomaly reports, wherein each of the plurality of anomaly reports describes a network security anomaly;
extracting fields, and values for the fields, from each of the plurality of anomaly reports;
generating a suffix tree of the values for the fields, wherein the suffix tree comprises the values for the fields corresponding with possible security breaches that are split into subsidiary nodes that are each common to the network security anomaly;
clustering a plurality of groups from the suffix tree;
generating a respective rule for each of the plurality of groups according to association rule learning, wherein the respective rule differentiates the plurality of groups from other groups describing distinguishable network security anomalies;
for each group of the plurality of groups, automatically creating one or more clusters that comprises at least one of the plurality of groups and the respective rule; [[and]]
marking the one or more clusters as a possible false positive anomaly cluster; and 
displaying a view of the one or more clusters as the possible false positive anomaly cluster.
9.	(Previously Presented) The non-transitory machine-readable storage medium of claim 8, wherein the instructions further cause the hardware processor to perform the method comprising:
applying a frequent pattern growth algorithm to the plurality of anomaly reports.
10.	(Previously Presented) The non-transitory machine-readable storage medium of claim 8, wherein the instructions further cause the hardware processor to perform the method comprising: 
filtering the plurality of groups according to confidence values respectively associated with the groups after grouping the plurality of anomaly reports and before creating the one or more clusters.
11.	(Previously Presented) The non-transitory machine-readable storage medium of claim 10, wherein filtering the plurality of groups according to the confidence values further comprises:
discarding groups having a confidence value below a determined confidence threshold.
12.	(Previously Presented) The non-transitory machine-readable storage medium of claim 10, wherein the instructions further cause the hardware processor to perform the method comprising:
selecting a portion of the plurality of groups according to the respective rules after grouping the plurality of anomaly reports and before filtering the plurality of groups.
13.	(Previously Presented) The non-transitory machine-readable storage medium of claim 8, wherein creating the one or more clusters comprises:
selecting the respective rule for each of the plurality of groups corresponding with a highest number of the fields.
14.	(Canceled) 
15.	(Currently Amended) A method comprising: 
receiving a plurality of anomaly reports, wherein each of the plurality of anomaly reports describes a network security anomaly;
extracting fields, and values for the fields, from each of the plurality of anomaly reports;
generating a suffix tree of the values for the fields, wherein the suffix tree comprises the values for the fields corresponding with possible security breaches that are split into subsidiary nodes that are each common to the network security anomaly;
clustering a plurality of groups from the suffix tree; 
generating a respective rule for each of the plurality of groups according to association rule learning, wherein the respective rule differentiates the plurality of groups from other groups describing distinguishable network security anomalies;
for each group of the plurality of groups, automatically creating one or more clusters that comprises at least one of the plurality of groups and the respective rule; [[and]]
marking the one or more clusters as a possible false positive anomaly cluster; and 
displaying a view of the one or more clusters as the possible false positive anomaly cluster.
16.	(Previously Presented) The method of claim 15, further comprising:
applying a frequent pattern growth algorithm to the plurality of anomaly reports.
17.	(Previously Presented) The method of claim 15, further comprising: 
filtering the plurality of groups according to confidence values respectively associated with the groups after grouping the plurality of anomaly reports and before creating the one or more clusters.
18.	(Previously Presented) The method of claim 17, wherein filtering the plurality of groups according to the confidence values further comprises:
discarding groups having a confidence value below a determined confidence threshold.
19.	(Previously Presented) The method of claim 17, further comprising: 
selecting a portion of the plurality of groups according to the respective rules after grouping the plurality of anomaly reports and before filtering the plurality of groups.
20.	(Previously Presented) The method of claim 15, wherein creating the one or more clusters comprises:
selecting the respective rule for each of the plurality of groups corresponding with a highest number of the fields.
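The following is an added illustration of the pipeline recited in claims 1-6 (and the parallel claims 8-13 and 15-20), written for this page; it is not the applicant's code and nothing in the application discloses this implementation. All reports, field names and values are constructed. The suffix tree is a naive one over the sequence of field values of each report, the association rules are found by brute-force enumeration of each group's shared values in place of a frequent-itemset miner such as FP-growth (claim 2), the 0.8 confidence threshold (claims 3-4) and the requirement that a group share at least two values are this example's own assumptions, and ties between rules go to the antecedent with the most fields (claim 6). Surviving clusters are marked as possible false positives for analyst review, not suppressed.

```python
"""Illustration of the claimed pipeline on constructed data (added example, not the applicant's code)."""
from collections import defaultdict
from itertools import combinations

# Constructed sample anomaly reports; every field name and value here is made up.
REPORTS = [
    {"id": 1, "src_ip": "10.0.0.5",  "dst_port": "443",  "detector": "beacon",     "user": "svc-backup"},
    {"id": 2, "src_ip": "10.0.0.5",  "dst_port": "443",  "detector": "beacon",     "user": "svc-backup"},
    {"id": 3, "src_ip": "10.0.0.7",  "dst_port": "443",  "detector": "beacon",     "user": "svc-backup"},
    {"id": 4, "src_ip": "10.0.0.9",  "dst_port": "22",   "detector": "bruteforce", "user": "root"},
    {"id": 5, "src_ip": "10.0.0.9",  "dst_port": "22",   "detector": "bruteforce", "user": "admin"},
    {"id": 6, "src_ip": "10.0.0.11", "dst_port": "3389", "detector": "lateral",    "user": "jdoe"},
    {"id": 7, "src_ip": "10.0.0.12", "dst_port": "3389", "detector": "lateral",    "user": "asmith"},
    {"id": 8, "src_ip": "10.0.0.13", "dst_port": "3389", "detector": "bruteforce", "user": "root"},
    {"id": 9, "src_ip": "10.0.0.14", "dst_port": "445",  "detector": "lateral",    "user": "admin"},
]
FIELDS = ("src_ip", "dst_port", "detector", "user")  # fixed order so the values form a sequence


def extract_values(report):
    """Fields and their values, as an ordered tuple of 'field=value' tokens."""
    return tuple(f"{f}={report[f]}" for f in FIELDS if f in report)


def build_suffix_tree(sequences):
    """Naive suffix tree over the value sequences, stored as {node path: report ids}.

    A node is its token path from the root (a contiguous run of values); its member
    set holds every report whose sequence contains that run.  A node with several
    members is a subsidiary node common to those reports' anomalies.
    """
    nodes = defaultdict(set)
    for rid, seq in sequences.items():
        for start in range(len(seq)):
            for end in range(start + 1, len(seq) + 1):
                nodes[seq[start:end]].add(rid)
    return nodes


def cluster_groups(nodes, min_members=2, min_depth=2):
    """One group per distinct member set: the deepest node exactly those reports share.
    min_depth=2 is this example's assumption: a group must share at least two values."""
    deepest = {}
    for path, ids in nodes.items():
        if len(ids) < min_members or len(path) < min_depth:
            continue
        key = frozenset(ids)
        if key not in deepest or len(path) > len(deepest[key]):
            deepest[key] = path
    return [(sorted(ids), path) for ids, path in deepest.items()]


def support(tokens, sequences):
    """Fraction of all reports that contain every token in `tokens`."""
    return sum(all(t in seq for t in tokens) for seq in sequences.values()) / len(sequences)


def learn_rule(path, sequences):
    """Association rule for one group: split its shared values into antecedent -> consequent.
    Brute-force enumeration stands in for a frequent-itemset miner such as FP-growth;
    confidence = support(antecedent + consequent) / support(antecedent).  The most
    confident rule wins, ties going to the antecedent with the most fields (claim 6)."""
    items = sorted(set(path))
    whole = support(items, sequences)  # > 0, since every group member contains all items
    best = None
    for k in range(1, len(items)):
        for antecedent in combinations(items, k):
            consequent = tuple(t for t in items if t not in antecedent)
            candidate = (whole / support(antecedent, sequences), len(antecedent), antecedent, consequent)
            if best is None or candidate > best:
                best = candidate
    confidence, _, antecedent, consequent = best
    return {"if": antecedent, "then": consequent, "support": whole, "confidence": confidence}


def build_clusters(reports, min_confidence=0.8):
    """Whole pipeline; groups whose rule falls below min_confidence are discarded (claims 3-4)."""
    sequences = {r["id"]: extract_values(r) for r in reports}
    clusters = []
    for ids, path in cluster_groups(build_suffix_tree(sequences)):
        rule = learn_rule(path, sequences)
        if rule["confidence"] < min_confidence:
            continue
        clusters.append({"reports": ids, "shared_values": path, "rule": rule,
                         "possible_false_positive": True})  # marked for analyst review
    return sorted(clusters, key=lambda c: c["reports"])


def render(clusters):
    """Text view of the possible-false-positive clusters."""
    return "\n".join(
        f"reports {c['reports']}: IF {' & '.join(c['rule']['if'])} THEN {' & '.join(c['rule']['then'])}"
        f" (confidence {c['rule']['confidence']:.2f}) -> possible false positive" for c in clusters)


if __name__ == "__main__":
    print(render(build_clusters(REPORTS)))
```

On the constructed data the tree yields five groups that share at least two values; the group of reports 6 and 7 (port 3389 with the lateral-movement detector) is dropped because each of its values also occurs in unrelated reports, so no rule reaches 0.8 confidence, while the recurring backup-service beacon reports (1, 2, 3) form a tight cluster with a confidence-1.0 rule and are surfaced as a possible false positive for review.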

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/Examiner, Art Unit 2436
/TRONG H NGUYEN/Primary Examiner, Art Unit 2436