Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant’s arguments, see Remarks, filed 6-30-2022, with respect to the claim interpretation have been fully considered and are persuasive in light of the new amendments. The claim interpretation, though it is neither an objection nor a rejection, is hereby withdrawn.
Applicant's arguments filed 6-30-2022 have been fully considered but they are not persuasive. The attorney’s arguments “…Givental fails to teach or disclose the image including a first pixel having a first value representing an amount of data transmitted by the device and a second pixel having a second value representing whether the device has communication with an Internet domain, as claimed in claim 1. Beyah fails to teach or disclose the image including a first pixel having a first value representing an amount of data transmitted by the device and a second pixel having a second value representing whether the device has communication with an Internet domain, as claimed in claim 1.” are based on the new amendments. The examiner disagrees with the arguments, as the corresponding teaching(s) is/are provided in this rejection. The spec. [0047] recites ‘image represents a data structure capable of storing the extracted statistics or a transformation thereof. In FIG. 3, the image is represented by a two dimensional array with cell values (e.g., pixel values) corresponding to particular extracted statistics’; therefore, under the broadest reasonable interpretation (MPEP 2111.01), the image is formed by a pattern of pixel values, and typically an image cannot be formed by only one pixel. The prior art obviously teaches that the image representation is created by encoding specific pixels as follows: ‘[061] alert image representations, as with the alert image representations generated during training, are data structures specifying image pixel characteristics for each pixel of a predefined size alert image and which encode alert attributes in predefined sections of the alert image representation…’ The same reasoning applies to claims 7, 13 and 19 and their corresponding dependent claims 2-6, 8-12, 14-18 and 20. MPEP 2141.02 VI. PRIOR ART MUST BE CONSIDERED IN ITS ENTIRETY, INCLUDING DISCLOSURES THAT TEACH AWAY FROM THE CLAIMS.
Applicant's arguments do not comply with 37 CFR 1.111(c) because they do not clearly point out the patentable novelty which he or she thinks the claims present in view of the state of the art disclosed by the references cited or the objections made. Further, they do not show how the amendments avoid such references or objections. In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). Therefore the rejections are maintained.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1, 5 – 7, 11 – 13, 17 – 19 are rejected under 35 U.S.C. 103 as being unpatentable over Givental et al (US 20200342252), hereafter Giv, and Beyah et al (US 9225732), hereafter Bey.
Claim 1: Giv teaches an apparatus for detecting anomalous communications, the apparatus comprising: at least one memory; machine readable instructions; and processor circuitry to at least one of instantiate or execute the machine readable instructions to (Figs. 1A-1B, 7): ([0008] receiving an event data structure comprising a plurality of event attributes. The event data structure represents an [056] event occurring in association with at least one computing resource in a monitored computing environment); 
([0008] executing for each event attribute in the plurality of event attributes, a corresponding event attribute encoder that encodes the event attribute as an event image representation data structure corresponding to the event attribute(s));
the image including a first pixel having a first value representing  ([061, 66] alert image representations… specifying image pixel characteristics for each pixel of a predefined size alert image and which encode alert attributes in predefined sections of the alert image representation and the alert attributes include a traffic count attributes (i.e., amount of transmitted data) and [077] with regard to the event name and event names count, the event names count are normalized and scaled to the 0-255 (i.e., one or more pixel values) range to generate a pixel color characteristic for the pixel, and the event name has a bit mask applied to the event name string...);
and a second pixel having a second value representing  ([061, 66] alert image representations… specifying image pixel characteristics for each pixel of a predefined size alert image and which encode alert attributes in predefined sections of the alert image representation and the alert attributes includes a Source (Src) Geo/Src Geo count attribute, a Destination (Dst) geo/Dst Geo Count attribute, source Internet Protocol (IP), destination IP addresses (i.e., communication with internet domain) and [077] scaled alert score is used to determine the pixel color while the scaled magnitude is used to determine pixel location based on a bit mask applied to the scaled magnitude (i.e., one or more pixel values));
and ([0008, 39] inputting and training the neural network computer model using the event image representation data structure and based on the provided labels for the events associated with the computing resource).
Giv is silent on 
But analogous art Bey teaches (C7L23-25: a feature extraction process measures, determines, record one or more traffic properties, or features, as network traffic is collected);
(C2L16-20: generating a device signature comprising encoded information about the hardware and software architecture of the device).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Giv to include the idea of the property extraction and device persona identification as taught by Bey so as to effectively analyze encrypted network traffic, independent of type or protocol, without the need for prior knowledge about packet payload, thus preserving scalability without compromising privacy (C5L48-49; C7L40-43).
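The encoding the rejection relies on (counts normalized and scaled into the 0-255 pixel range, a bit mask over a name string selecting a pixel location, and a separate pixel marking contact with an Internet address) can be made concrete with a small script. The following is an added illustration written for this discussion; it is not code from Givental, Beyah or the application under examination. The flow records, the 65535-byte normalization ceiling, the 8×2 image size, the byte-sum bit mask and the persona label are all constructed assumptions chosen so the example runs offline.

```python
"""Added illustration (not the applicant's or the prior art's code):
aggregate flows from one device, extract statistics, and encode them
as a small 2-D pixel array suitable as training input with a persona label."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample of aggregated communications from a single device:
# (destination address, bytes transmitted, event name)
SAMPLE_FLOWS: List[Tuple[str, int, str]] = [
    ("192.168.1.10", 1200, "dns_query"),
    ("93.184.216.34", 45000, "http_get"),
    ("192.168.1.1", 300, "arp"),
    ("93.184.216.34", 8000, "http_get"),
]

MAX_BYTES = 65535   # assumed normalization ceiling for the traffic count
IMAGE_WIDTH = 8     # assumed image dimensions
IMAGE_HEIGHT = 2


def extract_statistics(flows: List[Tuple[str, int, str]]) -> Dict:
    """Statistical properties of the aggregated communications."""
    total_bytes = sum(size for _, size, _ in flows)
    # "Internet domain" contact: any destination outside private address space
    internet_contact = any(
        not ipaddress.ip_address(dst).is_private for dst, _, _ in flows
    )
    event_names = sorted({name for _, _, name in flows})
    return {
        "total_bytes": total_bytes,
        "internet_contact": internet_contact,
        "event_names": event_names,
    }


def scale_to_pixel(value: int, ceiling: int) -> int:
    """Normalize a count to [0, ceiling] and scale it into the 0..255 range."""
    clipped = max(0, min(value, ceiling))
    return round(255 * clipped / ceiling)


def name_to_location(name: str, width: int) -> int:
    """Bit mask applied to the name string (byte sum) selects a pixel column.
    Assumes width is a power of two so width-1 is a valid mask."""
    return sum(name.encode()) & (width - 1)


def build_image(stats: Dict) -> List[List[int]]:
    """Encode statistics into a width x height pixel array."""
    img = [[0] * IMAGE_WIDTH for _ in range(IMAGE_HEIGHT)]
    # first pixel: amount of data transmitted, scaled to 0..255
    img[0][0] = scale_to_pixel(stats["total_bytes"], MAX_BYTES)
    # second pixel: whether the device communicated with an Internet address
    img[0][1] = 255 if stats["internet_contact"] else 0
    # second row: one pixel lit per observed event name, location by bit mask
    for name in stats["event_names"]:
        img[1][name_to_location(name, IMAGE_WIDTH)] = 255
    return img


def training_sample(flows: List[Tuple[str, int, str]], persona: str) -> Dict:
    """Pair the image with a device persona label, as a model would be trained on."""
    return {"image": build_image(extract_statistics(flows)), "persona": persona}


if __name__ == "__main__":
    # "sensor_node" is a constructed persona label, not a value from the page
    sample = training_sample(SAMPLE_FLOWS, "sensor_node")
    for row in sample["image"]:
        print(" ".join(f"{px:3d}" for px in row))
    print("persona:", sample["persona"])
```

Run as is, the first row shows the scaled traffic count followed by the Internet-contact flag, and the second row lights one column per distinct event name; a detector trained on such images alongside persona labels can then be fed the image of an unlabeled device and asked whether its traffic pattern fits any known persona.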
Claim 7: Giv teaches at least one non-transitory computer readable medium comprising instructions that, when executed, cause at least one processor to at least (Fig. 1A-1B): aggregate communications from a device communicating via a communications interface; generate an image based on the extracted statistical properties, the image including a first pixel having a first value representing pixel having a second value representing ([0008] receiving an event data structure comprising a plurality of event attributes. The event data structure represents an [056] event occurring in association with at least one computing resource in a monitored computing environment; [0008] executing for each event attribute in the plurality of event attributes, a corresponding event attribute encoder that encodes the event attribute as an event image representation data structure corresponding to the event attribute(s); [061, 66, Figs. 2A-2C, 3A] alert image representations… specifying image pixel characteristics for each pixel of a predefined size alert image and which encode alert attributes in predefined sections of the alert image representation (i.e., first pixel) and the alert attributes include a traffic count attributes (i.e., amount of transmitted data) and [077] with regard to the event name and event names count, the event names count are normalized and scaled to the 0-255 (i.e., one or more pixel values) range to generate a pixel color characteristic for the pixel, and the event name has a bit mask applied to the event name string...; [061, 66] alert image representations… specifying image pixel characteristics for each pixel of a predefined size alert image and which encode alert attributes in predefined sections of the alert image representation (i.e., second pixel) and the alert attributes includes a Source (Src) Geo/Src Geo count attribute, a Destination (Dst) geo/Dst Geo Count attribute, source Internet Protocol (IP), destination IP addresses (i.e., communication with internet domain) and [077] scaled alert score is used to determine the pixel color while the scaled magnitude is used to determine pixel location based on a bit mask applied to the scaled magnitude (i.e., one or more pixel values); [0008, 39] inputting and training the neural network computer model using the event image representation data structure and based on the provided labels for the events associated with the computing resource).
Giv is silent on extract statistical properties of the aggregated communications; identify a persona associated with the device;
But analogous art Bey teaches extract statistical properties of the aggregated communications; identify a persona associated with the device; (C7L23-25: a feature extraction process measures, determines, record one or more traffic properties, or features, as network traffic is collected; C2L16-20: generating a device signature comprising encoded information about the hardware and software architecture of the device).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Giv to include the idea of the property extraction and device persona identification as taught by Bey so as to effectively analyze encrypted network traffic, independent of type or protocol, without the need for prior knowledge about packet payload, thus preserving scalability without compromising privacy (C5L48-49; C7L40-43).
Claim 13: Giv teaches a method for detecting anomalous communications, the method comprising: aggregating communications from a device communicating via a communications interface; generating, by executing an instruction with the at least one processor, an image based on the extracted statistical properties, the image including a first pixel having a first value representing having a second value representing ([0008] receiving an event data structure comprising a plurality of event attributes. The event data structure represents an [056] event occurring in association with at least one computing resource in a monitored computing environment; [0008] executing for each event attribute in the plurality of event attributes, a corresponding event attribute encoder that encodes the event attribute as an event image representation data structure corresponding to the event attribute(s); [061, 66, Figs. 2A-2C, 3A] alert image representations… specifying image pixel characteristics for each pixel of a predefined size alert image and which encode alert attributes in predefined sections of the alert image representation (i.e., first pixel) and the alert attributes include a traffic count attributes (i.e., amount of transmitted data) and [077] with regard to the event name and event names count, the event names count are normalized and scaled to the 0-255 (i.e., one or more pixel values) range to generate a pixel color characteristic for the pixel, and the event name has a bit mask applied to the event name string...; [061, 66] alert image representations… specifying image pixel characteristics for each pixel of a predefined size alert image and which encode alert attributes in predefined sections of the alert image representation (i.e., second pixel) and the alert attributes includes a Source (Src) Geo/Src Geo count attribute, a Destination (Dst) geo/Dst Geo Count attribute, source Internet Protocol (IP), destination IP addresses (i.e., communication with internet domain) and [077] scaled alert score is used to determine the pixel color while the scaled magnitude is used to determine pixel location based on a bit mask applied to the scaled magnitude (i.e., one or more pixel values); [0008, 39] inputting and training the neural network computer model using the event image representation data structure and based on the provided labels for the events associated with the computing resource).
Giv is silent on extracting, by executing an instruction with at least one processor, statistical properties of the aggregated communications; identifying, by executing an instruction with the at least one processor, a persona associated with the device; 
But analogous art Bey teaches extracting, by executing an instruction with at least one processor, statistical properties of the aggregated communications; identifying, by executing an instruction with the at least one processor, a persona associated with the device; (C7L23-25: a feature extraction process measures, determines, record one or more traffic properties, or features, as network traffic is collected; C2L16-20: generating a device signature comprising encoded information about the hardware and software architecture of the device).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Giv to include the idea of the property extraction and device persona identification as taught by Bey so as to effectively analyze encrypted network traffic, independent of type or protocol, without the need for prior knowledge about packet payload, thus preserving scalability without compromising privacy (C5L48-49; C7L40-43).
Claim 19: Giv teaches an apparatus for detecting anomalous communications, the apparatus comprising (Fig. 1A-1B): means for aggregating communications from a device communicating via a communications interface; means for generating an image based on the extracted statistical properties, the image including a first pixel having a first value representing having a second value representing ([0008] receiving an event data structure comprising a plurality of event attributes. The event data structure represents an [056] event occurring in association with at least one computing resource in a monitored computing environment; [0008] executing for each event attribute in the plurality of event attributes, a corresponding event attribute encoder that encodes the event attribute as an event image representation data structure corresponding to the event attribute(s); [061, 66, Figs. 2A-2C, 3A] alert image representations… specifying image pixel characteristics for each pixel of a predefined size alert image and which encode alert attributes in predefined sections of the alert image representation (i.e., first pixel) and the alert attributes include a traffic count attributes (i.e., amount of transmitted data) and [077] with regard to the event name and event names count, the event names count are normalized and scaled to the 0-255 (i.e., one or more pixel values) range to generate a pixel color characteristic for the pixel, and the event name has a bit mask applied to the event name string...; [061, 66] alert image representations… specifying image pixel characteristics for each pixel of a predefined size alert image and which encode alert attributes in predefined sections of the alert image representation (i.e., second pixel) and the alert attributes includes a Source (Src) Geo/Src Geo count attribute, a Destination (Dst) geo/Dst Geo Count attribute, source Internet Protocol (IP), destination IP addresses (i.e., communication with internet domain) and [077] scaled alert score is used to determine the pixel color while the scaled magnitude is used to determine pixel location based on a bit mask applied to the scaled magnitude (i.e., one or more pixel values); [0008, 39] inputting and training the neural network computer model using the event image representation data structure and based on the provided labels for the events associated with the computing resource).
Giv is silent on means for extracting statistical properties of the aggregated communications; means for identifying a persona associated with the device;
But analogous art Bey teaches means for extracting statistical properties of the aggregated communications; means for identifying a persona associated with the device; (C7L23-25: a feature extraction process measures, determines, record one or more traffic properties, or features, as network traffic is collected; C2L16-20: generating a device signature comprising encoded information about the hardware and software architecture of the device).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Giv to include the idea of the property extraction and device persona identification as taught by Bey so as to effectively analyze encrypted network traffic, independent of type or protocol, without the need for prior knowledge about packet payload, thus preserving scalability without compromising privacy (C5L48-49; C7L40-43).
Claim 5: the combination of Giv and Bey teaches the apparatus of claim 1, wherein the aggregated communications represent communications collected via at least two communications interfaces. (Giv: [0055] Security monitoring engines are provided in association with agents deployed and executing on endpoint computing devices, which collect security events and provide the security event data to the SIEM system).
Claim 6: the combination of Giv and Bey teaches the apparatus of claim 1, wherein the generated image is a first image, the persona is a first persona, and the processor circuitry to at least one of instantiate or execute the machine readable instructions to:  (Giv: [0008, 39] into the first neural network computer model, the event image representation data structure, and the label annotations and [33] second primary cognitive computing system element comprises an alert/log entry classification machine learning mechanism that classifies alerts/log entries based on image analysis algorithms applied by the nodes of the neural network model to extract and process features of the input image based on learned functions of the extracted features).
Claim 11: the combination of Giv and Bey teaches the at least one non-transitory computer readable medium of claim 7, wherein the aggregated communications represent communications collected via at least two communications interfaces. (Giv: [0055] Security monitoring engines are provided in association with agents deployed and executing on endpoint computing devices, which collect security events and provide the security event data to the SIEM system).
Claim 12: the combination of Giv and Bey teaches the at least one non-transitory computer readable medium of claim 7, wherein the generated image is a first image, the persona is a first persona, and the instructions, when executed, cause the at least one processor to train the machine learning model using a second image and a second persona. (Giv: [0008, 39] into the first neural network computer model, the event image representation data structure, and the label annotations and [33] second primary cognitive computing system element comprises an alert/log entry classification machine learning mechanism that classifies alerts/log entries based on image analysis algorithms applied by the nodes of the neural network model to extract and process features of the input image based on learned functions of the extracted features).
Claim 17: the combination of Giv and Bey teaches the method of claim 13, wherein the aggregated communications represent communications collected via at least two communications interfaces. (Giv: [0055] Security monitoring engines are provided in association with agents deployed and executing on endpoint computing devices, which collect security events and provide the security event data to the SIEM system).
Claim 18: the combination of Giv and Bey teaches the method of claim 13, wherein the generated image is a first image, the persona is a first persona, and the training of the machine learning model is further performed using a second image and a second persona. (Giv: [0008, 39] into the first neural network computer model, the event image representation data structure, and the label annotations and [33] second primary cognitive computing system element comprises an alert/log entry classification machine learning mechanism that classifies alerts/log entries based on image analysis algorithms applied by the nodes of the neural network model to extract and process features of the input image based on learned functions of the extracted features).

Allowable Subject Matter
Claims 2-4, 8-10, 14-16 and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri Champakesan whose telephone number is (571) 270-3867. The examiner can normally be reached M-F: 8:30am-5pm (EST). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado, can be reached on 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BADRINARAYANAN CHAMPAKESAN/
Primary Examiner, Art Unit 2496.