DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 6-9, 12-19, 21-22, 28 are rejected under 35 U.S.C. 103 as being unpatentable over Humphrey et al (US 20210273961 A1) in view of Beser et al (US 20190012592 A1).
Regarding claims 1, 2, Humphrey et al, discloses a system (figs. 6-7) comprising: a plurality of computers (the first computer system 10 comprises three computers 1, 2, 3, a local server 4, and a multifunctional device 5 ; paragraph 0162); one or more first neural networks (one or more machine learning modules that are trained on a normal behavior of entities; machine learning models: the machine learning learns what is normal within a network ; paragraph 0032, 0170, 0176-0177) to detect anomalous activity (the system 50 comprises a first computer system 10 within a building, which uses the threat detection system to detect and thereby attempt to prevent threats to computing devices within its bounds ; paragraph 0162, 0333) within a first computer (computer 10 of fig. 6 or computer 40 of fig. 6) of the plurality computers (computers 1, 2, 3 ; computers 41, 42; paragraph 0163-0164) and one or more second neural networks (the cyber security appliance 100 in computer 1 builds and maintains a dynamic, ever-changing model of the “normal behavior” of each user and machine within the system 10; in addition, the cyber threat defense system uses mathematical analysis and machine learning to detect potential threats, allowing the system to stay ahead of evolving risks; paragraph 0064, 0166) to detect (the system 50 comprises a first computer system 10 within a building, which uses the threat detection system to detect and thereby attempt to prevent threats to computing devices within its bounds ; paragraph 0162, 0333) anomalous activity (detect anomalies potentially indicative of cyber-threats) within the plurality of computers (computer 1 on the first computer system 10 has the hardware and software of the cyber security appliance 100; and therefore, runs threat detection for detecting threats to the first computer system; furthermore, the models may perform by the threat detection through a probabilistic change in normal behavior through the application of an unsupervised Bayesian mathematical model to detect behavioral change in computers and computer networks; the detectors in the cyber-threat module including its network module and email module components can be discrete mathematical models that implement a specific mathematical method against different sets of variables with the target; paragraph 0075-0076, 0165-0166; paragraph 0170-0172).
However, Humphrey et al, does not specifically disclose the features of accepted behavior using a second neural network, wherein the one or more second neural networks infer a set of accepted activities based, at least in part, on the set of first activities and the set of second activities; and the one or more first neural networks. 
On the other hand, Beser et al, from the same field of endeavor, discloses a computing componentry 30, such as the first artificial neural network 12, the second artificial neural network 14, the third artificial neural network 16, and a central server 18 (paragraph 0039, 0041-0042). The first artificial neural network trains on the first local data, the second artificial neural network trains on second local data, and the third artificial neural network trains on third local data (paragraph 0036-0037). Furthermore, a central model is downloaded from a central server to the first plurality of artificial neural networks and to the second plurality of artificial neural networks; a first local model within the first federation is computed based on the first local data as applied to central model, as is a second local model within the second federation based on the second local data as applied to central model, a first inference is drawn using the first local model within the first federation, as is a second inference using the second local model within the second federation, a first update from the first local model of the first federation is uploaded to the central server using authentication and encryption, as is a second update from the second local model of the second federation to the central server using authentication and encryption , and the first update and the second update are received at the central server, and the central model at the central server is updated based on the first update and the second update (paragraph 0041-0042). It is shown above that Beser discloses the features of accepted behavior using a second neural network, wherein the one or more second neural networks infer a set of accepted activities based, at least in part, on the set of first activities and the set of second activities; and the one or more first neural networks. Therefore, it would have been obvious to one of ordinary skill in the art, at the time the invention was made to apply the technique of Beser to the communication system of Humphrey in order to provide a method for processing information in machine learning, including neural networks used in deep artificial intelligence.
	Regarding claim 6,  Humphrey et al as modified, discloses a system (figs. 6-7), wherein the anomalous activity (detect anomalies potentially indicative of cyber-threats
) comprises a behavior by one or more users of the first computer (the cyber security appliance 100, computer 1 on the first computer system 10 has the hardware and software of the cyber security appliance 100; and therefore, runs threat detection for detecting threats to the first computer system ; paragraph 0162, 0165).
	 Regarding claims 7, 8, Humphrey et al, discloses a processor (computer system 10) comprising: one or more circuits (one or more machine learning modules that are trained on a normal behavior of entities; machine learning models: the machine learning learns what is normal within a network ; paragraph 0032, 0170, 0176-0177) to detect (the system 50 comprises a first computer system 10 within a building, which uses the threat detection system to detect and thereby attempt to prevent threats to computing devices within its bounds ; paragraph 0162, 0333) anomalous activity (detect anomalies potentially indicative of cyber-threats) using one or more first neural networks on a first computer (computer 10 of fig. 6 or computer 40 of fig. 6) based, at least in part, on one or more second neural networks (the cyber security appliance 100 in computer 1 builds and maintains a dynamic, ever-changing model of the “normal behavior” of each user and machine within the system 10; in addition, the cyber threat defense system uses mathematical analysis and machine learning to detect potential threats, allowing the system to stay ahead of evolving risks; paragraph 0064, 0166) to facilitate detection (the system 50 comprises a first computer system 10 within a building, which uses the threat detection system to detect and thereby attempt to prevent threats to computing devices within its bounds ; paragraph 0162, 0333) of anomalous activity (detect anomalies potentially indicative of cyber-threats) on one or more second computers (the LAN 6 of the first computer system 10 is connected to the Internet 20, which in turn provides computers 1, 2, 3 with access to a multitude of other computing devices 18 including server 30 and second computer system 40; the second computer system 40 also includes two computers 41, 42, connected by a second LAN 43; paragraph 0163-0164). 
However, Humphrey et al, does not specifically disclose the features accepted behavior using a second neural network, wherein the one or more second neural networks infer a set of accepted activities based, at least in part, on the set of first activities and the set of second activities; and the one or more first neural networks. 
On the other hand, Beser et al, from the same field of endeavor, discloses a computing componentry 30, such as the first artificial neural network 12, the second artificial neural network 14, the third artificial neural network 16, and a central server 18 (paragraph 0039, 0041-0042). The first artificial neural network trains on the first local data, the second artificial neural network trains on second local data, and the third artificial neural network trains on third local data (paragraph 0036-0037). Furthermore, a central model is downloaded from a central server to the first plurality of artificial neural networks and to the second plurality of artificial neural networks; a first local model within the first federation is computed based on the first local data as applied to central model, as is a second local model within the second federation based on the second local data as applied to central model, a first inference is drawn using the first local model within the first federation, as is a second inference using the second local model within the second federation, a first update from the first local model of the first federation is uploaded to the central server using authentication and encryption, as is a second update from the second local model of the second federation to the central server using authentication and encryption , and the first update and the second update are received at the central server, and the central model at the central server is updated based on the first update and the second update (paragraph 0041-0042). It is shown above that Beser discloses the features of accepted behavior using a second neural network, wherein the one or more second neural networks infer a set of accepted activities based, at least in part, on the set of first activities and the set of second activities; and the one or more first neural networks. Therefore, it would have been obvious to one of ordinary skill in the art, at the time the invention was made to apply the technique of Beser to the communication system of Humphrey in order to provide a method for processing information in machine learning, including neural networks used in deep artificial intelligence.  
	Regarding claim 12,  Humphrey et al as modified, discloses a processor (computer system 10), wherein each set of activities comprises data values representing one or more first users on the first computer and one or more second users on each of the one or more second computers (the LAN 6 of the first computer system 10 is connected to the Internet 20, which in turn provides computers 1, 2, 3 with access to a multitude of other computing devices 18 including server 30 and second computer system 40; the second computer system 40 also includes two computers 41, 42, connected by a second LAN 43; paragraph 0163-0164).
	  Regarding claim 13,  Humphrey et al as modified, discloses a processor (computer system 10), wherein the one or more second neural networks infer new data values for the first neural network based, at least in part, on a plurality of activities (the system 50 comprises a first computer system 10 within a building, which uses the threat detection system to detect and thereby attempt to prevent threats to computing devices within its bounds ; paragraph 0162, 0333) from the one or more second computers (the LAN 6 of the first computer system 10 is connected to the Internet 20, which in turn provides computers 1, 2, 3 with access to a multitude of other computing devices 18 including server 30 and second computer system 40; the second computer system 40 also includes two computers 41, 42, connected by a second LAN 43; paragraph 0163-0164).
	Regarding claims 14, 15,  Humphrey et al, discloses a machine-readable medium (figs. 6-7) having stored thereon a set of instructions, which if performed by one or more processors, cause the one or more processors to at least: detect (the system 50 comprises a first computer system 10 within a building, which uses the threat detection system to detect and thereby attempt to prevent threats to computing devices within its bounds ; paragraph 0162, 0333) anomalous activity (detect anomalies potentially indicative of cyber-threats) using one or more first neural networks (one or more machine learning modules that are trained on a normal behavior of entities; machine learning models: the machine learning learns what is normal within a network ; paragraph 0032, 0170, 0176-0177) on a first computer (computer 10 of fig. 6 or computer 40 of fig. 6) based, at least in part, on one or more second neural networks (the cyber security appliance 100 in computer 1 builds and maintains a dynamic, ever-changing model of the “normal behavior” of each user and machine within the system 10; in addition, the cyber threat defense system uses mathematical analysis and machine learning to detect potential threats, allowing the system to stay ahead of evolving risks; paragraph 0064, 0166) to detect (the system 50 comprises a first computer system 10 within a building, which uses the threat detection system to detect and thereby attempt to prevent threats to computing devices within its bounds ; paragraph 0162, 0333) anomalous activity (detect anomalies potentially indicative of cyber-threats) on one or more second computers (the LAN 6 of the first computer system 10 is connected to the Internet 20, which in turn provides computers 1, 2, 3 with access to a multitude of other computing devices 18 including server 30 and second computer system 40; the second computer system 40 also includes two computers 41, 42, connected by a second LAN 43; paragraph 0163-0164). 
However, Humphrey et al, does not specifically disclose the features accepted behavior using a second neural network, wherein the one or more second neural networks infer a set of accepted activities based, at least in part, on the set of first activities and the set of second activities; and the one or more first neural networks. 
On the other hand, Beser et al, from the same field of endeavor, discloses a computing componentry 30, such as the first artificial neural network 12, the second artificial neural network 14, the third artificial neural network 16, and a central server 18 (paragraph 0039, 0041-0042). The first artificial neural network trains on the first local data, the second artificial neural network trains on second local data, and the third artificial neural network trains on third local data (paragraph 0036-0037). Furthermore, a central model is downloaded from a central server to the first plurality of artificial neural networks and to the second plurality of artificial neural networks; a first local model within the first federation is computed based on the first local data as applied to central model, as is a second local model within the second federation based on the second local data as applied to central model, a first inference is drawn using the first local model within the first federation, as is a second inference using the second local model within the second federation, a first update from the first local model of the first federation is uploaded to the central server using authentication and encryption, as is a second update from the second local model of the second federation to the central server using authentication and encryption , and the first update and the second update are received at the central server, and the central model at the central server is updated based on the first update and the second update (paragraph 0041-0042). It is shown above that Beser discloses the features of accepted behavior using a second neural network, wherein the one or more second neural networks infer a set of accepted activities based, at least in part, on the set of first activities and the set of second activities; and the one or more first neural networks. Therefore, it would have been obvious to one of ordinary skill in the art, at the time the invention was made to apply the technique of Beser to the communication system of Humphrey in order to provide a method for processing information in machine learning, including neural networks used in deep artificial intelligence.
	Regarding claim 16,  Humphrey et al as modified, discloses a machine-readable medium (figs. 6-7) having stored thereon a set of instructions, wherein the set of accepted activities comprise neural network data values representing one or more activities by one or more users on the first computer and the one or more second computers (the system 50 comprises a first computer system 10 within a building, which uses the threat detection system to detect and thereby attempt to prevent threats to computing devices within its bounds ; paragraph 0162, 0333).   
	 Regarding claim 17,  Humphrey et al as modified, discloses a machine-readable medium (figs. 6-7) having stored thereon a set of instructions, wherein the first neural network infers that one or more activities in the first set of activities are anomalous activities using one or more neural network data values received from the one or more second neural networks (the cyber security appliance 100 in computer 1 builds and maintains a dynamic, ever-changing model of the “normal behavior” of each user and machine within the system 10; in addition, the cyber threat defense system uses mathematical analysis and machine learning to detect potential threats, allowing the system to stay ahead of evolving risks; paragraph 0064, 0166).
	Regarding claim 18,  Humphrey et al as modified, discloses a machine-readable medium (figs. 6-7) having stored thereon a set of instructions, wherein the set of accepted activities is inferred by the one or more second neural networks based, at least in part, on a second set of activities on the first computer (the system 50 comprises a first computer system 10 within a building, which uses the threat detection system to detect and thereby attempt to prevent threats to computing devices within its bounds ; paragraph 0162, 0333), and a third set of activities on the one or more second computers (the LAN 6 of the first computer system 10 is connected to the Internet 20, which in turn provides computers 1, 2, 3 with access to a multitude of other computing devices 18 including server 30 and second computer system 40; the second computer system 40 also includes two computers 41, 42, connected by a second LAN 43; paragraph 0163-0164).  
	Regarding claim 19,  Humphrey et al as modified, discloses a machine-readable medium (figs. 6-7) having stored thereon a set of instructions, wherein the second set of activities comprises one or more neural network data values for training the first neural network (the cyber security appliance 100 in computer 1 builds and maintains a dynamic, ever-changing model of the “normal behavior” of each user and machine within the system 10; in addition, the cyber threat defense system uses mathematical analysis and machine learning to detect potential threats, allowing the system to stay ahead of evolving risks; paragraph 0064, 0166).
	Regarding claim 21,  Humphrey et al as modified, discloses a machine-readable medium (figs. 6-7) having stored thereon a set of instructions, wherein the anomalous activity on the first computer comprises one or more first behaviors by one or more first users of the first computer , and the anomalous activity on the one or more second computers comprises one or more second behaviors by one or more second users on each of the one or more second computers (the LAN 6 of the first computer system 10 is connected to the Internet 20, which in turn provides computers 1, 2, 3 with access to a multitude of other computing devices 18 including server 30 and second computer system 40; the second computer system 40 also includes two computers 41, 42, connected by a second LAN 43; paragraph 0163-0164).
	Regarding claim 22, Humphrey et al, discloses a method (figs. 6-7) comprising: detecting (the system 50 comprises a first computer system 10 within a building, which uses the threat detection system to detect and thereby attempt to prevent threats to computing devices within its bounds ; paragraph 0162, 0333) anomalous activity on a first computer (computer 10 of fig. 6 or computer 40 of fig. 6) of a plurality of computers (computers 1, 2, 3 ; computers 41, 42; paragraph 0163-0164) using one or more first neural networks (one or more machine learning modules that are trained on a normal behavior of entities; machine learning models: the machine learning learns what is normal within a network ; paragraph 0032, 0170, 0176-0177) based, at least in part, on one or more second neural networks (the cyber security appliance 100 in computer 1 builds and maintains a dynamic, ever-changing model of the “normal behavior” of each user and machine within the system 10; in addition, the cyber threat defense system uses mathematical analysis and machine learning to detect potential threats, allowing the system to stay ahead of evolving risks; paragraph 0064, 0166) for detecting (the system 50 comprises a first computer system 10 within a building, which uses the threat detection system to detect and thereby attempt to prevent threats to computing devices within its bounds ; paragraph 0162, 0333) anomalous activity (detect anomalies potentially indicative of cyber-threats) within the plurality of computers (computer 1 on the first computer system 10 has the hardware and software of the cyber security appliance 100; and therefore, runs threat detection for detecting threats to the first computer system; furthermore, the models may perform by the threat detection through a probabilistic change in normal behavior through the application of an unsupervised Bayesian mathematical model to detect behavioral change in computers and computer networks; the detectors in the cyber-threat module including its network module and email module components can be discrete mathematical models that implement a specific mathematical method against different sets of variables with the target; paragraph 0075-0076, 0165-0166; paragraph 0170-0172). 
However, Humphrey et al, does not specifically disclose the features of accepted behavior using a second neural network.
On the other hand, Beser et al, from the same field of endeavor, discloses a computing componentry 30, such as the first artificial neural network 12, the second artificial neural network 14, the third artificial neural network 16, and a central server 18 (paragraph 0039, 0041-0042). The first artificial neural network trains on the first local data, the second artificial neural network trains on second local data, and the third artificial neural network trains on third local data (paragraph 0036-0037). Furthermore, a central model is downloaded from a central server to the first plurality of artificial neural networks and to the second plurality of artificial neural networks; a first local model within the first federation is computed based on the first local data as applied to central model, as is a second local model within the second federation based on the second local data as applied to central model, a first inference is drawn using the first local model within the first federation, as is a second inference using the second local model within the second federation, a first update from the first local model of the first federation is uploaded to the central server using authentication and encryption, as is a second update from the second local model of the second federation to the central server using authentication and encryption , and the first update and the second update are received at the central server, and the central model at the central server is updated based on the first update and the second update (paragraph 0041-0042). Therefore, it would have been obvious to one of ordinary skill in the art, at the time the invention was made to apply the technique of Beser to the communication system of Humphrey in order to provide a method for processing information in machine learning, including neural networks used in deep artificial intelligence. 
	Regarding claim 28, Humphrey et al as modified, discloses a method (figs. 6-7), wherein the anomalous activity on the first computer comprises one or more behaviors by one or more users of the first computer (the cyber security appliance 100, computer 1 on the first computer system 10 has the hardware and software of the cyber security appliance 100; and therefore, runs threat detection for detecting threats to the first computer system ; paragraph 0162, 0165). 
Claims 3, 4,  9, 11,  are rejected under 35 U.S.C. 103 as being unpatentable over Humphrey et al (US 20210273961 A1) in view of Beser et al (US 20190012592 A1) as applied to claims 1, 7 above, and further in view of Kuppa et al (US 11178170 B2).
Regarding claims 3-4, 9, 11, Humphrey and Besser disclose everything claimed as explained above except the features of the plurality of computers comprises a reputation value, and the one or more second neural networks infers the set of accepted activities based, at least in part, on the reputation value for each computer of the plurality of computers; wherein the one or more first neural networks infer whether one or more third activities are anomalous activities based, at least in part, on if the one or more third activities comprise activities not included in the set of accepted activities.
However, Kuppa et al discloses the features of the features of the plurality of computers comprises a reputation value (detecting anomalous behaviors within computing sessions ; performing by the computer device, a security action to address the anomaly within the computing session; col. 1, lines  42-53), and the one or more second neural networks infers the set of accepted activities based, at least in part, on the reputation value (include machine and/or customer identifiers, static features of binaries or processes, parent-child relationships of processes executed, reputation and/or prevalence of a file or process within an enterprise, command lines executed by a process and/or file, file names and/or directories, timestamps of activities, and/or other low-level behavior; col. 7, line 54-col. 8, line 12) for each computer of the plurality of computers (virtual machine, configure to run one or more computing devices;  col. 4, lines24-44; col. 5, lines 20-39); wherein the one or more first neural networks ( neural network of the encoder section; col. 7, lines 43-56) infer whether one or more third activities are anomalous activities (detection module, identification module; identify a set of events) based, at least in part, on if the one or more third activities (Group anomaly module 528; identify group anomalies, group anomaly module 528 may compute the distance of a group from the group reference; in addition, distant scores may be converted into classification labels based on a predetermined threshold; group anomalies may then be detected; col. 10, lines 15-62 ) comprise activities not included in the set of accepted activities (autoencoder module 106 may prepare information collected by identification module 104 for evaluation by an autoencoder; autoencoder module 106 may group raw events by session ID and then may extract features from the raw event data; col. 8, lines 14-56; col. 11, lines 26-52; col. 12, lines 1-46). Therefore, it would have been obvious to one of ordinary skill in the art, at the time the invention was made to apply the technique of Kuppa to the modified system of Beser and Humphrey in order to provide a method for detecting anomalous behavior within computing sessions.
Allowable Subject Matter
Claims 5, 10, 20, 23-27 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MARCEAU MILORD whose telephone number is (571)272-7853. The examiner can normally be reached 10-6.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CHARLES APPIAH can be reached on 571-2727904. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MARCEAU  MILORD
Examiner
Art Unit 2641



/MARCEAU MILORD/Primary Examiner, Art Unit 2641