DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. Claims 1-20 are pending in this application.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Specification
The title of the invention is not descriptive.  A new title is required that is clearly indicative of the invention to which the claims are directed. 

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 11,379,453, US Application No. 16/801,686. Although the claims at issue are not identical, they are not patentably distinct from each other because the currently filed claims of the instant invention are broader in scope than the previously patented claims and are anticipated by the patented invention.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Application No. 16/801686. Although the claims at issue are not identical, they are not patentably distinct from each other because the currently filed claims of the instant invention are broader in scope than the co-pending claims and are anticipated by the narrower claims of the co-pending invention.

Examiner Note - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 11-20 are drawn to functional descriptive material recorded on a “computer program product comprising a computer readable storage medium having a computer readable program stored”.  Normally, the claim would be statutory.  In accordance with the written disclosure, the broadest reasonable interpretation of a claim drawn to a “computer readable storage medium” excludes forms of transitory propagating signals per se as exemplified in paragraph [0034], making the recited claim language compliant under 35 U.S.C. 101 as being directed towards statutory subject matter.  

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Dodson et al. (US PGPub US 2018/0316707 A1, hereby referred to as “Dodson”).
Consider Claims 1, 11 and 20.
Dodson teaches: 
1. A method, in a data processing system comprising at least one processor and at least one memory, the memory comprising instructions executed by the at least one processor to cause the at least one processor to implement an ensemble of unsupervised machine learning (ML) models, the method comprising: / 11. A computer program product comprising a computer readable storage medium having a computer readable program stored therein, wherein the computer readable program, when executed on a computing device, causes the computing device to be specifically configured to implement an ensemble of unsupervised machine learning (ML) models and to: / 20. An apparatus comprising: at least one processor; and at least one memory coupled to the at least one processor, wherein the at least one memory comprises instructions which, when executed by the at least one processor, cause the at least one processor to be specifically configured to implement an ensemble of unsupervised machine learning (ML) models and to:  (Dodson: abstract, Clustering and outlier detection in anomaly and causation detection for computing environments is disclosed. [0024] Fig. 1 is a high level schematic diagram of an exemplary computing architecture. [0025]- [0026] In one embodiment, the system 105 comprises a processor 115 and memory 120 for storing instructions. The memory 120 can include an input stream interface module 125, an input stream parser module 130, an anomaly detection module 135, a counterfactual processing module 140, and a remediation module 145. [0028] In some embodiments, using unsupervised machine learning, the exemplary system 105 can evaluate the data instances over time to detect anomalous behavior.)
1. processing, by the ensemble of unsupervised ML models, a portion of input data to generate an ensemble output; / 11. process, by the ensemble of unsupervised ML models, a portion of input data to generate an ensemble output; / 20. process, by the ensemble of unsupervised ML models, a portion of input data to generate an ensemble output; (Dodson: [0027]-[0028] In some embodiments, using unsupervised machine learning, the exemplary system 105 can evaluate the data instances over time to detect anomalous behavior. [0029], [0053], Figure 2)
1. outputting the ensemble output to an authorized user computing device to obtain user feedback from the authorized user via the user computing device, wherein the user feedback indicates a correctness of the ensemble output; / 11. output the ensemble output to an authorized user computing device to obtain user feedback from the authorized user via the user computing device, wherein the user feedback indicates a correctness of the ensemble output; / 20. output the ensemble output to an authorized user computing device to obtain user feedback from the authorized user via the user computing device, wherein the user feedback indicates a correctness of the ensemble output; (Dodson: [0028] In one embodiment, user feedback can be incorporated into an anomaly score via supervised machine learning techniques, or at least partially supervised or a mixture that is based on how unusual the deviation/anomaly is relative to models of historical behavior of the system 105, as well as how it compares to other anomaly instances that have been indicated as important. [0031] In various embodiments, each data instance is comprised of at least one principle value that represents an aspect or object of the computing environment that is to be measured for anomalies. Non-limiting examples of principle values include network traffic volume, memory access and/or usage, processor usage rates, file transfer, file access, device access, and so forth. In various embodiments, the at least one principle values selected can be a subset of all available principle values in the data instances. The principle values selected for the data instances can be user-selected or user-defined, or can be based on prior knowledge, such as prior instances of anomalous network activity.) 
1. modifying at least one feature of the ensemble of unsupervised ML models based on the obtained user feedback to thereby generate a modified ensemble of unsupervised ML models; / 11. modify at least one feature of the ensemble of unsupervised ML models based on the obtained user feedback to thereby generate a modified ensemble of unsupervised ML models; / 20. modify at least one feature of the ensemble of unsupervised ML models based on the obtained user feedback to thereby generate a modified ensemble of unsupervised ML models; (Dodson: [0031] In various embodiments, each data instance is comprised of at least one principle value that represents an aspect or object of the computing environment that is to be measured for anomalies. Non-limiting examples of principle values include network traffic volume, memory access and/or usage, processor usage rates, file transfer, file access, device access, and so forth. In various embodiments, the at least one principle values selected can be a subset of all available principle values in the data instances. The principle values selected for the data instances can be user-selected or user-defined, or can be based on prior knowledge, such as prior instances of anomalous network activity.)
1. and processing subsequent portions of input data using the modified ensemble of unsupervised ML models. / 11. and process subsequent portions of input data using the modified ensemble of unsupervised ML models. / 20. and process subsequent portions of input data using the modified ensemble of unsupervised ML models. (Dodson: [0034] When the input stream is received, the exemplary input stream parser module 130, shown in the example in FIG. 1, may be executed to separate or parse the input stream into data instances that are ordered in time. That is, in various embodiments, the data instances are collected over a period of time and time stamped as noted above. The input stream parser module 130 can determine the influence that instances of the collected data have on the computing environment using the principle values v (or at least one principle value) and corresponding set of categorical attributes [a_i^j]. In various embodiments, the input stream parser module 130 considers the data as a collection {d_i = (v_i, a_i^1, a_i^2, ..., a_i^n)}, where data represented by { } includes a set. Again, using the example above, a principle value v is log on time and two categorical attributes a_i^1 ∈ {jim, jill, greg}, which are indicative of users and a_i^2 ∈ {home, work}, which are indicative of a location. Additional or fewer categorical attributes can be considered. In various embodiments, the input stream parser module 130 converts the principle value and categorical attributes into a collection of sets (8:50 am, jim, work); (7:40 am, jill, work); and (6:45 pm, greg, home). Other similar tuples can be created for other types of data sets, and can include a combination of numerical and/or non-numerical values. [0035]-[0041], Figures 1-2)

Consider Claim 2/12. Dodson teaches: 2. The method of claim 1, further comprising: updating at least one performance metric associated with at least one unsupervised ML model in the ensemble based on the user feedback, wherein the at least one performance metric represents at least an accuracy of the at least one unsupervised ML model. / 12. The computer program product of claim 11, wherein the computer readable program further causes the computing device to: update at least one performance metric associated with at least one unsupervised ML model in the ensemble based on the user feedback, wherein the at least one performance metric represents at least an accuracy of the at least one unsupervised ML model. (Dodson: [0052] In sum, the present disclosure provides various embodiments of systems and methods to detect anomalies within computing environments and deduce the cause or causes of those anomalies. The systems and methods can detect unusual events, rates, metrics and so forth for any computing environment. [0135]- The system creates a vocabulary of transforms to allow for construction of multiple sensible features for the data in a scalable way. As well as aggregations of metric values, these would include word frequencies, character frequencies, and so forth. [0136] The system then allows users to create feature vectors by concatenation of individual features. [0146] The present disclosure presents scalable fast versions of random projection clustering and agglomerative clustering that operate on sketches of the data obtained by combining nearby points into a collection of summary statistics. These statistics are chosen so the system can compute the appropriate distance metrics for the collections of points the summary statistics represent.)

Consider Claim 3/13. Dodson teaches: 3. The method of claim 1, wherein the at least one feature of the ensemble is a membership of unsupervised ML models in the ensemble, and wherein modifying the at least one feature comprises removing a first unsupervised ML model from the ensemble in response to a performance metric associated with the first unsupervised ML model meeting a predetermined criterion. / 13. The computer program product of claim 11, wherein the at least one feature of the ensemble is a membership of unsupervised ML models in the ensemble, and wherein modifying the at least one feature comprises removing a first unsupervised ML model from the ensemble in response to a performance metric associated with the first unsupervised ML model meeting a predetermined criterion. (Dodson: [0043] Using the aforementioned algorithms and the separation of data instances by their categorical attributes, the exemplary counterfactual processing module 140 may selectively remove portions of the data instances corresponding to each categorical attribute, recalculate the anomaly scores, and determine if removal of the categorical attributes reduces or removes the anomaly. If removal does reduce or remove the anomaly, it can be determined that the object of the computing environment responsible for producing the removed categorical attributes is likely a source (could be one of many) for the anomaly. This process, in various embodiments, does not categorize the detection of an anomaly as a malicious or nefarious event, but instead detects the anomaly and flags associated portions of the computing environment for further consideration or review. [0044])

Consider Claim 4/14. Dodson teaches: 4. The method of claim 3, wherein modifying the at least one feature further comprises replacing the first unsupervised ML model with a second unsupervised ML model different from the first unsupervised ML model. / 14. The computer program product of claim 13, wherein modifying the at least one feature further comprises replacing the first unsupervised ML model with a second unsupervised ML model different from the first unsupervised ML model. (Dodson: [0028]- [0029] The use of unsupervised machine learning in various embodiments allows the system 105 to evaluate only the data instances available and examine these data instances for anomalous behavior in a self-referential manner. That is, in various embodiments, the data instances are modeled for the time period for which data instances are collected and these data instances are used without referencing pre-generated behavior profiles or other similar profiles. The use of pre-generated behavior profiles may be advantageous in some embodiments, if available, but these profiles are not required. Examiner Note: Dodson’s disclosure inherently allows for multiple models and behavior profiles to be leveraged for machine learning. [0030] Changes in data instances over time can be flagged as anomalous if the changes have a magnitude that is unexpected. The exemplary system 105 need not rely on rigid thresholds or rules for determining if changes in the data instances are anomalous, but such information can be used to confirm or validate the anomaly. In some embodiments, the system 105 can calculate a probability of a current behavior based on historical behavior, where low probability events are classified as anomalies. [0051] Once an anomaly has been detected and a cause or causes isolated, the remediation module 145 may be executed to remediate the cause or causes in some embodiments.
In various embodiments, the specific methods by which the remediation module 145 remediates a cause are highly dependent upon the type of anomaly detected. For example, if the anomaly includes a high rate of access to a particular database, the remediation module 145 may restrict access privileges for the database until the anomaly is reviewed. If the anomaly is unusually frequent file transfers (e.g., exfiltration) of high volumes of data outside a protected network, the remediation module 145 may restrict file transfers by specifically identified machines in the network. This could occur through changing firewall policies or preventing access to any external network by the machines.)

Consider Claim 5/15. Dodson teaches: 5. The method of claim 1, wherein the at least one feature of the ensemble is one of a weight associated with a first unsupervised ML model in the ensemble, and wherein modifying the at least one feature comprises increasing the weight associated with the first unsupervised ML model by a first modification amount in response to the user feedback indicating that the first unsupervised ML model generated a correct output, or decreasing the weight associated with the first unsupervised ML model by a second modification amount in response to the user feedback indicating that the first unsupervised ML model generated an incorrect output. / 15. The computer program product of claim 11, wherein the at least one feature of the ensemble is one of a weight associated with a first unsupervised ML model in the ensemble, and wherein modifying the at least one feature comprises increasing the weight associated with the first unsupervised ML model by a first modification amount in response to the user feedback indicating that the first unsupervised ML model generated a correct output, or decreasing the weight associated with the first unsupervised ML model by a second modification amount in response to the user feedback indicating that the first unsupervised ML model generated an incorrect output. (Dodson: [0096] In one or more embodiments, the method includes a step 610 of associating a weight, where each pair comprises a projection and a normalized measure of an outlier factor and using these to generate an overall measure of outlier-ness. [0147] This sort of functionality can be achieved using a weighted graph whose vertices comprise the items to cluster and whose edges connect pairs of vertices corresponding to items which are in the same cluster at least once and whose weights are equal to the count of clusters in which they co-occur. For example, components of this graph, i.e. with no edges between them, are fully consistent clusters of the data. Nearly consistent clusters in the data correspond to the components after removing all edges with weight less than a specified value. For any given clustering the system can use this graph to define a measure of the degree to which each point consistently belongs to its cluster as the average weight of edges to that cluster.)

Consider Claim 6/16. Dodson teaches: 6. The method of claim 5, wherein at least one of the first modification amount or the second modification amount is determined based on a function of a confidence score, generated by the first unsupervised ML model, in association with an output generated by the first unsupervised ML model. / 16. The computer program product of claim 15, wherein at least one of the first modification amount or the second modification amount is determined based on a function of a confidence score, generated by the first unsupervised ML model, in association with an output generated by the first unsupervised ML model.  (Dodson:[0059]-[0061], Figure 3, [0059] FIG. 3 is a flowchart of an example method 300 of counterfactual analysis, which is an example embodiment of the identifying step 220 in FIG. 2.  [0100] In one or more embodiments, feature scores calculated for grouped data instances can be compared against thresholds to identify anomalous behavior in order to perform methods of anomaly detection. For example, a threshold can include an upper bounding threshold where feature values at or above the threshold are indicative of anomalous behavior, or a lower bounding threshold where feature values at or below the threshold are indicative of anomalousness. [0101] Also, it will be reiterated that the anomaly detection is performed subsequent to outlier/singularity detection and grouping steps described herein. Thus, it will be understood that in some embodiments, a feature score is calculated for one or more of the features in a multi-dimensional feature set. These feature scores are compared against the anomaly thresholds in order to identify anomalies. [0102] In some embodiments, the anomaly detection and threshold comparison may apply to multi-dimensional attribute sets that are included in time-series data instances)

Consider Claim 7/17. Dodson teaches: 7. The method of claim 5, wherein at least one of the first modification amount or the second modification amount is a predetermined incremental amount. / 17. The computer program product of claim 15, wherein at least one of the first modification amount or the second modification amount is a predetermined incremental amount. (Dodson: [0096] In one or more embodiments, the method includes a step 610 of associating a weight, where each pair comprises a projection and a normalized measure of an outlier factor and using these to generate an overall measure of outlier-ness. [0147] This sort of functionality can be achieved using a weighted graph whose vertices comprise the items to cluster and whose edges connect pairs of vertices corresponding to items which are in the same cluster at least once and whose weights are equal to the count of clusters in which they co-occur. For example, components of this graph, i.e. with no edges between them, are fully consistent clusters of the data. Nearly consistent clusters in the data correspond to the components after removing all edges with weight less than a specified value. For any given clustering the system can use this graph to define a measure of the degree to which each point consistently belongs to its cluster as the average weight of edges to that cluster. Examiner Note: the use of a weighted graph is incremental by nature)

Consider Claim 8/18. Dodson teaches: 8. The method of claim 1, further comprising: generating a partially labeled dataset based on a selected subset of entries in the input data for which user feedback is received, and other unlabeled data in the input data; performing, by a semi-supervised machine learning model, a similarity analysis of the unlabeled data in the partially labeled dataset with entries in the selected subset of entries; and propagating, by the semi-supervised machine learning model, labels of the selected subset of entries to the other unlabeled data based on results of the similarity analysis to thereby generate a fully labeled dataset. / 18. The computer program product of claim 11, wherein the computer readable program further causes the computing device to: generate a partially labeled dataset based on a selected subset of entries in the input data for which user feedback is received, and other unlabeled data in the input data; perform, by a semi-supervised machine learning model, a similarity analysis of the unlabeled data in the partially labeled dataset with entries in the selected subset of entries; and propagate, by the semi-supervised machine learning model, labels of the selected subset of entries to the other unlabeled data based on results of the similarity analysis to thereby generate a fully labeled dataset. (Dodson: [0044], [0048] For other types of set functions , for example, where the presence of a single example data instance can cause an anomaly of a similar score, then the system 105 may use a regularity approach for understanding causation (i.e. "B causes C" if "whenever B occurs C occurs"). 
More specifically, it is known that the categorical attribute a_i^j influences an anomaly score of a bucket B_k if the output of an anomaly detection algorithm (i.e., score of the bucket) is roughly the same in all alternative worlds (such as removing any subset of the data instances which are not labeled with a_i^j) in which all the data instances labeled a_i^j exist (e.g., whenever B occurred, C also occurred). [0090] While this method can be used to support anomaly detection, it will be understood that the methods of extracting outliers and singularities in data instances are to be understood as being separate from methods of anomaly detection in some instances. That is, the methods of determining and extracting outliers and singularities in data instances are fully capable of being used in conjunction with methods of anomaly detection, but are also fully capable of being used without consideration of anomaly detection, such as in e-commerce embodiments described herein. Thus, the various embodiments disclosed herein can be used independently of anomaly detection. For example, the outlier detection methods herein can be applied to many use cases outside of digital security and machine data. For example, methods of extracting outliers and singularities can be used for an e-commerce website where a user may want to segment customers (via clustering) according to behavior for marketing purposes, or the user may desire to identify fraudulent financial transactions in bank records, and so forth. [0091] FIG. 6, referred to briefly, is a flowchart of an example process of point outlier detection with respect to multi-dimensional attribute sets. [0098], [0148])

Consider Claim 9/19. Dodson teaches: 9. The method of claim 8, further comprising: identifying, in the fully labeled dataset, a subset of labeled data having corresponding labels indicating that the data is to be output to a user computing system; and outputting the subset of labeled data to the user computing device./ 19. The computer program product of claim 18, wherein the computer readable program further causes the computing device to: identify, in the fully labeled dataset, a subset of labeled data having corresponding labels indicating that the data is to be output to a user computing system; and output the subset of labeled data to the user computing device. (Dodson: [0091] FIG. 6, referred to briefly, is a flowchart of an example process of point outlier detection with respect to multi-dimensional attribute sets. [0098] Steps 602-610 culminate in a step 612 of generating and training of a rule based classifier that identifies outliers using the labeling generated by applying a threshold to the overall outlier-ness. After the creation of the rule based classifier, the method includes a step of applying the rule based classifier to the data instances to automatically determine outliers in the data instances. [0148] These same approach, discussed above in relation to outlier detection, can be used to provide an interpretable description of the clustering. In particular, the system can train an interpretable multiclass classifier to replicate the clustering from the labeling generated by that clustering.)

Consider Claim 10. Dodson teaches: The method of claim 9, wherein the subset of labeled data comprises labeled data whose labels indicate that the labeled data represents an anomaly, and wherein the user computing device is a security incident and event management (SIEM) computing system. (Dodson: [0090] While this method can be used to support anomaly detection, it will be understood that the methods of extracting outliers and singularities in data instances are to be understood as being separate from methods of anomaly detection in some instances. That is, the methods of determining and extracting outliers and singularities in data instances are fully capable of being used in conjunction with methods of anomaly detection, but are also fully capable of being used without consideration of anomaly detection, such as in e-commerce embodiments described herein. Thus, the various embodiments disclosed herein can be used independently of anomaly detection. For example, the outlier detection methods herein can be applied to many use cases outside of digital security and machine data. For example, methods of extracting outliers and singularities can be used for an e-commerce website where a user may want to segment customers (via clustering) according to behavior for marketing purposes, or the user may desire to identify fraudulent financial transactions in bank records, and so forth. [0091] FIG. 6, referred to briefly, is a flowchart of an example process of point outlier detection with respect to multi-dimensional attribute sets.)


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TAHMINA ANSARI whose telephone number is 571-270-3379.  The examiner can normally be reached on IFP Flex - Monday through Friday 9 to 5.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SUMATI LEFKOWITZ can be reached on 571-272-3638.  The fax phone numbers for the organization where this application or proceeding is assigned are 571-273-8300 for regular communications and 571-273-8300 for After Final communications. TC 2600’s customer service number is 571-272-2600.
Any inquiry of a general nature or relating to the status of this application or proceeding should be directed to the receptionist whose telephone number is 571-272-2600.




/Tahmina Ansari/

July 27, 2022

/TAHMINA N ANSARI/Primary Examiner, Art Unit 2662