DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This communication is in response to the application filed on 10/20/2020. Claims 1-20 are currently pending.
Suggestions on how to overcome any objection(s) and rejection(s) raised in this office action are found at the end of such sections. 

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 15-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter.
Regarding claim 15, the several electronic devices that are recited are basically defined by their function, without any recitation of hardware as part of the devices. In other words, the devices are implemented by software alone, which can be interpreted as software per se. Therefore, the claim does not fall within at least one of the four categories of patent eligible subject matter and is rejected under 35 U.S.C. 101.
Regarding claim 16, by virtue of its dependency on claim 15 and its failure to cure the deficiency of claim 15, in that it does not recite any hardware, the claim is also rejected under 35 U.S.C. 101.
Regarding claim 17, there is no recitation of any hardware in the claim and, as such, it is also interpreted as software per se, which does not fall within at least one of the four statutory categories of patent eligible subject matter. The claim is also rejected under 35 U.S.C. 101.
Regarding claim 18, there is a recitation of a machine learning model, which is also software per se. The claim is therefore rejected under 35 U.S.C. 101.
Regarding claim 19, there is no recitation of hardware in the claim that can cure the deficiency of claim 15, upon which it depends, and as such it is also rejected under 35 U.S.C. 101.
Regarding claim 20, there is no indication of a hardware device that performs its limitations, which makes the claim software per se, which does not fall within at least one of the four statutory categories of patent eligible subject matter; it is also rejected under 35 U.S.C. 101.
Applicant is therefore advised to address these observations with a view to making appropriate amendments to cure the deficiency. 
 
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by U.S. PGPub. No. 20200296124 to Pratt et al. (hereinafter Pratt).

Regarding claim 1, Pratt discloses a computer-implemented method comprising:
 receiving a request to detect anomalies (“FIG. 19 is a flow diagram describing an example process 2300 for detecting anomalies using machine learning algorithms. Process 2300 begins at step 2302 with receiving event data 2280 indicative of activity by a particular entity associated with an information technology environment”, ¶0237, Fig. 19), 
using an anomaly detection service (analysis module (830), ¶0133-¶0145, Figs. 7 and 8), in time series data (“…time-series analysis (e.g., number of log-ins per hour)”, ¶0149) using one or more machine learning models (“machine learning models”, ¶0133-¶0145, Figs. 7 and 8); 
configuring the anomaly detection service by: 
determining a time series metric to evaluate (“…number of log-ins per hour….”, ¶0149), 
generating a configuration (configuration by the model state, ¶0202, see also ¶0213 wherein the state model configures a model deliberation thread to process event feature sets into security-related conclusions such as security anomalies, etc. mentioned in ¶0202), for the anomaly detection service based on one or more of: the request, the time series data (“the data intake and preparation stage can process, in real-time, the raw machine data as it is received”, ¶0203), a type of anomaly to detect (“a machine learning model can be a label used to refer to the group of model states that are specifically trained by a specific type of anomalies and applied to that type of anomalies” ¶0224), and domain knowledge metadata (“metadata associated with the raw machine data”, ¶0203),
wherein the configuration identifies at least one particular machine learning model of the one or more machine learning models (“…“instantiating” a model refers to instantiating the model deliberation process thread 1608 for a particular version of a machine learning model”, ¶0224, note: the deliberation process (“deliberation can include scoring input data according to a model deliberation process logic as configured by the model state”) of one or more machine learning models  or a version of a machine learning models begins in ¶0202), and 
configuring the anomaly detection service using the generated configuration (“The ML-based CEP engine 1500 instantiates a model deliberation process thread 1608 based on the model state…”, ¶0224); 
evaluating the time series data for an anomaly using the configured anomaly detection service by: 
ingesting the time series data (Data from data sources (802), ¶0126- ¶0127, Fig. 7, and “time series analysis”, ¶0149)
observing potentially anomalous behavior using the identified at least one particular machine learning model of the one or more machine learning models (“User behavior analysis” ¶0145-¶0150, and Fig. 9), 
aggregating the observed potentially anomalous behavior with other observed potentially anomalous behavior (¶0125, “anomalies detected using rule-based analysis can be input and combined with anomalies detected using the real time analyzer 710 or batch analyzer 740 to detect threat indicators or threats”, ¶0144 “As previously discussed, anomalies detected using rules based-analysis may be combined with anomalies detected using machine learning anomaly detection models (e.g. at real time analysis module 830 or batch analysis module 882)”),
and generating an anomaly indication (“The process continues with generating anomaly data 2282 indicative of the anomalies in response to the detection” ¶0232), when an amount aggregated observed potentially anomalous behaviors exceeds a threshold (¶0240 “Process 2300 continues at step 2308 with outputting an indicator of a particular anomaly if the anomaly score satisfies a specified criterion (e.g., exceeds a threshold)”);
and providing the anomaly to a user (¶0071 “In addition to outputting anomalies for acquisition by system 122, at step 178 the rules-based network security system 124 may output anomalies for display to a user 164, for example, via GUI 162”).

Regarding claim 2, Pratt discloses the computer-implemented method of claim 1, wherein the type of anomaly to detect is one of a threshold-based anomaly, a missing data anomaly, and a changepoint anomaly (“dynamic thresholding analysis with periodicity patterns at several scales”, “change-point detection via maximum-a-posteriori-probability (MAP) modeling”, ¶0208).
 
Regarding claim 3, Pratt discloses the computer-implemented method of claim 1, wherein the time series data (“event data”, ¶0068) is ingested from a metrics service of a provider network (“services by one or more service providers”, ¶0068). Atty. Docket No.: 1030P70687US 21

Regarding claim 4, Pratt discloses a computer-implemented method comprising:
receiving a request to detect anomalies (“FIG. 19 is a flow diagram describing an example process 2300 for detecting anomalies using machine learning algorithms. Process 2300 begins at step 2302 with receiving event data 2280 indicative of activity by a particular entity associated with an information technology environment”, ¶0237, Fig. 19), 
using an anomaly detection service (analysis module (830), ¶0133-¶0145, Figs. 7 and 8), 
in time series data (“…time-series analysis (e.g., number of log-ins per hour)”, ¶0149) using one or more detectors (“machine learning models”, ¶0133-¶0145, Figs. 7 and 8); 
configuring the anomaly detection service by: 
generating a configuration (configuration by the model state, ¶0202, see also ¶0213 wherein the state model configures a model deliberation thread to process event feature sets into security-related conclusions such as security anomalies, etc. mentioned in ¶0202) for the anomaly detection service based on at least in part on one or more of the request, the time series data (“the data intake and preparation stage can process, in real-time, the raw machine data as it is received”, ¶0203), and metadata (“metadata associated with the raw machine data”, ¶0203),
  
wherein the configuration identifies at least one particular detector of the one or more detectors (“…“instantiating” a model refers to instantiating the model deliberation process thread 1608 for a particular version of a machine learning model”, ¶0224,  note: the deliberation process (“deliberation can include scoring input data according to a model deliberation process logic as configured by the model state”) of one or more machine learning models  or a version of a machine learning models begins in ¶0202), 
and configuring the anomaly detection service using the generated configuration (“The ML-based CEP engine 1500 instantiates a model deliberation process thread 1608 based on the model state…”, ¶0224);  


evaluating the time series data for an anomaly using the configured anomaly detection service by: ingesting the time series data (Data from data sources (802), ¶0126- ¶0127, Fig. 7, and “time series analysis”, ¶0149), 
observing potentially anomalous behavior using the identified at least one particular detector of the one or more detectors (“User behavior analysis” ¶0145-¶0150, and Fig. 9), 
 
and generating an anomaly indication (“The process continues with generating anomaly data 2282 indicative of the anomalies in response to the detection” ¶0232); 
and providing the anomaly indication to a user (“In addition to outputting anomalies for acquisition by system 122, at step 178 the rules-based network security system 124 may output anomalies for display to a user 164, for example, via GUI 162”, ¶0071).  

Regarding claim 5, Pratt discloses the computer-implemented method of claim 4, wherein the time series data (“event data”, ¶0068) is ingested from a metrics service of a provider network (“services by one or more service providers”, ¶0068).

Regarding claim 6, Pratt discloses the computer-implemented method of claim 4, wherein the type of anomaly to detect is one of a threshold-based anomaly, a missing data anomaly, and a changepoint anomaly (“dynamic thresholding analysis with periodicity patterns at several scales”, “change-point detection via maximum-a-posteriori-probability (MAP) modeling”, ¶0208).

Regarding claim 7, Pratt discloses the computer-implemented method of claim 4, wherein the identified at least one particular detector of the one or more detectors is one of a machine learning model, rules-based, or statistics-based (“machine-learning based network security system 122” ¶0068, “rules-based network security system 124.” ¶0067, and Fig. 1B).

Regarding claim 8, Pratt discloses the computer-implemented method of claim 4, further comprising:
aggregating the observed potentially anomalous behavior with other observed potentially anomalous behavior (¶0125, “anomalies detected using rule-based analysis can be input and combined with anomalies detected using the real time analyzer 710 or batch analyzer 740 to detect threat indicators or threats”, ¶0144 “As previously discussed, anomalies detected using rules based-analysis may be combined with anomalies detected using machine learning anomaly detection models (e.g. at real time analysis module 830 or batch analysis module 882)”),
and only generating an anomaly indication when an amount aggregated observed potentially anomalous behaviors exceeds a threshold (“threshold”, ¶0240).  

Regarding claim 9, Pratt discloses the computer-implemented method of claim 4, further comprising: annotating the anomaly to provide insight as to why the anomaly was generated (“The events or anomalies output for display via GUI 162 can also be annotated based on the identity resolution data. The identity resolution data can provide the user 164 with additional information on which to base network security decisions and to develop additional anomaly detection rules”, ¶0074, See also ¶0122).

Regarding claim 10, Pratt discloses the computer-implemented method of claim 4, further comprising: raising an alarm for the anomaly (“alarm”, ¶0134).

Regarding claim 11, Pratt discloses the computer-implemented method of claim 4, wherein the request includes one or more of: an indication of a source of time series data to evaluate (“time series database 870”, ¶0137), a location of where to put detected anomalies (“GUI 162”, ¶0071), see also ¶0253 for an indication of a type of anomaly to detect, and an indication of a period for evaluation.

Regarding claim 12, Pratt discloses the computer-implemented method of claim 4, further comprising: configuring the anomaly detection service by: determining a time series metric to evaluate (“…the use case described in FIG. 23 involves a process that begins with determining a measure (e.g. a count) of anomalies associated with a particular entity of the an information technology environment….”, ¶0258. See also ¶0049), generating a configuration for the anomaly detection service (“configuration file”, ¶0130), based on one or more of: the request (“various request” ¶0081), the time series data (“time series data” ¶0049), a type of anomaly to detect (“type of anomaly” ¶0272), and domain knowledge metadata (“metadata fields” ¶0101),
wherein the configuration identifies at least one particular detector of the one or more detectors (“The ML-based CEP engine continuously receives new incoming event feature sets and reacts to each new incoming event feature set by processing it through at least one machine learning model”, ¶0202), 
and configuring the anomaly detection service using the generated configuration (“The ML-based CEP engine trains and retrains (e.g., updates) the machine learning models in real-time...”, ¶0204).  

Regarding claim 13, Pratt discloses the computer-implemented method of claim 4, further comprising: receiving feedback and reconfiguring the anomaly detection service based on the received feedback (“The operator feedback information (e.g., whether an alarm is accurate or false) may be employed to update the model to improve future evaluation” ¶0134, see also ¶0070).

Regarding claim 14, Pratt discloses the computer-implemented method of claim 13, wherein the anomaly indication includes at least one of a score to indication how different the potentially anomalous behavior was from an expected behavior (…“an unexpected and (mostly) periodic fashion”, ¶0178), event information including a start and a stop time (“a starting time and an end time”, ¶0262), and a type of anomaly detected (“particular model type configured to detect a particular category of anomalies based on received events”, ¶0238).

Regarding claim 15, Pratt discloses a system comprising: a first one or more electronic devices to provide time series data (“event data”, ¶0126) to be analyzed for anomalies;
a second one or more electronic devices to implement an anomaly detection service in a multi-tenant (“client applications”, “host applications”, ¶0079) provider network (“service provider”, ¶0079),
the anomaly detection service including instructions that upon execution cause the anomaly detection service to: 
receive a request to detect anomalies (“FIG. 19 is a flow diagram describing an example process 2300 for detecting anomalies using machine learning algorithms. Process 2300 begins at step 2302 with receiving event data 2280 indicative of activity by a particular entity associated with an information technology environment”, ¶0237, Fig. 19), using an anomaly detection service (analysis module (830), ¶0133-¶0145, Figs. 7 and 8), in time series data (“…time-series analysis (e.g., number of log-ins per hour)”, ¶0149) using one or more detectors (“machine learning models”, ¶0133-¶0145, Figs. 7 and 8);
 configure the anomaly detection service by: 
generating a configuration (configuration by the model state, ¶0202, see also ¶0213 wherein the state model configures a model deliberation thread to process event feature sets into security-related conclusions such as security anomalies, etc. mentioned in ¶0202), for the anomaly detection service based on at least in part on one or more of the request, the time series data (“the data intake and preparation stage can process, in real-time, the raw machine data as it is received”, ¶0203), and metadata (“metadata associated with the raw machine data”, ¶0203),
wherein the configuration identifies at least one particular detector of the one or more detectors (“…“instantiating” a model refers to instantiating the model deliberation process thread 1608 for a particular version of a machine learning model”, ¶0224,  note: the deliberation process (“deliberation can include scoring input data according to a model deliberation process logic as configured by the model state”) of one or more machine learning models  or a version of a machine learning models begins in ¶0202),
and configuring the anomaly detection service using the generated configuration (“The ML-based CEP engine 1500 instantiates a model deliberation process thread 1608 based on the model state…”, ¶0224);  

evaluate the time series data for an anomaly using the configured anomaly detection service by: 
ingesting the time series data (Data from data sources (802), ¶0126- ¶0127, Fig. 7, and “time series analysis”, ¶0149), 
observing potentially anomalous behavior using the identified at least one particular detector of the one or more detectors (“User behavior analysis” ¶0145-¶0150, and Fig. 9), 
 and generating an anomaly indication (“The process continues with generating anomaly data 2282 indicative of the anomalies in response to the detection” ¶0232); 
and provide the anomaly indication to a user (“In addition to outputting anomalies for acquisition by system 122, at step 178 the rules-based network security system 124 may output anomalies for display to a user 164, for example, via GUI 162”, ¶0071).  

Regarding claim 16, Pratt discloses the system of claim 15, wherein the time series data (“event data”, ¶0068) is ingested from a metrics service of a provider network (“services by one or more service providers”, ¶0068).

Regarding claim 17, Pratt discloses the system of claim 15, wherein the type of anomaly to detect is one of a threshold-based anomaly, a missing data anomaly, and a changepoint anomaly (“dynamic thresholding analysis with periodicity patterns at several scales”, “change-point detection via maximum-a-posteriori-probability (MAP) modeling”, ¶0208).

Regarding claim 18, Pratt discloses the system of claim 15, wherein the identified at least one particular detector of the one or more detectors is one of a machine learning model, rules-based, or statistics-based (“machine-learning based network security system 122” ¶0068, “rules-based network security system 124.” ¶0067, and Fig. 1B).

Regarding claim 19, Pratt discloses the system of claim 15, wherein the anomaly detection service is further to raise an alarm for the anomaly (“alarm”, ¶0134).

Regarding claim 20, Pratt discloses the system of claim 15, wherein the request includes one or more of: an indication of a source of time series data to evaluate (“time series database 870”, ¶0137), a location of where to put detected anomalies (“GUI 162”, ¶0071), see also ¶0253 for an indication of a type of anomaly to detect, and an indication of a period for evaluation.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: U.S. PGPub. Nos. 20220207434 and 20210319179, and U.S. Pat. No. 10931692.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUDASIRU K OLAEGBE whose telephone number is (571)272-2082. The examiner can normally be reached MON-FRI. 7.30AM-5.30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 5712723739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MUDASIRU K OLAEGBE/Examiner, Art Unit 2495        

/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495