Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
	This communication is in response to the application filed on 07/30/2020.
	Claims 1-20 are pending.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 12/29/2020, 04/02/2021, 07/01/2021, 11/05/2021 and 05/31/2022 are in compliance with the provisions of 37 C.F.R. § 1.97. Accordingly, the information disclosure statements are being considered by the examiner.
Claim Rejections - 35 U.S.C. § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 15-20 are rejected under 35 U.S.C. § 101 because they do not limit the one or more computer-readable media to non-transitory embodiments. Applicant’s specification also does not limit the one or more computer-readable media to non-transitory embodiments. Accordingly, claims 15-20 are directed to non-statutory subject matter and are rejected under 35 U.S.C. § 101.
Claim Objections
Claim 10 is objected to for minor informalities. Specifically, the claim currently ends with a semicolon and not a period. See MPEP 608.01(m), “Each claim begins with a capital letter and ends with a period”. Appropriate correction is required.
Claim Rejections - 35 U.S.C. § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. §§ 102 and 103 (or as subject to pre-AIA 35 U.S.C. §§ 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-4, 8, and 11-20 are rejected under 35 U.S.C. 102(a)(2) as anticipated by Thampy (Pub. No. US 2019/0068627 A1).

Regarding claim 1, Thampy teaches a system for mapping incident scores to a fixed range, comprising: one or more processors; and computer-readable media storing first computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising: receiving events data associated with events detected at host devices (Thampy Fig. 14 and ¶¶ [0271]-[0272], activity data is collected based on monitoring host devices/resources); determining incidents from the events detected during a time interval (Thampy Fig. 14 and ¶ [0272], incidents, such as file uploads or transfers, are determined during a time interval); determining incident scores associated with the incidents (Thampy Fig. 14 and ¶ [0271], number of occurrences is determined); determining, based at least in part on a distribution of incident scores, an estimated threshold beyond value (Thampy ¶ [0264], “the mapping engine 1330 can normalize the activity data 1302 to using one or more levels 1332. The levels 1332 can indicate thresholds of interest… ‘noise’ in the activity data 1302, such as small or statistically insignificant variations can be normalized into the coarse data 1334”, normalization creates a threshold beyond value; see also the formula in ¶ [0276], occurrences beyond a threshold of 15 are normalized to 10); determining a minimum quantile value for a threshold estimation (Thampy Fig. 15 and ¶¶ [0276]-[0277], activity is normalized where the lower level of occurrences, such as 0, is the minimum quantile value); determining a maximum quantile value for the threshold estimation (Thampy Fig. 15 and ¶¶ [0276]-[0277], activity is normalized where the higher level of occurrences is the maximum quantile value); determining quantile steps between the minimum quantile value and the maximum quantile value for the threshold estimation (Thampy ¶ [0277], “more levels can be used, as needed to obtain a useful generalization of activity data. For example, for the activity data plotting in FIG. 14, levels of 0, 5, and 15 could alternatively have been used”); determining a number of bins to map the incident scores and mapping the incident scores to bins (Thampy ¶ [0276], see the formula for mapping incident scores to three bins; see also Fig. 16B and ¶ [0282], regarding extracting four patterns A-D [bins] from the activity data).

Regarding claim 2, Thampy teaches the system of claim 1. Thampy furthermore teaches determining an incident score is below a first quantile value and mapping the incident score to a first bin (Thampy ¶ [0276], see the formula for 3 bins for mapping incident scores; see also Fig. 16B and ¶ [0282], regarding extracting four patterns A-D from the activity data).

Regarding claim 3, Thampy teaches the system of claim 1. Thampy furthermore teaches the operations further comprising: determining an incident score is greater than a last quantile threshold; and mapping the incident score to a last bin (Thampy ¶ [0276], see the formula for 3 bins for mapping incident scores; see also Fig. 16B and ¶ [0282], regarding extracting four patterns A-D from the activity data).

Regarding claim 4, Thampy teaches the system of claim 1. Thampy furthermore teaches the operations further comprising: determining an incident score is above a first quantile value; determining an incident associated with the incident score indicates malicious events (Thampy Abstract, anomalous activity is identified; see also ¶ [0240], risk score is computed and a high risk score indicates malicious activity); and determining to perform a remediation step based at least in part on the malicious events (Thampy ¶ [0242], remediation is performed in response to detection of a malicious event).

Regarding claim 8, Thampy teaches a method, comprising: receiving incident scores associated with incidents detected during a time interval at a plurality of host devices (Thampy Fig. 14 and ¶¶ [0271]-[0272], activity data is collected based on monitoring host devices/resources, number of occurrences of incidents, such as file uploads or transfers, are determined during a time interval); determining, based at least in part on a distribution of the incident scores, an estimated threshold beyond (Thampy ¶ [0264], “the mapping engine 1330 can normalize the activity data 1302 to using one or more levels 1332. The levels 1332 can indicate thresholds of interest… ‘noise’ in the activity data 1302, such as small or statistically insignificant variations can be normalized into the coarse data 1334”, normalization creates a threshold beyond value – see also formula in ¶ [0276], occurrences beyond a threshold of 15 are normalized to 10); determining a minimum quantile value and a maximum quantile value for a threshold estimation (Thampy Fig. 15 and ¶¶ [0276]-[0277], activity is normalized where the lower level of occurrences, such as 0, is the minimum quantile value and the higher level of occurrences is the maximum quantile value); determining steps between the minimum quantile value and the maximum quantile value for the threshold estimation (Thampy ¶ [0277], “more levels can be used, as needed to obtain a useful generalization of activity data. For example, for the activity data plotting in FIG. 14, levels of 0, 5, and 15 could alternatively have been used”); determining a number of bins to map the incident scores and determining a range of threshold scores for mapping the incident scores to bins (Thampy ¶ [0276], see the formula for mapping incident scores to three bins; see also Fig. 16B and ¶ [0282], regarding extracting four patterns A-D [bins] from the activity data).
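The quantile-threshold and binning steps recited in claims 1-3 and 8 above, worked through in code. This is an added illustration constructed for this page; it is not code from the application, from Thampy, or from any other reference of record. The function names, the linear-interpolation quantile convention, the ten-score sample, and the reading of the "threshold beyond" value as the score at the maximum quantile (with higher scores clamped to it, in the manner of Thampy's normalization of occurrences beyond 15 to a single level) are assumptions made here.

```python
"""Quantile-based threshold estimation and binning of incident scores.

Constructed illustration (not the application's or Thampy's code) of the
procedure recited in claims 1-3 and 8: choose a minimum and a maximum
quantile, take evenly spaced quantile steps between them, turn those
quantiles of the observed score distribution into thresholds, and map every
score to a bin. Scores below the first threshold land in bin 0 (claim 2);
scores at or above the last threshold land in the last bin (claim 3).
"""
from typing import List, Sequence, Tuple


def quantile(sorted_scores: Sequence[float], q: float) -> float:
    """Quantile of an ascending-sorted sequence, interpolating linearly
    between order statistics (the same convention as numpy's default)."""
    if not sorted_scores:
        raise ValueError("quantile of an empty distribution is undefined")
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must lie in [0, 1]")
    pos = q * (len(sorted_scores) - 1)
    lo = int(pos)                      # floor, since pos >= 0
    hi = min(lo + 1, len(sorted_scores) - 1)
    return sorted_scores[lo] + (sorted_scores[hi] - sorted_scores[lo]) * (pos - lo)


def quantile_thresholds(scores: Sequence[float], q_min: float, q_max: float,
                        steps: int) -> List[float]:
    """Threshold estimation: `steps` quantile levels spaced evenly from q_min
    to q_max (both inclusive), each mapped to a score threshold. The number
    of bins is steps + 1."""
    if steps < 1:
        raise ValueError("at least one quantile step is needed")
    if not 0.0 <= q_min <= q_max <= 1.0:
        raise ValueError("need 0 <= q_min <= q_max <= 1")
    ordered = sorted(scores)
    if steps == 1:
        levels = [q_min]
    else:
        levels = [q_min + (q_max - q_min) * i / (steps - 1) for i in range(steps)]
    # Quantiles are monotone in q, so the thresholds come out non-decreasing.
    return [quantile(ordered, q) for q in levels]


def threshold_beyond(scores: Sequence[float], q_max: float) -> float:
    """Estimated 'threshold beyond' value (assumption: the score at the
    maximum quantile of the observed distribution)."""
    return quantile(sorted(scores), q_max)


def clamp_beyond(scores: Sequence[float], beyond: float) -> List[float]:
    """Normalize scores above the threshold beyond value to that value, the
    way occurrences beyond a level are collapsed into one coarse level."""
    return [min(x, beyond) for x in scores]


def map_to_bins(scores: Sequence[float], thresholds: Sequence[float]) -> List[int]:
    """Map each score to a bin index in 0..len(thresholds): below thresholds[0]
    is bin 0, at or above thresholds[-1] is the last bin."""
    bins = []
    for x in scores:
        b = 0
        for t in thresholds:            # thresholds are non-decreasing
            if x >= t:
                b += 1
            else:
                break
        bins.append(b)
    return bins


def bin_incident_scores(scores: Sequence[float], q_min: float = 0.25,
                        q_max: float = 0.75, steps: int = 3
                        ) -> Tuple[List[float], float, List[int]]:
    """End-to-end run for one time interval: (thresholds, beyond, bins)."""
    thresholds = quantile_thresholds(scores, q_min, q_max, steps)
    beyond = threshold_beyond(scores, q_max)
    return thresholds, beyond, map_to_bins(clamp_beyond(scores, beyond), thresholds)


if __name__ == "__main__":
    # Constructed sample: ten incident scores observed during one interval.
    sample = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
    print(bin_incident_scores(sample))
```

With three quantile steps at 0.25, 0.5 and 0.75 the ten-score sample yields thresholds 3.25, 5.5 and 7.75 and four bins, so scores 1-3 fall in bin 0 and scores 8-10 (clamped to 7.75) in bin 3; raising `q_min` or `q_max` moves the lowest or highest threshold, which is the lever claims 18-19 describe.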

Thampy teaches all the limitations of claim 11 as asserted above with regard to claim 1. 

Regarding claim 12, Thampy teaches the method of claim 11. Thampy furthermore teaches generating a notification based on mapping an incident score to a bin higher than a third bin (Thampy ¶ [0308], notification is sent based on classification).

Regarding claim 13, Thampy teaches the method of claim 11. Thampy furthermore teaches generating a user interface to present a visualization of mapping the incident scores to the bins (Thampy ¶ [0314], “a graphical interface may be generated to display notifications about patterns that are classified”).

Regarding claim 14, Thampy teaches the method of claim 8. Thampy furthermore teaches wherein the estimated threshold beyond is based at least in part on a distribution of extreme values using the incident scores (Thampy ¶ [0264], normalizing is based on distribution of extreme values, “Because the activity data 1302 can include every occurrence of an action, the activity data 1302 can include occurrences that may not be statistically significant or may represent statistically small variations from a norm. Thus, in various implementations, the mapping engine 1330 can normalize the activity data 1302 to using one or more levels 1332. The levels 1332 can indicate thresholds of interest. For example, for a particular set of data, occurrences of an action between 0 and the 5th percentile of occurrences, and occurrences above the 5th percentile may be statistically interesting.”).

Regarding claim 15, Thampy teaches one or more computer-readable media having computer executable instructions that, when executed, cause one or more processors to perform operations comprising: receiving incident scores associated with incidents detected at a time interval (Thampy Fig. 14 and ¶¶ [0271]-[0272], activity data is collected based on monitoring host devices/resources, number of occurrences of incidents, such as file uploads or transfers, are determined during a time interval); determining, based at least in part on a distribution of the incident scores, a threshold beyond value (Thampy ¶ [0264], “the mapping engine 1330 can normalize the activity data 1302 to using one or more levels 1332. The levels 1332 can indicate thresholds of interest… ‘noise’ in the activity data 1302, such as small or statistically insignificant variations can be normalized into the coarse data 1334”, normalization creates a threshold beyond value – see also formula in ¶ [0276], occurrences beyond a threshold of 15 are normalized to 10); determining a minimum quantile value and a maximum quantile value for a threshold estimation (Thampy Fig. 15 and ¶¶ [0276]-[0277], activity is normalized where the lower level of occurrences, such as 0, is the minimum quantile value and the higher level of occurrences is the maximum quantile value); determining quantile steps between the minimum quantile value and the maximum quantile value (Thampy ¶ [0277], “more levels can be used, as needed to obtain a useful generalization of activity data. For example, for the activity data plotting in FIG. 14, levels of 0, 5, and 15 could alternatively have been used”); and determining a number of bins to map the incident scores (Thampy ¶ [0276], see the formula for mapping incident scores to three bins).

Regarding claim 16, Thampy teaches the one or more computer-readable media as recited in claim 15. Thampy furthermore teaches receiving input data including second incident scores (Thampy Fig. 14 and ¶¶ [0271]-[0272], activity data is collected based on monitoring host devices/resources); determining output binned data based at least in part on mapping the second incident scores to bins (Thampy ¶ [0276], see the formula for mapping incident scores to three bins).

Thampy teaches all the limitations of claim 17 as asserted above with regard to claims 11-12. 

Regarding claim 18, Thampy teaches the one or more computer-readable media as recited in claim 15. Thampy furthermore teaches wherein the operations further comprise: determining to increase the minimum quantile value based at least in part on determining a number of incidents above a threshold are mapped to a bin higher than a first bin (Thampy Fig. 15 and ¶ [0277], lower value level is chosen based on the activity data to obtain a useful generalization of activity data).

Regarding claim 19, Thampy teaches the one or more computer-readable media as recited in claim 15. Thampy furthermore teaches wherein the operations further comprise: determining to decrease the minimum quantile value based at least in part on determining a number of incidents below a threshold are mapped to a bin higher than a first bin (Thampy Fig. 15 and ¶ [0277], lower value level is chosen based on the activity data to obtain a useful generalization of activity data).

Regarding claim 20, Thampy teaches the one or more computer-readable media as recited in claim 14. Thampy furthermore teaches wherein the operations further comprise: determining to recompute the threshold beyond value based at least in part on a change in the time interval (Thampy ¶¶ [0264]-[0265], “normalize the activity data 1302 to using one or more levels 1332… different levels can be used for… different time frames”).

Claim Rejections - 35 U.S.C. § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. §§ 102 and 103 (or as subject to pre-AIA 35 U.S.C. §§ 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. § 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. § 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 5-6 are rejected under 35 U.S.C. § 103 as being unpatentable over Thampy (Pub. No. US 2019/0068627 A1) in view of Bradley (Pat. No. US 10,778,699 B1).

Regarding claim 5, Thampy teaches the system of claim 1. Thampy furthermore teaches, wherein the incidents are determined based on a plurality of events detected at the host devices and the operations further comprising: identifying patterns within the plurality of the events based at least in part on the patterns meeting a predetermined criterion (Thampy Fig. 16B and ¶ [0282], patterns are identified); 
Thampy does not explicitly teach determining pattern scores associated with the patterns based at least in part on respective relative frequencies of the patterns, wherein the incident scores are based at least in part on the pattern scores.
However, Bradley teaches determining pattern scores associated with the patterns based at least in part on respective relative frequencies of the patterns, wherein the incident scores are based at least in part on the pattern scores (Bradley Fig. 2, 240, 250 and column 6 lines 16-18 and lines 63-67 & column 7, lines 1-24, attack signature [pattern] scores for header properties are summed up for the incidents to create a total score [incident score] identified based on a frequency of occurrences of individual header properties).
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Thampy and Bradley to teach summing up attack signature scores into a total incident score because it identifies a likelihood and signature of an attack. Bradley Fig. 2 and column 6 lines 16-18 and lines 63-67 & column 7, lines 1-24.

Regarding claim 6, Thampy and Bradley teach the system of claim 5. Thampy furthermore teaches receiving second incident scores associated with second incidents during a second time interval; determining at least one pattern change in the second incidents with respect to the incidents; and determining, based at least in part on the at least one pattern change, to recalculate the estimated threshold beyond value (Thampy ¶ [0264], normalization is based on updated activity dataset).

Claim 7 is rejected under 35 U.S.C. § 103 as being unpatentable over Thampy (Pub. No. US 2019/0068627 A1) in view of Sampaio (Pub. No. US 2020/0366699 A1).

Regarding claim 7, Thampy teaches the system of claim 1. Thampy does not explicitly teach determining, based at least in part on averaging threshold beyond values over time, a second estimated threshold beyond value for a second time interval.
However, Sampaio teaches determining, based at least in part on averaging threshold beyond values over time, a second estimated threshold beyond value for a second time interval (Sampaio ¶ [0103], an adaptive threshold is taught here, which is based on moving average weights, “exponential moving average smoothing is applied on the calculated threshold to obtain a new threshold as described above”).
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Thampy and Sampaio to teach an adaptive threshold because it is merely combining prior art elements (determining threshold beyond) according to known methods (averaging to create an adaptive threshold) to yield predictable results (obtaining the most useful/appropriate threshold value). MPEP 2143(I). See also Sampaio ¶ [0030], “An adaptive threshold is determined and applied to monitoring values calculated from the model scores to detect anomalous behavior.”

Claim 9 is rejected under 35 U.S.C. § 103 as being unpatentable over Thampy (Pub. No. US 2019/0068627 A1) in view of Ahmed (Pat. No. US 10,320,813 A1).

Regarding claim 9, Thampy teaches the method of claim 8. Thampy furthermore teaches wherein the minimum quantile value is determined based at least in part on the incident scores (Thampy Fig. 14 and ¶ [0264], incident scores are used to determine the minimum value of occurrences in the normalized data).
Thampy does not explicitly teach a confidence value associated with the incident scores.
However, Ahmed teaches a confidence value associated with the incident scores (Ahmed column 11, lines 33-36, a confidence value is associated with a score).
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Thampy and Ahmed to teach associating a confidence level with a score because this is merely combining prior art elements (scoring) according to known methods (utilizing a confidence value) to yield predictable results. MPEP 2143(I).

Claim 10 is rejected under 35 U.S.C. § 103 as being unpatentable over Thampy (Pub. No. US 2019/0068627 A1) in view of Kamulete (Pub. No. US 2020/0410403 A1 – the portions of Kamulete that teach the claim limitations below can be found in the Jun 27, 2019 provisional application 62/867,492 ¶ [0021]).

Regarding claim 10, Thampy teaches the method of claim 8. 
Thampy does not explicitly teach wherein the estimated threshold beyond is based at least in part on a generalized Pareto distribution.
However, Kamulete teaches wherein the estimated threshold beyond is based at least in part on a generalized Pareto distribution (Kamulete ¶ [0069], “threshold exceedances can be modelled as the generalized Pareto distribution”; see also ¶ [0021] of provisional application 62/867,492, to which Kamulete claims benefit, “threshold exceedances can be modelled as the generalized Pareto distribution”).
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Thampy and Kamulete to teach utilizing a generalized Pareto distribution to model threshold exceedance because it is merely combining prior art elements (determining threshold beyond) according to known methods (utilizing a generalized Pareto distribution) to yield predictable results. MPEP 2143(I).
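For the claim 10 discussion, a worked peaks-over-threshold estimate of a "threshold beyond" value in which the exceedances over a base threshold are modelled as a generalized Pareto distribution. This is an added illustration constructed for this page, not code from the application, from Kamulete, or from Dean. Assumptions made here: the fit uses the textbook method-of-moments estimator (shape xi = (1 - m²/v)/2 and scale sigma = m(1 + m²/v)/2 from the mean m and population variance v of the exceedances, valid for xi < 1/2) rather than maximum likelihood, the base threshold u is chosen by hand, and the score sample is constructed.

```python
"""Peaks-over-threshold 'threshold beyond' estimate with a generalized Pareto
distribution (GPD). Constructed illustration; not code from any reference.

The tail above a base threshold u is modelled as GPD(xi, sigma) on the
exceedances y = x - u. Combined with the empirical fraction of scores that
exceed u, the fitted tail gives the score exceeded with probability 1 - p.
"""
import math
from typing import List, Sequence, Tuple

# Constructed sample: 90 quiet scores plus ten scores above a base threshold
# of 20, chosen so that exactly 10% of the sample exceeds u = 20.
EXCEEDANCE_SAMPLE = [1, 1, 1, 2, 2, 3, 5, 9, 13, 23]
SAMPLE_SCORES = [5.0] * 90 + [20.0 + y for y in EXCEEDANCE_SAMPLE]


def exceedances(scores: Sequence[float], u: float) -> List[float]:
    """Amounts by which scores exceed the base threshold u (scores > u only)."""
    return [x - u for x in scores if x > u]


def fit_gpd_moments(y: Sequence[float]) -> Tuple[float, float]:
    """Method-of-moments GPD fit on exceedances y; returns (xi, sigma).
    Uses mean = sigma/(1-xi) and var = sigma^2/((1-xi)^2 (1-2 xi)), so that
    mean^2/var = 1 - 2 xi (requires xi < 1/2 for the variance to exist)."""
    n = len(y)
    if n < 2:
        raise ValueError("need at least two exceedances to estimate a variance")
    m = sum(y) / n
    v = sum((t - m) ** 2 for t in y) / n          # population variance
    if v <= 0.0:
        raise ValueError("exceedances have zero variance; GPD fit is undefined")
    r = m * m / v                                  # = 1 - 2*xi
    xi = 0.5 * (1.0 - r)
    sigma = 0.5 * m * (1.0 + r)
    return xi, sigma


def gpd_quantile(p: float, u: float, xi: float, sigma: float,
                 n_total: int, n_exceed: int) -> float:
    """Score exceeded with probability 1 - p over the whole sample, from
    P(X > x) = (n_exceed/n_total) * (1 + xi (x-u)/sigma)^(-1/xi).
    Solving gives x = u + sigma/xi * (((n_total/n_exceed)(1-p))^(-xi) - 1);
    for xi near 0 the exponential limit x = u - sigma ln(...) applies."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must lie in (0, 1)")
    if n_exceed <= 0 or n_exceed > n_total:
        raise ValueError("need 0 < n_exceed <= n_total")
    tail = (n_total / n_exceed) * (1.0 - p)
    if tail > 1.0:
        # The requested level lies below the base threshold; the GPD only
        # describes the region above u, so the estimate is not defined here.
        raise ValueError("p is below the empirical level of the base threshold")
    if abs(xi) < 1e-9:
        return u - sigma * math.log(tail)
    return u + sigma / xi * (tail ** (-xi) - 1.0)


def estimate_threshold_beyond(scores: Sequence[float], u: float, p: float) -> float:
    """End-to-end: select exceedances over u, fit the GPD, return the
    estimated threshold beyond value at overall level p."""
    y = exceedances(scores, u)
    xi, sigma = fit_gpd_moments(y)
    return gpd_quantile(p, u, xi, sigma, len(scores), len(y))


if __name__ == "__main__":
    xi, sigma = fit_gpd_moments(EXCEEDANCE_SAMPLE)
    print("xi = %.4f, sigma = %.4f" % (xi, sigma))
    for p in (0.9, 0.95, 0.99):
        print("p = %.2f -> threshold beyond = %.2f"
              % (p, estimate_threshold_beyond(SAMPLE_SCORES, 20.0, p)))
```

At p equal to the empirical level of u (here 0.9, since 10 of 100 scores exceed 20) the estimate returns u itself, and it rises monotonically with p for a positive shape parameter; the shape from this sample is about 0.11, a modestly heavy tail. In practice the base threshold is chosen from the data (for example from a mean-excess plot) and the fit is usually done by maximum likelihood; the moment estimator is used here only to keep the block self-contained.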
Conclusion
The following prior art made of record and not relied upon is considered pertinent to Applicant's disclosure: 
Dean (Pub. No. US 2017/0230392 A1) teaches “The measure of anomalousness of the device may be determined relative to a reference measure of anomalousness. The measure of anomalousness of the device may be attenuated above a given level. The distribution of the values of the metric may be modelled using extreme value theory. The distribution of the values of the metric may be modelled as a generalized Pareto.” Dean ¶ [0022]. 
Wang (Pub. No. US 2019/0362074 A1) teaches “each event score histogram in the set of event score histograms takes the form of an ordered array of buckets. Assuming, for example, that an event score indicates a probability between 0 and 1 that the most recent event history relative to event e.sub.t indicates malicious activity, then four buckets evenly divide that probability into fourths (e.g., [0-0.24], [0.25-0.49], [0.5-0.74], [0.75-1]) while ten buckets evenly divide that probability into tenths. Any number of buckets could be used although more buckets tend to require more memory. All buckets are typically initialized to zero.” Wang ¶ [0087].
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GREGORY P TOLCHINSKY whose telephone number is (571)270-0599. The examiner can normally be reached Monday through Friday (9:30 AM-6:30 PM).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema can be reached on 571-270-3037.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


Gregory P. Tolchinsky
/G.P.T./
Examiner, Art Unit 2456

/Brian Whipple/
Primary Examiner, Art Unit 2456
8/22/2022