Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the instant Application 17/093,915 filed on 11/10/2020. Claims 1-19 are pending. This Office Action is Non-Final.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 11/10/2020 and 12/27/2021 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 2, 4, 5, 7-12, 14, 15 and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Sternby et al. (US 2021/0160266) in view of Shrestha et al. (US 2022/013832).

	As per claim 1, Sternby teaches a method for anomaly interpretation and mitigation, comprising: extracting at least one input feature vector from observation data related to an observation, wherein the observation indicates anomalous behavior of a connected device (Sternby, Paragraph 0037 recites “Training of the model comprises collecting S11 feature samples of network data traffic at a monitoring point between a first and a second part of a network, and training S12 the model for detecting anomalies on the collected feature samples. The feature samples are collected from network data traffic between devices in the first part of a network and devices in the second part of the network, e.g., between internal network devices and external network devices, or between internal network devices. The network flows may originate from different device types such as IoT devices, computers, mobile phones or network equipment. Thus, network data traffic is exchanged in a physical layer between the first and second part of the network, e.g., over a radio interface in a wireless network. The model is trained to detect anomalies in a mixed set of categorical, discrete and continuous features of single and/or aggregated network flows or packets.”);
	applying an isolation forest to the at least one input feature vector (Sternby, Paragraph 0038 recites “FIG. 2 shows a flowchart representation of a method for anomaly detection using the forest model of FIG. 1, i.e., a computer-implemented method for detecting anomalies in network data traffic between devices in a first part of a network and devices in a second part of the network. The forest algorithms are trained for detecting anomalies on the collected feature samples using a plurality of detection trees. The computer-implemented method comprises retrieving S21 at least one network data traffic sample, i.e., a sample of data traffic between devices in the first part of the network and devices in the second part of the network”),
	wherein the isolation forest includes a plurality of estimators, wherein each estimator is a decision tree, wherein the output of each estimator is a split-path of a plurality of split-paths, each split-path having a path-length and including a name and a corresponding value for a respective output feature of a plurality of output features (Sternby, Paragraph 0039 recites “The anomaly score may be determined from a mean path length in the decision tree models. Anomalies in the network data traffic sample are classified S25 based on the determined anomaly score and a determined feature importance that is determined S24 for each feature of a feature-associated anomaly score. The anomaly detection method produces an anomaly score that may be based on the above-mentioned mixed set of categorical, discrete and continuous features of single and/or aggregated network flows or packets. The node implementing this method can then raise an alarm for any score above a certain threshold.”);
	wherein each output feature represents at least a portion of a description of why the observation was determined to indicate anomalous behavior (Sternby, Paragraph 0041 recites “The present disclosure solves this problem by specifying a method for obtaining an ordered list of the most important features inducing a high anomaly-score from the model for a certain data point. In some examples, the classifying comprises ranking the one or more anomalies in relation to one another, e.g., in the ordered list, based on a combination of anomaly score and feature importance that may be obtained by adding an anomaly score value and a feature importance value.”).
	Sternby, however, fails to teach generating a mapping object based on the application of the isolation forest to the at least one feature vector, wherein the mapping object includes the plurality of split-paths; clipping the mapping object based on the path-length of each split-path; and determining at least one mitigation action based on the clipped mapping object.
	However, in an analogous art Shrestha teaches generating a mapping object based on the application of the isolation forest to the at least one feature vector, wherein the mapping object includes the plurality of split-paths; clipping the mapping object based on the path-length of each split-path; and determining at least one mitigation action based on the clipped mapping object (Shrestha, Paragraph 0098 recites “FIG. 8 shows a flowchart of a method 80 of detecting and acting on security anomalies according to an embodiment. The method 80 begins with a process 81 retrieving historical request pattern data from a data store. The historical request pattern data may be data 704, and the data store may be fingerprint store 112. The method 80 continues with a process 83 applying the isolation forest algorithm to input request data in view of the historical request pattern data. The input request data may be data 72, and the isolation forest algorithm may be performed as described in detail above. The method 80 moves to a decision process 85 asking whether the request has an anomalous path score (or length) as determined by the isolation forest algorithm. If not, the method completes with a process 87 indicating success, which may be performed by the policy manager 706. If so, the method completes with a process 89 taking remedial action, which also may be performed by the policy manager 706 as described above.”).
	It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to use Shrestha’s encryption as a service with request pattern anomaly detection together with Sternby’s computer-implemented method and arrangement for classifying anomalies, because using the isolation forest path score to trigger remedial action is an effective and concise way of identifying an anomaly and the mitigation it requires.

	As per claim 2, Sternby in combination with Shrestha teaches the method of claim 1. Shrestha further teaches wherein clipping the mapping object further comprises: sorting the plurality of split-paths based on their respective path-lengths; and removing at least one split-path from the plurality of split-paths (Shrestha, Paragraph 0092 recites “As is known in the art, the core of the isolation forest algorithm lies in “isolating” an anomaly by creating decision trees over random attributes. That is, a random attribute (i.e. axis in the multidimensional state space) is selected, then values the points might take are partitioned randomly into ranges; each point in the state space falls into one of these partitions, and typically several points will. This process is continued recursively with another random attribute until single points are isolated in an “isolation tree”.”).
	The motivation to combine Sternby and Shrestha is the same as set forth above for claim 1.

	As per claim 4, Sternby in combination with Shrestha teaches the method of claim 1. Shrestha further teaches generating additional contextual data based on the clipped mapping object, wherein the at least one mitigation action is determined based further on the additional contextual data (Shrestha, Paragraph 0092, quoted above with respect to claim 2).
	The motivation to combine Sternby and Shrestha is the same as set forth above for claim 1.

	As per claim 5, Sternby in combination with Shrestha teaches the method of claim 4. Shrestha further teaches wherein the additional contextual data includes statistical data for each output feature determined based on the split-paths of the clipped mapping object (Shrestha, Paragraph 0092, quoted above with respect to claim 2).
	The motivation to combine Sternby and Shrestha is the same as set forth above for claim 1.


	As per claim 7, Sternby in combination with Shrestha teaches the method of claim 1. Sternby further teaches wherein the observation was determined to indicate an anomaly (Sternby, Paragraph 0037, quoted above with respect to claim 1).

	As per claim 8, Sternby in combination with Shrestha teaches the method of claim 7. Sternby further teaches wherein the observation has an anomaly score representing a likelihood that the observation indicates an anomaly, wherein the anomaly score is above a threshold (Sternby, Paragraph 0043 recites “In some examples, the disclosed method further comprises activating an alarm based on a comparison between the determined anomaly score and a predetermined anomaly score threshold. In complimentary examples, the method comprises activating the alarm when the feature importance surpasses a predetermined feature importance value.”).

	As per claim 9, Sternby in combination with Shrestha teaches the method of claim 1. Sternby further teaches wherein each estimator is a binary decision tree (Sternby, Paragraph 0039, quoted above with respect to claim 1, which determines the anomaly score from the mean path length in the decision tree models).

Regarding claims 10 and 11, these claims are directed to a non-transitory readable medium and a system, respectively, associated with the method of claim 1. Claims 10 and 11 are similar in scope to claim 1 and are therefore rejected under a similar rationale.

Regarding claims 12, 14, 15, 17, 18 and 19, these claims are directed to systems associated with the methods of claims 2, 4, 5, 7, 8 and 9, respectively. Each is similar in scope to its corresponding method claim and is therefore rejected under a similar rationale.

Claims 3, 6, 13 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Sternby et al. (US 2021/0160266) in view of Shrestha et al. (US 2022/013832) and further in view of Brandt et al. (US 2021/0067548).

	As per claim 3, Sternby in combination with Shrestha teaches the method of claim 2, but fails to teach determining the at least one split-path to be removed from the plurality of split-paths based on the sorted plurality of split-paths and a ratio of a total number of estimators.
	However, in an analogous art Brandt teaches determining the at least one split-path to be removed from the plurality of split-paths based on the sorted plurality of split-paths and a ratio of a total number of estimators (Brandt, Paragraph 0061 recites “Because there is a plethora of risk factors that may be derived from prior confirmed malicious activity, the machine learning model may be implemented by a random forest-based prediction model. In random forest classification, a network-based authentication system may utilize a plurality of different decision trees where each decision tree is trained based on different risk factors to determine if a system administrator or a system administrator location is suspected of malicious activity. For example a first decision tree may determine malicious activity based on the risk factors of size of network transactions and/or log-in time of system administrators. A second decision tree may determine malicious activity based on the risk factors of source and/or destination of network transactions. A third decision tree may determine malicious activity based on the risk factor of log-in patterns of a system administrator and/or remote access patterns of a system administrator. By training each decision tree based on different risk factors, the total votes from each decision tree (e.g. the number of decision trees that indicate malicious activity) may represent an accurate overall determination.” Brandt counts the votes across all of the decision trees, i.e., the fraction of the total number of trees indicating malicious activity, in order to reach an accurate overall determination.).
	It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to use Brandt’s detection of malicious activity within a network together with Sternby’s computer-implemented method and arrangement for classifying anomalies, because accounting for the votes of all of the decision trees yields a more accurate overall determination.

	As per claim 6, Sternby in combination with Shrestha teaches the method of claim 5, but fails to teach wherein the statistical data indicates, for each output feature, at least one of: a number of occurrences of the output feature among the output features of the split-paths of the clipped mapping object, a percentile of the value of the output feature with respect to other observations in a sub-population of observations, and a position of the output feature within a distribution of the output features of the split-paths of the clipped mapping object.
	However, in an analogous art Brandt teaches wherein the statistical data indicates, for each output feature, at least one of: a number of occurrences of the output feature among the output features of the split-paths of the clipped mapping object, a percentile of the value of the output feature with respect to other observations in a sub-population of observations, and a position of the output feature within a distribution of the output features of the split-paths of the clipped mapping object (Brandt, Paragraph 0061, quoted above with respect to claim 3; Brandt counts the votes across all of the decision trees, each trained on different risk factors, in order to reach an accurate overall determination.).
	The motivation to combine Brandt with Sternby and Shrestha is the same as set forth above for claim 3.
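The following Python is an illustration added by the editor; it is not code from the instant application or from Sternby, Shrestha or Brandt. It carries the pipeline recited in claims 1 through 6 above into working form: an isolation forest of randomly grown decision trees is applied to a named feature vector; each estimator yields a split-path (the feature name and the observation's value at every split, with a path length that includes the Liu et al. leaf adjustment c(n)); the split-paths form a mapping object that is sorted by path length and clipped to a ratio of the total number of estimators; per-feature occurrence counts and percentiles are derived from the clipped paths; and the most frequent feature selects a mitigation action. The feature names, the constructed traffic sample, the clipping ratio, the score threshold and the feature-to-action table are assumptions made for the illustration only.

```python
# Added illustration (editor's code; not from the application or any cited reference).
import math
import random
from collections import Counter

EULER_GAMMA = 0.5772156649


def c(n):
    """Expected unsuccessful-search path length in a BST of n points (iForest normaliser)."""
    if n <= 1:
        return 0.0
    if n == 2:
        return 1.0
    return 2.0 * (math.log(n - 1) + EULER_GAMMA) - 2.0 * (n - 1) / n


def build_tree(rows, features, rng, depth, max_depth):
    """Grow one isolation tree: random feature, random threshold, recurse until isolated."""
    if depth >= max_depth or len(rows) <= 1:
        return {"size": len(rows)}
    feature = rng.choice(features)
    lo, hi = min(r[feature] for r in rows), max(r[feature] for r in rows)
    if lo == hi:
        return {"size": len(rows)}  # constant feature, nothing to split on
    threshold = rng.uniform(lo, hi)
    return {"feature": feature, "threshold": threshold,
            "left": build_tree([r for r in rows if r[feature] < threshold],
                               features, rng, depth + 1, max_depth),
            "right": build_tree([r for r in rows if r[feature] >= threshold],
                                features, rng, depth + 1, max_depth)}


def train_forest(rows, features, n_estimators, seed):
    rng = random.Random(seed)
    max_depth = math.ceil(math.log2(len(rows)))
    return [build_tree(rows, features, rng, 0, max_depth) for _ in range(n_estimators)]


def split_path(tree, x):
    """One estimator's output for x: (feature name, x's value) per split, plus path length."""
    path, node, depth = [], tree, 0
    while "feature" in node:
        f = node["feature"]
        path.append((f, x[f]))
        node = node["left"] if x[f] < node["threshold"] else node["right"]
        depth += 1
    return {"path": path, "length": depth + c(node["size"])}


def anomaly_score(mapping, n):
    """Liu et al. score 2^(-mean path length / c(n)); close to 1 means isolated quickly."""
    mean_len = sum(sp["length"] for sp in mapping) / len(mapping)
    return 2 ** (-mean_len / c(n))


def clip(mapping, ratio):
    """Sort split-paths by length and keep only the shortest ratio * n_estimators of them."""
    keep = max(1, round(ratio * len(mapping)))
    return sorted(mapping, key=lambda sp: sp["length"])[:keep]


def feature_stats(clipped, x, population):
    """Per output feature: occurrences in the clipped paths and percentile of x's value."""
    counts = Counter(f for sp in clipped for f, _ in sp["path"])
    return {f: {"occurrences": n,
                "percentile": sum(r[f] <= x[f] for r in population) / len(population)}
            for f, n in counts.most_common()}


# Hypothetical feature-to-action table; an assumption made for this illustration only.
ACTIONS = {"bytes_out": "rate-limit egress and capture flows for review",
           "conn_rate": "move device to quarantine VLAN",
           "dns_qps": "sinkhole DNS for the device and inspect queries"}


def interpret(x, population, n_estimators=100, ratio=0.25, threshold=0.6, seed=0):
    """Full pipeline: score x against a population that contains it, then explain and act."""
    features = sorted(population[0])
    forest = train_forest(population, features, n_estimators, seed)
    mapping = [split_path(t, x) for t in forest]  # mapping object: one path per estimator
    score = anomaly_score(mapping, len(population))
    if score <= threshold:
        return {"score": score, "anomalous": False}
    clipped = clip(mapping, ratio)
    stats = feature_stats(clipped, x, population)
    top = next(iter(stats), None)  # most frequent feature in the clipped paths explains the alarm
    return {"score": score, "anomalous": True, "clipped": len(clipped), "stats": stats,
            "feature": top, "action": ACTIONS.get(top, "escalate to an analyst")}


def make_data(seed=1):
    """Constructed sample: 60 benign IoT flow records plus one exfiltration-like outlier."""
    rng = random.Random(seed)
    rows = [{"bytes_out": rng.uniform(100, 200), "conn_rate": rng.uniform(1, 5),
             "dns_qps": rng.uniform(0.1, 1.0)} for _ in range(60)]
    rows.append({"bytes_out": 5000.0, "conn_rate": 3.0, "dns_qps": 0.5})
    return rows


if __name__ == "__main__":
    rows = make_data()
    print(interpret(rows[-1], rows))  # the outlier
    print(interpret(rows[0], rows))   # a benign record
```

Run stand-alone, the block scores the constructed outlier against the population it belongs to; because the split that isolates it is almost always drawn on bytes_out, that feature dominates the clipped mapping object and its percentile within the population is 1.0, which is the kind of ordered, feature-level explanation Sternby's Paragraph 0041 describes. One caveat a practitioner should keep in mind: the observation has to be part of the rows the forest is grown on, since a point absent from the training rows can never fall outside thresholds drawn from their value ranges and so will not be isolated early.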

Regarding claims 13 and 16, these claims are directed to systems associated with the methods of claims 3 and 6, respectively. Each is similar in scope to its corresponding method claim and is therefore rejected under a similar rationale.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661. The examiner can normally be reached Mon- Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

RODERICK TOLENTINO
Examiner
Art Unit 2439



/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439