Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


The term "{resource, entity, and time-window} tuple" in claims 5 and 17, line 2, is unclear as to whether the limitation within the braces {} is for reference only or is part of the claimed limitation, which would require the tuple to be the resource, entity, and time-window tuple. For examination purposes, the examiner considers the term to be merely the tuple. If the applicant intends to claim this specific tuple, then the applicant should amend the claim to clearly define the tuple, such as a resource, entity, and time-window tuple.
The term “an appearance of a new entity” in claim 13, line 4, is unclear as to whether it refers to the previous “an appearance of a new entity” in line 3 or to a completely different appearance of a new entity. For examination purposes, the examiner considers the term to be the same as “the appearance of the new entity” in line 3.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 20 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because this claim is directed to a computer program product comprising one or more computer-readable storage media. However, neither the specification nor the claim defines the computer-readable storage media as non-transitory computer-readable storage media or excludes the signal per se from these computer-readable storage media. The closest paragraph of the specification, paragraph [0128], does mention/exclude the signal per se from computer-readable storage medium, but the medium is not necessarily the same as the media, wherein media is the plural of medium.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-20 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Chitalia et al. (U.S. 2020/0007405 A1).
Re claim 1, Chitalia et al. disclose in Figures 1-10 a computing system comprising: one or more processors; and one or more computer-readable media having thereon computer-executable instructions that are structured such that, when executed by the one or more processors, cause the computing system to: receive an indication of a security alert, the indication generated based on a detected anomaly in one of a data plane or a control plane of a computing environment (e.g. abstract, Figures 8-10, paragraphs [0007-0009, 0109 and 0155] wherein data plane and control plane are monitored for any issue); when the detected anomaly is in the data plane, monitor the control plane for a subsequent anomaly in the control plane, and otherwise monitor the data plane for a subsequent anomaly in the data plane (e.g. paragraphs [0008, 0040 and 0042, 0049-0055] wherein policies are configured to monitor either or both data and control plane based on the condition); determine a correlation between the detected anomalies (e.g. paragraphs [0006, 0117, and 0142] wherein metrics from both planes are analyzed and correlated to produce the alarm); and send a notification of the security alert when the correlation exceeds a predetermined threshold (e.g. Figure 9 with component 911 and paragraphs [0007 and 0053-0054] wherein a notification/alarm is generated and sent to the administration once the monitoring condition(s) meets the threshold(s)). 
Re claim 2, Chitalia et al. disclose in Figures 1-10 the indication is generated based on a detected anomaly in the data plane, and the detected anomaly is a new entity accessing a resource (e.g. paragraphs [0070, 0104 and 0141]). 
Re claim 3, Chitalia et al. disclose in Figures 1-10 the new entity is an entity observed during a modeling period (e.g. paragraph [0110]). 
Re claim 4, Chitalia et al. disclose in Figures 1-10 the indication is generated based on a detected anomaly in the control plane, and the detected anomaly is a user performing an anomalous pattern or amount of operations (e.g. paragraph [0125]). 
Re claim 5, Chitalia et al. disclose in Figures 1-10 the correlation is determined based on a similarity of a {resource, entity, time-window} tuple (e.g. paragraph [0117]). 
Re claim 6, Chitalia et al. disclose in Figures 1-10 the entity comprises one or more of a machine name, a username, an IP address, a process name, or a network identifier (e.g. inherently as the entity in the network must have at least one of the above and paragraph [0039]).
Re claim 7, Chitalia et al. disclose in Figures 1-10 the anomaly is determined based on a detection model comprising evaluating mean and distance in standard deviations (e.g. paragraphs [0107, 0109, and 0110]). 
Re claim 8, Chitalia et al. disclose in Figures 1-10 computer-executable instructions that are structured such that, when executed by the one or more processors, cause the computing system to activate an active listening mode to monitor the control plane or the data plane (e.g. abstract and paragraphs [0054, 0081, and 0088]). 
Re claim 9, Chitalia et al. disclose in Figures 1-10 the correlation is determined by combining logs of data plane activity with logs of correlated control plane activity (e.g. table 3 and paragraphs [0004, 0057, and 0079-0080]).
Re claim 10, Chitalia et al. disclose in Figures 1-10 computer-executable instructions that are structured such that, when executed by the one or more processors, cause the computing system to: receive user feedback pertaining to notifications; and input the user feedback as labels to a learning model for identifying security alerts (e.g. paragraphs [0051-0056]). 
Re claim 11, Chitalia et al. disclose in Figures 1-10 data plane anomalies are determined based on an estimated probability model of an appearance of a new entity and control plane anomalies are determined using a score-based method for each user active at a resource (e.g. paragraphs [0051-0055]). 
Re claim 12, it is a method claim having similar limitations as cited in claim 1.  Thus, claim 12 is also rejected under the same rationale as cited in the rejection of claim 1 above. 
Re claim 13, Chitalia et al. disclose in Figures 1-10 data plane anomalies are determined based on an estimated probability model of an appearance of a new entity; and an appearance of a new entity is determined to constitute an anomaly when the estimated probability is below a predetermined threshold (e.g. paragraphs [0109, 0119-0122, and 0155]). 
Re claim 14, Chitalia et al. disclose in Figures 1-10 control plane anomalies are determined based on an anomaly model implemented using a score-based method for each user active at a resource as a time series signal; and a high outlier of a score signifies a control plane anomaly (e.g. paragraphs [0109, 0119-0122, and 0155] wherein outlier is the anomaly or abnormality).
Re claim 15, it is a method claim having similar limitations as cited in claim 2.  Thus, claim 15 is also rejected under the same rationale as cited in the rejection of claim 2 above.
Re claim 16, it is a method claim having similar limitations as cited in claim 4.  Thus, claim 16 is also rejected under the same rationale as cited in the rejection of claim 4 above.
Re claim 17, it is a method claim having similar limitations as cited in claim 5.  Thus, claim 17 is also rejected under the same rationale as cited in the rejection of claim 5 above.
Re claim 18, it is a method claim having similar limitations as cited in claim 8.  Thus, claim 18 is also rejected under the same rationale as cited in the rejection of claim 8 above.
Re claim 19, it is a method claim having similar limitations as cited in claim 10.  Thus, claim 19 is also rejected under the same rationale as cited in the rejection of claim 10 above.
Re claim 20, it is a product claim having similar limitations as cited in claim 1.  Thus, claim 20 is also rejected under the same rationale as cited in the rejection of claim 1 above.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
U.S. Patent Application Publication No. 2022/0191173
U.S. Patent Application Publication No. 2022/0086179
U.S. Patent Application Publication No. 2022/0060491
U.S. Patent Application Publication No. 2020/0007405
U.S. Patent Application Publication No. 2019/0281078
U.S. Patent Application Publication No. 2019/0098046
U.S. Patent No. 11,406,053
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PHUOC H NGUYEN whose telephone number is (571)272-3919. The examiner can normally be reached M-F: 7:30 am -3:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Christopher Parry can be reached on 571-272-8328. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/PHUOC H NGUYEN/Primary Examiner, Art Unit 2451