Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2016, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This Office Action is in response to the application 16/202,217 filed on 11/28/2018. Claims 1, 3-9, 11-17 have been examined and are pending. 
Authorization for this Examiner's Amendment was given by telephone by the Applicant's representative, Anand Ashwin (Reg. No. 68533), on August 22, 2022. Ashwin agreed to and authorized the Examiner's amendment of claims 1, 9 and 17 and the cancellation of claims 8 and 16.
Examiner’s Amendments
Claims
Replacing claims 1, 3-9, 11-17 as follows:

1.	(Currently amended) A method comprising:
performing, by a computing system implemented by one or more processors configured to execute instructions stored on a memory:
receiving network metadata of a network comprising:
a number of bytes sent from a host device in the network, and
a number of bytes sent to the host device;
calculating a directionality magnitude based on a ratio between the number of bytes sent from the host device and the number of bytes received by the host device, wherein the directionality magnitude is positive or negative depending on whether more bytes are sent or received by the host device;
generating a z-score based on the network metadata and previously received network metadata that was received before the network metadata, wherein generating the z-score includes performing a logarithmic transformation on the network metadata;
detecting that an anomaly exists on the network based at least on the z-score exceeding a z-score threshold and the directionality magnitude deviating from a baseline directionality magnitude; and
performing at least one mitigation procedure to mitigate the anomaly upon detecting that the anomaly exists.

2.	(Canceled)

3.	(Previously presented) The method of claim 1, wherein the network metadata includes at least one feature of a connection, wherein the at least one feature comprises at least one of a time of the connection, a type of the connection, a connection duration, or a connection byte count.

4.	(Previously presented) The method of claim 3, further comprising the computing system:
detecting that the anomaly exists upon determining that a plurality of features deviate from a feature baseline.

5.	(Previously presented) The method of claim 4, further comprising the computing system:
detecting that the anomaly exists upon determining that a number of the at least one feature deviating from feature baselines exceed a feature threshold.

6.	(Previously presented) The method of claim 3, further comprising the computing system:
suppressing an alert upon determining that a number of the at least one feature deviating from feature baselines is below a feature threshold.

7.	(Previously Presented) The method of claim 1, wherein the z-score is a directionality magnitude z-score.

8.	(Canceled) 

9.	(Currently amended) A system comprising:
a computing system implemented by one or more processors and a memory that stores instructions executable by the one or more processors to:
receive, via an interface of the computing system, 
a number of bytes sent from a host device in the network, and
a number of bytes sent to the host device; 
calculate a directionality magnitude based on a ratio between the number of bytes sent from the host device and the number of bytes received by the host device, wherein the directionality magnitude is positive or negative depending on whether more bytes are sent or received by the host device;
generate a z-score based on the network metadata and previously received network metadata that was received before the network metadata, wherein the generation of the z-score includes performing a logarithmic transformation on the network metadata;
detect that an anomaly exists on the network based at least on the z-score exceeding a z-score threshold and the directionality magnitude deviating from a baseline directionality magnitude; and
perform at least one mitigation procedure to mitigate the anomaly upon detecting that the anomaly exists.

10.	(Canceled)

11.	(Previously presented) The system of claim 9, wherein the network metadata includes at least one feature of a connection, wherein the at least one feature comprises at least one of a time of the connection, a type of the connection, a connection duration, or a connection byte count.

12.	(Previously presented) The system of claim 11, wherein the computing system is configured to detect that the anomaly exists upon determining that a plurality of features deviate from a feature baseline.

13.	(Previously presented) The system of claim 12, wherein the computing system is configured to detect that the anomaly exists upon determining that a number of the at least one feature deviating from feature baselines exceed a feature threshold.

14.	(Previously presented) The system of claim 11, wherein the computing system is configured to suppress an alert upon determining that a number of the at least one feature deviating from feature baselines is below a feature threshold.

15.	(Previously Presented) The system of claim 9, wherein the z-score is a directionality magnitude z-score.

16.	(Canceled) 

17.	(Currently amended) A method comprising:
performing, by a computing system implemented by one or more processors configured to execute instructions stored on a memory:
receiving, using an interface of the computing system, network metadata regarding activity on a network, the network metadata including:
a count of bytes sent from a host device in the network, and
a count of bytes received by the host device; 
calculating a directionality magnitude based on a ratio between the number of bytes sent from the host device and the number of bytes received by the host device, wherein the directionality magnitude is positive or negative depending on whether more bytes are sent or received by the host device;
generating a z-score based on the network metadata and previously received network metadata that was received before the network metadata, wherein generating the z-score includes performing a logarithmic transformation on the network metadata;
retrieving a baseline directionality magnitude value from a database, wherein the baseline directionality magnitude value is based on previous behavior of the host device;
determining that an anomaly exists on the network based at least on the z-score exceeding a z-score threshold and the directionality magnitude deviating[[es]] from the baseline directionality magnitude value; and
performing at least one mitigation procedure upon determining that the anomaly exists on the network.  


Examiner’s Statement of Reasons for Allowance
Claims 1, 3-7, 9, 11-15, and 17 are allowed. 
The following is an examiner’s statement of reasons for allowance. 
The invention is directed to a method for detecting anomalous activity on a network. The method includes receiving, using an interface, network metadata regarding a host device on the network; generating, using a processor executing instructions stored on a memory, at least one of a z-score related to the network metadata and a directionality magnitude related to the network metadata; detecting, using the processor, that an anomaly exists on the network based upon at least one of the generated z-score exceeding a z-score threshold and the generated directionality magnitude deviating from a baseline directionality magnitude; and issuing, using the processor, an alert upon detecting the anomaly exists. 
In some embodiments, the network metadata includes at least one feature selected from the group consisting of time of a connection, type of connection, connection duration, and byte count. In some embodiments, the method further includes detecting the anomaly upon determining a plurality of the features deviate from a feature baseline. In some embodiments, the method further includes detecting the anomaly upon determining a number of features deviating from feature baselines exceed a feature threshold. In some embodiments, the method further includes suppressing an alert upon determining a number of features deviating from feature baselines is below a feature threshold. 
In some embodiments, the z-score is a directionality magnitude z-score. In some embodiments, generating the z-score includes performing a logarithmic transformation on the network metadata. 
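The detection steps recited in claim 1 and summarized above, as an added Python illustration that is not part of the office action or of the applicant's own code. The log-ratio form of the directionality magnitude, the +1 smoothing, the use of total byte count as the z-scored feature, the thresholds, the constructed history and the quarantine hook are all assumptions made for this example.

```python
import math
from statistics import mean, pstdev


def directionality_magnitude(bytes_sent, bytes_received):
    """Signed ratio-based measure of traffic direction for one host.

    Positive when the host sends more than it receives, negative when it
    receives more. Taking the log of the ratio is an assumed concrete form;
    the +1 smoothing keeps the ratio defined when a counter is zero.
    """
    return math.log((bytes_sent + 1) / (bytes_received + 1))


def log_zscore(current, history):
    """z-score of log1p(current) against log1p of earlier observations."""
    logs = [math.log1p(v) for v in history]
    mu, sd = mean(logs), pstdev(logs)
    cur = math.log1p(current)
    if sd == 0.0:  # flat history: any change is infinitely surprising
        return 0.0 if cur == mu else math.inf
    return (cur - mu) / sd


def detect_anomaly(sent, received, history, z_threshold=3.0, dir_tolerance=1.0):
    """Claim-1 style test: anomaly only when BOTH conditions hold."""
    baseline_dir = mean(directionality_magnitude(s, r) for s, r in history)
    z = log_zscore(sent + received, [s + r for s, r in history])
    d = directionality_magnitude(sent, received)
    return {
        "z": z,
        "directionality": d,
        "baseline": baseline_dir,
        "anomaly": z > z_threshold and abs(d - baseline_dir) > dir_tolerance,
    }


def quarantine_host(host):
    """Placeholder mitigation hook (assumed); a real one would call the NAC/firewall."""
    return f"quarantine requested for {host}"


# Constructed history: 30 prior windows of a client-like host that receives
# roughly ten times what it sends, as (bytes_sent, bytes_received).
HISTORY = [(40_000 + 700 * i, 400_000 + 7_000 * i) for i in range(30)]

if __name__ == "__main__":
    for label, sent, recv in [("normal", 50_000, 500_000),
                              ("big download", 5_000_000, 50_000_000),
                              ("direction flip", 50_000_000, 500_000)]:
        verdict = detect_anomaly(sent, recv, HISTORY)
        print(label, verdict)
        if verdict["anomaly"]:
            print(quarantine_host("host-constructed"))
```

Only the third scenario trips the detector: the second has a large z-score but keeps the host's usual inbound-heavy directionality, which is the conjunction the claim recites.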
The closest prior art references, Kashyap et al. ("Kashyap," US 7860006), Rathod et al. ("Rathod," US 20160241576) and Aiello ("Aiello," US 20060190998), are generally directed to various aspects of a system/method for detecting network anomalies. 
However, none of Kashyap, Rathod or Aiello, alone or in combination, teaches the particular combination of steps or elements as recited in independent claim 1. For example, these references fail to teach all limitations recited in claim 1 as a whole, especially "A method comprising: performing, by a computing system implemented by one or more processors configured to execute instructions stored on a memory: receiving network metadata of a network comprising: a number of bytes sent from a host device in the network, and a number of bytes sent to the host device; calculating a directionality magnitude based on a ratio between the number of bytes sent from the host device and the number of bytes received by the host device, wherein the directionality magnitude is positive or negative depending on whether more bytes are sent or received by the host device; generating a z-score based on the network metadata and previously received network metadata that was received before the network metadata, wherein generating the z-score includes performing a logarithmic transformation on the network metadata; detecting that an anomaly exists on the network based at least on the z-score exceeding a z-score threshold and the directionality magnitude deviating from a baseline directionality magnitude; and performing at least one mitigation procedure to mitigate the anomaly upon detecting that the anomaly exists."
These features, in light of the other features described in independent claim 1, are allowable over the prior art of record. 
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance." 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EDWARD LONG whose telephone number is (571)272-8961.  The examiner can normally be reached on Monday to Friday, 9 AM - 6 PM EST (Alternate Fridays).
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 


/EDWARD LONG/
Examiner, Art Unit 2439


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439