DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application is being examined under the first inventor to file provisions of the AIA . 

Applicant(s) Response to Office Action
The response filed on 7/29/2022 has been entered and made of record.

Response to Amendment/Remarks
Claims 1, 2, 9, and 16 have been amended.  Claims 1-20 remain pending in the application.

Applicant's remarks and/or amendments to claims have overcome each and every claim objection and claim rejection under 35 U.S.C. 112(b) previously set forth.  Accordingly, said claim rejections as articulated therein are withdrawn.

Applicant’s remarks have been fully considered and are, most respectfully, incorrect.  First, the claims were rejected under “AIA”, not “pre-AIA”.  Second, if the applicant’s remarks were directed to AIA portions of the MPEP, they would still be incorrect.
The filing date of the instant application is 7/9/2020.  There are no provisional or parent applications for this case.  The publication date of the reference Lin et al. (US 2020/0028862 A1) is 1/23/2020, which is before the filing date.  Therefore, in AIA, the reference qualifies as prior art under AIA 35 USC 102(A)(1).  Respectfully, in pre-AIA analysis, this would be similar to pre-AIA 35 USC 102(a).
Next, the instant application and the reference application have no common inventors at all.  The instant application and the reference have a common applicant of IBM, succinctly.
	In AIA, there are 5 exceptions to overcoming a reference on the basis of having common inventors or ownership. The only one which allows the applicant to overcome a reference on the basis of having a similar applicant is 102(B)(2)(C).  However, 102(B)(2)(C) can only be meaningfully invoked when the reference is only available as prior art under AIA 35 USC 102(A)(2) (i.e., similar to pre-AIA 102(e)), which it is not.  It is also available as prior art under AIA 35 USC 102(A)(1) as described above.
	Thus, even if the applicant had invoked the correct portions of the MPEP, the reference would still stand.  The applicant makes no remarks as to any alleged deficiencies of the references based on their content, and therefore the claims remain rejected on the previous grounds of rejection.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 3-6, 8, 10-13, 15, and 17-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Lin et al. (US 2020/0028862 A1), in view of Schneider et al. (US 2016/0103702 A1). 
Regarding claims 1, 8, and 15, Lin teaches:
“A computer-implemented method for analyzing data in a security threat to determine a threat (Lin, ¶ 28-31 teaches a processor, memory, bus and non-transitory computer readable medium for storing, transmitting and executing the method steps), comprising:
	capturing security data related a security incident as to actions performed by one or more users (Lin, ¶ 78 makes reference to user behavior analysis system 600 which further makes reference to Lin Figs. 3-4 and ¶ 35.  These figures depict and describe the system ingesting packet information to distributed database 306 analogous to data server 608 of Fig. 6 related to user behavior indicative of malicious activities);
	creating individual tasks related to each captured data (Lin, Fig. 7, ¶ 78-80, each sequential time interval of information is broken up into use cases), configured to be an analytic task and a transfer task (Lin, Fig. 7, ¶ 78-80 depicts time series data broken up moved through workflow both transferring through the machine learning system and being analyzed);
	registering each individual task to a workflow for executing particular tasks (Lin, Fig. 7, U1 through Uk, ¶ 78-80, each sequential time interval of information is broken up into use cases), wherein the workflow is selected based on the captured security data (Lin, ¶ 80, the use cases take the packet information representing user behavior and security anomalies); and
	executing the workflow (Lin, ¶ 78-80, the system executes the check on the user behavior data), wherein the workflow includes:
		transporting the security data from an origin location to a machine learning destination (Lin, Figs. 6-7, ¶ 78-80, data is transported from user behavior analysis system to distributed machine learning system);
		performing machine learning analytics on the security data to determine a threat (Lin, Fig. 7, analytic 1 through analytic K, ¶ 78-80, the distributed machine learning system analyzes the time series of information);
		transporting, upon determining the threat, the threat to the origin location (Lin, Figs. 6-7, ¶ 79-81, suspicious activities are reported to security analysts); and
		visualizing the threat (Lin, Figs. 3 and 6, ¶ 35 and 80, suspicious activities are reported to security analyst using console 308 analogous to user interface 610 of Fig. 6)”.
Lin does not, but in related art, Schneider teaches:
“the individual task being a container (Schneider, Fig. 6, ¶ 74-78 depicts and describes the process of breaking individual tasks as logical containers)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Lin and Schneider, to modify the distributed machine learning anomaly detection system of Lin to include the representation of tasks as logical containers as taught in Schneider.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.

Regarding claims 3, 10, and 17, Lin in view of Schneider teaches:
“The method of claim 1 (Lin in view of Schneider teaches the limitations of the parent claim as discussed above) further comprising providing the individual tasks to be reused (Lin, Figs. 6-7, ¶ 78-80, data is transported from user behavior analysis system to distributed machine learning system which has separate models for different use cases as they occur)”.

Regarding claims 4, 11, and 18, Lin in view of Schneider teaches:
“The method of claim 1 (Lin in view of Schneider teaches the limitations of the parent claim as discussed above), wherein the tasks are specific to a platform and providing platforms for the tasks to run on when executing the workflow (Lin, ¶ 80, the use cases take the packet information representing user behavior and security anomalies such as outbound transfer attempts and IP addresses)”.

Regarding claims 5, 12, and 19, Lin in view of Schneider teaches:
“The method of claim 1 (Lin in view of Schneider teaches the limitations of the parent claim as discussed above), wherein the executing the workflow comprises performing analysis of the tasks and the analysis is shared between a cloud computing system and an edge device (Lin, Fig. 8, ¶ 83-85, local first tier analysis is passed to second tier analysis in the cloud computing environment for further insights whose results are then shared back to the local machine)”.

Regarding claims 6 and 13, Lin in view of Schneider teaches:
“The method of claim 1 (Lin in view of Schneider teaches the limitations of the parent claim as discussed above), wherein the executing further comprises performing machine learning analytics on the captured data (Lin, Fig. 7, analytic 1 through analytic K, ¶ 78-80, the distributed machine learning system analyzes the time series of information)”.

Claim(s) 2, 9, and 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Lin, in view of Schneider, in view of Koottayi et al. (US 2018/0288063 A1). 
Regarding claims 2, 9, and 16, Lin in view of Schneider teaches:
“The method of claim 1 (Lin in view of Schneider teaches the limitations of the parent claim as discussed above)”.
Lin in view of Schneider does not, but in related art, Koottayi teaches:
“wherein the captured data relates to a security incident or threat and formatted as Structured Threat Information eXpression data (Koottayi, ¶ 107 teaches threat information formatted as STIX data)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Lin, Koottayi, and Schneider, to modify the distributed machine learning anomaly detection system of Lin and Schneider to include the representation of threat data in the STIX format as taught in Koottayi.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.

Claim(s) 7, 14, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Lin, in view of Schneider, in view of Mangalore et al. (US 2012/0131339 A1).
Regarding claims 7, 14, and 20, Lin in view of Schneider teaches:
“The method of claim 1 (Lin in view of Schneider teaches the limitations of the parent claim as discussed above), further comprising providing an interactive analysis (Lin, Figs. 3 and 6, ¶ 35 and 80, suspicious activities are reported to security analyst using console 308 analogous to user interface 610 of Fig. 6)”.
Lin in view of Schneider does not, but in related art, Mangalore teaches:
“for data frame as a service (Mangalore, ¶ 74 teaches interactive display for a frame of data)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Lin, Mangalore, and Schneider, to modify the distributed machine learning anomaly detection system of Lin and Schneider to include the representation of threat data as an interactive service for a frame of data as taught in Mangalore.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.

Conclusion
THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
 	A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to STEPHEN GUNDRY whose telephone number is (571)270-0507 and can normally be reached on Monday - Friday 8:30 AM - 5PM EST.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.
/STEPHEN T GUNDRY/Examiner, Art Unit 2435  

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435