Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
The present application is being examined under the pre-AIA first to invent provisions.
This office action is in response to the amendment filed on 06/03/2022. Claims 1, 8, and 15 have been amended.
Claims 1 – 3, 6 – 10, 13 – 17, and 20 – 23 are pending for consideration. 

Response to Arguments
Applicant's arguments filed on 06/03/2022 have been fully considered but they are moot in view of new grounds of rejection. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1 – 3, 6 – 10, 13 – 17, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kune et al. (US 2018/0007074) (hereafter Kune), in view of Bartos et al. (US 2019/0020663) (hereafter Bartos), and in view of Humphrey et al. (US 2019/0260782) (hereafter Humphrey).

Regarding claim 1 Kune teaches: A method implemented by an information handling system that includes a processor and a memory accessible by the processor, (Kune, in Para. [0013] discloses “The instructions can also cause the one or more data processors to store the plurality of samples as a data structure in a memory element coupled to the one or more data processors”),
the method comprising: receiving a set of actual hardware power consumption details pertaining to the use of a computer system at a first time (Kune, in Para. [0003] discloses “Installed external to the target device, the system can monitor the activity of the target device by analyzing side-channel phenomena such as, but not limited to, power consumption of the target device.” Kune, in Para. [0022] discloses “the server 104 may perform a classification analysis on the received feature samples, and responsive to detecting an anomaly temporarily request the full, original data signal (or a down sampled version thereof) from the monitoring device 102” Kune, in Para. [0020] discloses “The monitoring device 102 includes a sensor 116 that monitors the power consumption of the target device 108. The sensor 116 transmits the power consumption data to a microprocessor 118. The microprocessor 118 includes a signal processing module 120, a machine learning module 124, and a database 126.”);
receiving a set of software activity details pertaining to the use of the computer system at the first time (Kune, in Para. [0051] discloses “the machine learning module can detect periods of 60 Hz line activity that can correspond to the RAM scraping malware or the intermittent activity of other malware software.” Kune, in Para. [0036] discloses “the signal processing module 151 and the machine learning module 152 may be configured the same as or differently than the signal processing module 120 and the machine learning module 124.”),
[wherein the set of software activity details includes a set of processes running on the computer system at the first time and a number of input/output (I/O) packages transmitted at the first time;] (Bartos)
[training a machine learning (ML) system to determine expected hardware power consumption of the computer system, wherein the training utilizes ,] (Humphrey)
[wherein the different computer systems have substantially similar hardware configurations as the computer system, and wherein the external machine training data comprises a type of system, collected process data, and hardware power consumption data;] (Humphrey)
determining a set of expected hardware power consumption details based on the set of software activity details (Examiner note: expected power consumption is met by calculated power consumption) (Kune, in Para. [0008] discloses “The method can also include calculating an aggregate power consumption of the target device over the subset of the plurality of samples.”),
wherein the determining comprises: inputting, to the trained ML system, the set of software activity details pertaining to the use of the computer system at the first time; and receiving, from the trained ML system, the set of expected hardware power consumption details based on the set of software activity details (Examiner note: expected power consumption is met by calculated power consumption) (Kune, in Para. [0008] discloses “The method can also include calculating an aggregate power consumption of the target device over the subset of the plurality of samples.” Kune, in Para. [0003] discloses “the system can monitor the activity of the target device by analyzing side-channel phenomena such as, but not limited to, power consumption of the target device. Unlike traditional anti-virus software that may interfere with normal operations and require updates, side-channel analysis can be independent of the software running on the target device.”); comparing the set of actual hardware power consumption details to the set of expected hardware power consumption details (Kune, in Para. [0048] discloses “the machine learning module can switch into an online detection mode where incoming features are compared against the training set” Kune, in Para. [0051] discloses “Infected target devices should consume more power when compared to clean target devices because the malware is performing additional computational tasks that require additional power of the target device's processor.”);
[and in response to the comparison identifying one or more variances that exceed one or more thresholds,] (Bartos)
performing one or more threat responses (Examiner note: threat analysis/detection is met by anomalies analysis/detection) (Kune, in Para. [0033] discloses “The machine learning module 124 can include an anomaly detector that detects anomalies, by, for example, detecting when one or more features crosses a threshold.” Kune, in Para. [0039] discloses “Responsive to the server 104 detecting the calculated features of the low sampled data crossing a predetermined threshold, the server 104 can send a signal to the monitoring device 102”).
Kune fails to explicitly teach: wherein the set of software activity details includes a set of processes running on the computer system at the first time and a number of input/output (I/O) packages transmitted at the first time;
and in response to the comparison identifying one or more variances that exceed one or more thresholds
Bartos from the analogous technical field teaches: wherein the set of software activity details includes a set of processes running on the computer system at the first time and a number of input/output (I/O) packages transmitted at the first time; (Examiner note: the processes analysis running at the first time is met by traffic process analysis in terms of the first (second etc.) time series running within the windows 814a, and/or 816a-816c of Bartos) (Bartos, in Para. [0034] discloses “These software processors and/or services may comprise a traffic analysis process 248”. Bartos, in Para. [0084] discloses “the traffic analysis process may compare the characteristics from time window 814a of the first time series 812 to that of time windows 816a-816c from the other time series 812.”);
and in response to the comparison identifying one or more variances that exceed one or more thresholds (Bartos, in Para. [0036] discloses “traffic analysis process 248 may execute one or more machine learning-based classifiers to classify traffic in the network for any number of purposes. In one embodiment, traffic analysis process 248 may assess captured telemetry data regarding one or more traffic flows, to determine whether a given traffic flow or set of flows are caused by malware in the network” Bartos, in Para. [0036] further discloses “traffic analysis process 248 may classify the gathered telemetry data to detect other anomalous behaviors (e.g., malfunctioning devices, misconfigured devices, etc.), traffic pattern changes (e.g., a group of hosts begin sending significantly more or less traffic)”).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Kune, in view of the teaching of Bartos, which discloses network traffic analysis by a comparative technique using predefined thresholds, in order to achieve higher security against malware threats (Bartos, [0034, 0036, 0084]).
Kune, as modified by Bartos, fails to explicitly teach: training a machine learning (ML) system to determine expected hardware power consumption of the computer system, wherein the training utilizes training data pertaining to a machine training performed on one or more different computer systems,
wherein the different computer systems have substantially similar hardware configurations as the computer system, and wherein the external machine training data comprises a type of system, collected process data, and hardware power consumption data
Humphrey from the analogous technical field teaches: training a machine learning (ML) system to determine expected hardware power consumption of the computer system, wherein the training utilizes (Examiner note: utilizing external data sets for ML training is met by using different ML training models using both internal and external data sets) (Humphrey, in Para. [0033] discloses “one or more machine-learning models such as a first Artificial Intelligence model trained on characteristics of vectors for malicious activity and related data, a second Artificial Intelligence model trained on the characteristics of external hosts and the interaction of network entities with external hosts, a third Artificial Intelligence model trained on potential cyber threats, and one or more Artificial Intelligence models each trained on different users, devices, system activities and interactions between entities in the system” Humphrey, in Para. [0046] discloses “The researcher module is configured to assess the validity of the threat intelligence derived from the intelligent resources through a machine learning modelling of the value of the data and assign a confidence weighting to the external host information gathered from the intelligent resources”) performed on one or more different computer systems, wherein the different computer systems have substantially similar hardware configurations as the computer system, and wherein the external machine training data comprises a type of system, collected process data, (Examiner note: different computer systems having similar hardware configurations is met by the computational network of Humphrey consisting of different systems 10 and 40 having similar hardware configurations as depicted in Fig. 3) (Humphrey, in Para. [0082] discloses “The example network FIG. 3 illustrates a network of computer systems 50 using a threat detection system.” Humphrey, in Para. [0083] discloses “The LAN 6 of the first computer system 10 is connected to the Internet 20, which in turn provides computers 1, 2, 3 with access to a multitude of other computing devices including server 30 and second computer system 40. Second computer system 40 also includes two computers 41, 42, connected by a second LAN 43.”) and hardware power consumption data (Humphrey, in Para. [0047] discloses “The cyber threat module's configured cooperation with the autonomous response module, to cause one or more autonomous actions to be taken to contain the cyber threat, improves computing devices in the email system by limiting an impact of the cyber threat from consuming unauthorized CPU cycles, memory space, and power consumption in the computing devices via responding to the cyber threat without waiting for some human intervention.”).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Kune, as modified by Bartos, in view of the teaching of Humphrey which discloses training of machine learning system using both internal and external data sets/databases in order to improve efficiency of the machine learning in the system (Humphrey, [0033, 0046, 0047, 0083]).

Regarding claim 2 Kune, as modified by Bartos and Humphrey, teaches: The method of claim 1 wherein the set of actual hardware power consumption details include at least one reading from the set of details consisting of a temperature reading, a voltage reading, and an electrical current reading (Examiner note: temperature sensor is met by a plurality of sensors of the type 116) (Kune, in Para. [0024] discloses “the monitoring device 102 can include a plurality of sensors 116” Kune, in Para. [0024] discloses “The signal (e.g., the voltage signal) generated by the sensor 116 is received by the microprocessor 118 where the signal can be converted from an analog signal to a digital signal” Kune, in Para. [0024] discloses “The monitoring device 102 can include one or more sensors 116 that can detect and monitor the current flowing between the female connector 112 and the male connector 114, and thus the power consumption of the target device 108.”),
Kune fails to explicitly teach: and wherein the set of software activity details further include at least one detail from the set of details consisting of a plurality of process identifications corresponding to a plurality of processes running on the computer system at the first time, a CPU usage at the first time, a memory usage at the first time, and a number of ports used at the first time.
Bartos from the analogous technical field teaches: and wherein the set of software activity details further include at least one detail from the set of details consisting of a plurality of process identifications corresponding to a plurality of processes (Bartos, in Para. [0032] discloses “Device 200 comprises one or more network interfaces 210, one or more processors 220”. Bartos, in Para. [0034] discloses “The memory 240 comprises a plurality of storage locations that are addressable by the processor(s) 220”), running on the computer system at the first time, a CPU usage at the first time, a memory usage at the first time, and a number of ports used at the first time (Examiner note: as noted above, the processes analysis running at the first time is met by traffic process analysis in terms of the first (second etc.) time series running within the windows 814a, and/or 816a-816c of Bartos) (Bartos, in Para. [0034] discloses “These software processors and/or services may comprise a traffic analysis process 248”. Bartos, in Para. [0084] discloses “the traffic analysis process may compare the characteristics from time window 814a of the first time series 812 to that of time windows 816a-816c from the other time series 812.”).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Kune, in view of the teaching of Bartos and Humphrey, which discloses a plurality of running processes and relevant storage locations management, as well as network traffic analysis by a comparative technique using predefined thresholds, in order to improve data processing and storage, as well as to achieve higher security against malware threats in the system (Bartos, [0032, 0034, 0084]).

Regarding claim 3 Kune, as modified by Bartos and Humphrey, teaches: The method of claim 1 further comprising: further training the machine learning (ML) system with a plurality of instances of actual software activity details and a plurality of resulting actual hardware power consumption details corresponding to each of the instances (Examiner note: power consumption corresponding to the plurality of executable software instances is met by the power consumption corresponding to the plurality of samples, i.e. executable instructions running on the target devices) (Kune, in Para. [0005] discloses “Each of the plurality of samples represent a power consumption level of a target device at a given time.” Kune, in Para. [0043] discloses “Each of the samples represent a power consumption level of a target device at a given time. The target device can be a computer or other device capable of executing processor executable instructions” Kune, in Para. [0048] discloses “the machine learning module is trained with a set of known "clean data" on site (for the anomaly detection) after being connected to the target device and a set of known malware behavior (for the classifier) prior to being connected to the target device.” Kune, in Para. [0020] discloses “The monitoring device 102 includes a sensor 116 that monitors the power consumption of the target device 108. The sensor 116 transmits the power consumption data to a microprocessor 118. The microprocessor 118 includes a signal processing module 120, a machine learning module 124, and a database 126.”);

Regarding claim 6 Kune, as modified by Bartos and Humphrey, teaches: The method of claim 1 wherein the set of software activity details includes a set of system data and a set of process data, wherein the process data is collected for each of the processes running on the computer system during the time period (Kune, in Para. [0036] discloses “the machine learning module 152 may be configured to receive data from a plurality of monitoring devices 102 and make classifications based on the data from the plurality of monitoring devices 102 while the signal processing module 120 and the machine learning module 124 may be configured to only process data generated by the monitoring device 102.”).

Regarding claim 7 Kune, as modified by Bartos and Humphrey, teaches: The method of claim 6 wherein the period of time is one of a plurality of periods of time that occur on a predetermined interval, wherein the set of system data includes an operating system version, an operating system level, a set of operating system applied patches, (Kune, in Para. [0063] discloses “The various methods or processes outlined herein may be coded as software that is executable on one or more processors that employ any one of a variety of operating systems or platforms.”) a processor age, a processor vendor, a processor type, and wherein the process data collected for each process running on the computer system (Kune, in Para. [0010] discloses “The one or more data processors are also configured to store the plurality of samples as a data structure in a memory element that is coupled to the one or more data processors.”) includes a processor usage, a number of threads, a memory usage, and a set of port usage information (Examiner note: operations at predetermined time periods for processor analysis are met by the operations of signal processing module comprising the time domain analysis; the processor, memory, ports, i.e. input/output unit usage are met by the execution of samples, i.e. data structures by processors, memories, and ports) (Kune, in Para. [0005] discloses “The method also includes storing, by the one or more data processors, the plurality of samples as a data structure in a memory element coupled to the one or more data processors.” Kune, in Para. [0013] discloses “The instructions can also cause the one or more data processors to store the plurality of samples as a data structure in a memory element coupled to the one or more data processors.” Kune, in Para. [0030] discloses “The time domain and frequency features calculated by the signal processing module 120 can include, but are not limited to, root mean square, minimums, maximums, means, variance, skew, Kurtosis, discrete Fourier transforms (DFT), and interquartile interval.” Kune, in Para. [0049] discloses “the machine learning module may wait and classify signals representing predetermined amounts of time.” Kune, in Para. [0063] discloses “The various methods or processes outlined herein may be coded as software that is executable on one or more processors that employ any one of a variety of operating systems or platforms.”).

Regarding claim 8, claim 8 discloses a system that is substantially equivalent to the method of claim 1. Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 8 and rejected for the same reasons.

Regarding claim 9, claim 9 dependent on claim 8, discloses a system that is substantially equivalent to the method of claim 2 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 2 are equally applicable to claim 9 and rejected for the same reasons.

Regarding claim 10, claim 10 dependent on claim 8, discloses a system that is substantially equivalent to the method of claim 3 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 3 are equally applicable to claim 10 and rejected for the same reasons.

Regarding claim 13, claim 13 dependent on claim 8, discloses a system that is substantially equivalent to the method of claim 6 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 6 are equally applicable to claim 13 and rejected for the same reasons.

Regarding claim 14, claim 14 dependent on claim 13, discloses a system that is substantially equivalent to the method of claim 7 dependent on claim 6. Therefore, the arguments set forth above with respect to claim 7 are equally applicable to claim 14 and rejected for the same reasons.

Regarding claim 15, claim 15 discloses a computer program product that is substantially equivalent to the method and system of claims 1 and 8. Therefore, the arguments set forth above with respect to claims 1 and 8 are equally applicable to claim 15 and rejected for the same reasons.

Regarding claim 16, claim 16 dependent on claim 15, discloses a product that is substantially equivalent to the method of claim 2 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 2 are equally applicable to claim 16 and rejected for the same reasons.

Regarding claim 17, claim 17 dependent on claim 15, discloses a product that is substantially equivalent to the method of claim 3 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 3 are equally applicable to claim 17 and rejected for the same reasons.

Regarding claim 20, claim 20 dependent on claim 15, discloses a product that is substantially equivalent to the method of claim 7 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 7 are equally applicable to claim 20 and rejected for the same reasons.

Claims 21 – 23 are rejected under 35 U.S.C. 103 as being unpatentable over Kune et al. (US 2018/0007074) (hereafter Kune), in view of Bartos et al. (US 2019/0020663) (hereafter Bartos), in view of Humphrey et al. (US 2019/0260782) (hereafter Humphrey), and in view of Parker et al. (US 10907940) (hereafter Parker).

Regarding claim 21, Kune, as modified by Humphrey, fails to explicitly teach: The method of claim 1 further comprising: determining that the number of I/O packages transmitted at the first time represents an increase in outgoing network traffic as compared with a previous number of I/O packages transmitted during a previous time period; 
Bartos from the analogous technical field teaches: The method of claim 1 further comprising: determining that the number of I/O packages transmitted at the first time represents an increase in outgoing network traffic as compared with a previous number of I/O packages transmitted during a previous time period; (Bartos, in Para. [0036] discloses “traffic analysis process 248 may execute one or more machine learning-based classifiers to classify traffic in the network for any number of purposes. In one embodiment, traffic analysis process 248 may assess captured telemetry data regarding one or more traffic flows, to determine whether a given traffic flow or set of flows are caused by malware in the network” Bartos, in Para. [0036] further discloses “traffic analysis process 248 may classify the gathered telemetry data to detect other anomalous behaviors (e.g., malfunctioning devices, misconfigured devices, etc.), traffic pattern changes (e.g., a group of hosts begin sending significantly more or less traffic)” Bartos, in Para. [0034] discloses “These software processors and/or services may comprise a traffic analysis process 248”. Bartos, in Para. [0084] discloses “the traffic analysis process may compare the characteristics from time window 814a of the first time series 812 to that of time windows 816a-816c from the other time series 812.”).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Kune, as modified by Humphrey, in view of the teaching of Bartos, which discloses network traffic analysis by a comparative technique using predefined thresholds, in order to achieve higher security against malware threats (Bartos, [0034, 0036, 0084]).
Kune, as modified by Bartos and Humphrey, fails to explicitly teach: and wherein the performing the one or more threat responses is further based on the determining the increase in outgoing network traffic.
Parker from the analogous technical field teaches: and wherein the performing the one or more threat responses is further based on the determining the increase in outgoing network traffic (Examiner note: input/output threat analysis based on signal/network traffic is met by threat assessment based on inputs/outputs analysis from different sensors) (Parker, in col. 21, ll. 6-10 discloses “FIG. 6 shows an example non-limiting sensor fusion and threat assessment process performed by sensor fusion processor 32. In the example non-limiting embodiment, sensor fusion processor 32 receives and processes the inputs of many different sensors” Parker, in col. 24, ll. 9-12 discloses “Threat Value data output may be input to the Threat Assessment algorithm, which applies machine learning protocols and algorithms to develop the Threat Assessment”).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Kune, as modified by Bartos and Humphrey, in view of the teaching of Parker, which discloses threat assessment based on analysis of input/output signal/traffic from different sensors, in order to improve system security with respect to external threats (Parker, col. 21, ll. 6-10, col. 24, ll. 9-12).

Regarding claim 22, claim 22 dependent on claim 8, discloses a system that is substantially equivalent to the method of claim 21 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 21 are equally applicable to claim 22 and rejected for the same reasons.

Regarding claim 23, claim 23 dependent on claim 15, discloses a product that is substantially equivalent to the method of claim 21 dependent on claim 1. Therefore, the arguments set forth above with respect to claim 21 are equally applicable to claim 23 and rejected for the same reasons.

Conclusion
The prior art made of record and not relied upon, considered pertinent to applicant's disclosure, is listed on the enclosed PTO-892 form: Sridhara (US 20160337390), Chen (US 20170046510), Vasseur (20170279833).
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VLADIMIR IVANOVICH GAVRILENKO whose telephone number is (313) 446-6530.  The examiner can normally be reached on Monday-Friday 7:30-4:30 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Vladimir I. Gavrilenko/Examiner, Art Unit 2431   

/TRANG T DOAN/Primary Examiner, Art Unit 2431