DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 03/09/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Objections
Claims 2 and 5 are objected to because of the following informalities: 
Claim 2 recites “communication protocol a message source” on line 4, which appears to be a typo for “communication protocol message source”.  
Claim 5 does not end with a period (“.”). 
Appropriate correction is required.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-4, 7-12, and 17-23 are rejected under 35 U.S.C. 102(a)(1) and 35 U.S.C. 102(a)(2) as being anticipated by Vasseur et al. (U.S. Patent Application Publication No. 2017/0279833, hereinafter “Vasseur”).

Claim 1:
Vasseur discloses a method comprising:
receiving, by a processing device executing a wide area network (WAN) accessible service (“SCA”), network communication data from a plurality of devices (§ 0050, Lines 10-12; Distributed learning agents (DLAs) monitor network conditions such as router states, traffic flows, etc.) communicating with the WAN accessible service (§ 0014, Lines 10-12; WANs typically connect geographically dispersed nodes over long-distance communications links) (§ 0025, Lines 3-11; Also see Fig. 1B; Network backbone 130 provides connectivity between devices located in different geographical areas and/or different types of local networks.  Local networks 160-162 and data center/cloud environment 150 may be located in different geographical locations) (§ 0050, Lines 15-21; A supervisory and control agent (SCA) coordinates the deployment and configuration of DLAs, receives information from the DLAs, and provides information regarding a detected anomaly to a user interface);
identifying a set of candidate devices (“DLAs”) from the plurality of devices communicating with the WAN accessible service, wherein the set of candidate devices are associated with a same device type (§ 0054, Lines 1-3; Routers CE-2 and CE-3 are configured as distributed learning agents (DLAs) and server 152 is configured as a supervisory and control agent (SCA));
determining, in view of the received network communication data for the set of candidate devices, one or more network communication anomaly conditions that indicate abnormal network communication traffic for the device type associated with the set of candidate devices (§ 0080, Lines 10-17; Such traffic may be characterized by a source/destination IP address, additional partner flows, duration and packet timing information, port information, or information specific to the IP protocol involved.  The traffic may also be characterized by device classification information about all the sources and destinations, such as from external providers (e.g., ISE or machine learning based clustering));
selecting a candidate device from the set of candidate devices to receive the one or more network communication anomaly conditions and providing the network communication anomaly conditions to the selected candidate device to cause the candidate device to monitor for the one or more network communication anomaly conditions (§ 0081, Lines 1-4; In response to receiving the traffic data associated with the raised anomaly, SCA 502 trains the classifier to distinguish between legitimate and illegitimate scans) (§ 0083, Lines 1-3; Once the SCA has trained the scanning classifier, the SCA deploys the classifier to any or all of DLAs 400a-400n).

Claim 2:
Vasseur further discloses wherein the one or more network communication anomaly conditions are associated with at least one of a communication protocol message format, a communication protocol message content, a communication protocol message size, communication protocol message source, a communication protocol message destination, a communication protocol message sequence, or a networking traffic level (§ 0080, Lines 10-17; Such traffic may be characterized by a source/destination IP address, additional partner flows, duration and packet timing information, port information, or information specific to the IP protocol involved.  The traffic may also be characterized by device classification information about all the sources and destinations, such as from external providers (e.g., ISE or machine learning based clustering)).

Claim 3:
Vasseur further discloses wherein determining the network communication anomaly conditions further comprises:
analyzing the network communication data for the set of candidate devices (§ 0080, Lines 10-17; Such traffic may be characterized by a source/destination IP address, additional partner flows, duration and packet timing information, port information, or information specific to the IP protocol involved.  The traffic may also be characterized by device classification information about all the sources and destinations, such as from external providers (e.g., ISE or machine learning based clustering));
identifying a network communication functionality performed by the candidate devices (See citation above.  The traffic may also be characterized by device classification information about all the sources and destinations, such as from external providers (e.g., ISE or machine learning based clustering));
determining a sequence of networking messages associated with the network communication functionality (See citation above.  Such traffic may be characterized by additional partner flows); and
determining one or more one message attributes associated with each networking message of the sequence of networking messages that indicate normal network communication traffic for the network communication functionality (Abstract, Lines 4-7; The device receives labeled traffic data associated with a detected anomaly that identifies whether the traffic data is associated with legitimate or illegitimate scanning activity).

Claim 4:
Vasseur further discloses:
performing clustering on the network communication data to divide the network communication data into a first subset indicative of normal network communication traffic (“legitimate”) for the communication functionality and a second subset indicative of abnormal network communication traffic (“illegitimate”) for the communication functionality (§ 0080, Lines 13-17; The traffic may be characterized by device classification information about all the sources and destinations, such as from external providers (e.g., ISE or machine learning based clustering)) (Abstract, Lines 4-7; The device receives labeled traffic data associated with a detected anomaly that identifies whether the traffic data is associated with legitimate or illegitimate scanning activity);
determining one or more normal network communication conditions for the first subset and one or more abnormal network communication conditions for the second subset based on a result of the clustering (§ 0047, Lines 3-5; Clustering is a family of (machine learning) techniques that seek to group data according to some typically predefined notion of similarity); and
generating a machine learning model trained to classify between the normal network communications and the abnormal network communications (See citation above).

Claim 7:
Vasseur further discloses wherein the candidate device is an internet of things (IoT) device comprising an embedded system (§ 0031, Lines 9-11; The device 200 may be any other suitable type of device depending upon the type of network architecture in place, such as IoT nodes), and wherein the embedded system monitors for anomaly network communication conditions using the network communication anomaly conditions (§ 0059, Lines 1-5; DLA 400 may execute a Network Sensing Component (NSC) 416 that is a passive sensing construct used to collect a variety of traffic record inputs 426 to assist in detecting network anomalies).

Claim 8:
Vasseur further discloses wherein providing the network communication anomaly conditions to the selected candidate device further comprises:
sending the network communication anomaly conditions to the selected candidate device (§ 0083, Lines 1-3; Once the SCA has trained the scanning classifier, the SCA deploys the classifier to any or all of DLAs 400a-400n).

Claim 9:
Vasseur further discloses wherein providing the network communication anomaly conditions to the selected candidate device further comprises: 
sending a notification to the selected candidate device to cause the selected candidate device to retrieve the network communication anomaly conditions from the WAN accessible service (§ 0083, Lines 6-10; SCA 502 may send message 610 to DLA 400a that detected the anomaly or may broadcast/multicast message 610 to any or all of the DLAs 400a-400n, thus updating their classifier to reflect the newly added legitimate scanning).

Claim 10:
Vasseur discloses a method comprising:
receiving, by a computing device, one or more network communication anomaly conditions that indicate abnormal network communication traffic for a class of devices (§ 0054, Lines 1-3; Routers CE-2 and CE-3 are configured as distributed learning agents (DLAs) and server 152 is configured as a supervisory and control agent (SCA)) associated with the computing device (§ 0050, Lines 15-21; A supervisory and control agent (SCA) coordinates the deployment and configuration of DLAs, receives information from the DLAs, and provides information regarding a detected anomaly to a user interface);
monitoring network communication data of the computing device (§ 0050, Lines 10-12; Distributed learning agents (DLAs) monitor network conditions such as router states, traffic flows, etc.);
determining whether the network communication data of the computing device satisfies the one or more network communication anomaly conditions (§ 0080, Lines 10-17; Such traffic may be characterized by a source/destination IP address, additional partner flows, duration and packet timing information, port information, or information specific to the IP protocol involved.  The traffic may also be characterized by device classification information about all the sources and destinations, such as from external providers (e.g., ISE or machine learning based clustering)); and
responsive to determining that the network communication data of the computing device satisfies the one or more network communication anomaly conditions, performing, by the computing device, an anomaly detection operation for the computing device (§ 0083, Lines 10-13; Based on the results of the updated classifier, any of the receiving DLAs 400a-400n may suppress detected anomalies that are classified as being associated with legitimate scanning activity.  Conversely, the receiving DLAs 400a-400n may output detected anomalies that are classified as being associated with illegitimate scanning activity). 

Claim 11:
Vasseur further discloses wherein performing the anomaly detection operation further comprises:
determining that the network communication data of the computing device indicates at least one of a network communication message directed to an unauthorized communication source, a network communication message directed to an authorized communication source that comprises content that is significantly different from an expected content, or a network communication message sequence directed to an authorized communication source that is significantly different from an expected network communication message sequence (§ 0039, Lines 1-4; The presence of malware using unknown attack patterns may lead to modifying the behavior of a host in terms of traffic patterns, graphs structure, etc.); and
generating an alert indicating a computing device based anomaly (§ 0050, Line 14; Report detected anomalies to the SCA).

Claim 12:
Vasseur further discloses wherein performing the anomaly detection operation further comprises:
determining that the network communication data of the computing device indicates at least one of an attempt to control the computing device from an unauthorized communication source, a network communication message from an authorized communication source that comprises content that is significantly different from an expected content, or a network communication message sequence from an authorized communication source that is significantly different from an expected network communication message sequence (§ 0039, Lines 1-4; The presence of malware using unknown attack patterns may lead to modifying the behavior of a host in terms of traffic patterns, graphs structure, etc.); and
generating an alert indicating a server based anomaly (§ 0050, Line 14; Report detected anomalies to the SCA).

Claim 17:
Vasseur further discloses:
receiving a notification from a WAN accessible service that indicates that the one or more network communication anomaly conditions are available for the computing device and retrieving the one or more network communication anomaly conditions from the WAN accessible service (§ 0083, Lines 6-10; SCA 502 may send message 610 to DLA 400a that detected the anomaly or may broadcast/multicast message 610 to any or all of the DLAs 400a-400n, thus updating their classifier to reflect the newly added legitimate scanning); and
storing the one or more network communication anomaly conditions in a memory of the computing device (See citation above.  DLAs 400a-400n receive the classifier).

Claim 18:
Vasseur further discloses wherein the computing device is an internet of things (IoT) device comprising an embedded system (§ 0083, Lines 1-3; Once the SCA has trained the scanning classifier, the SCA deploys the classifier to any or all of DLAs 400a-400n).

Claim 19:
Vasseur discloses a system comprising: 
a server computing device (§ 0031, Line 5; Servers 152-154) comprising: 
a memory (§ 0031, Lines 11-14; Device 200 comprises a memory 240); and 
a processing device operatively coupled to the memory (§ 0031, Lines 11-14; Device 200 comprises one or more processors 220 and a memory 240 interconnected by a system bus 250), the processing device to: 
receive network communication data from a plurality of devices (§ 0050, Lines 10-12; Distributed learning agents (DLAs) monitor network conditions such as router states, traffic flows, etc.) communicating with a wide area network (WAN) accessible service (§ 0014, Lines 10-12; WANs typically connect geographically dispersed nodes over long-distance communications links) (§ 0025, Lines 3-11; Also see Fig. 1B; Network backbone 130 provides connectivity between devices located in different geographical areas and/or different types of local networks.  Local networks 160-162 and data center/cloud environment 150 may be located in different geographical locations) (§ 0050, Lines 15-21; A supervisory and control agent (SCA) coordinates the deployment and configuration of DLAs, receives information from the DLAs, and provides information regarding a detected anomaly to a user interface); 
identify a set of candidate devices from the plurality of devices communicating with the WAN accessible service (“SCA”), wherein the set of candidate devices are associated with a same device type (“router”) (§ 0054, Lines 1-3; Routers CE-2 and CE-3 are configured as distributed learning agents (DLAs) and server 152 is configured as a supervisory and control agent (SCA));
generate a training dataset comprising the network communication data associated with the set of candidate devices (§ 0074, Lines 1-5; SCA executes a classification computation engine (CCE) 508 configured to interface with DLA 400 and UI process 510 to train and deploy classifiers that distinguish between legitimate and illegitimate scanning activities); 
train a machine learning model using the training dataset (§ 0081, Lines 1-4; In response to receiving the traffic data associated with the raised anomaly, SCA 502 trains the classifier to distinguish between legitimate and illegitimate scans), wherein the machine learning model is trained to process additional network communication data and to output an indication as to whether or not an anomaly is detected for the additional network communication data (§ 0083, Lines 10-13; Based on the results of the updated classifier, any of the receiving DLAs 400a-400n may suppress detected anomalies that are classified as being associated with legitimate scanning activity); and 
transmit the trained machine learning model to one or more devices in the set of candidate devices (§ 0083, Lines 1-3; Once the SCA has trained the scanning classifier, the SCA deploys the classifier to any or all of DLAs 400a-400n).

Claim 20:
Vasseur further discloses: 
a device from the set of candidate devices, the device comprising an additional memory and an additional processing device (§ 0054, Lines 1-3; Routers CE-2 and CE-3 are configured as distributed learning agents (DLAs) and server 152 is configured as a supervisory and control agent (SCA)), wherein the additional processing device is to:
receive the trained machine learning model (§ 0074, Lines 1-5; SCA executes a classification computation engine (CCE) 508 configured to interface with DLA 400 and UI process 510 to train and deploy classifiers that distinguish between legitimate and illegitimate scanning activities); 
store the trained machine learning model in the additional memory, monitor network communication data of the device, and input the network communication data of the device into the trained machine learning model, wherein the trained machine learning model is to generate an output indicating whether or not an anomaly is detected (§ 0083, Lines 10-13; Based on the results of the updated classifier, any of the receiving DLAs 400a-400n may suppress detected anomalies that are classified as being associated with legitimate scanning activity.  Conversely, the receiving DLAs 400a-400n may output detected anomalies that are classified as being associated with illegitimate scanning activity); and 
perform an action based on whether or not an anomaly is detected (§ 0064, Lines 1-3; DLA 400 may execute a Predictive Control Module (PCM) 406 that triggers relevant actions in light of the events detected by DLC 408).

Claim 21:
Vasseur further discloses wherein responsive to the trained machine learning model outputting an indication that an anomaly is detected (§ 0083, Lines 10-13; Based on the results of the updated classifier, any of the receiving DLAs 400a-400n may suppress detected anomalies that are classified as being associated with legitimate scanning activity.  Conversely, the receiving DLAs 400a-400n may output detected anomalies that are classified as being associated with illegitimate scanning activity), the additional processing device is further to perform an anomaly detection operation for the device (§ 0063, Lines 1-4; DLA 400 may include a threat intelligence processor (TIP) 404 that processes anomaly characteristics so as to further assess the relevancy of the anomaly).

Claim 22:
Vasseur further discloses wherein the processing device is further to:
receive additional network communication data from one or more devices in the set of candidate devices (§ 0081, Lines 1-4; In response to receiving the traffic data associated with the raised anomaly, SCA 502 trains the classifier to distinguish between legitimate and illegitimate scans);
retrain the machine learning model using the additional network communication data to generate an updated machine learning model (See citation above); and
transmit the updated machine learning model to the one or more devices in the set of candidate devices (§ 0083, Lines 1-3; Once the SCA has trained the scanning classifier, the SCA deploys the classifier to any or all of DLAs 400a-400n).

Claim 23:
Vasseur further discloses wherein the processing device is further to:
perform clustering on the network communication data to divide the network communication data into a first subset indicative of normal network communication traffic (“legitimate”) for a communication functionality and a second subset indicative of abnormal network communication traffic (“illegitimate”) for the communication functionality (§ 0080, Lines 13-17; The traffic may be characterized by device classification information about all the sources and destinations, such as from external providers (e.g., ISE or machine learning based clustering)) (Abstract, Lines 4-7; The device receives labeled traffic data associated with a detected anomaly that identifies whether the traffic data is associated with legitimate or illegitimate scanning activity); and
label (“group”) data items in the training dataset based on a result of the clustering (§ 0047, Lines 3-5; Clustering is a family of (machine learning) techniques that seek to group data according to some typically predefined notion of similarity);
wherein the machine learning model is an artificial neural network (§ 0046, Lines 7-13; Example machine learning techniques that may be used to construct and analyze the model include artificial neural networks).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claim(s) 5 is rejected under 35 U.S.C. 103 as being unpatentable over Vasseur et al. (U.S. Patent Application Publication No. 2017/0279833, hereinafter “Vasseur”) in view of Sharma et al. (U.S. Patent Application Publication No. 2020/0327371, hereinafter “Sharma”).

Claim 5:
Vasseur discloses the method as recited in claims 1, 3, and 4, wherein the network may be a low-power and lossy network (LLN) in which routers and their interconnects are constrained by processing power and/or energy (battery) (§ 0029, Lines 3-7).

Vasseur does not appear to disclose:
determining at least one of a power consumption requirement or a processing power requirement associated with the candidate device;
modifying the machine learning model in view of the at least one of the power consumption requirement or a processing power requirement; and
generating a simplified anomaly detection model for the device type associated with the set of candidate devices in view of the modified machine learning model. 

Sharma discloses a method for intelligent edge computing with machine learning capability comprising:
determining at least one of a power consumption requirement or a processing power requirement associated with the candidate device (§ 0011, Lines 3-6; Provide an edge computing platform with an executable machine learning model that has been adapted or “edge-ified” to operate within the constraints of the edge computing environment) (§ 0152, Lines 10-12; Edge computing platforms typically are resource constrained, especially in terms of compute power, local storage, and others);
modifying the machine learning model in view of the at least one of the power consumption requirement or a processing power requirement (See citation above.  The executable machine learning model is adapted to operate within the constraints of the edge computing environment); and
generating a simplified anomaly detection model for the device type associated with the set of candidate devices in view of the modified machine learning model (§ 0010, Lines 11-14; Machine learning applications are able to execute efficiently and effectively within IoT environments that have limited compute and storage resources available).

Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Vasseur’s anomaly detection model to take into account the device’s resources, as taught by Sharma, in order to successfully incorporate typical machine learning models at the edge (Sharma, § 0152, Lines 6-14; Typical ML models are developed with an assumption that essentially unlimited compute power will be available and thus few or no constraints are typically placed on model size and weights, which makes it difficult or impossible to successfully incorporate typical ML models at the edge.  Sharma seeks to address this by adapting ML models for execution at the edge, which typically have resource constraints). 

Claim(s) 6 is rejected under 35 U.S.C. 103 as being unpatentable over Vasseur et al. (U.S. Patent Application Publication No. 2017/0279833, hereinafter “Vasseur”) in view of Kopp et al. (U.S. Patent No. 10230747, hereinafter “Kopp”).

Claim 6:
Vasseur discloses the method as recited in claim 1, wherein machine learning models are generated and utilized to perform anomaly detection on monitored data (§ 0050, Lines 12-13). 

Vasseur does not appear to disclose generating a decision tree rule set comprising the one or more one message attributes associated with each networking message of the sequence of networking messages that indicate normal network communication traffic for the network communication functionality.

Kopp discloses generating a decision tree rule set comprising the one or more one message attributes associated with each networking message of the sequence of networking messages that indicate normal network communication traffic for the network communication functionality (Column 17, Lines 47-49 and 54-58; A security analysis system generates a binary decision tree allowing separating normal samples from anomalous samples.  One of the objectives in generating a binary decision tree is to derive rules for determining a minimal set of features that are indicative of an anomaly.  A minimal set of features that are indicative of an anomaly is a set of features that uniquely distinguishes one anomaly from non-anomalies). 

Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Vasseur’s machine learning models by integrating the use of Kopp’s decision trees because decision trees can be generated rapidly and with less data than other techniques, which means that anomalous samples can be evaluated without large amounts of data using less compute power, network resources, and memory (Kopp, Column 26, Lines 9-13). 

Claim(s) 13-16 are rejected under 35 U.S.C. 103 as being unpatentable over Vasseur et al. (U.S. Patent Application Publication No. 2017/0279833, hereinafter “Vasseur”) in view of Wilken et al. (U.S. Patent No. 7716737, hereinafter “Wilken”).

Claim 13:
Vasseur discloses the method as recited in claim 10, wherein performing the anomaly detection operation further comprises executing an instruction that performs at least one of disabling network communications for the computing device or powering down the computing device (§ 0065, Lines 7-11; NCC 418 may send mitigation instructions 422 to one or more nodes that instruct the receivers to reroute certain anomalous traffic, perform traffic shaping, drop or otherwise “black hole” the traffic, or take other mitigation steps). 

Vasseur does not appear to disclose wherein performing the anomaly detection operation further comprises:
determining a severity value of the determined network communication anomaly condition;
determining that the severity value satisfies a high severity threshold;
sending a notification to a wide area network (WAN) accessible service that indicates that a high severity anomaly condition has been detected.

Wilken discloses wherein performing the anomaly detection operation further comprises:
determining a severity value of the determined network communication anomaly condition (Column 10, Lines 1-8; Process 60 determines if incoming packet count is above a certain threshold to filter out new or low-traffic hosts that suddenly receive a low but still larger than normal amount of traffic.  If the condition is satisfied, then the process 60 increases the severity of the reported event);
determining that the severity value satisfies a high severity threshold (Column 26, Lines 35-36; Severity is bucketed into various categories such as low, medium, and high); and 
sending a notification to a wide area network (WAN) accessible service that indicates that a high severity anomaly condition has been detected (Column 10, Lines 8-10; Process 60 reports the event to the operator to reflect a high degree of certainty that this is a DoS attack).

Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Vasseur’s anomaly detection by integrating Wilken’s severity features in order to provide an operator/administrator with an aggregated view of network status (Wilken, Column 26, Lines 26-28). 

Claim 14:
Vasseur discloses the method as recited in claim 10. 

Vasseur does not appear to disclose wherein performing the anomaly detection operation further comprises:
determining a severity value of the determined network communication anomaly condition;
determining that the severity value does not satisfy a high severity threshold;
sending a notification to a wide area network (WAN) accessible service that indicates that a low severity anomaly condition has been detected.

Wilken discloses wherein performing the anomaly detection operation further comprises:
determining a severity value of the determined network communication anomaly condition (Column 10, Lines 1-8; Process 60 determines if incoming packet count is above a certain threshold to filter out new or low-traffic hosts that suddenly receive a low but still larger than normal amount of traffic.  If the condition is satisfied, then the process 60 increases the severity of the reported event);
determining that the severity value does not satisfy a high severity threshold (Column 26, Lines 35-36; Severity is bucketed into various categories such as low, medium, and high); and 
sending a notification to a wide area network (WAN) accessible service that indicates that a low severity anomaly condition has been detected (Column 14, Lines 59-60; There are a few rules that will decrease a likely event severity or make a potential event a non-event) (Column 26, Lines 30-34; The overview GUI 302 shows information such as indicating whether the events are new events and includes parametric information pertaining to the event such as Severity (where severity is bucketed into categories such as low, medium, and high), Date, Time, Duration, Type of event, Source, Destination, and Action Taken).

Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Vasseur’s anomaly detection by integrating Wilken’s severity features in order to provide an operator/administrator with an aggregated view of network status (Wilken, Column 26, Lines 26-28). 

Claim 15:
Vasseur discloses the method as recited in claim 10.

Vasseur does not appear to disclose:
monitoring a number of detected network communication anomaly conditions over a period of time;
determining that the number of detected network communication anomaly conditions satisfies a threshold; and
sending a request to a wide area network (WAN) accessible service for an update to the one or more network communication anomaly conditions.

Wilken discloses: 
monitoring a number of detected network communication anomaly conditions over a period of time (Column 12, Line 63 – Column 13, Line 1; If the number of ports used in the historical profile is considerably smaller than the current number of ports and the current number is greater than some lower-bound threshold, then the aggregator will record the anomaly and report a port scan);
determining that the number of detected network communication anomaly conditions satisfies a threshold (See citation above); and
sending a request to a wide area network (WAN) accessible service for an update to the one or more network communication anomaly conditions (Column 13, Lines 1-2; The reported severity varies as a function of the deviation from historical norm, which implies updating said historical norm).

Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Vasseur’s anomaly detection by integrating Wilken’s severity features in order to provide an operator/administrator with an aggregated view of network status (Wilken, Column 26, Lines 26-28). 

Claim 16:
Vasseur discloses the method as recited in claim 10.

Vasseur does not appear to disclose:
detecting a change to at least one of a hardware component of the computing device or a software component of the computing device; and
sending a request to a wide area network (WAN) accessible service for an update to the one or more network communication anomaly conditions in view of the change.

Wilken discloses: 
detecting a change to at least one of a hardware component of the computing device or a software component of the computing device (Column 14, Line 62 – Column 15, Line 3; Connection habits for hosts that have appeared on the network recently or are new will not be known and potential events with an associated severity may be detected and reported.  As such, the historical norm for these hosts will be determined as time passes); and
sending a request to a wide area network (WAN) accessible service for an update to the one or more network communication anomaly conditions in view of the change (Column 13, Lines 1-2; The reported severity varies as a function of the deviation from historical norm, which implies updating said historical norm).

Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Vasseur’s anomaly detection by integrating Wilken’s severity features in order to provide an operator/administrator with an aggregated view of network status (Wilken, Column 26, Lines 26-28). 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
U.S. Patent Application Publication No. 2019/0327271 (Saxena et al.) – Ongoing or current activity is analyzed using trained model profiles to identify anomalies such as abnormal action types or abnormal activities performed by entities.  Metadata anomalies may be determined by learning the metadata associated with entity connections (e.g., type of device used for connection and the user agent used for access). 
U.S. Patent Application Publication No. 2019/0007447 (Barnes) – A security device applies one or more data evaluation utilities (e.g., decision logic, rule sets, machine learning models, etc.) to monitored data.  Evaluate feature vectors where feature vector data may be compared to expected login events and network activity for a peer device or peer device type. 
U.S. Patent No. 9860257 (Kumar et al.) – The system monitors several power and network data parameters and develops machine learning models to detect correlations and patterns between the power and network data parameters.  The initial learning phase will create two types of portable models:  the first model detects patterns to classify the type of device while the second model identifies behaviors (and detects anomalies) in classified devices. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NAM T TRAN whose telephone number is (408)918-7553. The examiner can normally be reached Monday-Friday 7AM-3PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen can be reached on 571-272-6967. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/NAM T TRAN/Primary Examiner, Art Unit 2452