DETAILED ACTION
EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
The application has been amended as follows: 

1.  (Currently Amended)  A method, comprising: 
obtaining anomaly analysis data integrated from a plurality of data sources of an organization, wherein the plurality of data sources comprises at least one set of labeled anomaly data comprising information related to transactions that have been labeled as anomalous transactions; 
extracting features from the integrated anomaly analysis data that correlate with an indication of an anomaly, based on predefined correlation criteria; 
initiating a training, using at least one processing device, of a plurality of machine learning models using the extracted features, wherein each of the plurality of machine learning models is trained using different combinations of the extracted features, wherein one or more of the trained machine learning models comprise at least one decision tree, wherein the at least one decision tree comprises a plurality of paths to an anomaly classification, wherein each path comprises a logical combination of conditions to a leaf node; 
evaluating a performance of the plurality of trained machine learning models; and
extracting one or more rules from one or more of the trained machine learning models based on the performance, wherein the extracted one or more rules are used to classify transactions as anomalous, wherein each extracted rule is associated with a given leaf node of the at least one decision tree and is extracted by aggregating the conditions associated with at least some of the nodes in the at least one decision tree along the respective path to the given leaf node; 
wherein the method is performed by at least one processing device comprising a processor coupled to a memory.
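Added illustration, not part of the Office action or the application: a minimal Python sketch of the rule-extraction step recited in claim 1, where each rule is the aggregated set of conditions along one path to an anomaly leaf. The tree, its feature names (`amount`, `hour`, `new_payee`) and its thresholds are constructed sample values; training and model evaluation are out of scope here.

```python
from dataclasses import dataclass
from typing import Optional

INF = float("inf")

@dataclass
class Node:
    feature: Optional[str] = None   # None marks a leaf
    threshold: float = 0.0
    left: Optional["Node"] = None   # branch taken when value <= threshold
    right: Optional["Node"] = None  # branch taken when value > threshold
    label: Optional[str] = None     # classification, set on leaves only

def extract_rules(node, bounds=None, target="anomalous"):
    """One rule per leaf labelled `target`. A rule maps feature -> (low, high),
    meaning low < value <= high; repeated tests on a feature are merged."""
    bounds = bounds or {}
    if node.feature is None:
        return [dict(bounds)] if node.label == target else []
    lo, hi = bounds.get(node.feature, (-INF, INF))
    left = {**bounds, node.feature: (lo, min(hi, node.threshold))}
    right = {**bounds, node.feature: (max(lo, node.threshold), hi)}
    return (extract_rules(node.left, left, target)
            + extract_rules(node.right, right, target))

def format_rule(rule):
    """Render a rule as a conjunction of conditions."""
    parts = []
    for feat, (lo, hi) in sorted(rule.items()):
        if lo != -INF:
            parts.append(f"{feat} > {lo:g}")
        if hi != INF:
            parts.append(f"{feat} <= {hi:g}")
    return " AND ".join(parts)

def is_anomalous(rules, tx):
    """Classify a transaction using only the extracted rules (no tree needed)."""
    return any(all(lo < tx[f] <= hi for f, (lo, hi) in r.items()) for r in rules)

# Constructed sample tree with two paths ending in an "anomalous" leaf.
TREE = Node("amount", 1000, Node(label="normal"),
            Node("hour", 6, Node(label="anomalous"),
                 Node("amount", 5000, Node(label="normal"),
                      Node("new_payee", 0.5, Node(label="normal"),
                           Node(label="anomalous")))))
RULES = extract_rules(TREE)

if __name__ == "__main__":
    for rule in RULES:
        print(format_rule(rule))
```

The second rule shows the aggregation: the path tests `amount` twice (against 1000 and 5000), and the extracted rule keeps only the tighter bound.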

Reasons for Allowance
Claims 1-20 are allowed.
The following is an examiner’s statement of reasons for allowance:
Wang et al. (U.S. 20150373043 A1), “Collaborative And Adaptive Threat Intelligence For Computer Security”, teaches collaborative and adaptive threat intelligence for computer security. It also teaches entity group behavior modeling, in which multiple entities in a group are profiled and monitored for anomalous behavior (e.g., abnormal group behavior, abnormal individual entity as compared to other entities of the group). An entity group includes entities that typically share at least a same characteristic such as: type, location, purpose, organization, or the like. The anomalous behavior is detected based on abnormal behavior of an entity of an entity group as compared to other entities of that same entity group, and on behavior of an entity of a first entity group abnormally matching behavior of entities of a second entity group.
Cristianini (U.S. 20030041041 A1), “Spectral Kernels For Learning Machines”, teaches learning machines and, more particularly, kernel-based machines for data analysis. It also teaches that eigenvectors of the kernel matrix may be used to assign unlabeled data to clusters, merge information from labeled and unlabeled data by transduction, provide model selection information for other kernels, detect novelties or anomalies and/or clean data, and perform supervised learning tasks such as classification. In applying SGT methods to kernel methods, the dataset is regarded as nodes of a fully connected graph. A weight equal to the kernel between the two nodes is assigned to each edge of the graph. The adjacency matrix of the graph is equivalent to the Gram matrix. The eigenvectors and their corresponding eigenvalues provide information about the properties of the graph. The second eigenvector can be thresholded to approximate the class assignment of graph nodes, minimizing the cost of a cut of a clustering. Looking at the random walk on the graph associated with the Gram matrix, the stationary distribution will provide information about the "popularity" of a point based on how many other points are similar to it. This allows anomalous points to be easily spotted.
Eberhardt, III et al. (U.S. 20130198119 A1), “Application of Machine Learned Bayesian Networks To Detection of Anomalies in Complex Systems”, teaches that a Bayesian belief network (BBN) is a directed graph and an associated set of probability tables. The graph consists of nodes and arcs. The nodes represent variables, input data for which can be discrete or continuous; however, the BBN must segment continuous data into parameterized ranges. The arcs represent causal or influential relationships between variables. More specifically, a BBN is a probabilistic graphical model that represents a set of random variables and their conditional independencies. Machine-learned Bayesian Belief Networks (BBNs) are utilized to identify anomalous events in complex systems. One such application is determining the likelihood that software executables are malware. Another application is examining internet protocol packets to determine if the traffic they represent is legitimate or part of an attack. Another application would be quality control in complex manufacturing processes in order to detect products out of variance, such as electronics or chemicals. Another application would be studying biomarkers or physiology to detect subtle shifts in biology that would allow the user to detect when a patient is about to become dysregulated or ill. Since these are very complex systems, classical rules-based systems often require simplification of the system in order to make the rules tractable.

However, Wang et al., Cristianini and Eberhardt, III et al., either alone or in combination, fail to disclose:
A method, comprising: 
obtaining anomaly analysis data integrated from a plurality of data sources of an organization, wherein the plurality of data sources comprises at least one set of labeled anomaly data comprising information related to transactions that have been labeled as anomalous transactions; 
extracting features from the integrated anomaly analysis data that correlate with an indication of an anomaly, based on predefined correlation criteria; 
initiating a training, using at least one processing device, of a plurality of machine learning models using the extracted features, wherein each of the plurality of machine learning models is trained using different combinations of the extracted features, wherein one or more of the trained machine learning models comprise at least one decision tree, wherein the at least one decision tree comprises a plurality of paths to an anomaly classification, wherein each path comprises a logical combination of conditions to a leaf node; 
evaluating a performance of the plurality of trained machine learning models; and
extracting one or more rules from one or more of the trained machine learning models based on the performance, wherein the extracted one or more rules are used to classify transactions as anomalous, wherein each extracted rule is associated with a given leaf node of the at least one decision tree and is extracted by aggregating the conditions associated with at least some of the nodes in the at least one decision tree along the respective path to the given leaf node; 
wherein the method is performed by at least one processing device comprising a processor coupled to a memory.

Accordingly, the features identified, in combination with other claim limitations, are neither suggested nor discussed by the prior art of record.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Duy A Tran whose telephone number is (571)272-4887. The examiner can normally be reached Monday-Friday 8:00 am - 5:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Edward F Urban can be reached on (571)-272-7899. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/DUY TRAN/Examiner, Art Unit 2665                                


/BOBBAK SAFAIPOUR/Primary Examiner, Art Unit 2665