Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The present Office Action is responsive to communication received 8/22/2022. Claims 1-3, 5-13, 15-20 are pending. Claims 4 and 14 are cancelled.

Response to Arguments
Applicant’s arguments received on 8/22/2022 are respectfully addressed as follows:
Regarding the rejection of claims 1-10 under 35 USC 112(b), the amendments to said claims obviate the 112(f) interpretation of said claims, and the subsequent 112(b) rejection. The 112(b) rejection is therefore withdrawn.
Regarding the prior art rejection, the arguments are respectfully considered but are moot in view of the new ground of rejection.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 5-12, 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over US 20050125195 to Brendel, hereinafter Brendel, in view of US 10599635 to Gunn et al., hereinafter Gunn, and further in view of US 20190132343 to Chen et al., hereinafter Chen.
Regarding claim 1, Brendel discloses 
A system for detecting malware in a network comprising: a database for storing current data and historical data obtained from the network ([0051], Fig. 1: database 103 includes data relating to existing activities as well as historical data); and a computation engine including at least one processor and non-transitory memory, the computation engine including a detection module configured to run on the computation engine (Fig. 2, [0051]: apparatus 100 comprising processor 101 and memory 103) and adapted and configured to perform the steps of filtering the current data to obtain filtered data based on at least one criterion ([0063]-[0066]: filter data based on transport protocol for instance); loading a previously filtered data ([0091]: data stored in database is extracted); determining values of a plurality of features; computing an outlier score for each of values of the plurality of features; and merging the outlier scores to obtain an output score used to detect malware ([0091]: extract values from tables, compute deviation between an actual value and a model, sum all the deviations (degree of abnormality) used to classify traffic as normal or abnormal).
Brendel does not explicitly teach loading the current data from the database, filtering ... and saving the filtered data to the database.
In an analogous art, Gunn discloses a database system (Fig. 1, 120) storing raw data and staging tables created based on command scripts (col.3:25-32). Gunn discloses loading the current data from the database; filtering the current data to obtain filtered data based on at least one criterion (col.7:18-28: fetch raw data from the database, transform or filter the fetched data to generate staging tables; the filtering criterion can be an activity specified at a time period (col.5:40-52)); saving the filtered data to the database (col.3:25-32: staging tables stored in the database) and loading a previously filtered data (col.8:43-53: use classifiers to identify anomalies in the staging tables and take corrective actions; col.10:59-67: validate staging tables each time the staging table is refreshed to determine data of staging table is valid). It would have been obvious to a skilled artisan before the instant application was effectively filed to apply the loading/filtering techniques of Gunn to the data saved in the database as taught by Brendel and teach the claim because it would “improve the quality, efficiency, and speed of data processing systems, offering improved performance and reduced computational overhead, by generating staging data independently from the execution of control scripts which process the staging data” (Gunn col.1:32-40).
While Brendel teaches a learning system to continually update the traffic profile ([0113]), Brendel in view of Gunn does not explicitly disclose obtaining an output score comprising using a supervised machine learning model algorithm to obtain the output score, wherein the output score is used to detect malware.
In an analogous art, Chen discloses converting outlier scores to top scores, combined to output and label a single top score, using a supervised learning model to continuously update identified threat labels ([0022]); therefore Chen teaches the limitation. It would have been obvious to a skilled artisan before the instant application was effectively filed to define the outliers using a supervised learning model as taught by Chen, because it provides for a continuous learning system with a feedback mechanism to detect threats in real-time and reduce false positives ([0010][0016]).

Regarding claim 2, Brendel in view of Gunn and Chen discloses the system of claim 1, wherein the at least one criterion is one of a file path information, file name, a content type, a content length, and a file extension type (Brendel [0070]-[0071]: filter based on content length of packet).

Regarding claim 5, Brendel in view of Gunn and Chen discloses the system of claim 1, wherein the current data and the historical data includes metadata of a transfer protocol (Brendel [0064]-[0066]: TCP, UDP, ICMP ...). 

Regarding claim 6, Brendel in view of Gunn and Chen discloses the system of claim 5, wherein the transfer protocol is one of HTTP, FTP, SMB, and SMTP (Brendel does not explicitly teach HTTP, FTP, SMB, or SMTP but teaches TCP which is used by HTTP, FTP [0064]-[0065]; Brendel also teaches identifying HTTP packets [0054]; it would have been obvious to a skilled artisan before the instant application was filed to include HTTP or FTP ... as a transfer protocol without undue testing).

Regarding claim 7, Brendel in view of Gunn and Chen discloses the system of claim 1, further comprising at least one sensor for parsing out the metadata from the current data and the historical data (Brendel [0084]: observe the current traffic parameter (example volume) compared to stored historical data; Brendel [0145]: use a parser to filter metadata (header data)).  

Regarding claim 8, Brendel in view of Gunn and Chen discloses the system of claim 1, wherein the detection module is further adapted and configured to perform the step of creating an alert for each of the output scores at or above a predetermined threshold (Brendel [0095]: compute deviation ... determine whether to issue an alert at a value of the deviation; Brendel [0105]: threshold specified for different alerts, issue alert if threshold is exceeded).  

Regarding claim 9, Brendel in view of Gunn and Chen discloses the system of claim 8, further comprising a display for displaying the alert received from the detection module (Brendel [0061]: display alert).

Regarding claim 10, Brendel in view of Gunn and Chen discloses the system of claim 1, wherein the plurality of features includes at least one of: a count of a number of times downloads are made from an observed protocol host over a time interval, a count of a number of times an observed transfer protocol path is downloaded over a time interval, an amount by which the value of one feature within the plurality of features is abnormal relative to other file downloads with a same extension as the one feature, and a determination of how strongly a downloaded file name within the current data correlates with a list of known malware file names (Brendel table 1, [0089][0090]: timestamp indicates a period of time, to which corresponds a feature such as the number of packets to port 80 (i.e. HTTP) from a certain address; [0121]: the number of files can be counted, meaning a count of the number of times files are downloaded from a certain address using the HTTP protocol).
Regarding claim 11, the claim recites substantially the same content as claim 1 and is rejected as claim 1.
Regarding claim 12, the claim recites substantially the same content as claim 2 and is rejected as claim 2.
Regarding claim 15, the claim recites substantially the same content as claim 5 and is rejected as claim 5.
Regarding claim 16, the claim recites substantially the same content as claim 6 and is rejected as claim 6.
Regarding claim 17, the claim recites substantially the same content as claim 7 and is rejected as claim 7.
Regarding claim 18, the claim recites substantially the same content as claim 8 and is rejected as claim 8.
Regarding claim 19, the claim recites substantially the same content as claim 9 and is rejected as claim 9.
Regarding claim 20, the claim recites substantially the same content as claim 10 and is rejected as claim 10.

Claims 3 and 13 are rejected under 35 USC 103 as being unpatentable over Brendel, Gunn and Chen, in view of publication titled “Detection of Spatial Outlier by Using Improved ZScore Test”, 2019, IEEE, 788-790, by Aggarwal et al., hereinafter Aggarwal.

Regarding claim 3, Brendel in view of Gunn and Chen discloses the system of claim 1, but does not disclose: wherein the step of computing an outlier score includes performing at least one of a Z-score and a p-value calculation of each of the plurality of features.
In an analogous art, Aggarwal teaches calculating a z-score for each observation in a dataset to determine outliers (p.788, under IV). It would have been obvious to a skilled artisan before the instant application was filed to apply the z-score calculation as taught by Aggarwal because z-scores are well-known and easy to calculate to measure the divergence of observations from the mean.
Regarding claim 13, the claim recites substantially the same content as claim 3 and is rejected as claim 3.
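The outlier-scoring pipeline recited in claims 1, 3 and 8 (filter the current records by a criterion, compute a per-feature outlier score against historical data by z-score and p-value, merge the per-feature scores into one output score, and raise an alert at or above a threshold), shown as an added illustrative example written for this page. It is not the applicant's claimed system and not code from Brendel, Gunn, Chen or Aggarwal; the records, feature names, the mean-absolute-z merge rule, the zero-variance cap and the threshold are all constructed assumptions.

```python
"""Added example: per-feature z-score / p-value outlier scoring merged into a
single output score, with a threshold alert. Illustrative code written for this
page; it is not the claimed system, nor code from Brendel, Gunn, Chen or Aggarwal.
All records, feature names, the merge rule and the threshold are constructed."""
import math
from statistics import mean, pstdev

# Constructed "previously filtered" data: features of earlier .exe downloads.
# Values are chosen so each feature's mean and standard deviation are easy to check.
HISTORICAL = [
    {"host_downloads": 2, "path_downloads": 1, "content_length": 100},
    {"host_downloads": 6, "path_downloads": 3, "content_length": 300},
    {"host_downloads": 2, "path_downloads": 1, "content_length": 100},
    {"host_downloads": 6, "path_downloads": 3, "content_length": 300},
]

# Constructed "current" data loaded from the store: one ordinary .exe download,
# one unusual .exe download, and a .pdf that the filter criterion excludes.
CURRENT = [
    {"file": "setup.exe", "extension": "exe",
     "host_downloads": 4, "path_downloads": 2, "content_length": 200},
    {"file": "update.exe", "extension": "exe",
     "host_downloads": 10, "path_downloads": 6, "content_length": 700},
    {"file": "report.pdf", "extension": "pdf",
     "host_downloads": 40, "path_downloads": 30, "content_length": 900},
]

FEATURES = ("host_downloads", "path_downloads", "content_length")
MAX_Z = 10.0  # assumed cap used when a feature has zero historical variance


def filter_records(records, criterion):
    """Keep records whose fields match every key/value in `criterion`
    (e.g. {"extension": "exe"}): filtering on at least one criterion."""
    return [r for r in records if all(r.get(k) == v for k, v in criterion.items())]


def zscore(value, history):
    """Standard score of `value` against one feature's historical values.
    With zero historical variance, any deviation is treated as an extreme outlier."""
    mu, sd = mean(history), pstdev(history)
    if sd == 0:
        return 0.0 if value == mu else math.copysign(MAX_Z, value - mu)
    return (value - mu) / sd


def p_value(z):
    """Two-sided tail probability of |z| under a standard normal distribution."""
    return math.erfc(abs(z) / math.sqrt(2))


def feature_outlier_scores(record, history, features=FEATURES):
    """Per-feature outlier scores (z-score and p-value) for one record."""
    scores = {}
    for f in features:
        z = zscore(record[f], [h[f] for h in history])
        scores[f] = {"z": z, "p": p_value(z)}
    return scores


def merge_scores(scores):
    """Merge per-feature scores into one output score (assumed rule: mean |z|)."""
    return sum(abs(s["z"]) for s in scores.values()) / len(scores)


def detect(current, history, criterion, threshold, features=FEATURES):
    """Filter current records, score each one, and return (file, score) alerts
    for every output score at or above `threshold`."""
    alerts = []
    for rec in filter_records(current, criterion):
        output = merge_scores(feature_outlier_scores(rec, history, features))
        if output >= threshold:
            alerts.append((rec["file"], round(output, 2)))
    return alerts


if __name__ == "__main__":
    for file, score in detect(CURRENT, HISTORICAL, {"extension": "exe"}, threshold=3.0):
        print(f"ALERT {file}: output score {score}")
```

With the constructed data, setup.exe sits exactly at each historical mean (z = 0 on every feature) while update.exe scores z = 3, 4 and 5 on the three features, giving an output score of 4.0 and a single alert; report.pdf never reaches scoring because the criterion excludes it. The mean-absolute-z merge is one of several reasonable choices (a maximum, a weighted sum, or a combination of the p-values would also fit the claim language); what matters in practice is that the merge rule and threshold are tuned against the historical population the z-scores are drawn from.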

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Compton 20210112091 discloses detecting DOS using supervised machine learning for finding anomalous flows and their deviation from normal behavior.
Little et al 20200302074 discloses a fine grained access control that measures abnormality or deviation from normal user behavior using supervised machine learning.
Rajeswari, A. M., Yalini, S. K., Janani, R., Rajeswari, N., & Deisy, C. (2018, April). A comparative evaluation of supervised and unsupervised methods for detecting outliers. In 2018 Second International Conference on Inventive Communication and Computational Technologies (ICICCT) (pp. 1068-1073). IEEE.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CATHERINE B THIAW whose telephone number is (571)270-1138. The examiner can normally be reached Monday-Friday 7am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CARL G COLIN can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Catherine Thiaw/ Primary Examiner, Art Unit 2493    9/9/2022