DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
The Amendment filed on July 08, 2022 has been entered. Claims 1, 4, 6-8, 11, 13-15, 18, and 20-21 were amended. No claims were added. As a result, claims 1-21 are pending, of which claims 1, 8 and 15 are in independent form.

Applicant’s amendment regarding claims 7, 14, and 21 obviates the claim rejection; therefore, the claim rejection under 35 USC § 112 for lack of antecedent basis is withdrawn.

Response to Arguments
On pages 10-13 of the remarks, the Applicant argues that the combination of the references does not appear to teach or suggest the limitations of amended independent claims 1, 8, and 15, “wherein a system event feature represents a semantic relationship between or among a grouping of system events that are observed by the model to co-occur in an observation sample”.
The Applicant argues that the scope and content of the prior art Zadeh describes “analyzing data regarding activity in an IT environment to determine information regarding the entities associated with the activity, and then using the information to detect anomalous activity that may be indicative of malicious activity”. Also, the secondary art Jin describes “techniques for anomaly detection using frequent pattern”. Furthermore, there is no explicit teaching of using “system event” data per se in particular.
Applicant’s arguments with respect to claim(s) have been considered but are moot because the new ground of rejection does not rely on any reference applied and rationale in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Regarding claims 2, 9, and 16, the Applicant argues that the combination of the references does not appear to teach or suggest “there is no processing of [any set of events] into a reduced set of “system event”, let alone “prior to” training a model”.
However, the Examiner is relying on a new ground of rejection, referencing Eaton, to teach the independent claims. As to dependent claims 5 and 12-19, these claims remain rejected by virtue of their dependency on their independent claims.

Regarding claims 4, 11, and 18, the Applicant argues that the combination of the references does not appear to teach or suggest the limitations of the amended dependent claims, “wherein training the model utilizes a semantic analysis that determines co-occurrence for a target system event in the observation sample by defining all system events other than the target system event as a context of the target system event, and performing pairwise enumeration of the target system event with respect to each other system event in the observation sample”.
Applicant’s arguments with respect to claim(s) have been considered but are moot because the new ground of rejection does not rely on any reference applied and rationale in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Regarding claims 5, 12, and 19, the Applicant argues that the combination of the references does not appear to teach or suggest “there is no model training in this process, let alone with respect to “one or more semantic prototypes defined as representative events for the observation sample.””.
However, the Examiner is relying on a new ground of rejection, referencing Eaton, to teach the independent claims. As to dependent claims 5 and 12-19, these claims remain rejected by virtue of their dependency on their independent claims.

Regarding claims 6, 13, and 20, the Applicant argues that the combination of the references does not appear to teach or suggest the limitations of the amended dependent claims, “prototype is associated with a vector space, and wherein the system event feature is observed by the model to co-occur in the observation sample by system events being close in the vector space”.
Applicant’s arguments with respect to claim(s) have been considered but are moot because the new ground of rejection does not rely on any reference applied and rationale in the prior rejection of record for any teaching or matter specifically challenged in the argument.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 7, 14, and 21 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Claims 7, 14, and 21 recite the limitation “an observable sample”, which renders the claims indefinite because the difference between “an observation sample” in claim 1 and “an observable sample” is unclear.

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 1-3, 5-10, 12-17, and 19-20 are rejected under 35 U.S.C. 102 (a)(1) as being anticipated by EATON et al. (US 2015/0110388 A1), hereinafter Eaton.

In regards to claim 1, a method to detect anomalous behavior in an execution environment, comprising: 
receiving a set of system events captured from a monitored computing system (Eaton, Para. 0080, the long-term memory 715 captures long-term data describing (or generalizing) events and/or behaviors observed in the scene); 
training a model to automatically extract one or more features for the received set of system events (Eaton, Para. 0066, over a period of time, data describing behaviors observed in the scene is collected, clusters of vectors representing similar observed behaviors are built, and a formal language model is trained), wherein a system event feature represents a semantic relationship between or among a grouping of system events that are observed by the model to co-occur in an observation sample (Eaton, Para. 0021, The cognitive model may be configured to identify patterns of behavior, leading to a “learning” of what events occur within a scene. Thus, the cognitive model may, over time, develop semantic labels to apply to observed behavior); and 
detecting anomalous behavior using the model (Eaton, Para. 0021, as these events are observed (and labeled) the machine learning engine may identify which ones fall into a range of expected behaviors for a scene and which ones represent an unusual (or new) pattern of behavior).

In regards to claim 2, the method as described in claim 1 further including processing the set of system events into a reduced set of system events prior to the training (Eaton, Para. 0061, the semantic representation module 205 reduces kinematic and posture data received from a computer-vision engine 135 regarding objects tracked in the scene into a manageable size and format such that the data may be processed by other modules of the machine-learning engine 140).  

In regards to claim 3, the method as described in claim 2 wherein the processing includes one of: applying domain knowledge, and applying one or more statistical methods (Eaton, Para. 0059, the LSA training module 410 gathers data regarding a scene until a layout for the scene is determined with sufficient statistical certainty).  

In regards to claim 5, the method as described in claim 1 wherein the system event feature is determined by measuring a similarity of the set of system events with respect to one or more semantic prototypes defined as representative events for the observation sample (Eaton, Para. 0061, the similarity measure may be used to compare incoming behaviors against the learned behaviors represented by the clusters of low-dimensional vectors. In this manner, the semantic representation module 205 reduces kinematic and posture data received from a computer-vision engine 135 regarding objects tracked in the scene into a manageable size and format such that the data may be processed by other modules of the machine-learning engine 140).  

In regards to claim 6, the method as described in claim 5 wherein a semantic prototype is associated with a vector space, and wherein the system event feature is observed by the model to co-occur in the observation sample by system events being close in the vector space (Eaton, Para. 0066, initial training of a module for forming the semantic representations of behaviors observed in the scene, such as the semantic representation module 205. More specifically, over a period of time, data describing behaviors observed in the scene is collected, clusters of vectors representing similar observed behaviors are built, and a formal language model is trained).  

In regards to claim 7, the method as described in claim 1 wherein [[the]] an observable sample is associated with an operating scenario in the execution environment (Eaton, Para. 0050, the semantic representations are provided to the perception module 210 and analyzed for recognizable patterns, i.e., the perception model 210 is generally configured to perceive what is occurring in the scene).  

In regards to claim 8, an apparatus, comprising:
a processor; computer memory holding computer program instructions executed by the processor, the computer program instructions configured to detect anomalous behavior in an execution environment, the computer program instructions comprising (Eaton, Para. 0023):
program code configured to receive a set of system events captured from a monitored computing system (Eaton, Para. 0080, the long-term memory 715 captures long-term data describing (or generalizing) events and/or behaviors observed in the scene);
program code to train a model to automatically extract one or more features for the received set of system events (Eaton, Para. 0066, over a period of time, data describing behaviors observed in the scene is collected, clusters of vectors representing similar observed behaviors are built, and a formal language model is trained), wherein a system event feature represents a semantic relationship between or among a grouping of system events that are observed by the model to co-occur in an observation sample (Eaton, Para. 0021, The cognitive model may be configured to identify patterns of behavior, leading to a “learning” of what events occur within a scene. Thus, the cognitive model may, over time, develop semantic labels to apply to observed behavior); and
program code to detect anomalous behavior using the model (Eaton, Para. 0021, as these events are observed (and labeled) the machine learning engine may identify which ones fall into a range of expected behaviors for a scene and which ones represent an unusual (or new) pattern of behavior).

In regards to claim 9, the apparatus as described in claim 8 further including program code configured to process the set of system events into a reduced set of system events prior to the training (Eaton, Para. 0061, the semantic representation module 205 reduces kinematic and posture data received from a computer-vision engine 135 regarding objects tracked in the scene into a manageable size and format such that the data may be processed by other modules of the machine-learning engine 140).  

In regards to claim 10, the apparatus as described in claim 9 wherein the program code configured to process includes program code configured to apply domain knowledge, or to apply one or more statistical methods (Eaton, Para. 0059, the LSA training module 410 gathers data regarding a scene until a layout for the scene is determined with sufficient statistical certainty).  

In regards to claim 12, the apparatus as described in claim 8 wherein the system event feature is determined by program code configured to measure a similarity of the set of system events with respect to one or more semantic prototypes defined as representative events for the observation sample (Eaton, Para. 0061, the similarity measure may be used to compare incoming behaviors against the learned behaviors represented by the clusters of low-dimensional vectors. In this manner, the semantic representation module 205 reduces kinematic and posture data received from a computer-vision engine 135 regarding objects tracked in the scene into a manageable size and format such that the data may be processed by other modules of the machine-learning engine 140).  

In regards to claim 13, the apparatus as described in claim 12 wherein a semantic prototype is associated with a vector space, and wherein the system event feature is observed by the model to co-occur in the observation sample by system events being close in the vector space (Eaton, Para. 0066, initial training of a module for forming the semantic representations of behaviors observed in the scene, such as the semantic representation module 205. More specifically, over a period of time, data describing behaviors observed in the scene is collected, clusters of vectors representing similar observed behaviors are built, and a formal language model is trained).  

In regards to claim 14, the apparatus as described in claim 8 wherein an observable sample is associated with an operating scenario in the execution environment (Eaton, Para. 0050, the semantic representations are provided to the perception module 210 and analyzed for recognizable patterns, i.e., the perception model 210 is generally configured to perceive what is occurring in the scene).  

In regards to claim 15, a computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program product holding computer program instructions that, when executed by the data processing system, are configured to detect anomalous behavior in an execution environment, the computer program instructions comprising (Eaton, Para. 0023): 
program code configured to receive a set of system events captured from a monitored computing system (Eaton, Para. 0080, the long-term memory 715 captures long-term data describing (or generalizing) events and/or behaviors observed in the scene); 
program code to train a model to automatically extract one or more features for the received set of system events (Eaton, Para. 0066, over a period of time, data describing behaviors observed in the scene is collected, clusters of vectors representing similar observed behaviors are built, and a formal language model is trained), wherein a system event feature is determined by a semantic relationship between or among a grouping of system events that are observed by the model to co-occur in an observation sample (Eaton, Para. 0021, The cognitive model may be configured to identify patterns of behavior, leading to a “learning” of what events occur within a scene. Thus, the cognitive model may, over time, develop semantic labels to apply to observed behavior); and 
program code to detect anomalous behavior using the model (Eaton, Para. 0021, as these events are observed (and labeled) the machine learning engine may identify which ones fall into a range of expected behaviors for a scene and which ones represent an unusual (or new) pattern of behavior).

In regards to claim 16, the computer program product as described in claim 15 further including program code configured to process the set of system events into a reduced set of system events prior to the training (Eaton, Para. 0061, the semantic representation module 205 reduces kinematic and posture data received from a computer-vision engine 135 regarding objects tracked in the scene into a manageable size and format such that the data may be processed by other modules of the machine-learning engine 140).  

In regards to claim 17, the computer program product as described in claim 16 wherein the program code configured to process includes program code configured to apply domain knowledge, or to apply one or more statistical methods (Eaton, Para. 0059, the LSA training module 410 gathers data regarding a scene until a layout for the scene is determined with sufficient statistical certainty).  

In regards to claim 19, the computer program product as described in claim 15 wherein the system event feature is determined by program code configured to measure a similarity of the set of system events with respect to one or more semantic prototypes defined as representative events for the observation sample (Eaton, Para. 0061, the similarity measure may be used to compare incoming behaviors against the learned behaviors represented by the clusters of low-dimensional vectors. In this manner, the semantic representation module 205 reduces kinematic and posture data received from a computer-vision engine 135 regarding objects tracked in the scene into a manageable size and format such that the data may be processed by other modules of the machine-learning engine 140).  

In regards to claim 20, the computer program product as described in claim 19 wherein a semantic prototype is associated with a vector space, and wherein the system event feature is observed by the model to co-occur in the observation sample by system events being close in the vector space (Eaton, Para. 0066, initial training of a module for forming the semantic representations of behaviors observed in the scene, such as the semantic representation module 205. More specifically, over a period of time, data describing behaviors observed in the scene is collected, clusters of vectors representing similar observed behaviors are built, and a formal language model is trained).  

In regards to claim 21, the computer program product as described in claim 15 wherein an observable sample is associated with an operating scenario in the execution environment (Eaton, Para. 0050, the semantic representations are provided to the perception module 210 and analyzed for recognizable patterns, i.e., the perception model 210 is generally configured to perceive what is occurring in the scene).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 4, 11, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over EATON et al. (US 2015/0110388 A1), hereinafter Eaton, in view of Muddu et al. (US 2017/0223036 A1), hereinafter Muddu.

In regards to claim 4, Eaton fails to disclose the method as described in claim 1 wherein training the model utilizes a semantic analysis that determines co-occurrence for a target system event in the observation sample by defining all system events other than the target system event as a context of the target system event, and performing pairwise enumeration of the target system event with respect to each other system event in the observation sample. 
However, Muddu teaches wherein training the model utilizes a semantic analysis that determines co-occurrence for a target system event in the observation sample by defining all system events other than the target system event as a context of the target system event (Muddu, Paras. 0273 and 0274, which the ML-based CEP engine monitors for computer security issues. The target-side computer system collects machine data from the target computer network as the raw event data. The data intake and preparation stage creates an event feature set from raw event data pertaining to a single machine-observed event or a sequence of machine-observed events), and performing pairwise enumeration of the target system event with respect to each other system event in the observation sample (Muddu, Para. 0273, the data intake and preparation stage creates an event feature set from raw event data pertaining to a single machine-observed event or a sequence of machine-observed events, and Paras. 409-410, each of the mini-graphs 3522, 3524 and 3526 includes nodes and one or more edges each interconnecting a pair of the nodes. The nodes represent the entities involved in the particular event). Eaton and Muddu are both considered to be analogous to the claimed invention because they are in the same field of determining, by a semantic analysis, system event features and a semantic relationship between a grouping of system events. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Eaton to incorporate the teachings of Muddu to include wherein training the model utilizes a semantic analysis that determines co-occurrence for a target system event in the observation sample by defining all system events other than the target system event as a context of the target system event (Muddu, Paras. 0273 and 0274), and performing pairwise enumeration of the target system event with respect to each other system event in the observation sample (Muddu, Para. 0273). Doing so would allow the behavior analytics to leverage machine learning data processing procedures that do not require any preexisting knowledge such as known signatures or rules. The security platform can also improve threat detection and targeted response by using a variety of threat indicators. Further, the security platform supplies supporting evidence within the context of the kill chain to enable targeted remediation of any detected anomaly or threat (Muddu, Para. 0137).

In regards to claim 11, Eaton fails to disclose the apparatus as described in claim 8 wherein the program code configured to train the model utilizes a semantic analysis that determines co-occurrence for a target system event in the observation sample by defining all system events other than the target system event as a context of the target system event, and performing pairwise enumeration of the target system event with respect to each other system event in the observation sample.
However, Muddu teaches wherein the program code configured to train the model utilizes a semantic analysis that determines co-occurrence for a target system event in the observation sample by defining all system events other than the target system event as a context of the target system event (Muddu, Paras. 0273 and 0274, which the ML-based CEP engine monitors for computer security issues. The target-side computer system collects machine data from the target computer network as the raw event data. The data intake and preparation stage creates an event feature set from raw event data pertaining to a single machine-observed event or a sequence of machine-observed events), and performing pairwise enumeration of the target system event with respect to each other system event in the observation sample (Muddu, Para. 0273, the data intake and preparation stage creates an event feature set from raw event data pertaining to a single machine-observed event or a sequence of machine-observed events, and Paras. 409-410, each of the mini-graphs 3522, 3524 and 3526 includes nodes and one or more edges each interconnecting a pair of the nodes. The nodes represent the entities involved in the particular event). Eaton and Muddu are both considered to be analogous to the claimed invention because they are in the same field of determining, by a semantic analysis, system event features and a semantic relationship between a grouping of system events. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Eaton to incorporate the teachings of Muddu to include wherein the program code configured to train the model utilizes a semantic analysis that determines co-occurrence for a target system event in the observation sample by defining all system events other than the target system event as a context of the target system event (Muddu, Paras. 0273 and 0274), and performing pairwise enumeration of the target system event with respect to each other system event in the observation sample (Muddu, Para. 0273). Doing so would allow the behavior analytics to leverage machine learning data processing procedures that do not require any preexisting knowledge such as known signatures or rules. The security platform can also improve threat detection and targeted response by using a variety of threat indicators. Further, the security platform supplies supporting evidence within the context of the kill chain to enable targeted remediation of any detected anomaly or threat (Muddu, Para. 0137).

In regards to claim 18, Eaton fails to disclose the computer program product as described in claim 15 wherein the program code configured to train the model utilizes a semantic analysis that determines co-occurrence for a target system event in the observation sample by defining all system events other than the target system event as a context of the target system event, and performing pairwise enumeration of the target system event with respect to each other system event in the observation sample. 
However, Muddu teaches wherein the program code configured to train the model utilizes a semantic analysis that determines co-occurrence for a target system event in the observation sample by defining all system events other than the target system event as a context of the target system event (Muddu, Paras. 0273 and 0274, which the ML-based CEP engine monitors for computer security issues. The target-side computer system collects machine data from the target computer network as the raw event data. The data intake and preparation stage creates an event feature set from raw event data pertaining to a single machine-observed event or a sequence of machine-observed events), and performing pairwise enumeration of the target system event with respect to each other system event in the observation sample (Muddu, Para. 0273, the data intake and preparation stage creates an event feature set from raw event data pertaining to a single machine-observed event or a sequence of machine-observed events, and Paras. 409-410, each of the mini-graphs 3522, 3524 and 3526 includes nodes and one or more edges each interconnecting a pair of the nodes. The nodes represent the entities involved in the particular event). Eaton and Muddu are both considered to be analogous to the claimed invention because they are in the same field of determining, by a semantic analysis, system event features and a semantic relationship between a grouping of system events. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Eaton to incorporate the teachings of Muddu to include wherein the program code configured to train the model utilizes a semantic analysis that determines co-occurrence for a target system event in the observation sample by defining all system events other than the target system event as a context of the target system event (Muddu, Paras. 0273 and 0274), and performing pairwise enumeration of the target system event with respect to each other system event in the observation sample (Muddu, Para. 0273). Doing so would allow the behavior analytics to leverage machine learning data processing procedures that do not require any preexisting knowledge such as known signatures or rules. The security platform can also improve threat detection and targeted response by using a variety of threat indicators. Further, the security platform supplies supporting evidence within the context of the kill chain to enable targeted remediation of any detected anomaly or threat (Muddu, Para. 0137).
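The co-occurrence analysis recited in claims 4, 11 and 18 (every system event other than the target is the target's context, and the target is enumerated pairwise against each other event in the observation sample) and the prototype similarity in a vector space recited in claims 5-6, 12-13 and 19-20 can be illustrated with the following added Python example. It is not code from the application, from Eaton, or from Muddu; the event names, the observation samples, the definition of a prototype as the summed event vectors of one training sample, and the 0.5 anomaly threshold are all constructed assumptions for the illustration.

```python
"""Added illustration: co-occurrence features over system-event samples.

Each observation sample is the ordered list of system event names seen on
one monitored host in one window. All event names and samples below are
constructed for this example; nothing here is code from the application or
from the Eaton or Muddu references.
"""
from collections import defaultdict
import math

# Constructed benign observation samples used as training data.
BENIGN_SAMPLES = [
    ["login", "shell_start", "file_read", "file_read", "logout"],
    ["login", "shell_start", "file_read", "file_write", "logout"],
    ["cron_start", "script_exec", "file_read", "net_connect", "cron_end"],
    ["cron_start", "script_exec", "file_read", "file_write", "cron_end"],
    ["login", "shell_start", "net_connect", "file_read", "logout"],
]


def pairwise_cooccurrence(sample):
    """Co-occurrence for every target event in one observation sample.

    Every event other than the target (by position, so repeats count) is the
    target's context; each (target, context) pair is enumerated and counted.
    """
    counts = defaultdict(int)
    for i, target in enumerate(sample):
        for j, other in enumerate(sample):
            if i != j:
                counts[(target, other)] += 1
    return dict(counts)


def sample_vector(sample, vectors):
    """Sum the event vectors of a sample; events unseen in training add nothing."""
    dim = len(next(iter(vectors.values())))
    out = [0.0] * dim
    for event in sample:
        for k, value in enumerate(vectors.get(event, [])):
            out[k] += value
    return out


def train(samples):
    """Build one co-occurrence vector per event and one prototype per sample.

    An event's vector (its 'system event feature') is the row of summed
    co-occurrence counts against every other event, so events that keep similar
    company end up close in this vector space. A prototype is the summed event
    vectors of one training sample (an assumption of this example).
    """
    vocab = sorted({e for s in samples for e in s})
    index = {e: i for i, e in enumerate(vocab)}
    totals = defaultdict(int)
    for s in samples:
        for pair, n in pairwise_cooccurrence(s).items():
            totals[pair] += n
    vectors = {}
    for event in vocab:
        row = [0.0] * len(vocab)
        for other, k in index.items():
            row[k] = float(totals.get((event, other), 0))
        vectors[event] = row
    prototypes = [sample_vector(s, vectors) for s in samples]
    return {"vectors": vectors, "prototypes": prototypes}


def cosine(a, b):
    """Cosine similarity; a zero vector (all-unseen sample) scores 0.0."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return 0.0 if na == 0.0 or nb == 0.0 else dot / (na * nb)


def score_sample(sample, model):
    """Highest similarity between the sample and any learned prototype."""
    vec = sample_vector(sample, model["vectors"])
    return max(cosine(vec, p) for p in model["prototypes"])


def is_anomalous(sample, model, threshold=0.5):
    """Flag a sample whose best prototype match falls below the threshold."""
    return score_sample(sample, model) < threshold


if __name__ == "__main__":
    model = train(BENIGN_SAMPLES)
    known = ["login", "shell_start", "file_read", "file_read", "logout"]
    unknown = ["raw_disk_write", "kernel_module_load", "kernel_module_load"]
    print("known  :", round(score_sample(known, model), 3), is_anomalous(known, model))
    print("unknown:", round(score_sample(unknown, model), 3), is_anomalous(unknown, model))
```

With the constructed training data, `login` and `logout` land close together in the vector space because they share almost the same context, while `login` and `cron_start` do not; a sample made entirely of events never seen in training has a zero vector and is flagged, which is the failure mode a deployment has to decide how to treat (new-but-benign software versus genuinely unexpected activity).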

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GITA FARAMARZI whose telephone number is (571) 272-0248. The examiner can normally be reached 9:30 AM - 6:30 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/G.F./
Examiner, Art Unit 2496

/JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496