Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This is a reply to the application filed on 3/23/2021, in which, claims 1-19 are pending. Claims 1, 3, 12, and 17 are independent.
When making claim amendments, the applicant is encouraged to consider the references in their entireties, including those portions that have not been cited by the examiner and their equivalents as they may most broadly and appropriately apply to any particular anticipated claim amendments.

Information Disclosure Statement
The information disclosure statement (IDS) submitted is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Drawings
The drawings filed on 3/23/2021 are accepted.

Specification
The disclosure filed on 3/23/2021 is accepted.

Double Patenting
1. 	A rejection based on double patenting of the "same invention" type finds its support in the language of 35 U.S.C. 101 which states that "whoever invents or discovers any new and useful process ... may obtain a patent therefor ..." (Emphasis added). Thus, the term "same invention," in this context, means an invention drawn to identical subject matter. See Miller v. Eagle Mfg. Co., 151 U.S. 186 (1894); In re Ockert, 245 F.2d 467, 114 USPQ 330 (CCPA 1957); and In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970).

2.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.   A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and  In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).

Claims 1, 3, 12, and 17 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1, 3, 12, and 17 of US 10992696 B2. Although the conflicting claims are not identical, they are not patentably distinct from each other because all the limitations recited in the independent claims 1, 3, 12, and 17 of the present application and are broader than limitations recited in independent claims 1, 3, 12, and 17 of US 10992696 B2.      
Claims 2, 4-11, 13-16, and 18-19 of the present application are not patentably distinct from respective claims 1-17 of US 10992696 B2 because the claims recite substantially the same features.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


The claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.  Claim(s) 1, 3, 12, 17 and dependent claims is/are directed to a method. The claim(s) do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the claimed invention is directed to a judicial exception (i.e. an abstract idea) without significantly more. Based upon consideration of all of the relevant factors with respect to the claims as a whole, claims are held to claim an unpatentable abstract idea, and are therefore rejected as ineligible subject matter under 35 U.S.C. § 101. When considering subject matter eligibility under 35 U.S.C. § 101, it must be determined whether the claim is directed to one of the four statutory categories of invention, i.e., process, machine, manufacture, or composition of matter (i.e., Step 1). If the claim does fall within one of the statutory categories, it must then be determined whether the claim is directed to a judicial exception (i.e., law of nature, natural phenomenon, and abstract idea) (i.e., Step 2A), and if so, it must additionally be determined whether the claim contains any additional elements that transform the exception into patent-eligible subject matter. If an abstract idea is present in the claim, any element or combination of elements in the claim must be sufficient to ensure that the claim amounts to significantly more than the abstract idea itself (i.e., Step 2B). See 2014 Interim Guidance on Patent Subject Matter Eligibility, 79 Fed. Reg. 74618 (December 16, 2014) (“2014 IEG”) and Alice Corporation Pty. Ltd. i/. CLS Bank International, et al., 573 U.S._ (2014).Step 1: Identifying Statutory Categories              In the case, claim(s) is/are directed to method to determine likelihood of malicious behavior based on comparison of characteristics (“receiving pivot feature information for an aspect of the system at at least one anomaly detection unit; for a snapshot interval, generating a frequency structure interrelating a pivot feature, a binning feature and counts; using the frequency structure, generating a two-dimensional graphical image, wherein the graphical image is of a first specified dimension and a second specified dimension, and wherein first specified dimension corresponds to a cyclical repeating interval made up of multiple bins, the graphical image having been generated such that a bin of the multiple bins, is the bin having a highest count, and the bin is scaled to the specified second dimension, and wherein counts of all other bins in the interval are scaled relative to that highest count; graphically comparing the generated graphical image to an immediately preceding graphical image for similarity relative to a pre-specified similarity threshold; and when a result of the comparison fails to satisfy the pre-specified similarity threshold, automatically triggering an appropriate anomaly detection-based follow-on action”) – falls into one of the four statutory categories (i.e., method). Nevertheless, the claims fall within the judicial exception of an abstract idea.
Step 2A (prong 1): Identifying a Judicial Exception
The Supreme Court and Federal Circuit have identified abstract ideas in patent claims by making comparisons to concepts found in past decisions to be judicial exceptions to eligibility. July 2015 Update on Subject Matter Eligibility, 80 Fed. Reg. 45429 (July 30, 2015) (“IEG Update”). The July Update summarizes concepts the courts have considered to be abstract ideas by associating eligibility decisions with judicial descriptors (e.g., “an idea of itself,” “certain methods of organizing human activities”, “mathematical relationships and formulas”) based on common characteristics. These associations define the judicial descriptors in a manner that stays within the confines of the judicial precedent, with the understanding that these associations are not mutually exclusive, i.e., some concepts may be associated with more than one judicial descriptor.
The abstract functions of the claims in the case are representative claim(s) is/are directed to method to detect anomaly based on comparison of characteristics (claims 1, 3: “receiving pivot feature information for an aspect of the system at at least one anomaly detection unit; for a snapshot interval, generating a frequency structure interrelating a pivot feature, a binning feature and counts; using the frequency structure, generating a two-dimensional graphical image, wherein the graphical image is of a first specified dimension and a second specified dimension, and wherein first specified dimension corresponds to a cyclical repeating interval made up of multiple bins, the graphical image having been generated such that a bin of the multiple bins, is the bin having a highest count, and the bin is scaled to the specified second dimension, and wherein counts of all other bins in the interval are scaled relative to that highest count; graphically comparing the generated graphical image to an immediately preceding graphical image for similarity relative to a pre-specified similarity threshold; and when a result of the comparison fails to satisfy the pre-specified similarity threshold, automatically triggering an appropriate anomaly detection-based follow-on action”). Claims 12, 17 additionally recites (“a) receiving pivot feature information for users from software agents running on computers within the enterprise computing environment; b) for a snapshot interval, on a per user basis, generating a frequency structure, the frequency structure interrelating a pivot feature, a binning feature and counts; c) using the frequency structure, generating a two-dimensional graphical image, wherein the graphical image is of a first dimension in one direction and a second dimension in another direction orthogonal to the first dimension, and wherein the first dimension corresponds to a cyclical repeating interval made up of multiple bins, the graphical image having been generated such that a bin of the multiple bins having a highest count is scaled to the second dimension and counts of all other bins in the interval are scaled relative to that highest count; d) on a per user basis, graphically comparing the generated graphical image to an immediately preceding graphical image for similarity relative to a pre-specified similarity threshold; e) determining that graphical images for a set of users is stable; f) for an individual user, predicting which of multiple clusters a specific graphical image for that user falls into; g) for the individual user, calculating which of the multiple clusters the specific graphical image for that user falls into; h) comparing a result of the predicting and a result of the calculating to determine whether a predicted cluster and a calculated cluster for the specific graphical image match; and i) when the predicted cluster and the calculated cluster for the specific graphical image do not match, triggering an automatic security response”). 
As such, the abstract idea is collecting data, analyzing the data, manipulating data further through mathematical correlations, comparing the data to detect anomaly as defined by the claimed steps listed above. As such, the claims fall under at least the category of “an idea of itself”, “mathematical relations / formulas”. The phrase “an idea of itself is used to describe an idea standing alone such as an instantiated concept, plan or scheme, as well as a mental process (thinking) that “can be performed in the human mind, or by a human using a pen and paper." Looking at the steps of the claims, for each of the claims, data is simply being collected, categorized, organized mathematically and compared mathematically (i.e., graphical comparison, clustering steps). This is simply collecting, organizing and comparing information which was ruled abstract in: 
         a. Collecting and comparing known information (Classen); 
         b. Comparing information regarding a sample or test subject to a control or target data (Ambry/Myriad CAFC); 
         c. Collecting and analyzing information to detect misuse and notifying a user when misuse is detected (FairWarning); 
         d. Data recognition and storage (Content Extraction);
         e. Obtaining and comparing intangible data (Cybersource); 
         f. Collecting information, analyzing it, and displaying certain results of the collection and analysis (Electric Power Group);
         g. Organizing and manipulating information through mathematical correlations (Digitech);
         h. Virus Screening (Int. Ventures v. Symantec ‘610 patent);
         i. A mathematical formula for calculating parameters indicating an abnormal condition (Grams);
The steps are similar to concepts and ideas that have been identified as abstract by the courts. For example, collecting information, analyzing it, and displaying certain results of the collection and analysis (Electric Power Group); a mathematical formula for calculating parameters indicating an abnormal condition (Grams); Collecting and analyzing information to detect misuse and notifying a user when misuse is detected (FairWarning); Virus Screening (Int. Ventures v. Symantec ‘610 patent); and Obtaining and comparing intangible data (Cybersource). While the specific facts of the case differ from these cases, the claims are still directed to collecting and providing known information and comparing new and stored information. A computer is not necessary to generate, receive and correlate/compare data. Even further still, any steps that deal with generating, receiving, analyzing/comparing are insignificant, extra solution activity because receiving, analyzing and transmitting device data, comparing collected data and taking action based on matching/comparison are all well-known in the computer network security arts.
Step 2A (prong 2) Identifying an integrated practical application
Under step 2A (prong 1) of the 101 analysis, claims recite abstract idea of is collecting data, analyzing the data, manipulating further through mathematical correlations, comparing the data to detect an anomaly as defined by the claimed steps listed above. As such, the claims fall under at least the category of “an idea of itself”, “mathematical relations / formulas”. Claims do not integrate a practical application of the abstract idea in the claims (step 2A, prong 2)
Finding the claims to be directed toward an abstract idea, however, is not the end of the inquiry. See Mayo Collaborative Servs. v. Prometheus Labs. Inc., 132 S. Ct. 1289, 1297 (2012). Rather, the second step requires determining whether additional substantive limitations narrow, confine, or otherwise tie down the claim so that, in practical terms, it does not cover the full abstract idea itself. Another way of stating the test is whether the claim language provides “significantly more” than the abstract idea itself.                    
 Step 2B: Considering Additional Elements
The considerations are whether the claim includes:
•    Improvements to another technology or technical field;
•    Improvements to the functioning of the computer itself;
•    Applying the judicial exception with, or by use of, a particular machine;
•    Effecting a transformation or reduction of a particular article to a different state or thing;
•    Adding a specific limitation other than what is well-understood, routine and conventional in the field, or adding unconventional steps that confine the claim to a particular useful application;
•    Other meaningful limitations beyond generally linking the use of the judicial exception to a particular technological environment. 
Applying the test to the claims in the application, the structural elements of the claims, which include a computer when taken in combination with the functional elements claim(s) is/are directed to method collecting data, analyzing the data, manipulating data further through mathematical correlations, comparing the data to detect anomaly, together do not offer “significantly more” than the abstract idea itself because the claims do not recite an improvement to another technology or technical field, an improvement to the functioning of any computer itself, or provide meaningful limitations beyond generally linking an abstract idea (collecting data at a system) to a particular technological environment (a general purpose computer and/or environment of the user). When considered as an ordered combination, the Examiner does not find any combination of the additional elements that amounts to more than the sum of the parts. The Examiner finds that the Individual elements of the claims are performing their intended roles and functions. In most cases, the additional elements are applied merely to carry out data processing, as discussed above, receiving, comparing and responding which fall under well-understood, routine, and conventional functions of generic computers – in our common day-to-day interactions. Note: Applicant’s disclosure (see ¶31) states the various computing elements used to implement the claimed invention are routine, commonly used computing elements. Therefore, the claimed interactions of the various generically recited methods / devices lacks an unconventional step that confines the claim to a particular useful application in the sense that the result is equivalent to purely mental activity, e.g., data, comparison and output/updates/response. Therefore all corresponding dependent claims are also rejected.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED A ZAIDI whose telephone number is (571)270-5995. The examiner can normally be reached Monday-Thursday: 5:30AM-5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SYED A ZAIDI/Primary Examiner, Art Unit 2432