DETAILED ACTION

This communication is in response to Application No. 16/892,182 filed on 6/3/2020. The amendment presented on 8/9/2022, which amends claims 1-12 and 22-23, is hereby acknowledged. Claims 1-23 have been examined.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 112
The amendment presented on 8/9/2022 amending claims 2-11 and 22-23 obviates the outstanding 35 USC 112 rejections, and they are hereby withdrawn. 

Response to Arguments
Applicant’s arguments with respect to claims 1-23 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 8-12, and 15-18 are rejected under 35 U.S.C. 103 as being unpatentable over Chari et al. (hereinafter Chari)(US 2018/0359270) in view of Engel et al. (hereinafter Engel)(US 2016/0234167), and further in view of Cohen et al. (hereinafter Cohen)(US 2013/0282331).
Regarding claim 1, Chari teaches as follows:
an anomaly detection (server 104 and server 106 also provide a service for detecting anomalous user behavior in network data processing system 100 based on clustering numerical representations of user activities, see, para. [0022] and figure 1) comprising: 
defining a computing device group comprising a plurality of networked computing devices associated with a computer network (user peer groups 234 represent a plurality of different peer groups of users, each different peer group of users performing a similar set of activities within the network of data processing systems during a respective time interval, see, para. [0034] and figure 2); 
calculating one or more statistical parameters associated with the computing device group (anomalous user behavior detector 218 utilizes clustering process 222 to cluster the generated numerical representations of users' activities for each respective interval of time to form a plurality of peer groups of users performing similar patterns of activities or tasks in a network of data processing systems during each respective interval of time, see, para. [0031] and figure 2); 
receiving a set of communication data associated with a networked computing device (anomalous user behavior detector 218 utilizes machine learning process 220 to generate user activities numerical representations 232. User activities numerical representations 232 represent a numerical representation, such as a numeric feature vector, for each user activity in user activities 230 that corresponds to each user in users 224, see, para. [0034] and figure 2); 
computing an operating point geometric distance of the networked computing device relative to the one or more statistical parameters based at least in part on the set of communication data (the computer compares each user's peer group within the current time interval to one of that user's peer group in a previous time interval or aggregated user peer groups corresponding to that user over a predetermined number of previous time intervals (step 512). Afterward, the computer generates a distance metric for each user within the current time interval based on comparing (step 514), see, para. [0070] and figure 5); and 
detecting an anomaly based on the operating point geometric distance (if the computer determines that the distance metric corresponding to one or more respective users within the current time interval is greater than or equal to the defined distance metric threshold value, yes output of step 516, then the computer sends an alert to a security analyst of the enterprise regarding the one or more respective users within the current time interval meeting or exceeding the defined distance metric threshold value, see, para. [0071] and figure 5).
Chari teaches of generating numerical representations of users’ activities to form peer groups of users (see, para. [0031]) but does not explicitly teach of calculating statistical parameters associated with the computing device group.
Engel teaches as follows:
a system for detection of anomaly action and deviation from the normal behavior pattern of the computer network. The anomaly action may be caused by generic malware or by a more targeted cyber-attack such as an APT and may be detected by statistical modeling of the computer network that enables differentiating the anomaly action from the normal behavior (see, para. [0026]);
statistical models may be built over time based on parameters of actions in the computer network or based on groups of parameters of actions in the computer network. The system may continuously receive data and may continuously update the statistical model quantitatively as well as qualitatively (see, para. [0087]); and
in order to build a statistical model for each entity in the computer network over time, protocols and interaction with other entities may be continuously examined to store statistics for each entity (see, para. [0089]).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Chari with Engel to include utilizing statistical modeling of the computer network as taught by Engel in order to efficiently differentiate the anomaly action from the normal behavior.
Chari in view of Engel does not teach the specific statistical parameters including a forget-factor.
Cohen teaches as follows:
method for detecting abnormal behavior may include calculating a mean and a standard deviation of the metric at the current time interval by assigning the first sample the adjusted first weight and by assigning the mean and the sum of squares at a previous time interval the adjusted second weight and detecting abnormal behavior by comparing the first sample to an outlier threshold, e.g., outlier value, that can be based on the mean and the standard deviation at the previous time interval (see, para. [0006]); and
a first weight and a second weight can function as a forgetting factor which determines the rate at which the past samples of a metric are forgotten. Past samples of a metric are forgotten as the influence of the past samples in updating a normal model of a metric is diminished (see, para. [0024] and figure 1).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Chari in view of Engel with Cohen to include the forgetting factor as taught by Cohen in order to efficiently adjust weighting for samples collected from different time windows (time intervals).
Regarding claim 2, Chari teaches as follows:
wherein defining a computing device group comprising a plurality of networked computing devices (interpreted as clients 112-116 in figure 1) associated with a computer network (102 in figure 1) comprises including the network computing device in the computing device group (anomalous user behavior detector 218 identifies anomalous behavior of client device users based on clustering numerical features extracted from activities performed by the client device users into peer groups of users performing similar activities within a defined interval of time, see, para. [0031]).
Regarding claim 3, Chari teaches as follows:
wherein receiving a set of communication data associated with a networked computing device comprises receiving a set of communication data associated with a networked computing device that is outside of the computing device group; and further comprising: receiving another set of communication data associated with the networked computing device that is outside of the computing device group; analyzing the other set of communication data; and sorting the networked computing device into the computing device group responsive to the analysis.
Regarding claim 4, Chari teaches as follows:
Alert 248 represents a notification that anomalous user behavior detector 218 sends to a security analyst of the enterprise regarding anomalous user behavior 244 (see, para. [0036] and figure 2).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Chari in view of Engel to include sending an alert level (equivalent to applicant's anomaly severity) in order to effectively present the alert to the security analyst.
Regarding claims 8-11, Chari teaches as follows:
time interval 226 represents a predefined period of time, such as, for example, one day (equivalent to applicant’s short-term), one week, or one month (equivalent to applicant’s long term), or finer grained time intervals, such as, for example, hours (equivalent to applicant’s substantially real-time). Anomalous user behavior detector 218 utilizes time interval 226 to segment or divide system logs 228 into discrete time periods (see, para. [0033]).
Engel teaches as follows:
statistical models may be built over time based on parameters of actions in the computer network or based on groups of parameters of actions in the computer network. The system may continuously receive data and may continuously update the statistical model quantitatively as well as qualitatively (see, para. [0087]).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Chari in view of Engel to include building statistical models over various time intervals in order to efficiently detect anomalies by comparison with statistical parameters collected from various time intervals.
Regarding claim 12, Chari in view of Engel and Cohen teaches similar limitations as presented above in the rejections regarding claim 1. Chari further teaches as follows:
an anomaly detection apparatus (interpreted as network data processing system 100 in figure 1) comprising: 
a computer network (102 in figure 1) including a plurality of networked computing devices (interpreted as clients 112-116 in figure 1)(see, para. [0023]); 
a network gateway communicatively coupled to the computer network; and 
a computing system communicatively coupled to the network gateway and configured to receive network data associated with the computer network via the network gateway (the network may comprise copper transmission cables, optical transmission fibers, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers, see, para. [0013] and figure 1).
Chari does not explicitly show a gateway utilized in the network data processing system in figure 1 but it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Chari in view of Engel and Cohen to include the well-known gateway in order to efficiently communicate between network devices via the network.
Regarding claim 15, Chari teaches as follows:
wherein the networked computing devices are communicatively coupled via any combination of wireless communication protocols and wired communication protocols (network data processing system 100 contains network 102, which is the medium used to provide communications links between the computers, data processing systems, and other devices connected together within network data processing system 100. Network 102 may include connections, such as, for example, wire communication links, wireless communication links, and fiber optic cables, see, para. [0020] and figure 1).
Regarding claim 16, Chari teaches as follows:
wherein the wired communication protocols include Ethernet (network data processing system 100 may be implemented as a number of different types of communication networks, such as, for example, an internet, an intranet, a local area network (LAN), a wide area network (WAN), or any combination thereof, see, para. [0026] and figure 1).
Regarding claim 17, Chari teaches as follows:
wherein the wireless communication protocols include any combination of WiFi, Bluetooth, Bluetooth Low Energy (BLE), ZigBee, Long-Term Evolution (LTE), Lorawan, and zwave (the wireless communications link may utilize, for example, shortwave, high frequency, ultra-high frequency, microwave, near field communication (NFC), Wi-Fi, Bluetooth® technology, global system for mobile communications (GSM), code division multiple access (CDMA), second-generation (2G), third-generation (3G), fourth-generation (4G), 4G Long Term Evolution (LTE), LTE Advanced, or any other wireless communication technology or standard to establish a wireless communications link for data processing system 200, see, para. [0037] and figure 2).
Regarding claim 18, Chari teaches as follows:
wherein the networked computing devices are any combination of a desktop computer, a laptop computer, a mobile device, a tablet, and an IoT device (clients 112, 114, and 116 (equivalent to applicant’s networked computing devices) may represent other types of data processing systems, such as, for example, smart phones, smart watches, handheld computers, laptop computers, personal digital assistants, and the like, with wired or wireless communication links to network 102, see, para. [0023] and figure 1).

Claims 5-7 are rejected under 35 U.S.C. 103 as being unpatentable over Chari et al. (hereinafter Chari)(US 2018/0359270) in view of Engel et al. (hereinafter Engel)(US 2016/0234167) and Cohen et al. (hereinafter Cohen)(US 2013/0282331), and further in view of Vasseur et al. (hereinafter Vasseur)(US 2020/0358794).
Regarding claim 5, Chari in view of Engel and Cohen teaches all limitations as presented above except for defining a computing device group based on hyper context parameters and the tag set.
Vasseur teaches as follows:
the components 502-510 of device classification process 248 may leverage active learning, to assign device type classifications 514 to the devices under scrutiny. To do so, clustering module 502 may assign the devices under scrutiny to device clusters 504, based on their telemetry data 512 (equivalent to applicant's hyper context). For example, a device cluster 504 may include those devices that exhibit the same or similar traffic or other behavioral features. If a device type is then associated with a device cluster 504, device labeler 506 may apply that type to a device as device type classification 514 (see, para. [0071] and figure 5); and
at step 620, the service may generate a device type classification rule using the device type labels (equivalent to applicant’s tag set) and the telemetry data (equivalent to applicant’s hyper context), as described in greater detail above. The rule may, for example, assign one of the device type labels from step 615 to a device, based on its associated telemetry data (see, para. [0100]).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Chari in view of Engel and Cohen with Vasseur to include the device classification by assigning device type labels based on the associated telemetry data as taught by Vasseur in order to group devices with similar features together.
Regarding claims 6 and 7, Vasseur does not explicitly teach defining a tag set (labels), but it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Chari in view of Engel and Cohen with Vasseur to include pre-defining the labels (tag set) before assigning them to each device.

Claims 13, 14, 22, and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Chari et al. (hereinafter Chari)(US 2018/0359270) in view of Engel et al. (hereinafter Engel)(US 2016/0234167) and Cohen et al. (hereinafter Cohen)(US 2013/0282331), and further in view of Yamashita et al. (hereinafter Yamashita)(US 2007/0156373).
Regarding claims 13, 14, 22, and 23, Chari in view of Engel and Cohen teaches all limitations as presented above except for calculating Mahalanobis distance with statistical parameters of an average and a standard deviation.
Yamashita teaches as follows:
the distance between each abnormal space and the normal space can be calculated by obtaining the Mahalanobis distance between the representative data (mean value data) of the normal reference space and the abnormal space (see, para. [0175]); and
FIG. 5 is a computation flowchart of the Mahalanobis distance. Firstly, the mean value (equivalent to applicant’s average), the standard deviation, the inverse matrix of the correlation matrix, and the number of items for the reference data are set (ST1)(see, para. [0097] and figure 5).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Chari in view of Engel and Cohen with Yamashita to include the well-known Mahalanobis distance as taught by Yamashita in order to efficiently detect abnormality in the early stage.
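The rejections of claim 1 and of claims 13, 14, 22 and 23 rest on two computations quoted above: Cohen's forgetting-factor update of a mean and standard deviation with an outlier threshold, and Yamashita's Mahalanobis distance computed from the mean, the standard deviation and the inverse correlation matrix of the reference data. The Python below is an added illustration written for this page; it is not code from the application or from any cited reference. The per-interval samples, the weighting (new sample weight lam, previous estimate 1 - lam), seeding the baseline from the first sample, and the 4.0 threshold are all assumptions.

```python
import math
from typing import List, Sequence

def invert(m: List[List[float]]) -> List[List[float]]:
    """Gauss-Jordan inverse with partial pivoting (fine for a few features)."""
    n = len(m)
    a = [row[:] + [float(i == j) for j in range(n)] for i, row in enumerate(m)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(a[r][c]))
        a[c], a[piv] = a[piv], a[c]
        if abs(a[c][c]) < 1e-12:
            raise ValueError("singular correlation matrix; need more varied samples")
        a[c] = [v / a[c][c] for v in a[c]]
        for r in range(n):
            if r != c:
                a[r] = [rv - a[r][c] * cv for rv, cv in zip(a[r], a[c])]
    return [row[n:] for row in a]

class ForgettingBaseline:
    """Weighted mean and mean-of-products for a device group. lam is the
    forgetting factor: a new sample gets weight lam, the previous estimate
    1 - lam, so old samples fade. First sample seeds the statistics (assumed)."""

    def __init__(self, n_features: int, lam: float = 0.2) -> None:
        self.lam, self.n = lam, 0
        self.mean = [0.0] * n_features
        self.prod = [[0.0] * n_features for _ in range(n_features)]

    def update(self, x: Sequence[float]) -> None:
        self.n += 1
        w = 1.0 if self.n == 1 else self.lam
        for i, xi in enumerate(x):
            self.mean[i] += w * (xi - self.mean[i])
            for j, xj in enumerate(x):
                self.prod[i][j] += w * (xi * xj - self.prod[i][j])

    def stddev(self) -> List[float]:
        return [math.sqrt(max(self.prod[i][i] - m * m, 1e-12))
                for i, m in enumerate(self.mean)]

    def mahalanobis(self, x: Sequence[float]) -> float:
        """Scaled distance z^T R^-1 z / k using the mean, the standard deviation
        and the inverse correlation matrix R^-1 of the reference data."""
        sd, k = self.stddev(), len(self.mean)
        z = [(x[i] - self.mean[i]) / sd[i] for i in range(k)]
        corr = [[(self.prod[i][j] - self.mean[i] * self.mean[j]) / (sd[i] * sd[j])
                 for j in range(k)] for i in range(k)]
        rinv = invert(corr)
        return sum(z[i] * rinv[i][j] * z[j] for i in range(k) for j in range(k)) / k

# Constructed per-interval samples for one device group: (KB sent, connections).
NORMAL_SAMPLES = [(100, 10), (110, 12), (95, 9), (105, 11),
                  (98, 10), (112, 13), (103, 10), (99, 11)]

def build_baseline(samples=NORMAL_SAMPLES, lam: float = 0.2) -> ForgettingBaseline:
    base = ForgettingBaseline(len(samples[0]), lam)
    for s in samples:
        base.update(s)
    return base

def is_anomalous(base: ForgettingBaseline, x: Sequence[float], threshold=4.0) -> bool:
    """Outlier test: flag the device once its scaled distance meets the threshold."""
    return base.mahalanobis(x) >= threshold
```

A point such as (112, 7) has each feature within a few standard deviations yet scores far above the threshold, because the inverse correlation matrix penalises breaking the usual link between bytes sent and connection count.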

Claims 19-21 are rejected under 35 U.S.C. 103 as being unpatentable over Chari et al. (hereinafter Chari)(US 2018/0359270) in view of Engel et al. (hereinafter Engel)(US 2016/0234167) and Cohen et al. (hereinafter Cohen)(US 2013/0282331), and further in view of Felemban et al. (hereinafter Felemban)(US 2017/0244635). 
Regarding claims 19-21, Chari in view of Engel and Cohen does not teach the wireless sensor array or the network traffic sensor array.
Felemban teaches as follows:
FIG. 3 shows the proposed Multi-Protocol Gateway 118 Architecture where devices connected to various protocols can interconnect and communicate with each other without requiring expensive gadgets in between. The Gateway offers the link level translation between various protocols, both wired and wireless. For example, a device connected through WiFi AC 202 can print using a printer connected through a serial port 306, and communicate to another device connected over Zigbee 302. The translation happens between multiple protocols and hence the frustration of incompatibility is reduced. The system and method accommodate both a wired and a wireless protocol, and the resource connectivity such as a USB, Ethernet and Serial port (see, para. [0033] and figure 3).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Chari in view of Engel and Cohen with Felemban to include the Multi-Protocol Gateway as taught by Felemban in order to efficiently reduce incompatibility.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeong S Park whose telephone number is (571)270-1597. The examiner can normally be reached Monday through Friday 8:00-4:30 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Glenton B Burgess can be reached on 571-272-3949. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JEONG S PARK/Primary Examiner, Art Unit 2454
September 30, 2022