Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-2, 4-5, 9-10, and 14-16 are rejected under 35 U.S.C. 102(a)(1)/102(a)(2) as being anticipated by Urmanov et al. (US 2018/0322363).

Regarding Claim 1, Urmanov discloses a computer-implemented method comprising: 
receiving a request to[1] perform anomaly detection using clusters ([0077], “a device that sent the electronic communication in an attempt to access the user account,” Urmanov); 
initializing one or more clusters on a set of samples that have been labeled as normal ([0055],Urmanov);
receiving a data point from a sensor ([0043] and [0078], Urmanov); 
determining when the received data point is a part of one of the one or more clusters
utilizing a distance to centers of the one or more clusters ([0043], [0045], and [0078], Urmanov), wherein: 
when the received data point is determined to belong to a normal cluster ([0083], “allowed communication pool,” [0084], “multi-distance clustering into clusters of known/safe/expected data points of such features,” and “can be clustered by multi-distances clustering to see if such features are clustered into the safe clusters,” Urmanov), assigning the received data point to the determined cluster ([0062], Urmanov), updating the cluster ([0062], Urmanov), and updating a history for the cluster ([0061]-[0062], Urmanov), 
when the received data point is determined to belong to an anomalous cluster ([0078], “If the data point, representing the location of the device, is dissimilar beyond a threshold amount from the known locations, then the data point is identified as the anomaly data point indicative of malicious activity. The data point is determined to be dissimilar beyond the threshold amount based upon the multi-distance clustering process clustering the data point into a cluster dissimilar from clusters of safe/normal/expected data points,” [0084], “and/or the malicious clusters (e.g., known malicious features),” Urmanov), raising an anomaly ([0079], [0081], [0083], “blocked communications pool,” Urmanov), updating the cluster ([0079] and [0081], Urmanov), and updating a history for the cluster ([0061]-[0062], Urmanov), and 
when the received data point is determined to not belong to any cluster ([0078], [0083], [0084], “clusters dissimilar from the safe clusters (e.g., new malicious features),” Urmanov), raising an anomaly ([0079], Urmanov).

Regarding Claim 2, Urmanov discloses a computer-implemented method of claim 1, wherein the request includes at least one or more of: an identifier of a location of an initial labeled data set to[2] be used to generate clusters, an identifier of a location of testing data to[3] test the clustering algorithm or model; actual initial labeled data and/or testing data; an identifier of the clustering algorithm or model to[4] be used; an identifier of a location to[5] store a cluster history; an identifier of a location to[6] store clusters; one or more identifiers of users allowed to[7] provide feedback; identifiers of execution and memory resources, or types of resources, to[8] use for clustering; an identifier of what criteria to[9] use to estimate a number of clusters to initialize and how to perform the initialization; and/or one or more identifiers of users allowed to[10] receive anomaly data ([0075], [0086], Urmanov).

Regarding Claim 4, Urmanov discloses a computer-implemented method comprising: 
receiving a request to[11] perform anomaly detection using a plurality of clusters ([0077], “a device that sent the electronic communication in an attempt to access the user account,” Urmanov); 
receiving a data point ([0043] and [0078], Urmanov); 
determining when the received data point is a part of one of the plurality of clusters utilizing a distance to centers of the one or more clusters ([0043], [0045], and [0078], Urmanov), wherein: 
when the received data point is determined to belong to a normal cluster ([0083], “allowed communication pool,” [0084], “multi-distance clustering into clusters of known/safe/expected data points of such features,” and “can be clustered by multi-distances clustering to see if such features are clustered into the safe clusters,” Urmanov), assigning the received data point to the determined cluster ([0062], Urmanov), updating the cluster ([0062], Urmanov), and updating a history for the cluster ([0061]-[0062], Urmanov), 
when the received data point is determined to belong to an anomalous cluster ([0078], “If the data point, representing the location of the device, is dissimilar beyond a threshold amount from the known locations, then the data point is identified as the anomaly data point indicative of malicious activity. The data point is determined to be dissimilar beyond the threshold amount based upon the multi-distance clustering process clustering the data point into a cluster dissimilar from clusters of safe/normal/expected data points,” [0084], “and/or the malicious clusters (e.g., known malicious features),” Urmanov), raising an anomaly ([0079], [0081], [0083], “blocked communications pool,” Urmanov), updating the cluster ([0079] and [0081], Urmanov), and updating a history for the cluster ([0061]-[0062], Urmanov), and 
when the received data point is determined to not belong to any cluster ([0078], [0083], [0084], “clusters dissimilar from the safe clusters (e.g., new malicious features),” Urmanov), raising an anomaly ([0079], Urmanov).

Regarding Claim 5, Urmanov discloses a computer-implemented method of claim 4, wherein the request includes at least one or more of: an identifier of a location of an initial labeled data set to[12] be used to generate clusters, an identifier of a location of testing data to[13] test the clustering algorithm or model; actual initial labeled data and/or testing data; an identifier of the clustering algorithm or model to[14] be used; an identifier of a location to[15] store a cluster history; an identifier of a location to[16] store clusters; one or more identifiers of users allowed to[17] provide feedback; identifiers of execution and memory resources, or types of resources, to[18] use for clustering; an identifier of what criteria to[19] use to estimate a number of clusters to initialize and how to perform the initialization; and/or one or more identifiers of users allowed to[20] receive anomaly data ([0075], [0086], Urmanov).

Regarding Claim 9, Urmanov discloses a computer-implemented method of claim 4, further comprising: initializing the plurality of clusters in an ad-hoc manner ([0055], “the clustering process itself determines the number of clusters. When multi-distance tri-point arbitration similarity is the basis for the multi-distance clustering, each data point contributes to the determination of the similarity of all other pairs of data points. Thus, the data, rather than the analyst, controls the cluster formation,” Urmanov).

Regarding Claim 10, Urmanov discloses a computer-implemented method of claim 4, further comprising: determining a number of clusters to[21] initialize using an initialization criteria ([0055], “the clustering process itself determines the number of clusters. When multi-distance tri-point arbitration similarity is the basis for the multi-distance clustering, each data point contributes to the determination of the similarity of all other pairs of data points. Thus, the data, rather than the analyst, controls the cluster formation,” Urmanov); and 
initializing the number of clusters as the plurality of clusters ([0055], “the clustering process itself determines the number of clusters. When multi-distance tri-point arbitration similarity is the basis for the multi-distance clustering, each data point contributes to the determination of the similarity of all other pairs of data points. Thus, the data, rather than the analyst, controls the cluster formation,” Urmanov).

Regarding Claim 14, Urmanov discloses a computer-implemented method of claim 4, wherein the received data point is produced by a sensor of a managed device ([0075], [0079], [0092], [0099], Fig. 8, Urmanov).

Regarding Claim 15, Urmanov discloses a system comprising: 
a first one or more electronic devices to be managed by a cluster-based anomaly detection service in a multi-tenant provider network (Fig. 8, Urmanov); and 
a second one or more electronic devices to[22] implement the cluster-based anomaly detection service in the multi-tenant provider network, the cluster-based anomaly detection service including instructions that upon execution cause the cluster-based anomaly detection service to (Fig. 8, Urmanov): 
receive a request to[23] perform anomaly detection for the first one or more electronic devices using a plurality of clusters ([0077], “a device that sent the electronic communication in an attempt to access the user account,” Urmanov); 
receive a data point from one of the first one or more electronic devices ([0043] and [0078], Urmanov);
determine when the received data point is a part of one of the plurality of clusters utilizing a distance to centers of the one or more clusters ([0043], [0045], and [0078], Urmanov), wherein: 
when the received data point is determined to belong to a normal cluster ([0083], “allowed communication pool,” [0084], “multi-distance clustering into clusters of known/safe/expected data points of such features,” and “can be clustered by multi-distances clustering to see if such features are clustered into the safe clusters,” Urmanov), assigning the received data point to the determined cluster ([0062], Urmanov), updating the cluster ([0062], Urmanov), and updating a history for the cluster ([0061]-[0062], Urmanov), 
when the received data point is determined to belong to an anomalous cluster ([0078], “If the data point, representing the location of the device, is dissimilar beyond a threshold amount from the known locations, then the data point is identified as the anomaly data point indicative of malicious activity. The data point is determined to be dissimilar beyond the threshold amount based upon the multi-distance clustering process clustering the data point into a cluster dissimilar from clusters of safe/normal/expected data points,” [0084], “and/or the malicious clusters (e.g., known malicious features),” Urmanov), raising an anomaly ([0079], [0081], [0083], “blocked communications pool,” Urmanov), updating the cluster ([0079] and [0081], Urmanov), and updating a history for the cluster ([0061]-[0062], Urmanov), and 
when the received data point is determined to not belong to any cluster ([0078], [0083], [0084], “clusters dissimilar from the safe clusters (e.g., new malicious features),” Urmanov), raising an anomaly ([0079], Urmanov).

Regarding Claim 16, Urmanov discloses a system of claim 15, wherein the request includes at least one or more of: an identifier of a location of an initial labeled data set to[24] be used to generate clusters, an identifier of a location of testing data to[25] test the clustering algorithm or model; actual initial labeled data and/or testing data; an identifier of the clustering algorithm or model to[26] be used; an identifier of a location to[27] store a cluster history; an identifier of a location to[28] store clusters; one or more identifiers of users allowed to[29] provide feedback; identifiers of execution and memory resources, or types of resources, to[30] use for clustering; an identifier of what criteria to[31] use to estimate a number of clusters to initialize and how to perform the initialization; and/or one or more identifiers of users allowed to[32] receive anomaly data ([0075], [0086], Urmanov).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 6 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Urmanov et al. (US 2018/0322363) in view of Fayyad et al. (US 6,581,058).

Regarding Claim 6, Urmanov discloses all the limitations as discussed above including a mean of the cluster ([0053]-[0054], Urmanov) but does not expressly disclose a covariance.  Fayyad discloses wherein when the cluster is updated, a mean and covariance of the cluster are updated (Col. 20, lines 32-44, Fayyad).  It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the system of Urmanov by incorporating the step of when the cluster is updated, a mean and covariance of the cluster are updated, as disclosed by Fayyad, in order to perform density estimation over a database and data mining (Col. 1, lines 64-67, and Col. 2, lines 1-7, Fayyad).  See: KSR International Co. v. Teleflex Inc., 82 USPQ 1385, 1396 (US 2007); MPEP § 2143.

Regarding Claim 17, Urmanov/Fayyad discloses a system of claim 15, wherein when the cluster is updated, a mean and covariance of the cluster are updated ([0053]-[0054], Urmanov; and Col. 20, lines 32-44, Fayyad).

Claims 11-13 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Urmanov et al. (US 2018/0322363) in view of Galle et al. (US 2013/0262465).

Regarding Claim 11, Urmanov discloses all the limitations as discussed above but does not expressly disclose: maintaining a history for metadata regarding usage of each cluster.  Galle discloses maintaining a history for metadata regarding usage of each cluster ([0089], Galle).  It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the system of Urmanov by incorporating the step of maintaining a history for metadata regarding usage of each cluster, as disclosed by Galle, in order to be able to accumulate cluster’s information over time so that the system can discover that two clusters discussed the same event ([0089], Galle).  See: KSR International Co. v. Teleflex Inc., 82 USPQ 1385, 1396 (US 2007); MPEP § 2143.

Regarding Claim 12, Urmanov/Galle discloses a computer-implemented method of claim 11, further comprising: 
detecting drift based at least in part on the maintained history ([0087], Galle); and 
raising an alert ([0079], [0081], [0083], Urmanov; and [0087], Galle).

Regarding Claim 13, Urmanov/Galle discloses a computer-implemented method of claim 11, further comprising: 
displaying the maintained history (Fig. 4-6, Galle).

Regarding Claim 20, Urmanov/Galle discloses a system of claim 15, wherein the cluster-based anomaly detection service is further to: 
detect a drift based at least in part on the maintained history ([0087], Galle); and 
raise an alert ([0079], [0081], [0083], Urmanov; and [0087], Galle).

Claims 3, 7-8, and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Urmanov et al. (US 2018/0322363) in view of Singh et al. (US 11,430,065).

Regarding Claim 7, Urmanov discloses all the limitations as discussed above but does not expressly disclose: receiving user feedback about a false positive; and resetting a label of the cluster in response to the feedback.  Singh discloses: receiving user feedback about a false positive; and resetting a label of the cluster in response to the feedback (Col. 12, lines 66-67, and Col. 13, lines 1-7, Singh).  It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the system of Urmanov by incorporating the step of receiving user feedback about a false positive; and resetting a label of the cluster in response to the feedback, as disclosed by Singh, in order to avoid missing important information (Col. 2, lines 26-30, Singh).  See: KSR International Co. v. Teleflex Inc., 82 USPQ 1385, 1396 (US 2007); MPEP § 2143.

Regarding Claim 8, Urmanov/Singh discloses a computer-implemented method of claim 4, further comprising: 
receiving user feedback about a false negative (Col. 12, lines 66-67, and Col. 13, lines 1-7, Singh); and 
retraining a clustering algorithm (Col. 12, lines 66-67, and Col. 13, lines 1-7, Singh).

Regarding Claim 3, Urmanov/Singh discloses a computer-implemented method, further comprising: receiving user feedback and updating a cluster in response to the received feedback (Col. 12, lines 66-67, and Col. 13, lines 1-7, Singh).

Regarding Claim 18, Urmanov/Singh discloses a system of claim 15, wherein the cluster-based anomaly detection service is further to: 
receive user feedback about a false positive (Col. 12, lines 66-67, and Col. 13, lines 1-7, Singh); and 
reset a label of the cluster in response to the feedback (Col. 12, lines 66-67, and Col. 13, lines 1-7, Singh).

Regarding Claim 19, Urmanov/Singh discloses a system of claim 15, wherein the cluster-based anomaly detection service is further to: receive user feedback about a false negative; and retrain a clustering algorithm.
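As an added illustration of the claimed procedure (this is not code from the Urmanov, Fayyad or Singh references, nor from the application under examination), the following Python implements the three-way decision of claim 1 (nearest cluster centre within a threshold, normal versus anomalous cluster versus no cluster, with a per-cluster history), the mean-and-covariance update of claim 6, and the false-positive feedback that resets a cluster label as in claim 7. The Euclidean distance, the threshold value of 2.0, the Welford-style running covariance and the two-dimensional sample points are all constructed assumptions for this sketch.

```python
import math
from dataclasses import dataclass, field


@dataclass
class Cluster:
    """One cluster: label, running mean, running scatter matrix and an assignment history."""
    label: str                      # "normal" or "anomalous" (assumed label vocabulary)
    dim: int
    n: int = 0
    mean: list = field(default_factory=list)
    m2: list = field(default_factory=list)       # sum of outer(dev, dev); covariance = m2 / (n - 1)
    history: list = field(default_factory=list)  # (event, count, mean) per update, i.e. the claim-1 "history"

    def __post_init__(self):
        self.mean = [0.0] * self.dim
        self.m2 = [[0.0] * self.dim for _ in range(self.dim)]

    def update(self, x, event):
        """Welford update of mean and scatter matrix (claim 6: mean and covariance are updated)."""
        self.n += 1
        delta = [xi - mi for xi, mi in zip(x, self.mean)]
        self.mean = [mi + di / self.n for mi, di in zip(self.mean, delta)]
        delta2 = [xi - mi for xi, mi in zip(x, self.mean)]
        for i in range(self.dim):
            for j in range(self.dim):
                self.m2[i][j] += delta[i] * delta2[j]
        self.history.append((event, self.n, tuple(self.mean)))

    def covariance(self):
        """Sample covariance; undefined for fewer than two points."""
        if self.n < 2:
            return None
        return [[v / (self.n - 1) for v in row] for row in self.m2]


def init_clusters(groups):
    """groups: list of (label, points). One cluster per labelled group (claim-1 initialisation)."""
    clusters = []
    for label, points in groups:
        c = Cluster(label=label, dim=len(points[0]))
        for p in points:
            c.update(p, "init")
        clusters.append(c)
    return clusters


def distance(a, b):
    return math.sqrt(sum((ai - bi) ** 2 for ai, bi in zip(a, b)))


def process_point(clusters, x, threshold):
    """Claim-1 decision: nearest centre within threshold decides membership; otherwise no cluster."""
    idx, dist = min(enumerate(distance(x, c.mean) for c in clusters), key=lambda t: t[1])
    if dist > threshold:
        return {"anomaly": True, "cluster": None, "reason": "no cluster within threshold"}
    c = clusters[idx]
    if c.label == "normal":
        c.update(x, "assigned")                   # assign, update cluster, update history
        return {"anomaly": False, "cluster": idx, "reason": "normal cluster"}
    c.update(x, "anomalous-hit")                  # raise anomaly, still update cluster and history
    return {"anomaly": True, "cluster": idx, "reason": "anomalous cluster"}


def apply_false_positive_feedback(clusters, idx):
    """Claim-7 analogue: analyst feedback that alerts from this cluster were false positives resets its label."""
    c = clusters[idx]
    c.label = "normal"
    c.history.append(("feedback:false_positive", c.n, tuple(c.mean)))
    return c.label


# Constructed sample data (two-dimensional feature vectors), not taken from any reference.
NORMAL_SEED = [(0.0, 0.0), (1.0, 0.0), (0.0, 1.0), (1.0, 1.0)]
KNOWN_BAD_SEED = [(10.0, 10.0), (11.0, 10.0), (10.0, 11.0)]


def demo():
    clusters = init_clusters([("normal", NORMAL_SEED), ("anomalous", KNOWN_BAD_SEED)])
    results = [process_point(clusters, p, threshold=2.0)
               for p in [(0.5, 0.5), (10.5, 10.2), (5.0, 5.0)]]
    return clusters, results


if __name__ == "__main__":
    cs, rs = demo()
    for r in rs:
        print(r)
    print("normal-cluster covariance after update:", cs[0].covariance())
```

The third sample point falls outside every cluster's threshold and is raised as an anomaly without updating any cluster, which is the "not belong to any cluster" branch of claim 1.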

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GIOVANNA B COLAN whose telephone number is (571)272-2752.  The examiner can normally be reached on Mon - Fri 8:30-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Aleksandr Kerzhner can be reached on (571) 270-1760.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/GIOVANNA B COLAN/Primary Examiner, Art Unit 2165
September 27, 2022

[1] The limitation “to perform anomaly detection using clusters” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[2] The limitation “to be used to generate clusters” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[3] The limitation “to test the clustering algorithm or model” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[4] The limitation “to be used” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[5] The limitation “to store a cluster history” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[6] The limitation “to store clusters” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[7] The limitation “to provide feedback” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[8] The limitation “to use for clustering” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[9] The limitation “to use to estimate a number of clusters to initialize and how to perform the initialization” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[10] The limitation “to receive anomaly data” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[11] The limitation “to perform anomaly detection using a plurality of clusters” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[12] The limitation “to be used to generate clusters” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[13] The limitation “to test the clustering algorithm or model” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[14] The limitation “to be used” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[15] The limitation “to store a cluster history” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[16] The limitation “to store clusters” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[17] The limitation “to provide feedback” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[18] The limitation “to use for clustering” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[19] The limitation “to use to estimate a number of clusters to initialize and how to perform the initialization” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[20] The limitation “to receive anomaly data” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[21] The limitation “to initialize using an initialization criteria” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[22] The limitation “to implement the cluster-based anomaly detection service in the multi-tenant provider network” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[23] The limitation “to perform anomaly detection for the first one or more electronic devices using a plurality of clusters” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[24] The limitation “to be used to generate clusters” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[25] The limitation “to test the clustering algorithm or model” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[26] The limitation “to be used” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[27] The limitation “to store a cluster history” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[28] The limitation “to store clusters” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[29] The limitation “to provide feedback” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[30] The limitation “to use for clustering” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[31] The limitation “to use to estimate a number of clusters to initialize and how to perform the initialization” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).
[32] The limitation “to receive anomaly data” has not been given patentable weight since it is a statement of intended use which does not limit the scope of the claim. See MPEP 2103 C. and 2111.04(I).