DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant’s amendments and arguments filed 06/28/2022 have been fully considered by the examiner.
Applicant’s remarks directed to the claim rejections under USC § 102 and USC § 103 made in the previous rejection have been fully considered.
With respect to the arguments directed to the rejection of claims under USC § 102, specifically the amended claim limitations, the Applicant has presented arguments regarding claim language that has not been previously examined. Therefore, Applicant’s arguments are rendered moot. See the current office action regarding the rejection of the amended claim limitations.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 1-3, 5-6, 8, 10-12, 14-15, 17, and 19-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Heimann et al. (US Pat. No. 10,685,293, hereinafter ‘Heiman’).

Independent claims 1, 10, and 19:
Regarding claim 1, Heiman teaches a method comprising:
receiving, at a service, relevancy feedback from a user that is indicative of one or more anomalies detected in a network by one or more unsupervised learning-based anomaly detectors deemed relevant and one or more anomalies detected in the network by one or more unsupervised learning-based anomaly detectors deemed irrelevant; (user input as claimed received relevancy feedback, as depicted in Fig. 3 element 302 and Fig. 21, in Col. 5 line 65 – Col. 6 line 15: FIG. 3 is an overview of the platform 300, as executed by at least one platform server 100, according to an embodiment of the invention. Unsupervised learning core 302 [including claimed one or more unsupervised learning-based anomaly detectors] may use network-based behavioral analytics and/or user-based entity behavioral analytics to score observations and produce score events. Outlier detection algorithm(s) 304 may produce a filtered set of outliers [i.e. indicative of one or more anomalies detected in a network by one or more unsupervised learning-based anomaly detectors]. For example, filtration and output are illustrated in detail below in FIGS. 17-20 and accompanying description. AI engine 306 may produce machine curated results using the filtered set of outliers [i.e. indicative of one or more anomalies detected in a network by one or more unsupervised learning-based anomaly detectors] as input. For example, yellow dots indicate steps in a self-learning process, and blue dots indicate steps in an active learning process [claimed receiving, at a service, relevancy feedback from a user that is indicative of one or more anomalies detected in a network by one or more unsupervised learning-based anomaly detectors], explained in greater detail with respect to FIG. 21 and accompanying description.
Human curation interface 308 may allow users to feed knowledge back to AI engine 306 [claimed receiving, at a service, relevancy feedback from a user that is indicative of a relevance of anomalies detected in a network by one or more unsupervised learning-based anomaly detectors] in the form of labels. And as depicted in Fig. 21, receiving user feedback on data that has been scored:

[Image: Heiman Fig. 21 (omitted)]

And wherein the unsupervised learning process, as depicted in Fig. 3, scores the anomalies to determine whether they are deemed relevant or irrelevant based on their respective score, in 5:65-6:15: FIG. 3 is an overview of the platform 300, as executed by at least one platform server 100, according to an embodiment of the invention. Unsupervised learning core 302 may use network-based behavioral analytics and/or user-based entity behavioral analytics to score observations and produce score events [claimed one or more anomalies detected in a network by one or more unsupervised learning-based anomaly detectors deemed relevant and one or more anomalies detected in the network by one or more unsupervised learning-based anomaly detectors deemed irrelevant]. Outlier detection algorithm(s) 304 may produce a filtered set of outliers [claimed one or more anomalies detected in a network by one or more unsupervised learning-based anomaly detectors deemed relevant and one or more anomalies detected in the network by one or more unsupervised learning-based anomaly detectors deemed irrelevant]. For example, filtration and output are illustrated in detail below in FIGS. 17-20 and accompanying description. AI engine 306 may produce machine curated results using the filtered set of outliers as input... Human curation interface 308 may allow users to feed knowledge back to AI engine 306 in the form of labels.

[Image: Heiman Fig. 3 (omitted)]


In 5:22-30: While each algorithm in the unsupervised core may model observations differently, the platform may standardize outlier definition for the sake of automation in some embodiments. TailJumps may involve a transformation of the outlier scores from each algorithm. TailJumps may break up the transformed outlier score into three distinct regions (Inliers, Analysis, and Forecast) [claimed one or more anomalies detected in a network by one or more unsupervised learning-based anomaly detectors deemed relevant and one or more anomalies detected in the network by one or more unsupervised learning-based anomaly detectors deemed irrelevant; Examiner notes that the unsupervised algorithms are used to detect relevant and irrelevant outliers (i.e. anomalies) based on the scores in the detected forest regions as depicted in Fig. 3] and then look at Support Vectors in the Forecast region from the convex hull in the Analysis region to predict the outliers in the Forecast region…)
generating, by the service, a set of rules used to collect training data for training a supervised learning-based classifier based on those of the anomalies detected by the one or more unsupervised learning-based anomaly detectors deemed relevant by the relevancy feedback; (random forest classifier probabilities for each training data class based on detected outliers, claimed generated rules, as depicted in Fig. 3 & Fig. 21, in Col. 25 line 4 - Col. 26 line 18: In 2102, platform 300 may analyze periodicity of data. In cyber finding, a periodic behavior may be indicative of machine-like behavior, and thus several features of Janus may incorporate periodicity… In 2104, platform 300 may score periodicity of data. Janus may use a score s=1−E, so that a larger s corresponds to more periodic. For validity, set s=0 if m≤2. In 2106, platform 300 may determine whether the score is above a confidence threshold. If so, in 2108, platform 300 may classify the data and, in 2110, perform self-training, which is discussed in greater detail below. If not, in 2112, platform 300 may receive user input regarding the classification of the data. In 2114, platform 300 may classify [claimed generating, by the service, a set of rules used to collect training data for training a supervised learning-based classifier based on those of the anomalies detected by the one or more unsupervised learning-based anomaly detectors deemed relevant by the relevancy feedback] the data according to the user input [claimed receiving, at a service, relevancy feedback from a user that is indicative of a relevance of anomalies detected in a network by one or more unsupervised learning-based anomaly detectors] and, in 2116, perform self-training. Platform 300 may perform self-training to improve classification and require less user intervention moving forward. Just as an SOC analyst has a knowledge base of past threats that he or she relies on, so must Janus.
This may come in the form of training data, which are behaviors that SOC analysts have already looked at and determined whether or not those behaviors are potentially nefarious [claimed generating, by the service, a set of rules used to collect training data for training a supervised learning-based classifier based on those of the anomalies detected by the one or more unsupervised learning-based anomaly detectors deemed relevant by the relevancy feedback]. The training data for Janus may represent a diverse range of user behavior, allowing Janus to cover a wide threat space as well as a large amount of good behavior so that it can tell the difference between the two. To train Janus, the behaviors within the training data may be transformed into the features Janus recognizes. Those behaviors may have a label that has been generated by an SOC analyst …; And probability produced with each class, as claimed generated rules, in Col. 26 line 33 – Col. 27 line 30: Janus may use a random forest classifier as its machine learning algorithm [claimed a supervised learning-based classifier]. The classifier may produce a probability for each class which may be used for active learning and self-training [claimed generating, by the service, a set of rules used to collect training data for training a supervised learning-based classifier based on those of the anomalies detected by the one or more unsupervised learning-based anomaly detectors deemed relevant by the relevancy feedback]. Potential Janus output 2600, 2650 is shown in the example of FIG. 26. Output may include correct predictions 2600 and incorrect predictions 2650. Each of correct predictions 2600 and incorrect predictions 2650 in FIG. 26 is represented as a histogram of p.sub.1-p.sub.2 for Janus LOO cross-validation.
Thus, just as an SOC analyst makes associations from the behavior it sees to things it has seen earlier, Janus uses the previous knowledge (training data) [claimed generating, by the service, a set of rules used to collect training data for training a supervised learning-based classifier based on those of the anomalies detected by the one or more unsupervised learning-based anomaly detectors deemed relevant by the relevancy feedback] to classify behaviors (features) it sees now…Janus may determine that it is uncertain about a decision (that that decision is on the decision boundary of the classifier, and thus should be tagged “Decision Boundary”), if p.sub.1−p.sub.2<=0.2…This labeling of data as “Decision Boundary” may be a form of active learning, since those data points may be sent to an SOC analyst to label and add to the training set …;

[Image omitted]


)
using, by the service, the set of rules to trigger collection of data features from the network to be used as the training data (And probability produced with each class, as claimed rules, in Col. 26 line 33 – Col. 27 line 30: Janus may use a random forest classifier as its machine learning algorithm. The classifier may produce a probability for each class [claimed the set of rules] which may be used for active learning and self-training [using, by the service, the set of rules to trigger collection of data features from the network to be used as the training data] …. Thus, just as an SOC analyst makes associations from the behavior it sees to things it has seen earlier, Janus uses the previous knowledge (training data [claimed using, by the service, the set of rules to trigger collection of data features from the network to be used as the training data]) to classify behaviors (features) it sees now…Janus may determine that it is uncertain about a decision (that that decision is on the decision boundary of the classifier, and thus should be tagged “Decision Boundary”), if p.sub.1−p.sub.2<=0.2…This labeling of data as “Decision Boundary” may be a form of active learning, since those data points may be sent to an SOC analyst to label and add to the training set [claimed using, by the service, the set of rules to trigger collection of data features from the network to be used as the training data]…)
and training, by the service, the supervised learning-based classifier using the training data. (Janus, as claimed supervised learning-based classifier, as depicted in Fig. 21 and in Col. 25 line 48 – Col. 25 line 55: … For validity, set s=0 if m≤2. In 2106, platform 300 may determine whether the score is above a confidence threshold. If so, in 2108, platform 300 may classify the data and, in 2110, perform self-training, which is discussed in greater detail below. If not, in 2112, platform 300 may receive user input regarding the classification of the data. In 2114, platform 300 may classify the data according to the user input [claimed the supervised learning-based classifier using the training data] and, in 2116, perform self-training [claimed training, by the service, the supervised learning-based classifier using the training data].)
Examiner notes that the claimed service corresponds to the software instructions (e.g. functions) executed in a networked server environment to perform the claimed functions, in Heiman Col. 3 Lines 37 – Col. 4 Line 36: … The described features may be implemented in one or more computer programs that may be executable on a programmable system [claimed service] including at least one programmable processor coupled to receive data and instructions from, and to transmit data and instructions to, a data storage system, at least one input device, and at least one output device… Suitable processors for the execution of a program of instructions may include, by way of example, both general and special purpose microprocessors, and the sole processor or one of multiple processors or cores, of any kind of computer. Generally, a processor may receive instructions and data from a read-only memory or a random access memory or both. The essential elements of a computer may include a processor for executing instructions and one or more memories for storing instructions and data… One or more features or steps of the disclosed embodiments may be implemented using an API. An API may define one or more parameters that are passed between a calling application and other software code (e.g., an operating system, library routine, function) that provides a service, that provides data, or that performs an operation or a computation.
Examiner also notes that the Heiman reference teaches the combination of the disclosed functions in one embodiment to perform the elements noted above, in Col. 2 Lines 23-40: Some embodiments may include some or all of the following components which are described in detail below: Analytics Core: Unsupervised Learning: Network-based Behavioral Analytics The Community …User-based Entity Behavioral Analytics …Supervised Learning Targeted Behavioral Analytics Outlier Detection Algorithm(s) TailJumps Computerized Adaptive Detection Semi-Supervised Engine Janus Autonomous Machine Analyst Active Machine Analyst.

For claim 10, Heiman teaches an apparatus comprising: one or more network interfaces to communicate with a network; a processor coupled to the network interfaces and configured to execute one or more processes; and a memory configured to store a process executable by the processor, the process when executed configured to: (in Col. 3 Lines 37 – Col. 4 Line 36: … The described features may be implemented in one or more computer programs that may be executable on a programmable system including at least one programmable processor coupled to receive data and instructions from, and to transmit data and instructions to, a data storage system, at least one input device, and at least one output device… Suitable processors for the execution of a program of instructions may include, by way of example, both general and special purpose microprocessors, and the sole processor or one of multiple processors or cores, of any kind of computer. Generally, a processor may receive instructions and data from a read-only memory or a random access memory or both. The essential elements of a computer may include a processor for executing instructions and one or more memories for storing instructions and data… One or more features or steps of the disclosed embodiments may be implemented using an API. An API may define one or more parameters that are passed between a calling application and other software code (e.g., an operating system, library routine, function) that provides a service, that provides data, or that performs an operation or a computation.)
The claim 10 limitations being similar to claim 1 limitations are rejected under the same rationale.

For claim 19, Heiman teaches a non-transitory computer-readable medium respectively comprising (processor and CRM, in Col. 3 Lines 37 – Col. 4 Line 36: … The described features may be implemented in one or more computer programs that may be executable on a programmable system including at least one programmable processor coupled to receive data and instructions from, and to transmit data and instructions to, a data storage system, at least one input device, and at least one output device… Suitable processors for the execution of a program of instructions may include, by way of example, both general and special purpose microprocessors, and the sole processor or one of multiple processors or cores, of any kind of computer. Generally, a processor may receive instructions and data from a read-only memory or a random access memory [claimed a non-transitory computer-readable medium] or both. The essential elements of a computer may include a processor for executing instructions and one or more memories for storing instructions and data… One or more features or steps of the disclosed embodiments may be implemented using an API. An API may define one or more parameters that are passed between a calling application and other software code (e.g., an operating system, library routine, function) that provides a service, that provides data, or that performs an operation or a computation.)
The claim 19 limitations being similar to claim 1 limitations are rejected under the same rationale.

Regarding Claims 2 and 11, the rejections of claims 1 and 10 are respectively incorporated; and Heiman further teaches the claim limitation: wherein the trained classifier is a decision tree classifier. (Janus random forest classifier as trained decision tree classifier, in Col. 26 Line 33 – Col. 26 line 36: Janus may use a random forest classifier [claimed the trained classifier is a decision tree classifier] as its machine learning algorithm. The classifier may produce a probability for each class which may be used for active learning and self-training; And as depicted in Fig. 3)

Regarding Claims 3 and 12, the rejections of claims 1 and 10 are respectively incorporated; and Heiman further teaches the claim limitation: wherein receiving the relevancy feedback regarding the detected anomalies comprises: sending, by the service, data indicative of the anomalies to a user interface, wherein the data indicative of a particular one of the anomalies comprises measurements from the network associated with the particular anomaly; and receiving, by the service, the relevancy feedback from the user interface. (User input as SOC feedback as claimed relevancy feedback received as depicted in Fig. 3 and Fig. 21, and in Col. 5 line 65 – Col. 6 line 15: FIG. 3 is an overview of the platform 300, as executed by at least one platform server 100, according to an embodiment of the invention. Unsupervised learning core 302 may use network-based behavioral analytics and/or user-based entity behavioral analytics [claimed wherein receiving the relevancy feedback regarding the detected anomalies comprises: sending, by the service, data indicative of the anomalies to a user interface, wherein the data indicative of a particular one of the anomalies comprises measurements from the network associated with the particular anomaly] to score observations and produce score events… AI engine 306 may produce machine curated results using the filtered set of outliers as input. For example, yellow dots indicate steps in a self-learning process, and blue dots indicate steps in an active learning process, explained in greater detail with respect to FIG. 21 and accompanying description. Human curation interface 308 [claimed and receiving, by the service, the relevancy feedback from the user interface] may allow users to feed knowledge back to AI engine 306 in the form of labels.; And in Col. 25 line 4 - Col. 26 line 18: In 2102, platform 300 may analyze periodicity of data.
In cyber finding, a periodic behavior may be indicative of machine-like behavior, and thus several features of Janus may incorporate periodicity… In 2104, platform 300 may score periodicity of data. Janus may use a score s=1−E, so that a larger s corresponds to more periodic. For validity, set s=0 if m≤2. In 2106, platform 300 may determine whether the score is above a confidence threshold. If so, in 2108, platform 300 may classify the data and, in 2110, perform self-training, which is discussed in greater detail below. If not, in 2112, platform 300 may receive user input [claimed and receiving, by the service, the relevancy feedback from the user interface] regarding the classification of the data [claimed sending, by the service, data indicative of the anomalies to a user interface, wherein the data indicative of a particular one of the anomalies comprises measurements from the network associated with the particular anomaly]. In 2114, platform 300 may classify the data according to the user input and, in 2116, perform self-training.)

Regarding claims 5, 14, and 20, the rejections of claims 1, 10, and 19 are respectively incorporated; and Heiman further teaches the claim limitation: wherein generating the set of rules based on those of the detected anomalies deemed relevant by the relevancy feedback comprises: identifying, by the service, a pattern of data features across multiple ones of the detected anomalies; (identifying the claimed pattern across multiple ones as a periodic measure of detected anomalies, as depicted in Fig. 3 & Fig. 21, in Col. 25 line 4 - Col. 26 line 18: In 2102, platform 300 may analyze periodicity of data. In cyber finding, a periodic behavior may be indicative of machine-like behavior, and thus several features of Janus may incorporate periodicity [claimed wherein generating the set of rules based on those of the detected anomalies deemed relevant by the relevancy feedback comprises: identifying, by the service, a pattern of data features across multiple ones of the detected anomalies]… In 2104, platform 300 may score periodicity of data. Janus may use a score s=1−E, so that a larger s corresponds to more periodic [claimed wherein generating the set of rules based on those of the detected anomalies deemed relevant by the relevancy feedback comprises: identifying, by the service, a pattern of data features across multiple ones of the detected anomalies]. For validity, set s=0 if m≤2. In 2106, platform 300 may determine whether the score is above a confidence threshold. If so, in 2108, platform 300 may classify the data and, in 2110, perform self-training, which is discussed in greater detail below. If not, in 2112, platform 300 may receive user input regarding the classification of the data. In 2114, platform 300 may classify and, in 2116, perform self-training. Platform 300 may perform self-training to improve classification and require less user intervention moving forward. Just as an SOC analyst has a knowledge base of past threats that he or she relies on, so must Janus.
This may come in the form of training data, which are behaviors that SOC analysts have already looked at and determined whether or not those behaviors are potentially nefarious. The training data  for Janus may represent a diverse range of user behavior, allowing Janus to cover a wide threat space as well as a large amount of good behavior so that it can tell the difference between the two. To train Janus, the behaviors within the training data may be transformed into the features Janus recognizes. Those behaviors may have a label that has been generated by an SOC analyst …)
and translating, by the service, the identified pattern of features into a particular one of the rules, wherein the particular rule comprises one or more thresholds for the data features in the pattern. (in Col. 25 line 4 - Col. 26 line 18: In 2102, platform 300 may analyze periodicity of data. In cyber finding, a periodic behavior may be indicative of machine-like behavior, and thus several features of Janus may incorporate periodicity [claimed wherein generating the set of rules based on those of the detected anomalies deemed relevant by the relevancy feedback comprises: identifying, by the service, a pattern of data features across multiple ones of the detected anomalies]… In 2104, platform 300 may score periodicity of data. Janus may use a score s=1−E, so that a larger s corresponds to more periodic [claimed wherein generating the set of rules based on those of the detected anomalies deemed relevant by the relevancy feedback comprises: identifying, by the service, a pattern of data features across multiple ones of the detected anomalies]. For validity, set s=0 if m≤2. In 2106, platform 300 may determine whether the score is above a confidence threshold [claimed and translating, by the service, the identified pattern of features into a particular one of the rules, wherein the particular rule comprises one or more thresholds for the data features in the pattern]. … The training data for Janus may represent a diverse range of user behavior, allowing Janus to cover a wide threat space as well as a large amount of good behavior so that it can tell the difference between the two. To train Janus, the behaviors within the training data may be transformed into the features Janus recognizes. Those behaviors may have a label that has been generated by an SOC analyst…; And in Col. 26 line 33 – Col. 27 line 30: Janus may use a random forest classifier as its machine learning algorithm.
The classifier may produce a probability for each class which may be used for active learning and self-training. Potential Janus output 2600, 2650 is shown in the example of FIG. 26. Output may include correct predictions 2600 and incorrect predictions 2650. Each of correct predictions 2600 and incorrect predictions 2650 in FIG. 26 is represented as a histogram of p.sub.1-p.sub.2 for Janus LOO cross-validation. Thus, just as an SOC analyst makes associations from the behavior it sees to things it has seen earlier, Janus uses the previous knowledge (training data) to classify behaviors (features) it sees now…Janus may determine that it is uncertain about a decision (that that decision is on the decision boundary of the classifier, and thus should be tagged “Decision Boundary”), if p.sub.1−p.sub.2<=0.2 [claimed wherein generating the set of rules based on those of the detected anomalies deemed relevant by the relevancy feedback comprises: identifying, by the service, a pattern of data features across multiple ones of the detected anomalies and translating, by the service, the identified pattern of features into a particular one of the rules, wherein the particular rule comprises one or more thresholds for the data features in the pattern]…This labeling of data as “Decision Boundary” may be a form of active learning, since those data points may be sent to an SOC analyst to label and add to the training set …)

Regarding Claims 6 and 15, the rejections of claims 3 and 12 are respectively incorporated; and Heiman further teaches the claim limitation: wherein the data features collected from the network comprise at least one data features that was not used assessed by the one or more unsupervised learning-based anomaly detectors. (data of the unused region as the claimed data features not used, as depicted in Fig. 3, in Col. 5 lines 22-34: While each algorithm in the unsupervised core may model observations differently, the platform may standardize outlier definition for the sake of automation in some embodiments. TailJumps may involve a transformation of the outlier scores from each algorithm. TailJumps may break up the transformed outlier score into three distinct regions (Inliers [claimed wherein the data features collected from the network comprise at least one data features that was not used assessed by the one or more unsupervised learning-based anomaly detectors], Analysis, and Forecast) and then look at Support Vectors in the Forecast region from the convex hull in the Analysis region to predict the outliers in the Forecast region. This may allow outlier detection to be defined with some often met assumptions in a universal manner to work across implementations, data sources, and algorithms without the need for adjustment; And in Col. 23 line 56 - Col. 24 line 6: …For instance, suppose platform 300 cycles through ten iterations of varying Analysis Regions. If the cycle that produces the smallest outlier cut-off indicates there are five outliers, then only the five most extreme values in the original data set may be labeled outliers [claimed wherein the data features collected from the network comprise at least one data features that was not used assessed by the one or more unsupervised learning-based anomaly detectors]. TailJumps leverages a very general principle of statistics in that most probability distributions have smoothly decreasing tail regions…)

Regarding Claims 8 and 17, the rejection of claims 1 and 10 are respectively incorporated; and Heiman further teaches the claim limitation: further comprising: receiving, by the service, relevancy feedback regarding additional anomalies detected in the network by the one or more anomaly detectors; (user input  as claimed received relevancy feedback, as depicted in Fig. 3 element 302 and Fig. 21, in Col. 5 line 65 – Col. 6 line 15: FIG. 3 is an overview of the platform 300, as executed by at least one platform server 100, according to an embodiment of the invention. Unsupervised learning core 302 [including claimed one or more unsupervised learning-based anomaly detectors] may use network-based behavioral analytics and/or user-based entity behavioral analytics to score observations and produce score events… AI engine 306 may produce machine curated results using the filtered set of outliers as input. For example, yellow dots indicate steps in a self-learning process, and blue dots indicate steps in an active learning process [claimed further comprising: receiving, by the service, relevancy feedback regarding additional anomalies detected in the network by the one or more anomaly detectors], explained in greater detail with respect to FIG. 21 and accompanying description. Human curation interface 308 may allow users to feed knowledge back to AI engine 306 in the form of labels.; And additional samples set to the SOC analyst on periodic data having a score of periodicity, in Col. 25 lines 46-66  In 2104, platform 300 may score periodicity of data. Janus may use a score s=1−E, so that a larger s corresponds to more periodic. For validity, set s=0 if m≤2. In 2106, platform 300 may determine whether the score is above a confidence threshold. If so, in 2108, platform 300 may classify the data and, in 2110, perform self-training, which is discussed in greater detail below. If not, in 2112, platform 300 may receive user input regarding the classification of the data. 
In 2114, platform 300 may classify the data according to the user input and, in 2116, perform self-training… his may come in the form of training data, which are behaviors that SOC analysts have already looked at and determined whether or not those behaviors are potentially nefarious. The training data for Janus may represent a diverse range of user behavior, allowing Janus to cover a wide threat space as well as a large amount of good behavior so that it can tell the difference between the two…
and retraining, by the service, the supervised learning-based classifier based on the received relevancy feedback regarding the additional anomalies. (in Col. 27 lines 10-59: Labeling data as “Decision Boundary” in this way may ensure that unknown threats brought up by the unsupervised core are not incorrectly treated as Janus confidently labeling them. This may have particular significance in a cyber security landscape since the cyber security landscape is constantly changing. Without this active learning component, new threats may arbitrarily be assigned a Forward or Do Not Send, while with the active learning component, Janus can indicate that these automatically need special attention. This may allow new training data of Janus to be focused solely on decisions that Janus is uncertain about while also focusing SOC efforts only on things Janus needs help with… As Janus becomes more confident in its predictions, it may be also more likely right. For p1≥0.9 we see that Janus is correct 96.5% of the time (98.7% when not including Unknown), which is incredibly accurate. Because of this, data that Janus labels with p1≥0.9 may be taken as ground truth and added to Janus' training set (e.g., in 2106-2108) [claimed further comprising: receiving, by the service, relevancy feedback regarding additional anomalies detected in the network by the one or more anomaly detectors]. This technique is known as self-training, and in many applications has been shown to over time increase the overall accuracy of the classifier. By adding ground truth to the training set, on successive iterations Janus [claimed and retraining, by the service, the supervised learning-based classifier based on the received relevancy feedback regarding the additional anomalies] may have more base knowledge with which to make associations, thus allowing it to be more accurate. In cybersecurity, there is an alternate desire as well. 
Cyber threats change constantly, and Janus's training set may evolve with evolving threats at a faster rate than simply active learning can allow. Having a self-training aspect as well as an active learning [claimed and retraining, by the service, the supervised learning-based classifier based on the received relevancy feedback regarding the additional anomalies] aspect to the system may allow Janus to evolve with the evolving threat space while having minimal SOC involvement:)


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 4 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Heimann et al. (US Pat. No. 10,685,293, hereinafter ‘Heiman’) in view of Lin et al. (US Pub. No. 2015/0052090, hereinafter ‘Lin’).

Regarding Claims 4 and 13, the rejections of claims 1 and 10 are respectively incorporated; and Heiman further teaches the claim limitation: wherein the relevancy feedback specifies one or more relevancy thresholds, the one or more anomalies detected by the one or more unsupervised learning based anomaly detectors deemed irrelevant satisfied the one or more relevancy thresholds, and the one or more anomalies detected by the one or more unsupervised learning based anomaly detectors deemed irrelevant fail to satisfied the one or more relevancy thresholds. (the unsupervised learning process, as depicted in Fig. 3, scores the anomalies to determine whether they are deemed relevant or irrelevant based on their respective score, in 5:65-6:15: FIG. 3 is an overview of the platform 300, as executed by at least one platform server 100, according to an embodiment of the invention. Unsupervised learning core 302 (claimed one or more unsupervised learning based anomaly detectors) may use network-based behavioral analytics and/or user-based entity behavioral analytics to score observations and produce score events [claimed the one or more anomalies detected by the one or more unsupervised learning based anomaly detectors deemed irrelevant satisfied the one or more relevancy thresholds, and the one or more anomalies detected by the one or more unsupervised learning based anomaly detectors deemed irrelevant fail to satisfied the one or more relevancy thresholds]. Outlier detection algorithm(s) 304 may produce a filtered set of outliers. For example, filtration and output are illustrated in detail below in FIGS. 17-20 and accompanying description. AI engine 306 may produce machine curated results using the filtered set of outliers as input... 



And the detected anomalies from the unsupervised algorithms are classified using user feedback through the Janus classifier learning process, depicted in Fig. 3 and Fig. 21, for receiving the user feedback as thresholds, in 25:56-26:: Platform 300 may perform self-training to improve classification and require less user intervention moving forward. Just as an SOC analyst has a knowledge base of past threats that he or she relies on, so must Janus. This may come in the form of training data, which are behaviors that SOC analysts have already looked at and determined whether or not those behaviors are potentially nefarious [claimed wherein the relevancy feedback specifies one or more relevancy thresholds]. The training data for Janus may represent a diverse range of user behavior, allowing Janus to cover a wide threat space as well as a large amount of good behavior so that it can tell the difference between the two. To train Janus, the behaviors within the training data may be transformed into the features Janus recognizes… An observation from Table 1 2200, which can be gleaned from all of the feature sets of Janus, is that the values are normalized to allow Janus to work with different customers and different time slices. This may allow Janus to be truly generalizable across customers, industries, and timespans. This may be a distinction from training sets used in other cybersecurity classifiers.; And the use of user feedback for performing classification as depicted in Fig. 3)
While Heiman teaches that a user can provide feedback for classifying data used by the classifier system and that cutoff parameters are used to classify and separate the detected data, Heiman does not expressly disclose the user feedback as the cutoff parameters used to classify the data sets, as claimed: wherein the relevancy feedback specifies one or more relevancy thresholds. 
Lin teaches the user feedback as the cutoff parameters used to classify the data sets, as claimed: wherein the relevancy feedback specifies one or more relevancy thresholds. (in 0026: … The training dataset includes, for example, one or more temporal data sequences that are from a single known class (one-class). The training data can, in some embodiments, contain true anomalies that have yet to be labeled as anomalous. In the depicted embodiment, after collection, a one-class sequence classifier f(x) ("classifier") is learned in Step 104. The classifier is statistically learned, for example, in a solution space Ω, with a mathematical optimization such that the classifier accepts most of the sequences in the training dataset as normal, while keeping the solution space as tight as possible. As used herein and throughout the application "as tight as possible," in reference to the solution space means that the solution vector has a small norm. In some embodiments, the tightness is determined relatively by two parameters: a user defined parameter [claimed wherein the relevancy feedback specifies one or more relevancy thresholds], such as a difference threshold, which specifies the minimum difference between whether a sequence is predicted as normal versus abnormal; and L2 norm, which is described further below, for example with respect to Equations 9-11. Keeping the solution space as tight as possible can, in some embodiments, prevent over-fitting or tailoring of the solution to the training data… In other words, during training, most of the sequences in the training dataset are forced to have a higher probability of being normal. The higher probability may be determined by the user defined parameter [claimed wherein the relevancy feedback specifies one or more relevancy thresholds], which may dictate the relative importance of the hinge loss and the L2 norm, as will be described further below. 
During the learning process, the classifier obtains, for example, a decision boundary or threshold [claimed wherein the relevancy feedback specifies one or more relevancy thresholds] as to whether the sequence is normal or abnormal….)
The Heiman and Lin references would have been recognized by those of ordinary skill in the art as useful for applicant’s purpose in developing information retrieval techniques for data in network environments and pattern detection techniques using semi-supervised machine learning algorithms.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to integrate the method for user provided parameters of classification thresholds as disclosed by Lin with the method of developing information retrieval of time-based data in networked environments and classifying data that represents cyber threats in time-based data logs using machine learning algorithms as disclosed by Heiman.
One of ordinary skill in the arts would have been motivated to combine the disclosed methods by Heiman and Lin in order to provide user feedback to help to manage the solution space and prevent over-fitting of data to be more generalizable to unseen data (Lin, 0026).

Claims 4 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Heimann et al. (US Pat. No. 10,685,293, hereinafter ‘Heiman’) in view of Miller et al. (US Pub. No. 20190188212, hereinafter ‘Mil’).

Regarding Claims 4 and 13, the rejections of claims 1 and 10 are respectively incorporated; and Heiman further teaches the claim limitation: wherein the relevancy feedback specifies one or more relevancy thresholds, the one or more anomalies detected by the one or more unsupervised learning based anomaly detectors deemed irrelevant satisfied the one or more relevancy thresholds, and the one or more anomalies detected by the one or more unsupervised learning based anomaly detectors deemed irrelevant fail to satisfied the one or more relevancy thresholds. (the unsupervised learning process, as depicted in Fig. 3, scores the anomalies to determine whether they are deemed relevant or irrelevant based on their respective score, in 5:65-6:15: FIG. 3 is an overview of the platform 300, as executed by at least one platform server 100, according to an embodiment of the invention. Unsupervised learning core 302 (claimed one or more unsupervised learning based anomaly detectors) may use network-based behavioral analytics and/or user-based entity behavioral analytics to score observations and produce score events [claimed the one or more anomalies detected by the one or more unsupervised learning based anomaly detectors deemed irrelevant satisfied the one or more relevancy thresholds, and the one or more anomalies detected by the one or more unsupervised learning based anomaly detectors deemed irrelevant fail to satisfied the one or more relevancy thresholds]. Outlier detection algorithm(s) 304 may produce a filtered set of outliers. For example, filtration and output are illustrated in detail below in FIGS. 17-20 and accompanying description. AI engine 306 may produce machine curated results using the filtered set of outliers as input... 



And the detected anomalies from the unsupervised algorithms are classified using user feedback through the Janus classifier learning process, depicted in Fig. 3 and Fig. 21, for receiving the user feedback as thresholds, in 25:56-26:: Platform 300 may perform self-training to improve classification and require less user intervention moving forward. Just as an SOC analyst has a knowledge base of past threats that he or she relies on, so must Janus. This may come in the form of training data, which are behaviors that SOC analysts have already looked at and determined whether or not those behaviors are potentially nefarious [claimed wherein the relevancy feedback specifies one or more relevancy thresholds]. The training data for Janus may represent a diverse range of user behavior, allowing Janus to cover a wide threat space as well as a large amount of good behavior so that it can tell the difference between the two. To train Janus, the behaviors within the training data may be transformed into the features Janus recognizes… An observation from Table 1 2200, which can be gleaned from all of the feature sets of Janus, is that the values are normalized to allow Janus to work with different customers and different time slices. This may allow Janus to be truly generalizable across customers, industries, and timespans. This may be a distinction from training sets used in other cybersecurity classifiers.; And the use of user feedback for performing classification as depicted in Fig. 3)
While Heiman teaches that a user can provide feedback for classifying data used by the classifier system and that cutoff parameters are used to classify and separate the detected data, Heiman does not expressly disclose the user feedback as the cutoff parameters used to classify the data sets, as claimed: wherein the relevancy feedback specifies one or more relevancy thresholds. 
Mil teaches the user feedback as the cutoff parameters used to classify the data sets, as claimed: wherein the relevancy feedback specifies one or more relevancy thresholds. (in 0037-0038: … Use of these irrelevant features may confound the clustering's ability to achieve accurate estimation of anomalous clusters. Second, [Portnoy et al., 2001] presupposes anomalous clusters are much less populous than “normal” clusters in the batch and requires user setting of a threshold on the percentage of normal samples [claimed wherein the relevancy feedback specifies one or more relevancy thresholds]. Proper choice of this threshold will not be known in practice and may require lots of trial and error setting. …)
The Heiman and Mil references would have been recognized by those of ordinary skill in the art as useful for applicant’s purpose in developing information retrieval techniques for data in network environments and pattern detection techniques using semi-supervised machine learning algorithms.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to integrate the method for user provided parameters of classification thresholds as disclosed by Mil with the method of developing information retrieval of time-based data in networked environments and classifying data that represents cyber threats in time-based data logs using machine learning algorithms as disclosed by Heiman.
One of ordinary skill in the art would have been motivated to combine the disclosed methods of Heiman and Mil in order to provide user feedback for processing imbalanced data sets having a known percentage of anomalous data when classifying datasets (Mil, 0038).

Claims 7, 9, 16, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Heimann et al. (US Pat. No. 10,685,293, hereinafter ‘Heiman’) in view of Sang et al. (NPL: “Privacy-Preserving Tuple Matching in Distributed Databases”, hereinafter ‘Sang’).


Regarding Claims 7 and 16, the rejections of claims 1 and 10 are respectively incorporated; and Heiman does not expressly teach the limitation: at least one of the detected anomalies comprises a wireless roaming failure anomaly or a low throughput anomaly.
However, Sang expressly teaches the limitation: at least one of the detected anomalies comprises a wireless roaming failure anomaly or a low throughput anomaly. (in pg. 1770: Left Col.: 2nd full para.: … In order to escape the detection of PPTAM, an attacker may deliberately generate high traffic in some former time units inside one TW, and low traffic (lower than the given threshold) [claimed at least one of the detected anomalies comprises … a low throughput anomaly] in the latter intervals. We can use S to limit the possible high traffic in the former intervals and a lower d and a longer g to give the server enough time to recover in the latter intervals.)
The Heiman and Sang references would have been recognized by those of ordinary skill in the art as useful for applicant’s purpose in developing information retrieval techniques for data in network environments and pattern detection techniques using machine learning algorithms in a network computing environment.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to integrate the method for anomaly detection based on patterns using machine learning on retrieved data sets as disclosed by Sang with the method of developing information retrieval of time-based data in networked environments and detection of outliers that represent cyber threats in time-based data logs using machine learning algorithms as disclosed by Heiman.
One of ordinary skill in the art would have been motivated to combine the disclosed methods of Heiman and Sang in order to automate the detection of anomalous traffic patterns associated with an attacker's deliberate attempt to generate high and low traffic patterns; doing so will determine detection parameters that can be configured according to the attack types and the network’s normal profile based on statistical observations (Sang, pg. 1770: Left Col.: 2nd full para.).

Regarding Claims 9 and 18, the rejections of claims 1 and 10 are respectively incorporated; and Heiman further teaches the claim limitation wherein at least one of the data features comprises: an interference measurement, wireless channel information, or a wireless signal strength metric. (cyber threat as claimed interference measurement, in Col. 6 lines 16-30: FIG. 4 is a platform process 400 according to an embodiment of the invention. Platform 300, as executed by the at least one platform server 100, may perform process 400 to identify cybersecurity threats and/or other events of interest [claimed wherein at least one of the data features comprises: an interference measurement …]. In 402, platform 300 may receive log data (e.g., from devices 20 through network 10). In 404, platform 300 may identify statistical outliers [claimed wherein at least one of the data features comprises: an interference measurement …] in the log data. As described in greater detail below, the identification may be performed using Community (process 500), X-Files (process 900), and/or Ghost (process 1200) processing. In 406, platform 300 may analyze statistical outliers. The analysis may include TailJumps (process 1600) and/or Janus (process 2100) processing. In 408, platform 300 may report identified threats [claimed wherein at least one of the data features comprises: an interference measurement …] and/or other events of interest…)
Heiman does not expressly teach cyber threats including denial of service events as claimed: the data features comprises: an interference measurement,… Sang expressly teaches cyber threats including denial of service events as claimed: the data features comprises: an interference measurement,… (traffic measurement in a distributed denial of service (DDOS) as claimed interference measurement, in 1768: Left Col.: …However, an attacker can easily generate a zero aggregate by commanding a traffic lower than t on each “slave” machine it controls, yet make a successful attack by commanding enough number of slave machines (Distributed Denial-of-Service (DDOS) attack). For an accurate measurement, all traffic needs to be summarized…; And pg. 1769 Right Col. Sec. 2.3: …We give a simple example on monitoring the numeric traffic, based on a typical DDOS attack [cyber threats including denial of service events as claimed the data features comprises: an interference measurement] which should keep generating 100 SYNs/sec for at least 5 minutes [claimed interference measurement]. Suppose five routers are not compromised and owned by different ISPs link to the server under this attack (N = 5) [claimed wherein at least one of the data features comprises: an interference measurement]. TW is one minute, g is 10 seconds, then six successive data are observed in each g (M = 6). The numeric observed data can be transformed to a multiset as following: 1. The data are denoted at a scale of 50 and then truncated by a ceiling function, e.g., 210 is denoted by 4.2 (…/50) and truncated as 5. 2. Given a truncated value x, a multiset of cardinality x is generated with all “1” elements. All routers negotiate a secure S, e.g., S = 20, and pad random numbers into the multiset to fulfill the size S (if x ≥ S, the router directly reports an anomaly without executing PPTAM).)…)
The Heiman and Sang references would have been recognized by those of ordinary skill in the art as useful for applicant’s purpose in developing information retrieval techniques for data in network environments and pattern detection techniques using machine learning algorithms in a network computing environment.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to integrate the method for anomaly detection based on patterns using machine learning on retrieved data sets as disclosed by Sang with the method of developing information retrieval of time-based data in networked environments and detection of outliers that represent cyber threats in time-based data logs using machine learning algorithms as disclosed by Heiman.
One of ordinary skill in the art would have been motivated to combine the disclosed methods of Heiman and Sang in order to automate the detection of anomalous traffic patterns associated with an attacker's deliberate attempt to generate high and low traffic patterns; doing so will determine detection parameters that can be configured according to the attack types and the network’s normal profile based on statistical observations (Sang, pg. 1770: Left Col.: 2nd full para.).



Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure and is listed below:
Yamanishi et al. (NPL: Discovering Outlier Filtering Rules from Unlabeled Data): teaches using probability for generating the labeling and classification rules of outliers conditioned on a selected regional group.
Vasseur et al. (US Pat. Pub. 2016/0219070, hereinafter ‘Vas’): teaches a system for detecting anomalies in networked/distributed system environments.
Yong et al. (US 20070245420 A1): teaches a LAN-based network anomaly detection system.
O'Neil et al. (US 20180234385 A1): teaches a supervised/unsupervised learning system for network health that implements decision trees.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLUWATOSIN ALABI whose telephone number is (571)272-0516. The examiner can normally be reached on Monday-Friday, 8:00am-5:00pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Michael Huntley can be reached on (303) 297-4307.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/O.O.A./Examiner, Art Unit 2129

/MICHAEL J HUNTLEY/Supervisory Patent Examiner, Art Unit 2129