DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 101
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. 35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
In determining whether the claims are subject matter eligible, the Examiner applies the 2019 USPTO Patent Eligibility Guidelines. (2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, Jan. 7, 2019.)
Regarding claim 1. 
Step 1: Is the claim to a process, machine, manufacture, or composition of matter? Yes—claim 1 recites a method, which is a process.
Step 2A, prong one: Does the claim recite an abstract idea, law of nature or natural phenomenon? Yes—each of the limitations identified below, under its broadest reasonable interpretation, covers performance of the limitation in the mind:
“receiving an input stream of data instances for a time series, where the data instances in the input stream are time stamped, each of the data instances comprising at least one principle value and a set of categorical attributes”;
“generating anomaly scores for each of the data instances over time intervals”;
“detecting a change in the anomaly scores over the time intervals for the data instances”;
“identifying which of the set of categorical attributes of the data instances caused the change in the anomaly scores using a counterfactual analysis”;
“the counterfactual analysis comprising: removing at least a portion of the data instances; regenerating the anomaly scores for each of the data instances over the time intervals; and wherein if the regenerated anomaly scores are improved compared to the anomaly scores, at least a portion of the categorical attributes are identified as anomalous categorical attributes and a cause of the anomalous activity”; 
Therefore, the claim recites a mental process.
Step 2A, prong two: Does the claim recite additional elements that integrate the judicial exception into a practical application? No—the judicial exception is not integrated into a practical application. Model interpretation has long been performed by humans, and the claim does not recite even generic computer hardware.
Step 2B: Does the claim recite additional elements that amount to significantly more than the judicial exception? No—there are no additional limitations beyond the mental processes identified above, and not even generic computer hardware is recited.
For the reasons above, claim 1 is rejected as being directed to non-patentable subject matter under §101. Dependent claims 2-11 recite similar functionality that is analogous to that of claim 1. The additional limitations of the dependent claims are addressed briefly below:
Dependent claim 2 recites additional mental processes: “wherein the change in the anomaly scores is indicative of malicious behavior in the computing environment”.
Dependent claim 3 recites additional mental processes: “generating recommendations for remediating the set of categorical attributes to remediate the malicious behavior”.
Dependent claim 4 recites additional mental processes: “wherein at least one of the generated recommendations comprises a recommendation that all devices accessing a database use a higher level of authentication with respect to the database”.
Dependent claim 5 recites an additional mental process: “wherein the set of categorical attributes comprises a tuple created from at least two categorical attributes”.
Dependent claim 6 recites an additional mental process: “grouping the data instances into groups based on the time intervals, each of the groups having a time length for its corresponding time interval”.
Dependent claim 7 recites an additional mental process: “wherein the at least one principle value is categorical or numerical”.
Dependent claim 8 recites an additional mental process: “wherein, for the numerical principle value, a set function is applied to calculate a mean value”.
Dependent claim 9 recites an additional mental process: “wherein, for the categorical principle value, a set function is applied to calculate any of an equivalence class count or a distinct count”.
Dependent claim 10 recites an additional mental process: “wherein generating the anomaly scores comprises: creating features for a current group of the data instances; applying an anomaly detection algorithm that takes as inputs the features for the current group, and group features calculated using set functions for groups earlier than the current group; and generating the anomaly scores, the anomaly scores being indicative of how anomalous are the features for the current group”.
Dependent claim 11 recites an additional mental process: “enacting changes in the computing environment relative to at least a portion of the categorical attributes to prevent future instances of the anomalous activity”.

Regarding claim 12. 
Step 1: Is the claim to a process, machine, manufacture, or composition of matter? Yes—claim 12 recites a method, which is a process.
Step 2A, prong one: Does the claim recite an abstract idea, law of nature or natural phenomenon? Yes—each of the limitations identified below, under its broadest reasonable interpretation, covers performance of the limitation in the mind:
“receiving an input stream of data instances, the data instances in the input stream being time stamped”;
“separating the data instances into at least one principle value and a set of categorical attributes”;
“grouping the data instances into groups based on time intervals, each of the time intervals having a length”;
“applying set functions to each of the groups; generating an anomaly score for each of the groups using the set functions”;
“applying a counterfactual analysis or a regularity analysis to identify which of the set of categorical attributes for a group is influencing one or more anomalies in the groups that are indicative of the anomalous activity in the computing environment”
“wherein the counterfactual analysis comprises: determining a change in the anomaly score; removing at least a portion of the data instances, the at least a portion of the data instances being associated with one or more categorical attributes of the set of categorical attributes identified as influencing the one or more anomalies; regenerating the anomaly score for each of the data instances which remain after the removing; and comparing the regenerated anomaly score to the anomaly score to identify if at least a portion of the categorical attributes caused the change in the anomaly score”; 
Therefore, the claim recites a mental process.
Step 2A, prong two: Does the claim recite additional elements that integrate the judicial exception into a practical application? No—the judicial exception is not integrated into a practical application. Model interpretation has long been performed by humans, and the claim does not recite even generic computer hardware.
Step 2B: Does the claim recite additional elements that amount to significantly more than the judicial exception? No—there are no additional limitations beyond the mental processes identified above, and not even generic computer hardware is recited.
For the reasons above, claim 12 is rejected as being directed to non-patentable subject matter under §101. Dependent claims 13-16 recite similar functionality that is analogous to that of claim 12. The additional limitations of the dependent claims are addressed briefly below:
Dependent claim 13 recites additional details about the mental processes identified in claim 12: “remediating the computing environment to remedy the anomalous activity”.
Dependent claim 14 recites additional details about the mental processes identified in claim 12: “applying an anomaly detection algorithm to values generated using the set function to detect changes in the groups over the time intervals”.
Dependent claim 15 recites additional details about the mental processes identified in claim 12: “generating recommendations for remediating the set of categorical attributes to remediate the anomalous activity”.
Dependent claim 16 recites additional details about the mental processes identified in claim 12: “wherein the regularity analysis further comprises identifying when a categorical attribute of the set of categorical attributes influences the anomaly score for the set of categorical attributes if an output of an anomaly detection algorithm is approximately identical to alternative instances in which the set of categorical attributes exists”.

Regarding claim 17. 
Step 1: Is the claim to a process, machine, manufacture, or composition of matter? Yes—claim 17 recites a system, which is a machine.
Step 2A, prong one: Does the claim recite an abstract idea, law of nature or natural phenomenon? Yes—each of the limitations identified below, under its broadest reasonable interpretation, covers performance of the limitation in the mind:
“generating anomaly scores for data instances of an input stream received over time intervals”;
“detecting a change in the anomaly scores over the time intervals for the data instances”;
“identifying which of a set of categorical attributes of the data instances caused the anomaly scores using a counterfactual analysis or a regularity analysis”;
“wherein the counterfactual analysis comprises: removing at least a portion of the data instances; regenerating the anomaly scores for each of the data instances, that remained after the removing, over the time intervals; and wherein if the regenerated anomaly scores are improved compared to the anomaly scores, at least a portion of the categorical attributes are identified as anomalous categorical attributes and a cause of the anomalous activity”; 
Therefore, the claim recites a mental process.
Step 2A, prong two: Does the claim recite additional elements that integrate the judicial exception into a practical application? No—the judicial exception is not integrated into a practical application. Model interpretation has long been performed by humans. Claim 17 further comprises a processor and a memory for storing executable instructions, the processor executing the instructions to perform an unsupervised machine learning method. The judicial exception is not integrated into a practical application of the idea. The claims recite various computing hardware components, which are recited at a high level of generality and recited so generically that they represent no more than mere instructions to apply the judicial exception on a computer (see MPEP 2106.05(f)). These limitations can also be viewed as nothing more than an attempt to generally link the use of the judicial exception to the technological environment of a computer (see MPEP 2106.05(h)).
Step 2B: Does the claim recite additional elements that amount to significantly more than the judicial exception? No—there are no additional limitations beyond the mental processes identified.

For the reasons above, claim 17 is rejected as being directed to non-patentable subject matter under §101. Dependent claims 18-20 recite similar functionality that is analogous to that of claim 17. The additional limitations of the dependent claims are addressed briefly below:
Dependent claim 18 recites additional details about the mental processes identified in claim 17: “wherein the data instances correspond to selected features to be analyzed for anomalous behavior”.
Dependent claim 19 recites additional details about the mental processes identified in claim 17: “remediating the computing environment to remedy the anomalous activity associated with the anomalous behavior”.
Dependent claim 20 recites additional details about the mental processes identified in claim 17: “generating recommendations for remediating the set of categorical attributes to remediate the anomalous activity associated with the anomalous behavior”.
Taken alone, the additional elements of the dependent claims above do not amount to significantly more than the above-identified judicial exception (the abstract idea). Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves any other technology. Their collective functions merely provide conventional computer implementation.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1-20 are non-provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-17 of Patent Application No. US 10,986,110 B2. This is a non-provisional nonstatutory double patenting rejection.

Although the conflicting claims are not identical, they are not patentably distinct from each other because all the claimed limitations recited in the instant application are found in the Patent Application No. US 10,986,110 B2.

Instant Application No. 17/192,787
Patent Application No. US 10,986,110 B2
1. A method for detecting anomalous activity in a computing environment, the method comprising: receiving an input stream of data instances for a time series, 
where the data instances in the input stream are time stamped, each of the data instances comprising at least one principle value and a set of categorical attributes; 

generating anomaly scores for each of the data instances over time intervals; detecting a change in the anomaly scores over the time intervals for the data instances; 

and identifying which of the set of categorical attributes of the data instances caused the change in the anomaly scores using a counterfactual analysis, the counterfactual analysis comprising: removing at least a portion of the data instances; regenerating the anomaly scores for each of the data instances over the time intervals; and wherein if the regenerated anomaly scores are improved compared to the anomaly scores, at least a portion of the categorical attributes are identified as anomalous categorical attributes and a cause of the anomalous activity.

2. The method of claim 1, wherein the change in the anomaly scores is indicative of malicious behavior in the computing environment.

3. The method of claim 2, further comprising generating recommendations for remediating the set of categorical attributes to remediate the malicious behavior.

4. The method of claim 3, wherein at least one of the generated recommendations comprises a recommendation that all devices accessing a database use a higher level of authentication with respect to the database.

5. The method of claim 1, wherein the set of categorical attributes comprises a tuple created from at least two categorical attributes.

6. The method of claim 1, further comprising grouping the data instances into groups based on the time intervals, each of the groups having a time length for its corresponding time interval.

7. The method of claim 1, wherein the at least one principle value is categorical or numerical.

8. The method of claim 7, wherein, for the numerical principle value, a set function is applied to calculate a mean value.

9. The method of claim 7, wherein, for the categorical principle value, a set function is applied to calculate any of an equivalence class count or a distinct count.

10. The method of claim 1, wherein generating the anomaly scores comprises: creating features for a current group of the data instances; applying an anomaly detection algorithm that takes as inputs the features for the current group, and group features calculated using set functions for groups earlier than the current group; and generating the anomaly scores, the anomaly scores being indicative of how anomalous are the features for the current group.

11. The method of claim 1, further comprising enacting changes in the computing environment relative to at least a portion of the categorical attributes to prevent future instances of the anomalous activity.

12. A method for detecting anomalous activity in a computing environment, the method comprising: receiving an input stream of data instances, the data instances in the input stream being time stamped; separating the data instances into at least one principle value and a set of categorical attributes; grouping the data instances into groups based on time intervals, each of the time intervals having a length; applying set functions to each of the groups; generating an anomaly score for each of the groups using the set functions; and applying a counterfactual analysis or a regularity analysis to identify which of the set of categorical attributes for a group is influencing one or more anomalies in the groups that are indicative of the anomalous activity in the computing environment, wherein the counterfactual analysis comprises: determining a change in the anomaly score; removing at least a portion of the data instances, the at least a portion of the data instances being associated with one or more categorical attributes of the set of categorical attributes identified as influencing the one or more anomalies; regenerating the anomaly score for each of the data instances which remain after the removing; and comparing the regenerated anomaly score to the anomaly score to identify if at least a portion of the categorical attributes caused the change in the anomaly score.

13. The method of claim 12, further comprising remediating the computing environment to remedy the anomalous activity.

14. The method of claim 12, wherein generating the anomaly score further comprises applying an anomaly detection algorithm to values generated using the set function to detect changes in the groups over the time intervals.

15. The method of claim 12, further comprising generating recommendations for remediating the set of categorical attributes to remediate the anomalous activity.

16. The method of claim 12, wherein the regularity analysis further comprises identifying when a categorical attribute of the set of categorical attributes influences the anomaly score for the set of categorical attributes if an output of an anomaly detection algorithm is approximately identical to alternative instances in which the set of categorical attributes exists.

17. A system for detecting anomalous activity in a computing environment, comprising: a processor; and a memory for storing executable instructions, the processor executing the instructions to perform an unsupervised machine learning method that comprises: generating anomaly scores for data instances of an input stream received over time intervals; detecting a change in the anomaly scores over the time intervals for the data instances; and identifying which of a set of categorical attributes of the data instances caused the anomaly scores using a counterfactual analysis or a regularity analysis, wherein the counterfactual analysis comprises: removing at least a portion of the data instances; regenerating the anomaly scores for each of the data instances, that remained after the removing, over the time intervals; and wherein if the regenerated anomaly scores are improved compared to the anomaly scores, at least a portion of the categorical attributes are identified as anomalous categorical attributes and a cause of the anomalous activity.

18. The system of claim 17, wherein the data instances correspond to selected features to be analyzed for anomalous behavior.

19. The system of claim 17, further comprising remediating the computing environment to remedy the anomalous activity associated with the anomalous behavior.

20. The system of claim 17, further comprising generating recommendations for remediating the set of categorical attributes to remediate the anomalous activity associated with the anomalous behavior.

Patent Application No. US 10,986,110 B2
1. A method for detecting anomalous activity in a computing environment, the method comprising: receiving an input stream of data instances obtained from a computing environment, for a time series, 
where the data instances in the input stream are time stamped to create a chronological order of the data instances, each of the data instances comprising at least one principal value and a set of categorical attributes; 
generating anomaly scores for each of the data instances over continuous time intervals, the anomaly scores being indicative of malicious activity or other deleterious computing environment issues within the computing environment; detecting a change in the anomaly scores over the continuous time intervals for the data instances as compared to the anomaly scores for the data instances standing earlier in the chronological order; 
and identifying which of the set of categorical attributes of the data instances caused the change in the anomaly scores using a counterfactual analysis, the counterfactual analysis comprising: removing at least a portion of the data instances; regenerating the anomaly scores for each of the data instances over the continuous time intervals; and wherein if the regenerated anomaly scores are improved compared to the anomaly scores, at least a portion of the set of categorical attributes are identified as anomalous categorical attributes and a cause of the anomalous activity.
2. The method of claim 1, wherein the change in the anomaly scores is indicative of malicious behavior in the computing environment.

3. The method of claim 2, further comprising generating recommendations for remediating the set of categorical attributes to remediate the malicious behavior.

4. The method of claim 1, wherein the set of categorical attributes comprises a tuple created from at least two categorical attributes.

5. The method of claim 1, further comprising grouping the data instances into groups based on the continuous time intervals, each of the groups having a time length for its corresponding continuous time interval.

6. The method of claim 1, wherein the at least one principal value is categorical or numerical.

7. The method of claim 6, wherein, for the numerical principal value, a set function is applied to calculate a mean value.

8. The method of claim 6, wherein, for the categorical principal value, a set function is applied to calculate any of an equivalence class count or a distinct count.

9. The method of claim 1, wherein generating the anomaly scores comprises: creating features for a current group of the data instances; applying an anomaly detection algorithm that takes as inputs the features for the current group, and group features calculated using set functions for groups earlier than the current group; and generating the anomaly scores, the anomaly scores being indicative of how anomalous are the features for the current group.

10. The method of claim 1, further comprising enacting changes in the computing environment relative to at least a portion of the set of categorical attributes to prevent future instances of the anomalous activity.





11. A method for detecting anomalous activity in a computing environment, the method comprising: receiving an input stream of data instances obtained from a computing environment, the data instances in the input stream being time stamped to create a chronological order of the data instances; separating the data instances into at least one principal value and a set of categorical attributes; grouping the data instances into groups based on continuous time intervals, each of the continuous time intervals having a length; applying set functions to each of the groups; generating an anomaly score for each of the groups using the set functions, the anomaly score being indicative of malicious activity or other deleterious computing environment issues within the computing environment; and applying a counterfactual analysis or a regularity analysis to identify which of the set of categorical attributes for a group causes a change in the anomaly score for the group as compared to the anomaly score for the groups standing earlier in the chronological order and is influencing one or more anomalies in the groups that are indicative of the anomalous activity in the computing environment, wherein the counterfactual analysis comprises: determining a change in the anomaly score; removing at least a portion of the data instances, the at least a portion of the data instances being associated with one or more categorical attributes of the set of categorical attributes identified as influencing the one or more anomalies; regenerating the anomaly score for each of the data instances which remain after the removing; and comparing the regenerated anomaly score to the anomaly score to identify if at least a portion of the categorical attributes caused the change in the anomaly score.

12. The method of claim 11, further comprising remediating the computing environment to remedy the anomalous activity.

13. The method of claim 11, wherein generating the anomaly score further comprises applying an anomaly detection algorithm to values generated using the set functions to detect changes in the groups over the continuous time intervals.

14. The method of claim 11, wherein the regularity analysis further comprises identifying when a categorical attribute of the set of categorical attributes influences the anomaly score for the set of categorical attributes if an output of an anomaly detection algorithm is substantially identical to alternative instances in which the set of categorical attributes exists.

15. A system for detecting anomalous activity in a computing environment, comprising: a processor; and a memory for storing executable instructions, the processor executing the instructions to perform an unsupervised machine learning method that comprises: generating anomaly scores for data instances of an input stream obtained from a computing environment and received over continuous time intervals; detecting a change in the anomaly scores over the continuous time intervals for the data instances as compared to the anomaly scores for the data instances standing earlier in a chronological order of the data instances, the anomaly scores being indicative of malicious activity or other deleterious computing environment issues within the computing environment; and identifying which of a set of categorical attributes of the data instances caused the anomaly scores using a counterfactual analysis or a regularity analysis, wherein the counterfactual analysis comprises: removing at least a portion of the data instances; regenerating the anomaly scores for each of the data instances, that remained after the removing, over the continuous time intervals; and wherein if the regenerated anomaly scores are improved compared to the anomaly scores, at least a portion of the set of categorical attributes are identified as anomalous categorical attributes and a cause of the anomalous activity.

16. The system of claim 15, wherein the data instances correspond to selected features to be analyzed for anomalous behavior.

17. The system of claim 15, further comprising remediating the computing environment to remedy the anomalous activity associated with anomalous behavior.



In addition, claims 1-20 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of co-pending Application No. 15855748. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims corresponding to the co-pending application contain the scope of the invention of the instant application’s claims. For example, the combination of claims 1, 2 and 3 of the co-pending application corresponds to claim 1 of the instant application.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Claims 1-20 are rejected under 35 USC 103 as being unpatentable over Bernstein (US 2016/0142435 A1) in view of Bogaty et al. (US 2013/0325584 A1).

Regarding Claim 1, 
Bernstein discloses a method for detecting anomalous activity in a computing environment (see e.g. ¶ 0001, “methods for detection of anomalous behavior based on network activity”), the method comprising:
receiving an input stream of data instances for a time series (see e.g. ¶ 0008, “receiving data representing the at least one network activity over a period of time”), where the data instances in the input stream are time stamped (see e.g. ¶ 0008, “generating a diversity time series by organizing the at least one relevant diversity value based on chronological sequence of the respective time slices”), each of the data instances comprising at least one principle value and a set of categorical attributes (see e.g. ¶ 0008, “receiving data representing the at least one network activity over a period of time; retrieving, for each respective time slice of multiple time slices of the period of time, at least one relevant diversity value [principle value] from the network behavior model; generating a diversity time series by organizing the at least one relevant diversity value based on chronological sequence of the respective time slices”, also see e.g. ¶ 0015 “the network activities are organized into multiple groups, each group including network activities having at least one shared network entity type, each group represented by a certain word... associating a certain context with each respective group”, also see e.g. ¶ 0088 “The systems and methods are described herein with reference to entity types U, S, T, and C”, also see e.g. ¶ 0090 “Network 202 may be monitored to detect network activities, based on behavior interactions between different network entities”, also see e.g. ¶ 0106 “At 308, one or more diversity functions are calculated for the various entity-entity type relationships” [category attributes], also see e.g. ¶ 0254 “At 712, a new diversity value ...is identified during network monitoring and/or received. The additional diversity value may be the next diversity value in the time series”);
generating anomaly scores for each of the data instances over time intervals (see Fig 5 A-B, also see e.g. ¶ 0012 calculating the abnormality score comprises calculating the abnormality score from the diversity values based on a function that increases the abnormality score when the retrieved at least one diversity value are relatively lower [change in the anomaly scores over the continuous time intervals for the data instances] and also see e.g. ¶ 53 “an abnormality score is calculated based on the diversity value, the analysis being performed based on the abnormality score.”, also see e.g. ¶ 0247, “network activity data is received over a period of time, to identify one or more entity based network activity sessions. The received network activity data is divided into time slices”);
detecting a change in the anomaly scores over the time intervals for the data instances (see Fig 5 A-B, also see e.g. ¶ 0012 calculating the abnormality score comprises calculating the abnormality score from the diversity values based on a function that increases the abnormality score when the retrieved at least one diversity value are relatively lower [change in the anomaly scores over the continuous time intervals for the data instances] and also see e.g. ¶ 53 “an abnormality score is calculated based on the diversity value, the analysis being performed based on the abnormality score.”);
and identifying which of the set of categorical attributes of the data instances caused the change in the anomaly scores (see e.g. ¶ 0015 “the network activities are organized into multiple groups, each group including network activities having at least one shared network entity type, each group represented by a certain word” [categorical attributes of the data instances], also see e.g. ¶ 0099 “As described herein, an activity word represents a sequence of the entities which take part in the received activity” also see e.g. ¶ 0102 words are removed [set of categorical attributes of the data instances caused the change in the anomaly scores], also see ¶ 0173 “The abnormality score may then be analyzed to determine whether the new activity is an abnormality or normal, for example, by comparing the abnormality score”, also see e.g. ¶ 0234 “activity is identified as being anomalous”, also see ¶ 0239 “the related activity is determined to be associated with normal behavior”, also see ¶ 0250 re-calculating the diversity functions based on the...activity) 
removing at least a portion of the data instances (see e.g. ¶ 0015, “the network activities are organized into multiple groups, each group including network activities having at least one shared network entity type, each group represented by a certain word” [data instances], also see e.g. ¶ 0099, “As described herein, an activity word represents a sequence of the entities which take part in the received activity”, also see e.g. ¶ 0102, words [data instances] are removed);
regenerating the anomaly scores for each of the data instances over the time intervals (see e.g. ¶ 0012, “calculating the abnormality score comprises calculating the abnormality score from the diversity values” also see e.g. ¶ 0250, “re-calculating the diversity functions based on the...activity”); 
and wherein if the regenerated anomaly scores are improved compared to the anomaly scores, at least a portion of the categorical attributes are identified as anomalous categorical attributes and a cause of the anomalous activity (see e.g. ¶ 0012, “decreases the abnormality score when the retrieved at least one diversity values are relatively higher” [compared to the anomaly scores], also see e.g. ¶ 0173,  “The abnormality score may then be analyzed to determine whether the new activity is an abnormality or normal, for example, by comparing the abnormality score”, also see e.g. ¶ 0239, “the related activity is determined to be associated with normal behavior”).

Bernstein does not teach applying counterfactual analysis.
Bogaty teaches applying counterfactual analysis (see e.g. ¶ 0025, 0033 and 56, performing counterfactual analysis to determine which one of the matrix or impacts has the most impact value).
Both Bernstein and Bogaty pertain to the problem of identifying online network activities and impact of attribute changes, thus being analogous. It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to combine Bernstein and Bogaty to use counterfactual analysis as taught by Bogaty to identify which of the attributes caused the changes in the scores as taught by Bernstein. The motivation is that performing counterfactual analysis helps determine an exact numerical value for each impact of the plurality of impacts and is sufficient to enable sufficiently accurate calculation of the impact (see Bogaty e.g. ¶ 0056).
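The steps recited in claim 1 (score each time interval, detect a change, then remove a portion of the data instances, regenerate the scores and compare) can be followed in a small added illustration; it is not code from the application, Bernstein or Bogaty. The z-score detector, the 60-second interval, the threshold, the field names and the sample events are all assumptions constructed for this example, as is the choice to remove instances only from the flagged interval.

```python
from collections import defaultdict
from statistics import mean, pstdev

BUCKET_SECONDS = 60   # assumed time-interval length
THRESHOLD = 3.0       # assumed z-score cut-off for "anomalous"


def build_sample():
    """Constructed events: (timestamp, principle value, categorical attributes)."""
    events = []
    for b in range(6):
        t = b * BUCKET_SECONDS
        events.append((t + 5, 100 + 10 * (b % 2), {"user": "alice", "host": "db1"}))
        events.append((t + 20, 120, {"user": "bob", "host": "web1"}))
    # Constructed outlier in the last interval: a new user moving large volumes via db1.
    events.append((5 * BUCKET_SECONDS + 30, 5000, {"user": "carol", "host": "db1"}))
    events.append((5 * BUCKET_SECONDS + 40, 5000, {"user": "carol", "host": "db1"}))
    return events


def anomaly_scores(events):
    """Score each time bucket: z-score of its mean value against all earlier buckets."""
    buckets = defaultdict(list)
    for ts, value, _attrs in events:
        buckets[ts // BUCKET_SECONDS].append(value)
    scores, history = {}, []
    for b in sorted(buckets):
        feature = mean(buckets[b])                   # set function applied to the group
        if len(history) >= 2:
            spread = max(pstdev(history), 1e-9)      # guard against a perfectly flat history
            scores[b] = abs(feature - mean(history)) / spread
        else:
            scores[b] = 0.0                          # too little history to judge
        history.append(feature)
    return scores


def first_anomalous_bucket(scores):
    """Detect the change: earliest bucket whose score crosses the threshold."""
    for b in sorted(scores):
        if scores[b] > THRESHOLD:
            return b
    return None


def counterfactual_attribution(events, bucket):
    """For each (attribute, value) seen in the flagged bucket, drop the matching
    instances from that bucket, regenerate the scores, and keep the pairs whose
    removal improves (lowers) the bucket's score. Best explanation first."""
    baseline = anomaly_scores(events)[bucket]
    in_bucket = [e for e in events if e[0] // BUCKET_SECONDS == bucket]
    candidates = {(k, v) for _ts, _val, attrs in in_bucket for k, v in attrs.items()}
    results = []
    for key, val in sorted(candidates):
        kept = [e for e in events
                if not (e[0] // BUCKET_SECONDS == bucket and e[2].get(key) == val)]
        regenerated = anomaly_scores(kept).get(bucket)
        if regenerated is None:          # removal emptied the bucket: nothing to compare
            continue
        if regenerated < baseline:
            results.append((key, val, regenerated))
    return sorted(results, key=lambda r: r[2])


if __name__ == "__main__":
    sample = build_sample()
    scores = anomaly_scores(sample)
    flagged = first_anomalous_bucket(scores)
    print("flagged bucket:", flagged, "score:", round(scores[flagged], 1))
    for key, val, regenerated in counterfactual_attribution(sample, flagged):
        verdict = "clears the anomaly" if regenerated <= THRESHOLD else "only reduces it"
        print(f"remove {key}={val}: regenerated score {regenerated:.2f} ({verdict})")
```

On the constructed data, removing `user=carol` brings the flagged interval back under the threshold, while removing `host=db1` lowers the score but leaves it above the threshold, so the narrower attribute is the better explanation.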

Regarding Claim 2, 
Bernstein and Bogaty teach the method of claim 1,
Bernstein further discloses, wherein the change in the anomaly scores is indicative of malicious behavior in the computing environment (see e.g. ¶ 0052 “Abnormal activity including data access events, which may be malicious”).

Regarding Claim 3,
Bernstein and Bogaty teach the method of claim 2,
 Bernstein further discloses, further comprising generating recommendations for remediating the set of categorical attributes to remediate the malicious behavior (see e.g. ¶ 0072, “reallocation of monitoring resources, to allocate limited resources to network portions that are deemed to be at higher risk of attack”, also see e.g. ¶ 0074 “abnormal activity that shuts down computers is reduced or prevented, abnormal activity that ties us network resources such as malicious code accessing bandwidth to repeatedly attempt to break into a host is reduced or prevented, and/or degradation of network performance due to malicious code infected computers is reduced or prevented”, also see e.g. ¶ 0076, “improved memory usage by removal of the improper code”, also see e.g. ¶ 232 “Optionally, when the activity is identified as being related to anomalous behavior, an alarm and/or other event is sent to the originating client, a management server, and/or other controller which may take further action to investigate and/or prevent further malicious activity”).

Regarding Claim 4,
Bernstein and Bogaty teach the method of claim 3,
Bernstein further discloses wherein at least one of the generated recommendations comprises a recommendation that all devices accessing a database use a higher level of authentication with respect to the database (see e.g. ¶ 0072, “reallocation of monitoring resources, to allocate limited resources to network portions that are deemed to be at higher risk of attack”, also see e.g. ¶ 0074 “abnormal activity that shuts down computers is reduced or prevented, abnormal activity that ties us network resources such as malicious code accessing bandwidth to repeatedly attempt to break into a host is reduced or prevented, and/or degradation of network performance due to malicious code infected computers is reduced or prevented”, also see e.g. ¶ 0076, “improved memory usage by removal of the improper code”, also see e.g. ¶ 232 “Optionally, when the activity is identified as being related to anomalous behavior, an alarm and/or other event is sent to the originating client, a management server, and/or other controller which may take further action to investigate and/or prevent further malicious activity”).

Regarding Claim 5, 
Bernstein and Bogaty teach the method of claim 1,
Bernstein discloses wherein the set of categorical attributes comprises a tuple created from at least two categorical attributes (see e.g. ¶ 0110, “combinations of a single entity in relation to another single entity type: DU(T), DT(U), DU(S)”).

Regarding Claim 6, 
Bernstein and Bogaty teach the method of claim 1,
Bernstein further discloses, comprising grouping the data instances into groups based on the time intervals, each of the groups having a time length for its corresponding time interval (see e.g. ¶ 0250, “At 708, for each of the entities or entity combinations involved in these activity words, one or more diversity values are calculated based on respective diversity functions, as described herein, for example, as described with reference to block 308 of FIG. 3. Respective diversity values are calculated for each time slice”, also see e.g. ¶ 0251, “At 710, the diversity values are arranged as a diversity time series based on chronological order of the related times slices”).

Regarding Claim 7, 
Bernstein and Bogaty teach the method of claim 1,
Bernstein further discloses, wherein the at least one principle value is categorical or numerical (see e.g. ¶ 0011 “average of the retrieved diversity values” [numerical], also see e.g. ¶ 0043, “the term diversity means a quantifiable measure”).

Regarding Claim 8, 
Bernstein and Bogaty teach the method of claim 7,
Bernstein further discloses, wherein, for the numerical principle value, a set function is applied to calculate a mean value (see e.g. ¶ 0011 calculating the abnormality score comprises calculating based on a member selected from a group consisting of: average of the retrieved diversity values, also see ¶ 0255, “standard deviations above the mean value of the diversity time series, for example, about 1, 2, or 3 standard deviations.”).

Regarding Claim 9, 
Bernstein and Bogaty teach the method of claim 7,
Bernstein further discloses, wherein, for the categorical principle value, a set function is applied to calculate any of an equivalence class count or a distinct count (see e.g. ¶ 0099, “two activities of the entities Ui, Sj and Tk which occurred at different times, are both translated into the same activity word w=UiSjTk”, also see e.g. ¶ 0111, “Each diversity function represents a calculated property of a certain entity in relation with another entity type”).

Regarding Claim 10, 
Bernstein and Bogaty teach the method of claim 1,
Bernstein further discloses, wherein generating the anomaly scores comprises: creating features for a current group of the data instances (see e.g. ¶ 0015, “Optionally, the network activities are organized into multiple groups, each group including network activities having at least one shared network entity type, each group represented by a certain word”); 
applying an anomaly detection algorithm that takes as inputs the features for the current group, and group features calculated using set functions for groups earlier than the current group (see Fig 7 and see e.g. ¶  0013, “classifying the at least one network activity as anomalous or normal based on the calculated abnormality score is based on comparing the abnormality score to a predefined threshold” also see e.g. ¶ 0048, “The low diversity value may be calculated for a certain context, for example, access at a predefined pattern of time such as once a week, or access at any time using any protocol.” also see e.g. ¶ 0108, “The plurality of diversity functions are calculated based on combinations of observed relationships of each entity to every other entity. For a case of n entity types the set includes subgroups of sizes 1 to n-1.”);
 and generating the anomaly scores, the anomaly scores being indicative of how anomalous are the features for the current group (see e.g. ¶ 0021, “classify the at least one network activity as anomalous or normal based on a calculated abnormality score”).

Regarding Claim 11, 
Bernstein and Bogaty teach the method of claim 1,
Bernstein further discloses, comprising enacting changes in the computing environment relative to at least a portion of the categorical attributes to prevent future instances of the anomalous activity (see e.g. ¶ 0072, reallocation of monitoring resources [changes], to allocate limited resources to network portions that are deemed to be at higher risk of attack, also see e.g. ¶ 0076, improved memory usage by removal [changes] of the improper code).

Regarding Claim 12, 
Bernstein discloses a method for detecting anomalous activity in a computing environment (see e.g. ¶ 0001, “methods for detection of anomalous behavior based on network activity”), the method comprising: receiving an input stream of data instances, the data instances in the input stream being time stamped (see e.g. ¶ 0008, “receiving data representing the at least one network activity over a period of time; retrieving, for each respective time slice of multiple time slices of the period of time, at least one relevant diversity value from the network behavior model; generating a diversity time series by organizing the at least one relevant diversity value based on chronological sequence of the respective time slices”, also see e.g. ¶ 0254, “At 712, a new diversity value ...is identified during network monitoring and/or received. The additional diversity value may be the next diversity value in the time series”);
separating the data instances into at least one principle value and a set of categorical attributes (see e.g. ¶ 0008 receiving data representing the at least one network activity over a period of time; retrieving, for each respective time slice of multiple time slices of the period of time, at least one relevant diversity value [principle value] from the network behavior model, also see e.g. ¶ 0015, “the network activities are organized into multiple groups, each group including network activities having at least one shared network entity type, each group represented by a certain word... associating a certain context with each respective group”, also see e.g. ¶ 0088, “The systems and methods are described herein with reference to entity types U, S, T, and C”, also see e.g. ¶ 0090, “Network 202 may be monitored to detect network activities, based on behavior interactions between different network entities”, also see e.g. ¶ 0106, “At 308, one or more diversity functions are calculated for the various entity-entity type relationships” [category attributes]);
grouping the data instances into groups based on time intervals, each of the time intervals having a length (see e.g. ¶ 0008, “receiving data representing the at least one network activity over a period of time”, also see e.g. ¶ 0015, “the network activities are organized into multiple groups, each group including network activities having at least one shared network entity type, each group represented by a certain word... associating a certain context with each respective group...the certain context is a member selected from a group consisting of: a number of occurrences of activities within the respective group, a time of first occurrence of activities within the respective group, and a time of last occurrence of activities within the respective group”, also see e.g. ¶ 0088, “The systems and methods are described herein with reference to entity types U, S, T, and C”, also see e.g. ¶ 0090, “Network 202 may be monitored to detect network activities, based on behavior interactions between different network entities”);
applying set functions to each of the groups (see e.g. ¶ 0111, “Each diversity function represents a calculated property of a certain entity in relation with another entity type. The calculated property represents diversity of behavior of the certain entity in relation to the other entity type. For example, the Diversity of U1 in relation to T is the diversity of the usage of different target machines by user U1, which may be represented as: DT(Ui)=function of the number of distinct targets to which Ui has connected”, also see e.g. ¶ 0112, “For example, the Diversity of U in relation to T is calculated as follows”, also see e.g. ¶ 0113, “Let U be the unique U values which appear in any word in W”, also see e.g. ¶ 0114, “Calculate d=distinct function”);
generating an anomaly score for each of the groups using the set functions (see e.g. ¶ 0158, “At 312, a network behavior model is generated based on the calculated diversity values, and the generated model is outputted. The generated model may be stored (e.g., on a memory in communication with server 204, and/or on remote server) and/or transmitted (e.g., to multiple clients, to a remote server, to anomaly detecting server 208). The general model is provided for receiving network activity data from the network to identify abnormal activity”, also see e.g. ¶ 0173, “The abnormality score is calculated based on the respective diversity values of the entities of the activity, based on the model”); 

 identify which of the set of categorical attributes for a group is influencing one or more anomalies in the groups that are indicative of the anomalous activity in the computing environment (see Fig 5 A-B, also see e.g. ¶ 0012 calculating the abnormality score comprises calculating the abnormality score from the diversity values based on a function that increases the abnormality score when the retrieved at least one diversity value are relatively lower [change in the anomaly scores over the continuous time intervals for the data instances] and also see e.g. ¶ 53 “an abnormality score is calculated based on the diversity value, the analysis being performed based on the abnormality score.”, also see e.g. ¶ 0015, “the network activities are organized into multiple groups, each group including network activities having at least one shared network entity type, each group represented by a certain word” [categorical attributes of the data instances]; also see e.g. ¶ 0099, “As described herein, an activity word represents a sequence of the entities which take part in the received activity”, also see e.g. ¶ 0234, “activity is identified as being anomalous”, also see e.g. ¶ 0102, words are removed [set of categorical attributes for a group is influencing one or more anomalies in the groups], also see e.g. ¶ 0250, “re-calculating the diversity functions based on the...activity”, also see e.g. ¶ 0173, “The abnormality score may then be analyzed to determine whether the new activity is an abnormality or normal, for example, by comparing the abnormality score”, also see e.g. ¶ 0239, “the related activity is determined to be associated with normal behavior”), 
determining a change in the anomaly score; removing at least a portion of the data instances, the at least a portion of the data instances being associated with one or more categorical attributes of the set of categorical attributes identified as influencing the one or more anomalies (see e.g. ¶ 0015, “the network activities are organized into multiple groups, each group including network activities having at least one shared network entity type, each group represented by a certain word” [data instances], also see e.g. ¶ 0099, “As described herein, an activity word represents a sequence of the entities which take part in the received activity”, also see e.g. ¶ 0102, words [data instances] are removed); 
regenerating the anomaly score for each of the data instances which remain after the removing (see e.g. ¶ 0012, “calculating the abnormality score comprises calculating the abnormality score from the diversity values” also see e.g. ¶ 0250, “re-calculating the diversity functions based on the...activity”); 
and comparing the regenerated anomaly score to the anomaly score to identify if at least a portion of the categorical attributes caused the change in the anomaly score (see e.g. ¶ 0012, “decreases the abnormality score when the retrieved at least one diversity values are relatively higher” [compared to the anomaly scores], also see e.g. ¶ 0173,  “The abnormality score may then be analyzed to determine whether the new activity is an abnormality or normal, for example, by comparing the abnormality score”, also see e.g. ¶ 0239, “the related activity is determined to be associated with normal behavior”).
Bernstein does not teach applying counterfactual analysis.
Bogaty teaches applying counterfactual analysis (see e.g. ¶ 0025, 0033 and 56, performing counterfactual analysis to determine which one of the matrix or impacts has the most impact value).
Both Bernstein and Bogaty pertain to the problem of identifying online network activities and impact of attribute changes, thus being analogous. It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to combine Bernstein and Bogaty to use counterfactual analysis as taught by Bogaty to identify which of the attributes caused the changes in the scores as taught by Bernstein. The motivation is that performing counterfactual analysis helps determine an exact numerical value for each impact of the plurality of impacts and is sufficient to enable sufficiently accurate calculation of the impact (see Bogaty e.g. ¶ 0056).

Regarding Claim 13, 
Bernstein and Bogaty teach the method of claim 12,
Bernstein further discloses, comprising remediating the computing environment to remedy the anomalous activity (see e.g. ¶ 0072, “reallocation of monitoring resources, to allocate limited resources to network portions that are deemed to be at higher risk of attack”, also see e.g. ¶ 0074, “abnormal activity that shuts down computers is reduced or prevented, abnormal activity that ties us network resources such as malicious code accessing bandwidth to repeatedly attempt to break into a host is reduced or prevented”).

Regarding Claim 14, 
Bernstein and Bogaty teach the method of claim 12,
Bernstein further discloses, wherein generating the anomaly score further comprises applying an anomaly detection algorithm to values generated using the set function to detect changes in the groups over the time intervals (see e.g. ¶ 0008, “retrieving, for each respective time slice of multiple time slices of the period of time, at least one relevant diversity value from the network behavior model”, also see e.g. ¶ 0012, “calculating the abnormality score comprises calculating the abnormality score from the diversity values based on a function that increases the abnormality score when the retrieved at least one diversity value are relatively lower and decreases the abnormality score when the retrieved at least one diversity values are relatively higher”)

Regarding Claim 15, 
Bernstein and Bogaty teach the method of claim 12,
Bernstein further discloses, further comprising generating recommendations for remediating the set of categorical attributes to remediate the anomalous activity (see e.g. ¶ 0072, “reallocation of monitoring resources, to allocate limited resources to network portions that are deemed to be at higher risk of attack”, also see e.g. ¶ 0074 “abnormal activity that shuts down computers is reduced or prevented, abnormal activity that ties us network resources such as malicious code accessing bandwidth to repeatedly attempt to break into a host is reduced or prevented, and/or degradation of network performance due to malicious code infected computers is reduced or prevented”, also see e.g. ¶ 0076, “improved memory usage by removal of the improper code”, also see e.g. ¶ 232 “Optionally, when the activity is identified as being related to anomalous behavior, an alarm and/or other event is sent to the originating client, a management server, and/or other controller which may take further action to investigate and/or prevent further malicious activity”).

Regarding Claim 16, 
Bernstein and Bogaty teach the method of claim 12,
Bernstein further discloses, wherein the regularity analysis further comprises identifying when a categorical attribute of the set of categorical attributes influences the anomaly score for the set of categorical attributes if an output of an anomaly detection algorithm is approximately identical to alternative instances in which the set of categorical attributes exists (see e.g. ¶ 0173, “abnormality score reflects the extent to which the new activity deviates from normal behavior” also see e.g. ¶ 0177, “Received network activities translated into words are analyzed to determine when the respective activity word already exists within the network behavior model. The analysis may be performed by an activity record analysis module 206C stored on in communication with anomaly detecting server 208 and/or learning server 204, for example, by looking up the respective activity word in a dataset of existing words to determine whether the word is present in the dataset or not. Details of generating the activity word are provided with reference to blocks 302 and 304 of FIG. 3”, also see e.g. ¶ 0183, [the table], also see e.g. ¶ 0185 “The 2.sup.nd row depicts the case in which the pair U.sub.iT.sub.k is normal but U.sub.iS.sub.jT.sub.k is not normal.  The diversity of U.sub.iT.sub.k in relation to entity type S is informative. Diversity function D.sub.S(U.sub.iT.sub.k) is designated”, also see e.g. ¶ 0186, “The 3.sup.rd row is similar to the 2.sup.nd row, with the information that U.sub.iS.sub.j is not normal”, [approximately identical to alternative instances in which the set of categorical attributes exists]).

Regarding Claim 17, 
Bernstein discloses a system for detecting anomalous activity in a computing environment (see e.g. ¶ 0001 “systems... for detection of anomalous behavior based on network activity”), comprising: a processor (see e.g. ¶ 0058, a processor); and a memory for storing executable instructions (see e.g. ¶ 0058, “The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention”, also see e.g. ¶ 0059, “computer readable storage medium includes the following: a portable computer diskette, a hard disk, a random access memory (RAM)”), the processor executing the instructions to perform an unsupervised machine learning (see ¶ 77 and figure 2, learner server 204) method that comprises:  
generating anomaly scores for data instances of an input stream received over time intervals (see Fig 5 A-B, also see e.g. ¶ 0012 calculating the abnormality score comprises calculating the abnormality score from the diversity values based on a function that increases the abnormality score when the retrieved at least one diversity value are relatively lower [change in the anomaly scores over the continuous time intervals for the data instances] and also see e.g. ¶ 53 “an abnormality score is calculated based on the diversity value, the analysis being performed based on the abnormality score.”, also see e.g. ¶ 0247, “network activity data is received over a period of time, to identify one or more entity based network activity sessions. The received network activity data is divided into time slices”);
detecting a change in the anomaly scores over the time intervals for the data instances (see Fig 5 A-B, also see e.g. ¶ 0012 calculating the abnormality score comprises calculating the abnormality score from the diversity values based on a function that increases the abnormality score when the retrieved at least one diversity value are relatively lower [change in the anomaly scores over the continuous time intervals for the data instances] and also see e.g. ¶ 53 “an abnormality score is calculated based on the diversity value, the analysis being performed based on the abnormality score”), 
and identifying which of a set of categorical attributes of the data instances caused the anomaly scores (see e.g. ¶ 0015 “the network activities are organized into multiple groups, each group including network activities having at least one shared network entity type, each group represented by a certain word” [categorical attributes of the data instances], also see e.g. ¶ 0099 “As described herein, an activity word represents a sequence of the entities which take part in the received activity” also see e.g. ¶ 0102 words are removed [set of categorical attributes of the data instances caused the change in the anomaly scores], also see ¶ 0173 “The abnormality score may then be analyzed to determine whether the new activity is an abnormality or normal, for example, by comparing the abnormality score”, also see e.g. ¶ 0234 “activity is identified as being anomalous”, also see ¶ 0239 “the related activity is determined to be associated with normal behavior”, also see ¶ 0250 re-calculating the diversity functions based on the...activity)  
removing at least a portion of the data instances (see e.g. ¶ 0015, “the network activities are organized into multiple groups, each group including network activities having at least one shared network entity type, each group represented by a certain word” [data instances], also see e.g. ¶ 0099, “As described herein, an activity word represents a sequence of the entities which take part in the received activity”, also see e.g. ¶ 0102, words [data instances] are removed); 
regenerating the anomaly scores for each of the data instances, that remained after the removing, over the time intervals (see e.g. ¶ 0012, “calculating the abnormality score comprises calculating the abnormality score from the diversity values” also see e.g. ¶ 0250, “re-calculating the diversity functions based on the...activity”); 
and wherein if the regenerated anomaly scores are improved compared to the anomaly scores, at least a portion of the categorical attributes are identified as anomalous categorical attributes and a cause of the anomalous activity (see e.g. ¶ 0012, “decreases the abnormality score when the retrieved at least one diversity values are relatively higher” [compared to the anomaly scores], also see e.g. ¶ 0173,  “The abnormality score may then be analyzed to determine whether the new activity is an abnormality or normal, for example, by comparing the abnormality score”, also see e.g. ¶ 0239, “the related activity is determined to be associated with normal behavior”).

Bernstein does not teach applying counterfactual analysis.
Bogaty teaches applying counterfactual analysis (see e.g. ¶ 0025, 0033 and 56, performing counterfactual analysis to determine which one of the matrix or impacts has the most impact value).
Both Bernstein and Bogaty pertain to the problem of identifying online network activities and impact of attribute changes, thus being analogous. It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to combine Bernstein and Bogaty to use counterfactual analysis as taught by Bogaty to identify which of the attributes caused the changes in the scores as taught by Bernstein. The motivation is that performing counterfactual analysis helps determine an exact numerical value for each impact of the plurality of impacts and is sufficient to enable sufficiently accurate calculation of the impact (see Bogaty e.g. ¶ 0056).

Regarding Claim 18,
Bernstein and Bogaty teach the system of claim 17,
Bernstein further discloses, wherein the data instances correspond to selected features to be analyzed for anomalous behavior (see e.g. ¶ 0075, detecting a system failure, which might otherwise not be detected or be more difficult to detect. The system failure may be due to, for example improperly written code [selected features] which may not necessarily be malicious. The diversity values may be analyzed to detect, for example, improperly written code that excessively ties up network resources, such as repeatedly accessing bandwidth to try and connect with a certain server).

Regarding Claim 19, 
Bernstein and Bogaty teach the system of claim 17,
Bernstein further discloses, comprising remediating the computing environment to remedy the anomalous activity associated with the anomalous behavior (see e.g. ¶ 0072, “reallocation of monitoring resources, to allocate limited resources to network portions that are deemed to be at higher risk of attack”, also see e.g. ¶ 0074, “abnormal activity that ties us network resources such as malicious code accessing bandwidth to repeatedly attempt to break into a host is reduced or prevented”, also see e.g. ¶ 0076, “improved memory usage by removal of the improper code”)

Regarding Claim 20, 
Bernstain and Bogaty teach the system of claim 17,
Bernstein further discloses, further comprising generating recommendations for remediating the set of categorical attributes to remediate the anomalous activity associated with the anomalous behavior (see e.g. ¶ 0072, “reallocation of monitoring resources, to allocate limited resources to network portions that are deemed to be at higher risk of attack”, also see e.g. ¶ 0074, “abnormal activity that shuts down computers is reduced or prevented, abnormal activity that ties us network resources such as malicious code accessing bandwidth to repeatedly attempt to break into a host is reduced or prevented, and/or degradation of network performance due to malicious code infected computers is reduced or prevented”, also see e.g. ¶ 0076, “improved memory usage by removal of the improper code”, also see e.g. ¶ 232, “Optionally, when the activity is identified as being related to anomalous behavior, an alarm and/or other event is sent to the originating client, a management server, and/or other controller which may take further action to investigate and/or prevent further malicious activity”).

Related art not used in the above rejection:
Leon et al. (US 20120158488 A1): Counterfactual analysis can be performed "offline", or "after the fact", based on data collected during a trial in which random variations are applied to the output of the system whose parameters are to be the subject of the counterfactual analysis. A weighting factor can be derived and applied to data collected during the trial to emphasize that data obtained when the random variations most closely resembled the output that would be expected if counterfactual parameters were utilized to generate the output.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to IMAD M KASSIM, whose telephone number is (571) 272-2958. The examiner can normally be reached Mon-Fri, 7:30-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Michael J. Huntley, can be reached on (303) 297-4307. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/IMAD KASSIM/Examiner, Art Unit 2129
/MICHAEL J HUNTLEY/Supervisory Patent Examiner, Art Unit 2129