DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continuation
This application is a continuation application of US 16/389,861 (filed on Apr. 19, 2019 – now US Patent No. 11,025,653), which is a continuation application of US 15/256,483 (filed on Sept. 2, 2016 – now US Patent No. 10,270,788). The prosecution history and references cited in the above application have been fully considered.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-8, 10-12, 16, 22-27 of US Patent No. 10,270,788 and claims 1-20 of US Patent No. 11,025,653. Although the claims at issue are not identical, they are not patentably distinct from each other because claims of the conflicting patents contain every element of claims 1-20 of the instant application and thus anticipates the claims of the instant application. Therefore, claims 1-20 of the instant application are not patentably distinct from the earlier patent claims and is unpatentable over obvious-type double patenting. “A later patent claim is not patentably distinct from an earlier claim if the later claim is anticipated by the earlier claim. In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species within that genus)." ELI LILLY AND COMPANY v BARR LABORATORIES, INC., United States Court of Appeals for the Federal Circuit ON PETITION FOR REHEARING EN BANC (DECIDED: May 30, 2001). 
For example, see the following claim comparison table between two corresponding methods:
Instant application (17/332,879)
Conflicting patent (10,270,788)
1. A method of responding to a detected anomaly event that has not frequently been observed in an ongoing event stream of security-related events of one or more organizations, the method including: 
1. A method of detecting an anomaly event that has not frequently been observed in an ongoing event stream of security-related events of one or more organizations, the method including: 

the strikethrough limitations are recited as part of a “wherein” clause of the instant application; see below)
obtaining an evaluation of a plurality of production events with production space IDs, including for a production event, wherein the evaluation has been prepared for a production event by:
then evaluating a plurality of production events with production space IDs, including for a production event:
transforming features of the production event into categorical bins of a hash-space;
transforming features of the production event into the categorical bins of the hash-space;
applying a hash function to the production space ID and the features of the production event as transformed to retrieve likelihood coefficients for the transformed features of the production event and a standard candle for the production space ID;
applying a hash function to the production space ID and the transformed features of the production event to retrieve the likelihood coefficients for the transformed features of the production event and the standard candle for the production space ID,
calculating an anomaly score; and
then calculating an anomaly score;
when the anomaly score represents a detected anomaly event, accessing history associated with the production space ID to construct a contrast between feature-event pairs of the detected anomaly event and non-anomalous feature-value pairs of prior events for the production space ID;
when the anomaly score represents a detected anomaly event, accessing history associated with the production space ID to construct a contrast between feature-event pairs of the detected anomaly event and non-anomalous feature-value pairs of prior events for the production space ID;
based upon the evaluation as obtained, invoking one or more security actions including at least one of a quarantine, and an encryption, to be performed when anomalies are detected; 
and invoking one or more security actions including at least one of a quarantine, and an encryption, to be performed when anomalies are detected.
wherein the likelihood coefficients had been calculated by space ID and a standard candle and mapped into the hash-space using a loosely supervised machine learning of observed features in security-related events using a loss function analyzer and recording the standard candle.
 (recited in the strikethrough limitations of the claim as previously noted)


Instant application (17/332,879)
Conflicting patent (11,025,653)
1. A method of responding to a detected anomaly event that has not frequently been observed in an ongoing event stream of security-related events of one or more organizations, the method including: 
1. A method of detecting an anomaly event that has not frequently been observed in an ongoing event stream of security-related events of one or more organizations, the method including: 
obtaining an evaluation of a plurality of production events with production space IDs, wherein the evaluation has been prepared for a production event by:
evaluating a plurality of production events with production space IDs, including for a production event:
transforming features of the production event into categorical bins of a hash-space;
transforming features of the production event into categorical bins of a hash-space;
applying a hash function to the production space ID and the features of the production event as transformed to retrieve likelihood coefficients for the transformed features of the production event and a standard candle for the production space ID;
applying a hash function to the production space ID and the features of the production event as transformed to retrieve likelihood coefficients for the transformed features of the production event and a standard candle for the production space ID;
calculating an anomaly score;
calculating an anomaly score;
and when the anomaly score represents a detected anomaly event, accessing history associated with the production space ID to construct a contrast between feature-event pairs of the detected anomaly event and non-anomalous feature-value pairs of prior events for the production space ID;
when the anomaly score represents a detected anomaly event, accessing history associated with the production space ID to construct a contrast between feature-event pairs of the detected anomaly event and non-anomalous feature-value pairs of prior events for the production space ID;
and based upon the evaluation as obtained, invoking one or more security actions including at least one of a quarantine, and an encryption, to be performed when at least one detected anomaly event is represented in the evaluation as obtained;
and invoking one or more security actions including at least one of a quarantine, and an encryption, to be performed when anomalies are detected;
wherein the likelihood coefficients had been calculated by space ID and a standard candle and mapped into the hash-space using a loosely supervised machine learning of observed features in security-related events using a loss function analyzer and recording the standard candle.
wherein the likelihood coefficients had been calculated by space ID and a standard candle and mapped into the hash-space using a loosely supervised machine learning of observed features in security-related events using a loss function analyzer and recording the standard candle.



Notes on Prior Art
No prior art rejections are asserted for the claims as currently presented. However, the Examiner notes several relevant prior arts to the claimed invention.
The cited prior arts are generally directed to implementing machine learning algorithms to train models of user behavior, or activity patterns, for detecting anomalous network events. For example, US 9,338,187 discloses creating a model on collected user activities in a network and using that model to detect abnormal patterns over a period of time. The model contains temporal patterns of activity within a network and assigns a risk score to alerts of inconsistent activities. In another example, US 2015/0067845 discloses generating a model by taking a set of user activity over a given time period as input and producing a model of roles defined by said set of user activities. The models are used to detect deviations from normal user activities. In another example, US 2011/0276828 discloses extracting historic state data representing normal operations and categorizing the state data items into objective-variable item (y) and explanatory-variable item (x). A predictive model is created from the variables after further categorizing them in to collinearity mode and independency mode. Therefore, generating network behavior-based models and enforcing said models to detect abnormal activities on a network were well-known concepts in the art. However, none of the prior arts teach, disclose, or reasonably suggest the “evaluation” steps presented in the independent claims.
Other prior arts with scope of the claimed invention include:
US 2007/0245420: Discloses defining a group profile by logically grouping network users who have similar or common network usage attributes. The application of the group profile can be used to effectively detect network anomalies.
US 2015/0088791: Discloses the problem of the lack of anomalous data to fully train a classification model. Data class imbalance may be addressed by injected generated samples of a minority data class to an imbalance data set.
US 9,185,095: Discloses using historical usage data of a user to develop a behavioral profile, wherein the profile is used to identify deviations from current sessions.
US 9,275,345: Discloses recording user interactions to obtain features for developing a behavior model for each user in a computer system, wherein the model is used to continuously verify the authenticity of a user using the computer system.
Y. Zhao, Z. Zheng and H. Wen, "Bayesian Statistical Inference in Machine Learning Anomaly Detection," 2010 International Conference on Communications and Intelligence Information Security, Nanning, 2010, pp. 113-116, doi: 10.1109/ICCIIS.2010.48. (Machine learning anomaly detection, which is based on Bayesian statistics to determine whether a network intrusion has occurred.)
US 7,743,003: Discloses identifying a feature from a plurality of features in a repository and applying a number of hash functions to the feature to generate a corresponding number of different hash values. A group of buckets in memory is identified based on the hash values and updated, thereby generating rules for a model based on the values in the group of buckets.
Zhu, Xiaojin Jerry. "Semi-supervised learning literature survey." (2005). (Provides background disclosure to semi-supervised machine learning (akin to the “loosely supervised machine learning of observed features”). Semi-supervised learning method uses both unlabeled and labeled data to train models.)

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT B LEUNG whose telephone number is (571)270-1453. The examiner can normally be reached Mon - Thurs: 10am-7pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG KIM can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/ROBERT B LEUNG/Primary Examiner, Art Unit 2494                                                                                                                                                                                                        11-14-2022