Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments

Applicant argues that the prior art fails to teach comparing a current usage to a local trend line and a global trend line.  Examiner asserts that the prior office action contained references that anticipate this limitation.
Applicant argues that the prior art failed to teach based on detecting an anomaly by comparing to both local and global trend lines, and then taking a malware remediation action.
Examiner points to Boyapalle, Mullarkey, and Pecht, which teach comparing to both local and global trend lines, and taking remediation actions, including quarantine, but do not explicitly teach malware.
Examiner has incorporated De Lima Junior from the prior office action which teaches determining malware and taking remediation actions.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 26 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.

Claim 26 states “a local trend line”, “a historical trend line”, “a global trend line”, and “periodically updating the local trend line to a short-term trend line”.  
It is unclear what the applicant intends by “updating a local trend line to a short-term trend line”.    
Additionally, Examiner could not find the term “short-term trend line” in the specification.    
Examiner is interpreting the updating to mean that the local trend line and the short-term trend line are roughly equivalent trends that are periodically updated at different intervals. Examiner notes that the local trend line is not utilized in claim 26 to detect an anomaly.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-15, 21-23, 26, 27 is/are rejected under 35 U.S.C. 103 as being unpatentable over Boyapalle US 11,269,750 in view of Mullarkey US 2016/0292026 in view of Pecht US 2010/0191503 in view of De Lima Junior US 2019/0354680.


As per claim 1. Boyapalle teaches A computing apparatus, comprising: a hardware platform comprising a processor and a memory; and an anomaly detection engine comprising instructions encoded within the memory to instruct the processor to: periodically collect local telemetry for a performance parameter; based on the local telemetry compute and maintain a local trend line for the performance parameter; receive from a cloud service a global trend line for the performance parameter for device classes that the computing apparatus belongs to; and perform anomaly detection comprising analyzing the local trend line and the global trend line to detect an anomaly. (Column 4 lines 14-26; Column 4 line 64 to Column 5 line 53)(Column 6 lines 25-65) (Column 7 lines 18-33) (Column 7 line 63-Column 8 line 10) ( Column 9 lines 20-62) (Column 22 lines 38-56) (additional mapping/classification parameters to monitor) (Teaches periodically collecting telemetry for a plurality of performance parameters to compute a baseline, that the collection may be local, that the telemetry is uploaded from a plurality of clients to a hub to compute a global baseline of similarly mapped client systems; analyzing local trend line/baseline to global baseline/trend line to determine anomalies and detecting an anomaly if the current usage deviates substantially from the local trend line; additional mapping/classification parameters to monitor)
Boyapalle teaches receive a device class assignment from the cloud service, the device class assignment comprising an associated performance parameter to monitor. (Column 5 lines 5-19) (classifications)

Mullarkey more explicitly teaches trends and deviation of the local trend line, where the determination of an anomaly may be a comparison of current behavior data to a local trend (historical performance data) and a global trend (compared to similar peer historical performance data from the cloud). [0031]-[0036] [0043]
It would have been obvious to one of ordinary skill in the art to use the trends of Mullarkey with the systems of Boyapalle because it helps detect anomalous readings.

Pecht teaches comparing a current usage of the performance parameters to the local trend line and global trend line, and detecting an anomaly based on the current usage causes the local trend line to deviate substantially from the global trend line, or the current usage deviates substantially from the local trend line. [0026][0027][0029][0031]  (teaches comparing current usage to a local baseline, and further, a global baseline, teaches comparing a local baseline falls within global baseline)  
It would have been obvious to one of ordinary skill in the art to use the teachings of Pecht with the prior art combination because it assists in determining reliability [0004]

De Lima Junior teaches the application is treated as malicious or misconfigured according to the anomaly detection. [0032][0049]-[0051] (monitors performance and determines if malicious and if so taking remedial action)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the malware detection of De Lima, with the prior art combination because it increases security against malicious threats.
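
The two comparisons recited above (current usage against the local trend line, and the local trend line against the global trend line for the device class) can be sketched as follows. This is an added illustration, not code from the application or from any cited reference; the exponentially weighted trend model, the 3-sigma threshold, the class names, and the sample CPU series are all assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class TrendLine:
    """Exponentially weighted mean/variance; an assumed model of a 'trend line'."""
    alpha: float = 0.2
    mean: Optional[float] = None
    var: float = 0.0

    def update(self, x: float) -> None:
        if self.mean is None:
            self.mean = x
            return
        delta = x - self.mean
        self.mean += self.alpha * delta
        self.var = (1 - self.alpha) * (self.var + self.alpha * delta * delta)

    def deviation(self, x: float, floor: float) -> float:
        # Distance from the trend in standard deviations; the floor keeps a
        # very quiet history from turning small jitter into an alert.
        return abs(x - self.mean) / max(self.var ** 0.5, floor)


@dataclass
class Detector:
    global_mean: float  # class-level trend, as received from a cloud service
    global_std: float
    k: float = 3.0      # assumed reading of "deviates substantially"
    floor: float = 2.0
    local: TrendLine = field(default_factory=TrendLine)

    def observe(self, usage: float) -> List[str]:
        reasons = []
        # Check 1: current usage against the local trend line.
        if self.local.mean is not None and \
                self.local.deviation(usage, self.floor) > self.k:
            reasons.append("usage_vs_local")
        self.local.update(usage)
        # Check 2: the updated local trend line against the global trend line.
        if abs(self.local.mean - self.global_mean) > self.k * self.global_std:
            reasons.append("local_vs_global")
        return reasons


def run(samples, global_mean=20.0, global_std=5.0):
    """Return (sample index, reasons) for every sample that raised an alert."""
    det = Detector(global_mean, global_std)
    alerts = []
    for i, usage in enumerate(samples):
        reasons = det.observe(usage)
        if reasons:
            alerts.append((i, reasons))
    return alerts


# Constructed CPU-utilisation series (percent), not real telemetry.
SPIKE = [20, 21, 19, 20, 22, 20, 21, 80]   # sudden jump
DRIFT = list(range(20, 51))                # slow ramp, one point per sample

if __name__ == "__main__":
    print(run(SPIKE))
    print(run(DRIFT)[0])
```

The slow ramp never trips the local check because the local trend adapts to it; only the comparison against the class-wide trend flags it, which is the practical reason for keeping both baselines.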


As per claim 2. Boyapalle teaches The computing apparatus of claim 1, wherein the computing apparatus is a mobile computing apparatus. (Column 8 lines 42-55) (mobile device)

As per claim 3. Boyapalle teaches The computing apparatus of claim 1, wherein a period for collecting the telemetry is between two minutes and five minutes. (Column 6 lines 19-65) (teaches a vast array of reading times and measurements)
Mullarkey teaches monitoring performance in realtime [0033].
Examiner asserts that the plurality of teachings here reads on the limitation “two to five minutes”.

As per claim 4. Boyapalle teaches The computing apparatus of claim 1, wherein periodically collecting the telemetry comprises collecting telemetry for a plurality of performance parameters. (Column 6 lines 25-67) (plurality of parameters including battery, CPU, network, etc)

As per claim 10. Boyapalle teaches The computing apparatus of claim 1, wherein detecting the anomaly in the performance parameter comprises detecting a deviation in the local trend line relative to the global trend line. (Column 4 line 64 to Column 5 line 53) (local baseline to cloud baseline)

Mullarkey more explicitly teaches trends and that the comparison may be of current behavior data to a local trend (historical performance data) and a global trend (compared to similar peer historical performance data from the cloud). [0031]-[0036]
As per claim 11. Boyapalle teaches The computing apparatus of claim 1, wherein the instructions are to periodically perform anomaly detection on an anomaly detection period of approximately one day. (Column 6 lines 19-65) (teaches a vast array of reading times and measurements)
Mullarkey teaches monitoring performance in realtime [0033].
Examiner asserts that the plurality of teachings here reads on the limitation of daily anomaly detection.

As per claim 12. Mullarkey teaches The computing apparatus of claim 1, wherein the instructions are further to infer a source event of a detected anomaly comprising correlating a time of the source event with a beginning of the detected anomaly. [0036] (teaches correlating an event with an anomaly at a specific time)

As per claim 13. Boyapalle teaches One or more tangible, non-transitory computer readable storage media having stored thereon executable instructions to instruct a processor to: receive from a cloud service a class assignment; periodically collect local telemetry of data relevant to the class assignment; compute a local trend from the local telemetry; receive a global trend, based on global data collected, from the cloud service; and perform anomaly detection based on detecting substantial deviations in the local trend or the global trend. (Column 4 line 64 to Column 5 line 53) (Column 6 lines 25-65) (Column 7 lines 18-33) (Column 9 lines 20-62) (Teaches periodically collecting telemetry for a plurality of performance parameters to compute a baseline, that the collection may be local, that the telemetry is uploaded from a plurality of clients to a hub to compute a global baseline of similarly mapped client systems; analyzing local trend line/baseline to global baseline/trend line to determine anomalies)
Mullarkey more explicitly teaches trends and deviation of the local trend line, where the determination of an anomaly may be a comparison of current behavior data to a local trend (historical performance data) and a global trend (compared to similar peer historical performance data from the cloud). [0031]-[0036] [0043]
It would have been obvious to one of ordinary skill in the art to use the trends of Mullarkey with the systems of Boyapalle because it helps detect anomalous readings.

Pecht teaches comparing a current usage of the performance parameters to the local trend line and global trend line, and detecting an anomaly based on the current usage causes the local trend line to deviate substantially from the global trend line, or the current usage deviates substantially from the local trend line. [0026][0027][0029][0031]  (teaches comparing current usage to a local baseline, and further, a global baseline, teaches comparing a local baseline falls within global baseline)  
It would have been obvious to one of ordinary skill in the art to use the teachings of Pecht with the prior art combination because it assists in determining reliability [0004]

De Lima Junior teaches the application is treated as malicious or misconfigured according to the anomaly detection. [0032][0049]-[0051] (monitors performance and determines if malicious and if so taking remedial action)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the malware detection of De Lima, with the prior art combination because it increases security against malicious threats.

As per claim 14. Boyapalle teaches The one or more tangible, non-transitory computer readable storage media of claim 13, wherein periodically collecting the local telemetry comprises collecting telemetry for a plurality of performance parameters. (Column 6 lines 30-67)

As per claim 15. Boyapalle teaches The one or more tangible, non-transitory computer readable storage media of claim 14, wherein the plurality of performance parameters comprises processor utilization and memory usage. (Column 6 lines 60-67)

As per claim 21, Boyapalle teaches the device classes are a subset comprising fewer than all classes to which the computer apparatus could be correctly assigned (Column 5 lines 5-19) (classifications) (Column 6 lines 35-65) (Column 22 lines 38-56) (additional mapping/classification parameters to monitor) (classification must be compared to similar baselines and thus a subset of all baselines)


As per claim 22, De Lima Junior teaches the application is treated as malicious or misconfigured according to the anomaly detection. [0032][0049]-[0051] (monitors performance and determines if malicious)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the malware detection of De Lima, with the prior art combination because it increases security against malicious threats.


As per claim 23, Boyapalle teaches the device classes are a subset comprising fewer than all classes to which the computer apparatus could be correctly assigned (Column 5 lines 5-19) (classifications) (Column 6 lines 35-65) (Column 22 lines 38-56) (additional mapping/classification parameters to monitor) (classification must be compared to similar baselines and thus a subset of all baselines)

As per claim 24, De Lima Junior teaches the application is treated as malicious or misconfigured according to the anomaly detection. [0032][0049]-[0051] (monitors performance and determines if malicious)

As per claim 26,  Boyapalle teaches collecting local telemetry for a performance parameter; based on the local telemetry compute and maintain a local trend line for the performance parameter; receive from a cloud service a global trend line for the performance parameter for device classes that the computing apparatus belongs to; periodically updating the local trend line to a short term trend line; and perform anomaly detection comprising analyzing the local trend line and the global trend line to detect an anomaly. (Column 4 lines 14-26; Column 4 line 64 to Column 5 line 53)(Column 6 lines 25-65) (Column 7 lines 18-33) (Column 7 line 63-Column 8 line 10) ( Column 9 lines 20-62) (Column 22 lines 38-56) (additional mapping/classification parameters to monitor) (Teaches periodically collecting telemetry for a plurality of performance parameters to compute a baseline, that the collection may be local, that the telemetry is uploaded from a plurality of clients to a hub to compute a global baseline of similarly mapped client systems; analyzing local trend line/baseline to global baseline/trend line to determine anomalies and detecting an anomaly if the current usage deviates substantially from the local trend line; additional mapping/classification parameters to monitor)
Boyapalle teaches receive a device class assignment from the cloud service, the device class assignment comprising an associated performance parameter to monitor. (Column 5 lines 5-19) (classifications)

Mullarkey more explicitly teaches trends and deviation of the local trend line, where the determination of an anomaly may be a comparison of current behavior data to a local trend (historical performance data) and a global trend (compared to similar peer historical performance data from the cloud), and does not change a global trend line. [0031]-[0036] [0043]
It would have been obvious to one of ordinary skill in the art to use the trends of Mullarkey with the systems of Boyapalle because it helps detect anomalous readings.

Pecht teaches comparing a current usage of the performance parameters to the local trend line and global trend line, and detecting an anomaly based on the current usage causes the local trend line to deviate substantially from the global trend line, or the current usage deviates substantially from the local trend line and does not change a global trend line for a class. [0026][0027][0029][0031]  (teaches comparing current usage to a local baseline, and further, a global baseline, teaches comparing a local baseline falls within global baseline)  
It would have been obvious to one of ordinary skill in the art to use the teachings of Pecht with the prior art combination because it assists in determining reliability [0004]

De Lima Junior teaches the application is treated as malicious or misconfigured according to the anomaly detection. [0032][0049]-[0051] (monitors performance and determines if malicious and if so taking remedial action)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the malware detection of De Lima, with the prior art combination because it increases security against malicious threats.

As per claim 27, Boyapalle teaches updating the local trend line comprises updating between 5 and 10 min (Column 28 lines 10-15)  (states updating telemetry from ongoing to periodic, this reads on every 5 to 10 min)



Claims 28, 29 is/are rejected under 35 U.S.C. 103 as being unpatentable over Boyapalle US 11,269,750 in view of Mullarkey US 2016/0292026 in view of Pecht US 2010/0191503 in view of De Lima Junior US 2019/0354680 in view of Fan 2021/0209486.

As per claim 28, Fan teaches that the short term trend line is computed less frequently than the local trend line. [0031][0032] (period of time controlled by user, daily)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the control of Fan with the previous combination because less frequent computation uses less resources.

As per claim 29, Fan teaches that the short term trend line is computed daily or at a time of low resource usage. [0031][0032] (period of time controlled by user, daily)


Claims 30 is/are rejected under 35 U.S.C. 103 as being unpatentable over Boyapalle US 11,269,750 in view of Mullarkey US 2016/0292026 in view of Pecht US 2010/0191503 in view of De Lima Junior US 2019/0354680 in view of Carnes III US 2020/0067935.

As per claim 30, Boyapalle teaches the device classes are a subset comprising fewer than all classes to which the computer apparatus could be correctly assigned (Column 5 lines 5-19) (classifications) (Column 6 lines 35-65) (Column 22 lines 38-56) (additional mapping/classification parameters to monitor) (classification must be compared to similar baselines and thus a subset of all baselines)
Carnes III teaches classifying endpoints by machine learning [0054][0058][0059]. (teaches fingerprinting and machine learning classification of endpoints by behavior)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the machine learning of Carnes III with Boyapalle because it is more efficient. 

Claims 31 is/are rejected under 35 U.S.C. 103 as being unpatentable over Boyapalle US 11,269,750 in view of Mullarkey US 2016/0292026 in view of Pecht US 2010/0191503 in view of De Lima Junior US 2019/0354680 in view of Grace JR US 2018/0189292.

As per claim 31, Boyapalle teaches the device classes are a subset comprising fewer than all classes to which the computer apparatus could be correctly assigned (Column 5 lines 5-19) (classifications) (Column 6 lines 35-65) (Column 22 lines 38-56) (additional mapping/classification parameters to monitor) (classification must be compared to similar baselines and thus a subset of all baselines)
Grace JR teaches k list of selecting a subset of n most important classes for trend line tracking where n<k and n<10 [0075] (teaches in general organizing the best subset of matches, and specifically the top 5)
It would have been obvious at the time the invention was filed to use the selection method of Grace JR with the prior art because it optimizes efficient trend line classification.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833. The examiner can normally be reached M-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439