Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
	This Office Action is in response to an amendment received on 08/23/2022. In the amendment, Applicant has amended claims 1, 10, 19, 21 and 25. Claims 4, 7-8, 13 and 16-17 remain cancelled. Claims 2-3, 5-6, 9, 11-12, 14-15, 18, 20, 22-24 and 26 remain original. No new claim has been added.
	For this Office Action, claims 1-4, 5-6, 9-12, 14-15 and 18-26 have been received for consideration and have been examined. 
Response to Arguments
Claim Rejections under 35 USC § 112
	Applicant’s amendment to the second limitation of claims 1 and 10 has been reviewed by the examiner and appears to overcome the 35 USC § 112(b) indefiniteness rejection. Therefore, this rejection has been withdrawn.
Claim Rejections under 35 USC § 103
	Applicant’s remarks regarding rejection of claims under 35 USC § 103 have been fully considered and have been summarized as follows:
Schimert fails to disclose or suggest determining a plurality of baseline event clusters using the baseline event data by determining one or more pairs of complementary baseline events recorded in the baseline event data that are related to activities performed during an advanced persistent threat cyber-attack to elicit a response from the plurality of target systems. Schimert detects anomalies, not advanced persistent threat cyber-attacks. In addition, Schimert fails to disclose or suggest determining one or more pairs of complementary baseline events recorded in baseline event data that are related to activities performed during an advanced persistent threat cyber-attack to elicit a response from the plurality of target systems, as recited by amended claim 1 (Page # 14).
Wang fails to satisfy the deficiencies of Schimert with respect to amended claim 1. For example, the combination of Schimert and Wang fails to disclose or suggest that the baseline event data is time-stamped information of predefined types of data processing events that are indicative of advanced persistent threat cyber-attacks. In fact, the word “baseline” doesn’t appear anywhere in Wang. Schimert and Wang further fail to disclose or suggest determining one or more pairs of complementary baseline events recorded in baseline event data that are related to activities performed during an advanced persistent threat cyber-attack to elicit a response from the plurality of target systems, as recited by amended claim 1 (Page # 15). 
Gonsalves fails to satisfy the deficiencies of Schimert and Wang with respect to amended independent claim 1. For example, the combination of Schimert, Wang, and Gonsalves fails to disclose or suggest that the baseline event data is time-stamped information of predefined types of data processing events that are indicative of advanced persistent threat cyber-attacks. In fact, the word “baseline” doesn’t appear anywhere in Wang and Gonsalves. Schimert, Wang, and Gonsalves further fail to disclose or suggest determining one or more pairs of complementary baseline events recorded in baseline event data that are related to activities performed during an advanced persistent threat cyber-attack to elicit a response from the plurality of target systems, as recited by amended claim 1 (Page # 15).
Giordano fails to satisfy the deficiencies of Schimert, Wang, and Gonsalves with respect to amended independent claim 1. For example, the combination of Schimert, Wang, Gonsalves, and Giordano fails to disclose or suggest that the baseline event data is time-stamped information of predefined types of data processing events that are indicative of advanced persistent threat cyber-attacks. In fact, the word “baseline” doesn’t appear anywhere in Wang, Gonsalves, and Giordano. Schimert, Wang, Gonsalves, and Giordano further fail to disclose or suggest determining one or more pairs of complementary baseline events recorded in baseline event data that are related to activities performed during an advanced persistent threat cyber-attack to elicit a response from the plurality of target systems, as recited by amended claim 1 (Page # 16).
Amit fails to satisfy the deficiencies of Schimert, Wang, Gonsalves, and Giordano. For example, Amit, as well as Schimert, Wang, Gonsalves, and Giordano fail to disclose or suggest that the baseline event data is time-stamped information of predefined types of data processing events that are indicative of advanced persistent threat cyber-attacks, as recited in claims 1, 10, and 19. In fact, the word “baseline” doesn’t appear anywhere in Wang, Gonsalves, Giordano, and Amit. Schimert, Wang, Gonsalves, Giordano, and Amit further fail to disclose or suggest determining one or more pairs of complementary baseline events recorded in baseline event data that are related to activities performed during an advanced persistent threat cyber-attack to elicit a response from the plurality of target systems, as recited by amended claim 1 (Page # 17).
Examiner’s Response
	Regarding remark # 1, that “Schimert fails to disclose or suggest determining a plurality of baseline event clusters using the baseline event data by determining one or more pairs of complementary baseline events recorded in the baseline event data that are related to activities performed during an advanced persistent threat cyber-attack to elicit a response from the plurality of target systems. Schimert detects anomalies, not advanced persistent threat cyber-attacks. In addition, Schimert fails to disclose or suggest determining one or more pairs of complementary baseline events recorded in baseline event data that are related to activities performed during an advanced persistent threat cyber-attack to elicit a response from the plurality of target systems”, the examiner respectfully disagrees.
	Schimert clearly teaches ‘determining baseline event clusters’ by disclosing the collection and processing of data to generate training data sets of sensor data corresponding to baseline or normal operating conditions (NOC) for specific parameters of interest (Schimert: [0031-0032]). With respect to the remark that Schimert fails to disclose data related to activities performed during an advanced persistent threat cyber-attack to elicit a response from the plurality of target systems, the examiner relied upon the Gonsalves reference, which discloses in light of FIG. 15 that security event information such as payload and pattern are correlated to detect a cyber-attack, which is interpreted as “elicit/produce” a response from victim computer 246 (a-c) (Gonsalves: [0065]).
	The examiner would like to note that the claims have been rejected under obviousness guidelines, and one cannot show nonobviousness by considering references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
	Regarding remark # 2, that “the combination of Schimert and Wang fails to disclose or suggest that the baseline event data is time-stamped information of predefined types of data processing events that are indicative of advanced persistent threat cyber-attacks. In fact, the word “baseline” doesn’t appear anywhere in Wang. Schimert and Wang further fail to disclose or suggest determining one or more pairs of complementary baseline events recorded in baseline event data that are related to activities performed during an advanced persistent threat cyber-attack to elicit a response from the plurality of target systems”, the examiner respectfully disagrees.
	The examiner would like to note that Schimert clearly discloses receiving and processing normal operating condition data [baseline event data] and new sensor data [operational event data], which contain the time at which data corresponding to a parameter of interest occurred within a predetermined time period (Schimert: [0032-0033] & [0043]). The examiner would like to note that the secondary reference, Wang, also discloses processing events in a computing environment in which the events contain timestamps indicative of a time at which the event occurred (Wang: Col. 4; Line # 34-42). With respect to Applicant’s remark that Schimert and Wang fail to disclose “baseline event data that are related to activities performed during an advanced persistent threat cyber-attack to elicit a response from the plurality of target systems”, the examiner notes that the third reference, Gonsalves, discloses this concept, where security event information such as payload and pattern are correlated to detect a cyber-attack, which is interpreted as “elicit/produce” a response from victim computer 246 (a-c) (Gonsalves: [0065] & [0077]).
	Regarding remark # 3, that “the combination of Schimert, Wang, and Gonsalves fails to disclose or suggest that the baseline event data is time-stamped information of predefined types of data processing events that are indicative of advanced persistent threat cyber-attacks. In fact, the word “baseline” doesn’t appear anywhere in Wang and Gonsalves”, the examiner respectfully disagrees. The examiner notes that the primary reference, Schimert, has been relied upon to disclose receiving and processing normal operating condition data [baseline event data] and new sensor data [operational event data], which contain the time at which data corresponding to a parameter of interest occurred within a predetermined time period (Schimert: [0032-0033] & [0043]). The examiner would like to note that the secondary reference, Wang, also discloses processing events in a computing environment in which the events contain timestamps indicative of a time at which the event occurred (Wang: Col. 4; Line # 34-42). Additionally, Schimert discloses the terms baseline and operational events in reference to baseline event data and operational event data (Schimert: [0041-0042] & [0058], [0061-0062]).
	Furthermore, regarding the remark that “Schimert, Wang, and Gonsalves further fail to disclose or suggest determining one or more pairs of complementary baseline events recorded in baseline event data that are related to activities performed during an advanced persistent threat cyber-attack to elicit a response from the plurality of target systems”, the examiner respectfully disagrees. The examiner notes that the third reference, Gonsalves, discloses this concept, where security event information such as payload and pattern are correlated to detect a cyber-attack, which is interpreted as “elicit/produce” a response from victim computer 246 (a-c) (Gonsalves: [0065] & [0077]).
	Regarding remark # 4, that “Giordano fails to satisfy the deficiencies of Schimert, Wang, and Gonsalves with respect to amended independent claim 1. For example, the combination of Schimert, Wang, Gonsalves, and Giordano fails to disclose or suggest that the baseline event data is time-stamped information of predefined types of data processing events that are indicative of advanced persistent threat cyber-attacks. In fact, the word “baseline” doesn’t appear anywhere in Wang, Gonsalves, and Giordano”, the examiner respectfully disagrees. The examiner notes that the primary reference, Schimert, has been relied upon to disclose receiving and processing normal operating condition data [baseline event data] and new sensor data [operational event data], which contain the time at which data corresponding to a parameter of interest occurred within a predetermined time period (Schimert: [0032-0033] & [0043]). The examiner would like to note that the secondary reference, Wang, also discloses processing events in a computing environment in which the events contain timestamps indicative of a time at which the event occurred (Wang: Col. 4; Line # 34-42). Additionally, Schimert discloses the terms baseline and operational events in reference to baseline event data and operational event data (Schimert: [0041-0042] & [0058], [0061-0062]).
	Furthermore, regarding the remark that “Schimert, Wang, and Gonsalves further fail to disclose or suggest determining one or more pairs of complementary baseline events recorded in baseline event data that are related to activities performed during an advanced persistent threat cyber-attack to elicit a response from the plurality of target systems”, the examiner respectfully disagrees. The examiner notes that the third reference, Gonsalves, discloses this concept, where security event information such as payload and pattern are correlated to detect a cyber-attack, which is interpreted as “elicit/produce” a response from victim computer 246 (a-c) (Gonsalves: [0065] & [0077]).
	Regarding remark # 5, that “Amit fails to satisfy the deficiencies of Schimert, Wang, Gonsalves, and Giordano. For example, Amit, as well as Schimert, Wang, Gonsalves, and Giordano fail to disclose or suggest that the baseline event data is time-stamped information of predefined types of data processing events that are indicative of advanced persistent threat cyber-attacks, as recited in claims 1, 10, and 19. In fact, the word “baseline” doesn’t appear anywhere in Wang, Gonsalves, Giordano, and Amit”, the examiner respectfully disagrees. The examiner notes that the primary reference, Schimert, has been relied upon to disclose receiving and processing normal operating condition data [baseline event data] and new sensor data [operational event data], which contain the time at which data corresponding to a parameter of interest occurred within a predetermined time period (Schimert: [0032-0033] & [0043]). The examiner would like to note that the secondary reference, Wang, also discloses processing events in a computing environment in which the events contain timestamps indicative of a time at which the event occurred (Wang: Col. 4; Line # 34-42). Additionally, Schimert discloses the terms baseline and operational events in reference to baseline event data and operational event data (Schimert: [0041-0042] & [0058], [0061-0062]).
	Furthermore, regarding the remark that “Schimert, Wang, and Gonsalves further fail to disclose or suggest determining one or more pairs of complementary baseline events recorded in baseline event data that are related to activities performed during an advanced persistent threat cyber-attack to elicit a response from the plurality of target systems”, the examiner respectfully disagrees. The examiner notes that the third reference, Gonsalves, discloses this concept, where security event information such as payload and pattern are correlated to detect a cyber-attack, which is interpreted as “elicit/produce” a response from victim computer 246 (a-c) (Gonsalves: [0065] & [0077]).
	The examiner would like to again note that the claims have been rejected under obviousness guidelines, and one cannot show nonobviousness by considering references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
	Based on the above explanations, the amended claims are still taught by the combination of the cited references, and therefore the rejection is maintained.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5, 9-12, 14, 18-19, 21-23 and 25-26 are rejected under 35 U.S.C. 103 as being unpatentable over Schimert (US20090216393A1) in view of Wang et al. (US8910188B1) in view of Gonsalves et al. (US20110264608A1) and further in view of Giordano et al. (US9686173B1).
Regarding claim 1, Schimert discloses:
	A method comprising: 
receiving, by a processor, baseline event data during operation of a plurality of target systems directly after one of being initially fielded (i.e., initial training data such as data collected under normal operating conditions interpreted as ‘receiving baseline event data after being initially fielded’) or directly after being upgraded ([0005] In accordance with a further embodiment of the present invention, a data-driven method for detecting anomalies in sensor data from an aircraft may include two main steps. The first step may define data sets collected under normal operating conditions from a plurality of aircraft systems, and determines limits. Empirical models may be applied to reduce a possible high dimension of sensor data. These models and limits may be called “baseline” models and limits; [0041] FIG. 2A is a flow chart of an example of a method 200 to extract initial training data or baseline data),
the baseline event data being time-stamped information (Schimert: [0032-0033] & [0043]);
determining, by the processor, a plurality of baseline event clusters (see [0042] i.e. cluster of normal operating conditions (NOC) such as sensor data from various aircraft systems) using the baseline event data by determining one or more pairs of complementary baseline events recorded in the baseline event data that correspond to activities performed during the alert condition (See [0036] i.e., alert whether an anomaly is likely to occur) ([0033] Also in block 104, limits for monitoring quantities may be determined based on typical ranges of values under NOC. Such a limit is called a NOC limit. A monitoring chart displays the monitoring quantities versus time. A NOC limit may be represented in the monitoring chart by a horizontal line. A monitoring result is the decision at any one time whether a quantity exceeds the limit (alert); [0036] In block 110 the monitoring results from block 108 may be fused or consolidated to produce a consensus decision, i.e. alert/normal on whether an anomaly is likely to occur. A monitoring result can be viewed as a decision, i.e., whether a monitoring quantity at a particular time exceeds the limit (alert));
determining, by the processor, a baseline cumulative trajectory (see [0052] i.e. dashed diagonally straight line 406 in FIG. 4 which is construed as baseline cumulative trajectory) of each of the plurality of baseline event clusters by partitioning the each of the plurality of baseline event clusters into a plurality of first discrete time intervals (see FIG. 2; i.e. timeline) within a first time period ([0041] In block 206, a timeline of flight deck effects 204 of interest may be determined from the observed training data; [0044] In block 218, additional criteria may be applied to further extract data to produce the initial training data 220 based substantially on normal operating conditions; [0048] In block 228, models are fit to the final training data to generate NOC or baseline models 230; [0052] The robust distances 402 are determined from the robust principal components and the usual distances 404 are determined from the usual principal components. Deviations from the dotted diagonal line 406 indicate candidate outliers) that is longer than an expected length of the alert condition (See FIG. 8; [0063] Each sub-chart 802 or sub-plot illustrates a level 804 (0-4 in this example) of contribution for each different parameter 806 observed for each respective date, set of dates or occurrence; [0064] In the example illustrated in FIG. 8, for the specific date or dates corresponding to sub-chart 802 a, parameter 10 had the highest level of contribution to causing the alert in the monitoring chart exceeding the predetermined NOC limit), 
receiving, by the processor and from the plurality of the target systems, operational event data (i.e., new sensor data is construed as operational event data) (see FIG. 5; [0058] In block 502, new sensor data in contrast to initial training data may be collected; [0061] In block 510 monitoring results may be fused or consolidated to form a single consensus result, alert/no alert; [0062] In block 512, a determination may be made if there is a consensus alert from the fused results. Since the fused results are a consolidation or fusion of multiple decisions, the alert may be referred to as a consensus alert), the operational event data being time-stamped information (Schimert: [0032-0033] & [0043]);
determining, by the processor, a plurality of operational event clusters (i.e. sensor data from flight control) using the operational event data (i.e. new sensor data) by determining one or more pairs of complementary operational events recorded (see FIG. 5; i.e. collected new data) in the operational event data that correspond to activities performed during the alert condition; ([0059] In block 504, the new data may be projected onto models of NOC, such as models 230 developed in FIG. 2B; [0062] In block 512, a determination may be made if there is a consensus alert from the fused results … If there is a determination in block 512 that there is a consensus alert, the method 500 may advance to block 516);
Application No.: 14/839,327; Attorney Docket No.: 15-0849-US-NP/0192.0034
determining, by the processor, an operational cumulative trajectory (see [0033] i.e. exceeds the limit) of each of the plurality of operational event clusters by partitioning each of the plurality of operational event clusters into a plurality of second discrete time intervals (see FIG. 8; i.e. respective date, set of dates) within a second time period ([0059] In block 506, quantities to be monitored may be calculated … One type of quantity represents a distance of a parameter observation to a center within a space spanned by a chosen number of components. Another type of quantity is a residual or an orthogonal distance of the parameter observation to the model space. Thus the two types of quantities measure closeness of an observation to NOC according to what the NOC model describes, and in addition measures any left over distance that the model does not describe. These quantities can be compared to their corresponding limit determined earlier using baseline data. At any time point, if the quantity exceeds the limit, an alert is generated; [0063] FIG. 8 illustrates an example of a contribution plot 800 including a trellis of four contribution plots or sub-charts 802 a-802 d. Each sub-chart 802 or sub-plot illustrates a level 804 (0-4 in this example) of contribution for each different parameter 806 observed for each respective date, set of dates or occurrence) that is longer than an expected length of the alert condition (See FIG. 8 for observing data for various length of time; [0063] Each sub-chart 802 or sub-plot illustrates a level 804 (0-4 in this example) of contribution for each different parameter 806 observed for each respective date, set of dates or occurrence; [0064] In the example illustrated in FIG. 8, for the specific date or dates corresponding to sub-chart 802 a, parameter 10 had the highest level of contribution to causing the alert in the monitoring chart exceeding the predetermined NOC limit),
detecting, by the processor, the alert condition (i.e., detection of an anomaly based on comparing new sensor data with baseline data) occurring within the plurality of target systems by comparing the baseline cumulative trajectories of the plurality of baseline event clusters with the operational cumulative trajectories of the plurality of operational event clusters and determining that the baseline cumulative trajectories and the operational cumulative trajectories diverge by more than a predetermined distance ([0005] The second step may detect any anomalies in new sensor data by projecting onto the baseline models, and comparing monitored quantities to baseline limits; [0034] In block 106, parameters collected from sensors coupled to the various systems may be monitored by calculating quantities from the collected parameter data and NOC models and comparing with NOC limits established in block 104 for NOC data; [0039] In block 118, which parameter or parameters are most likely to have caused the alert may be determined from the contribution plot or plots. This is done by comparing each parameter contribution to the monitored quantity, relative to the parameter contribution under baseline or normal operation conditions); and 
outputting, by the processor, an indication regarding the detected alert condition ([0062] In block 512, a determination may be made if there is a consensus alert from the fused results. Since the fused results are a consolidation or fusion of multiple decisions, the alert may be referred to as a consensus alert).
Schimert fails to disclose:
	receiving event data [baseline and operational] including records logged by deterministic data processing systems operated by the plurality of target systems; the detected alert condition is a cyber-attack, determined using baseline event data which corresponds to activities performed during the cyber-attack to elicit a response from the target systems; determining the baseline cumulative trajectory of the each of the plurality of baseline event clusters further comprising: determining a first centroid of the baseline event data at the each of the plurality of first discrete time intervals, and determining a centroid for a baseline cumulative rolling wave at the each of the plurality of first discrete time intervals using a sum of the first centroid of the baseline event data at the each of the plurality of first discrete time intervals and the first centroids of the baseline event data from all previous first discrete time intervals of the each of the plurality of first discrete time intervals; the determining the operational cumulative trajectory of the each of the plurality of operational event clusters further comprising: determining a second centroid of the operational event data at each of the plurality of second discrete time intervals, and determining a centroid for an operational cumulative rolling wave at the each of the plurality of second discrete time intervals using a sum of the second centroid of the operational event data at the each of the plurality of second discrete time intervals and the second centroids of the operational event data from all previous second discrete time intervals of the each of the plurality of second discrete time intervals; and wherein the received baseline event data is data which contains an initial computer system configuration.
However, Wang discloses:
	receiving event data [baseline and operational] including records logged by deterministic data processing systems operated by the plurality of target systems (Col. 2, Line # 34-53; discloses receiving, processing and logging event batch data from first computing system and second computing system; Col. 4, Line # 2-8; teaches “Deterministic data processing” for event batch data before proceeding to a next processing cycle; Col. 4; Line # 34-42; describes Deterministic processing of events in a distributed (or parallel) computing environment is achieved by creating batches of events based on timestamps (e.g., indicative of a time at which the event occurred) associated with the events, and specifying operations that must occur in order for processing of the events to continue at a next processing stage)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Schimert reference to include a deterministic data processing system for processing event data, as disclosed by Wang.
	The motivation to include a deterministic data processing system for processing event data is to ensure that event data processed by the deterministic system contains no randomness when the data is retrieved in the development of future states of the system.
The combination of Schimert and Wang fails to disclose:
	the detected alert condition is a cyber-attack, determined using baseline event data which corresponds to activities performed during the cyber-attack to elicit a response from the target systems; determining the baseline cumulative trajectory of the each of the plurality of baseline event clusters further comprising: determining a first centroid of the baseline event data at the each of the plurality of first discrete time intervals, and determining a centroid for a baseline cumulative rolling wave at the each of the plurality of first discrete time intervals using a sum of the first centroid of the baseline event data at the each of the plurality of first discrete time intervals and the first centroids of the baseline event data from all previous first discrete time intervals of the each of the plurality of first discrete time intervals; the determining the operational cumulative trajectory of the each of the plurality of operational event clusters further comprising: determining a second centroid of the operational event data at each of the plurality of second discrete time intervals, and determining a centroid for an operational cumulative rolling wave at the each of the plurality of second discrete time intervals using a sum of the second centroid of the operational event data at the each of the plurality of second discrete time intervals and the second centroids of the operational event data from all previous second discrete time intervals of the each of the plurality of second discrete time intervals.
However, Gonsalves discloses:
	detected alert condition is a cyber-attack by determining event data [correlating historical security event information with current situation state] which corresponds to activities performed during the cyber-attack (i.e., consequences of such events 322 in FIG. 10) to elicit a response [i.e., as disclosed in FIG. 15, security event information such as payload and pattern are correlated to detect cyber-attack which is interpreted as “elicit/produce” a response from victim computer 246 (a-c)] from the target systems ([0065] discloses predicting cyber-attack in light of FIG. 10 by analyzing Fuse Data which is stored in persistent database; Also see [0077] Various ontologies for gathering data will now be described. An embodiment of the Security Event ontology is illustrated in FIG. 15 … Security Event objects are also used by retrieval agents 316 if and when the INAFS system needs access to historical security event data in order to correlate that data with the current situation state. The security event information includes information regarding the security event 318, payload 320, consequences of such events 322 and their pattern information 324).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Schimert and Wang references to include an improved security system and method of detecting cyber-attacks on a network or network element, as disclosed by Gonsalves.
	The motivation to include a device for detecting a cyber-attack is to rapidly and accurately detect various forms of cyber-attacks by monitoring and analyzing events generated in real time.
The combination of Schimert, Wang and Gonsalves fails to disclose:
	determining the baseline cumulative trajectory of the each of the plurality of baseline event clusters further comprising: determining a first centroid of the baseline event data at the each of the plurality of first discrete time intervals, and determining a centroid for a baseline cumulative rolling wave at the each of the plurality of first discrete time intervals using a sum of the first centroid of the baseline event data at the each of the plurality of first discrete time intervals and the first centroids of the baseline event data from all previous first discrete time intervals of the each of the plurality of first discrete time intervals; the determining the operational cumulative trajectory of the each of the plurality of operational event clusters further comprising: determining a second centroid of the operational event data at each of the plurality of second discrete time intervals, and determining a centroid for an operational cumulative rolling wave at the each of the plurality of second discrete time intervals using a sum of the second centroid of the operational event data at the each of the plurality of second discrete time intervals and the second centroids of the operational event data from all previous second discrete time intervals of the each of the plurality of second discrete time intervals.
However, Giordano discloses:
	the determining the baseline cumulative trajectory of the each of the plurality of baseline event clusters further comprising: 
determining a first centroid (See FIG. 3C; 121 a) of the baseline event data at the each of the plurality of first discrete time intervals (Col. 12, Line #66-67 – Col. 13, Line # 1-5; the point may be the centroid or a geometric center of the cluster. Accordingly, the clusters are represented by their centroids or geometric centers, thus forming a hyper-map to represent the server groups of the CDN; Col. 15; Line # 58-61; The collection of points representing the feature vectors of all servers of the CDN form a hyper-map in this 5-dimensional hyperspace, such as the hyper-map A (121 a) shown in FIG. 3C), and 
determining a centroid for a baseline cumulative rolling wave at the each of the plurality of first discrete time intervals using a sum of the first centroid of the baseline event data at the each of the plurality of first discrete time intervals and the first centroids of the baseline event data from all previous first discrete time intervals of the each of the plurality of first discrete time intervals (Col. 10, Line # 11-16; the flows are captured and parsed throughout a pre-configured time interval recurring on a periodic basis (e.g., every minute, hourly, daily, etc.) or triggered in response to an event. Such pre-configured time interval correspond to the aforementioned time window of a snapshot in the network traffic data (330));
determining the operational cumulative trajectory of the each of the plurality of operational event clusters further comprising: 
determining a second centroid (See FIG. 3C; 122 a) of the operational event data at each of the plurality of second discrete time intervals, and determining a centroid for an operational cumulative rolling wave at the each of the plurality of second discrete time intervals using the second centroid of the operational event data at the each of the plurality of second discrete time intervals and the second centroids of the operational event data from all previous second discrete time intervals of the each of the plurality of second discrete time intervals (Col. 10, Line # 11-16; the flows are captured and parsed throughout a pre-configured time interval recurring on a periodic basis (e.g., every minute, hourly, daily, etc.) or triggered in response to an event. Such pre-configured time interval correspond to the aforementioned time window of a snapshot in the network traffic data (330); Col. 16, Line # 9-20; To track the evolution of a clustering (i.e., a collection of clusters) over time, two clusterings C(i) and C(i+1) are generated from two snapshots X(i) and X(i+1), one subsequent to another. In particular, X(i) and C(i) correspond to the hyper-map A (212 a) and hyper-map (212 b), respectively, shown in FIG. 3C. In addition, the subsequent hyper-map A (122 a) and subsequent hyper-map B (122 b) are evolved versions of the hyper-map A (212 a) and hyper-map (212 b), respectively, that correspond to a subsequent snapshot (referred to as snapshot i+1) of the network traffic flows captured from the CDN shown in FIG. 3A).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the references of Schimert, Wang and Gonsalves and detect a centroid of clusters of collected data, as disclosed by Giordano.
The motivation to detect a centroid of clusters of collected data is to find a mean position of the collected data and display it in the form of a graph.
Regarding claim 2, the combination of Schimert, Wang, Gonsalves and Giordano discloses:
The method of claim 1, wherein:
the plurality of deterministic target systems include a plurality of types, and the plurality of types include a plurality of configurations (Schimert: [0072]);
the baseline event data includes a plurality of records that associate baseline events, respectively, with a timestamp, one of the plurality of types, and one of the plurality of configurations (Schimert: [0032]);
the operational event data includes a plurality of records that associate operational events, respectively, with a timestamp, one of the plurality of types, and one of the plurality of configurations (Schimert: [0043]).
Regarding claim 3, the combination of Schimert, Wang, Gonsalves and Giordano discloses:
The method of claim 2, wherein: the plurality of types comprise a plurality of aircraft fleets; and the plurality of configurations comprise configurations of data processing systems in the plurality of aircraft fleets (Schimert: [0005]).
Regarding claim 5, the combination of Schimert, Wang, Gonsalves and Giordano discloses:
The method of claim 2, further comprising: determining a number of configurations included in the plurality of types (Schimert: [0004]);
	and determining initial baseline event clusters by partitioning pairs of complementary baseline events into a first plurality of sets corresponding to the number of configurations (Schimert: [0005] & [0056]); and
	determining initial operational event clusters by partitioning pairs of complementary operational events into a second plurality of sets corresponding to the number of configurations (Schimert: [0005] & [0056]).
Regarding claim 9, the combination of Schimert, Wang, Gonsalves and Giordano discloses:
The method of claim 1, wherein comparing the baseline cumulative trajectory with operational cumulative trajectory comprises plotting a graph comparing the first centroid for a cumulative rolling wave over the plurality of discrete time intervals with the second centroid for the cumulative rolling wave over the plurality of discrete time intervals (Schimert: [0052] FIG. 4).
Regarding claim 10, Schimert discloses:
A system for detecting cyber-attacks comprising: a processor; a computer-readable hardware storage device; program instructions stored on the computer-readable hardware storage device for execution by the processor that control the system to perform operations comprising:
	receiving, by a processor, baseline event data during operation of a plurality of target systems directly after one of being initially fielded (i.e., initial training data such as data collected under normal operating conditions interpreted as ‘receiving baseline event data after being initially fielded’) or directly after being upgraded ([0005] In accordance with a further embodiment of the present invention, a data-driven method for detecting anomalies in sensor data from an aircraft may include two main steps. The first step may define data sets collected under normal operating conditions from a plurality of aircraft systems, and determines limits. Empirical models may be applied to reduce a possible high dimension of sensor data. These models and limits may be called “baseline” models and limits; [0041] FIG. 2A is a flow chart of an example of a method 200 to extract initial training data or baseline data),
the baseline event data being time-stamped information (Schimert: [0032-0033] & [0043]);
determining, by the processor, a plurality of baseline event clusters (see [0042] i.e. cluster of normal operating conditions (NOC) such as sensor data from various aircraft systems) using the baseline event data by determining one or more pairs of complementary baseline events recorded in the baseline event data that correspond to activities performed during the alert condition (See [0036] i.e., alert whether an anomaly is likely to occur) ([0033] Also in block 104, limits for monitoring quantities may be determined based on typical ranges of values under NOC. Such a limit is called a NOC limit. A monitoring chart displays the monitoring quantities versus time. A NOC limit may be represented in the monitoring chart by a horizontal line. A monitoring result is the decision at any one time whether a quantity exceeds the limit (alert); [0036] In block 110 the monitoring results from block 108 may be fused or consolidated to produce a consensus decision, i.e. alert/normal on whether an anomaly is likely to occur. A monitoring result can be viewed as a decision, i.e., whether a monitoring quantity at a particular time exceeds the limit (alert));
determining, by the processor, a baseline cumulative trajectory (see [0052] i.e. dashed diagonally straight line 406 in FIG. 4 which is construed as baseline cumulative trajectory) of each of the plurality of baseline event clusters by partitioning the each of the plurality of baseline event clusters into a plurality of first discrete time intervals (see FIG. 2; i.e. timeline) within a first time period ([0041] In block 206, a timeline of flight deck effects 204 of interest may be determined from the observed training data; [0044] In block 218, additional criteria may be applied to further extract data to produce the initial training data 220 based substantially on normal operating conditions; [0048] In block 228, models are fit to the final training data to generate NOC or baseline models 230; [0052] The robust distances 402 are determined from the robust principal components and the usual distances 404 are determined from the usual principal components. Deviations from the dotted diagonal line 406 indicate candidate outliers) that is longer than an expected length of the alert condition (See FIG. 8; [0063] Each sub-chart 802 or sub-plot illustrates a level 804 (0-4 in this example) of contribution for each different parameter 806 observed for each respective date, set of dates or occurrence; [0064] In the example illustrated in FIG. 8, for the specific date or dates corresponding to sub-chart 802 a, parameter 10 had the highest level of contribution to causing the alert in the monitoring chart exceeding the predetermined NOC limit), 
receiving, by the processor and from the plurality of the target systems, operational event data (i.e., new sensor data is construed as operational event data) (see FIG. 5; [0058] In block 502, new sensor data in contrast to initial training data may be collected; [0061] In block 510 monitoring results may be fused or consolidated to form a single consensus result, alert/no alert; [0062] In block 512, a determination may be made if there is a consensus alert from the fused results. Since the fused results are a consolidation or fusion of multiple decisions, the alert may be referred to as a consensus alert);
determining, by the processor, a plurality of operational event clusters (i.e. sensor data from flight control) using the operational event data (i.e. new sensor data) by determining one or more pairs of complementary operational events recorded (see FIG. 5; i.e. collected new data) in the operational event data that correspond to activities performed during the alert condition; ([0059] In block 504, the new data may be projected onto models of NOC, such as models 230 developed in FIG. 2B; [0062] In block 512, a determination may be made if there is a consensus alert from the fused results … If there is a determination in block 512 that there is a consensus alert, the method 500 may advance to block 516);
Application No.: 14/839,327 Attorney Docket No.: 15-0849-US-NP/0192.0034
determining, by the processor, an operational cumulative trajectory (see [0033] i.e. exceeds the limit) of each of the plurality of operational event clusters by partitioning each of the plurality of operational event clusters into a plurality of second discrete time intervals (see FIG. 8; i.e. respective date, set of dates) within a second time period ([0059] In block 506, quantities to be monitored may be calculated … One type of quantity represents a distance of a parameter observation to a center within a space spanned by a chosen number of components. Another type of quantity is a residual or an orthogonal distance of the parameter observation to the model space. Thus the two types of quantities measure closeness of an observation to NOC according to what the NOC model describes, and in addition measures any left over distance that the model does not describe. These quantities can be compared to their corresponding limit determined earlier using baseline data. At any time point, if the quantity exceeds the limit, an alert is generated; [0063] FIG. 8 illustrates an example of a contribution plot 800 including a trellis of four contribution plots or sub-charts 802 a-802 d. Each sub-chart 802 or sub-plot illustrates a level 804 (0-4 in this example) of contribution for each different parameter 806 observed for each respective date, set of dates or occurrence) that is longer than an expected length of the alert condition (See FIG. 8 for observing data for various length of time; [0063] Each sub-chart 802 or sub-plot illustrates a level 804 (0-4 in this example) of contribution for each different parameter 806 observed for each respective date, set of dates or occurrence; [0064] In the example illustrated in FIG. 8, for the specific date or dates corresponding to sub-chart 802 a, parameter 10 had the highest level of contribution to causing the alert in the monitoring chart exceeding the predetermined NOC limit),
detecting, by the processor, the alert condition (i.e., detection of an anomaly based on comparing new sensor data with baseline data) occurring within the plurality of target systems by comparing the baseline cumulative trajectories of the plurality of baseline event clusters with the operational cumulative trajectories of the plurality of operational event clusters and determining that the baseline cumulative trajectories and the operational cumulative trajectories diverge by more than a predetermined distance ([0005] The second step may detect any anomalies in new sensor data by projecting onto the baseline models, and comparing monitored quantities to baseline limits; [0034] In block 106, parameters collected from sensors coupled to the various systems may be monitored by calculating quantities from the collected parameter data and NOC models and comparing with NOC limits established in block 104 for NOC data; [0039] In block 118, which parameter or parameters are most likely to have caused the alert may be determined from the contribution plot or plots. This is done by comparing each parameter contribution to the monitored quantity, relative to the parameter contribution under baseline or normal operation conditions); and 
outputting, by the processor, an indication regarding the detected alert condition ([0062] In block 512, a determination may be made if there is a consensus alert from the fused results. Since the fused results are a consolidation or fusion of multiple decisions, the alert may be referred to as a consensus alert).
Schimert fails to disclose:
	receiving event data [baseline and operational] including records logged by deterministic data processing systems operated by the plurality of target systems; detected alert condition is a cyber-attack by determining baseline event data which corresponds to activities performed during the cyber-attack to elicit a response from the target systems; determining the baseline cumulative trajectory of the each of the plurality of baseline event clusters further comprising: determining a first centroid of the baseline event data at the each of the plurality of first discrete time intervals, and determining a centroid for a baseline cumulative rolling wave at the each of the plurality of first discrete time intervals using the a sum of first centroid of the baseline event data at the each of the plurality of first discrete time intervals and the first centroids of the baseline event data from all previous first discrete time intervals of the each of the plurality of first discrete time intervals; the determining the operational cumulative trajectory of the each of the plurality of operational event clusters further comprising: determining a second centroid of the operational event data at each of the plurality of second discrete time intervals, and determining a centroid for an operational cumulative rolling wave at the each of the plurality of second discrete time intervals using a sum of the second centroid of the operational event data at the each of the plurality of second discrete time intervals and the second centroids of the operational event data from all previous second discrete time intervals of the each of the plurality of second discrete time intervals; and wherein receiving baseline event data is a data which contains initial computer system configuration.
However, Wang discloses:
	receiving event data [baseline and operational] including records logged by deterministic data processing systems operated by the plurality of target systems (Col. 2, Line # 34-53; discloses receiving, processing and logging event batch data from first computing system and second computing system; Col. 4, Line # 2-8; teaches “Deterministic data processing” for event batch data before proceeding to a next processing cycle; Col. 4; Line # 34-42; describes Deterministic processing of events in a distributed (or parallel) computing environment is achieved by creating batches of events based on timestamps (e.g., indicative of a time at which the event occurred) associated with the events, and specifying operations that must occur in order for processing of the events to continue at a next processing stage).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Schimert reference and include a deterministic data processing system for processing event data, as disclosed by Wang.
	The motivation to include a deterministic data processing system for processing event data is to ensure that event data processed by the deterministic system contains no randomness when the data is retrieved in the development of future states of the system.
The combination of Schimert and Wang fails to disclose:
	detected alert condition is a cyber-attack by determining baseline event data which corresponds to activities performed during the cyber-attack to elicit a response from the target systems; determining the baseline cumulative trajectory of the each of the plurality of baseline event clusters further comprising: determining a first centroid of the baseline event data at the each of the plurality of first discrete time intervals, and determining a centroid for a baseline cumulative rolling wave at the each of the plurality of first discrete time intervals using the a sum of first centroid of the baseline event data at the each of the plurality of first discrete time intervals and the first centroids of the baseline event data from all previous first discrete time intervals of the each of the plurality of first discrete time intervals; the determining the operational cumulative trajectory of the each of the plurality of operational event clusters further comprising: determining a second centroid of the operational event data at each of the plurality of second discrete time intervals, and determining a centroid for an operational cumulative rolling wave at the each of the plurality of second discrete time intervals using a sum of the second centroid of the operational event data at the each of the plurality of second discrete time intervals and the second centroids of the operational event data from all previous second discrete time intervals of the each of the plurality of second discrete time intervals.
However, Gonsalves discloses:
	detected alert condition is a cyber-attack by determining event data [correlating historical security event information with current situation state] which corresponds to activities performed during the cyber-attack (i.e., consequences of such events 322 in FIG. 10) to elicit a response [i.e., as disclosed in FIG. 15, security event information such as payload and pattern are correlated to detect cyber-attack which is interpreted as “elicit/produce” a response from victim computer 246 (a-c)] from the target systems ([0065] discloses predicting cyber-attack in light of FIG. 10 by analyzing Fuse Data which is stored in persistent database; Also see [0077] Various ontologies for gathering data will now be described. An embodiment of the Security Event ontology is illustrated in FIG. 15 … Security Event objects are also used by retrieval agents 316 if and when the INAFS system needs access to historical security event data in order to correlate that data with the current situation state. The security event information includes information regarding the security event 318, payload 320, consequences of such events 322 and their pattern information 324).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Schimert and Wang references and include an improved security system and method of detecting cyber-attacks on a network or network element, as disclosed by Gonsalves. 
	The motivation to include a device for detecting a cyber-attack is to rapidly and accurately detect various forms of cyber-attacks by monitoring and analyzing events generated in real time.
The combination of Schimert, Wang and Gonsalves fails to disclose:
	determining the baseline cumulative trajectory of the each of the plurality of baseline event clusters further comprising: determining a first centroid of the baseline event data at the each of the plurality of first discrete time intervals, and determining a centroid for a baseline cumulative rolling wave at the each of the plurality of first discrete time intervals using the a sum of first centroid of the baseline event data at the each of the plurality of first discrete time intervals and the first centroids of the baseline event data from all previous first discrete time intervals of the each of the plurality of first discrete time intervals; the determining the operational cumulative trajectory of the each of the plurality of operational event clusters further comprising: determining a second centroid of the operational event data at each of the plurality of second discrete time intervals, and determining a centroid for an operational cumulative rolling wave at the each of the plurality of second discrete time intervals using a sum of the second centroid of the operational event data at the each of the plurality of second discrete time intervals and the second centroids of the operational event data from all previous second discrete time intervals of the each of the plurality of second discrete time intervals.
However, Giordano discloses:
	the determining the baseline cumulative trajectory of the each of the plurality of baseline event clusters further comprising: 
determining a first centroid (See FIG. 3C; 121 a) of the baseline event data at the each of the plurality of first discrete time intervals (Col. 12, Line #66-67 – Col. 13, Line # 1-5; the point may be the centroid or a geometric center of the cluster. Accordingly, the clusters are represented by their centroids or geometric centers, thus forming a hyper-map to represent the server groups of the CDN; Col. 15; Line # 58-61; The collection of points representing the feature vectors of all servers of the CDN form a hyper-map in this 5-dimensional hyperspace, such as the hyper-map A (121 a) shown in FIG. 3C), and 
determining a centroid for a baseline cumulative rolling wave at the each of the plurality of first discrete time intervals using a sum of the first centroid of the baseline event data at the each of the plurality of first discrete time intervals and the first centroids of the baseline event data from all previous first discrete time intervals of the each of the plurality of first discrete time intervals (Col. 10, Line # 11-16; the flows are captured and parsed throughout a pre-configured time interval recurring on a periodic basis (e.g., every minute, hourly, daily, etc.) or triggered in response to an event. Such pre-configured time interval correspond to the aforementioned time window of a snapshot in the network traffic data (330));
determining the operational cumulative trajectory of the each of the plurality of operational event clusters further comprising: 
determining a second centroid (See FIG. 3C; 122 a) of the operational event data at each of the plurality of second discrete time intervals, and determining a centroid for an operational cumulative rolling wave at the each of the plurality of second discrete time intervals using the second centroid of the operational event data at the each of the plurality of second discrete time intervals and the second centroids of the operational event data from all previous second discrete time intervals of the each of the plurality of second discrete time intervals (Col. 10, Line # 11-16; the flows are captured and parsed throughout a pre-configured time interval recurring on a periodic basis (e.g., every minute, hourly, daily, etc.) or triggered in response to an event. Such pre-configured time interval correspond to the aforementioned time window of a snapshot in the network traffic data (330); Col. 16, Line # 9-20; To track the evolution of a clustering (i.e., a collection of clusters) over time, two clusterings C(i) and C(i+1) are generated from two snapshots X(i) and X(i+1), one subsequent to another. In particular, X(i) and C(i) correspond to the hyper-map A (212 a) and hyper-map (212 b), respectively, shown in FIG. 3C. In addition, the subsequent hyper-map A (122 a) and subsequent hyper-map B (122 b) are evolved versions of the hyper-map A (212 a) and hyper-map (212 b), respectively, that correspond to a subsequent snapshot (referred to as snapshot i+1) of the network traffic flows captured from the CDN shown in FIG. 3A).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the references of Schimert, Wang and Gonsalves and detect a centroid of clusters of collected data, as disclosed by Giordano.
The motivation to detect a centroid of clusters of collected data is to find a mean position of the collected data and display it in the form of a graph.
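The centroid and cumulative rolling wave limitations of claims 1 and 10 describe a computation that is easier to follow in code than in claim language. The following is an added worked example, written for this analysis; it is not code from the application, from Schimert, Wang, Gonsalves or Giordano, and the event records, feature vectors, interval length and distance threshold are constructed sample values. It assumes a per-interval centroid is the mean of the feature vectors of the events falling in that interval, and that the rolling wave centroid at interval k is the sum of the interval centroids for intervals 0 through k divided by their count (the claim recites the sum; dividing by the count so the result is itself a centroid is this example's assumption). Baseline and operational trajectories are then compared interval by interval and an alert is raised where they diverge by more than a predetermined distance.

```python
"""Cumulative rolling wave centroid trajectories (added example, not from the cited references)."""
import math
from collections import defaultdict

# Constructed sample records: (timestamp in seconds, feature vector).
# The two features are hypothetical per-host counts, e.g. (auth failures, new process events).
BASELINE_EVENTS = [
    (0, (2, 5)), (10, (2, 5)),     # interval 0
    (70, (3, 4)), (80, (1, 6)),    # interval 1
    (130, (2, 5)), (150, (2, 5)),  # interval 2
]
OPERATIONAL_EVENTS = [
    (0, (2, 5)), (20, (2, 5)),       # interval 0: matches baseline
    (65, (2, 4)), (90, (2, 6)),      # interval 1: matches baseline
    (125, (14, 23)), (140, (16, 27)),  # interval 2: sharply higher activity
]
INTERVAL_SECONDS = 60      # constructed "discrete time interval" length
DIVERGENCE_THRESHOLD = 3.0  # constructed "predetermined distance"


def interval_centroids(records, interval_len, start=0):
    """Partition records into discrete time intervals and return one centroid per interval.

    Intervals with no events yield None so that later steps can skip them.
    """
    buckets = defaultdict(list)
    for ts, vec in records:
        buckets[int((ts - start) // interval_len)].append(vec)
    n_intervals = max(buckets) + 1 if buckets else 0
    centroids = []
    for i in range(n_intervals):
        vecs = buckets.get(i, [])
        if not vecs:
            centroids.append(None)
            continue
        dim = len(vecs[0])
        centroids.append(tuple(sum(v[d] for v in vecs) / len(vecs) for d in range(dim)))
    return centroids


def rolling_wave(centroids):
    """Cumulative rolling wave: at interval k, the sum of the centroids of intervals 0..k
    that carry data, divided by their count (assumed normalization)."""
    trajectory = []
    running_sum = None
    count = 0
    for c in centroids:
        if c is not None:
            running_sum = list(c) if running_sum is None else [a + b for a, b in zip(running_sum, c)]
            count += 1
        trajectory.append(None if running_sum is None else tuple(s / count for s in running_sum))
    return trajectory


def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def detect_divergence(baseline_traj, operational_traj, threshold):
    """Compare the two cumulative trajectories interval by interval.

    Returns (interval_index, distance) for every interval where the operational
    rolling wave centroid is more than `threshold` away from the baseline one.
    Intervals missing from either trajectory are skipped rather than alerted on.
    """
    alerts = []
    for i, (b, o) in enumerate(zip(baseline_traj, operational_traj)):
        if b is None or o is None:
            continue
        d = euclidean(b, o)
        if d > threshold:
            alerts.append((i, d))
    return alerts


def run_example():
    base = rolling_wave(interval_centroids(BASELINE_EVENTS, INTERVAL_SECONDS))
    oper = rolling_wave(interval_centroids(OPERATIONAL_EVENTS, INTERVAL_SECONDS))
    return base, oper, detect_divergence(base, oper, DIVERGENCE_THRESHOLD)


if __name__ == "__main__":
    base, oper, alerts = run_example()
    for i, (b, o) in enumerate(zip(base, oper)):
        print(f"interval {i}: baseline={b} operational={o}")
    print("alerts:", alerts)
```

Because the rolling wave accumulates every prior interval, a single burst in interval 2 moves the operational centroid only partway toward the burst (to roughly (6.3, 11.7) against a baseline of (2, 5)); the threshold therefore governs how large and how sustained a deviation must be before the trajectories are declared divergent, which is the trade-off between sensitivity and false alerts a practitioner would tune.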
Regarding claim 11, the combination of Schimert, Wang, Gonsalves and Giordano discloses:
The system of claim 10, wherein: the plurality of deterministic target systems include a plurality of types, and the plurality of types include one or more configurations; the baseline event data includes a plurality of records that associate baseline events, respectively, with a timestamp, one of the plurality of types, and one of a plurality of configurations; and the operational event data includes a plurality of records that associate operational events, respectively, with a timestamp, one of the plurality of types and one of the plurality of configurations (Schimert: [0043]).
Regarding claim 12, the combination of Schimert, Wang, Gonsalves and Giordano discloses:
The system of claim 11, wherein: the plurality of types comprise a plurality of aircraft fleets; and the plurality of configurations comprise configurations of data processing systems in the plurality of aircraft fleets (Schimert: [0005]).
Regarding claim 14, the combination of Schimert, Wang, Gonsalves and Giordano discloses:
The system of claim 12, further comprising: determining a number of configurations included in the plurality of types; and determining initial baseline event clusters by partitioning pairs of complementary baseline events into a first plurality of sets corresponding to the number of configurations; and determining initial operational event clusters by partitioning pairs of complementary operational events into a second plurality of sets corresponding to the number of configurations (Schimert: [0004-0005] & [0056]).
Regarding claim 18, the combination of Schimert, Wang, Gonsalves and Giordano discloses:
The system of claim 10, wherein comparing the baseline cumulative trajectories with the operational cumulative trajectories comprises plotting a graph comparing the first centroid for a cumulative rolling wave over the plurality of discrete time intervals with the second centroid for the cumulative rolling wave over the plurality of discrete time intervals (Schimert: [0052]).
Regarding claim 19, Schimert discloses:
A computer-program product comprising computer-readable program instructions stored on a computer-readable data storage device that, when executed by a processor, controls a computing device to perform operations comprising:
receiving, by a processor, baseline event data during operation of a plurality of target systems directly after one of being initially fielded (i.e., initial training data such as data collected under normal operating conditions interpreted as ‘receiving baseline event data after being initially fielded’) or directly after being upgraded ([0005] In accordance with a further embodiment of the present invention, a data-driven method for detecting anomalies in sensor data from an aircraft may include two main steps. The first step may define data sets collected under normal operating conditions from a plurality of aircraft systems, and determines limits. Empirical models may be applied to reduce a possible high dimension of sensor data. These models and limits may be called “baseline” models and limits; [0041] FIG. 2A is a flow chart of an example of a method 200 to extract initial training data or baseline data),
the baseline event data being time-stamped information (Schimert: [0032-0033] & [0043]);
determining, by the processor, a plurality of baseline event clusters (see [0042] i.e. cluster of normal operating conditions (NOC) such as sensor data from various aircraft systems) using the baseline event data by determining one or more pairs of complementary baseline events recorded in the baseline event data that correspond to activities performed during the alert condition (See [0036] i.e., alert whether an anomaly is likely to occur) ([0033] Also in block 104, limits for monitoring quantities may be determined based on typical ranges of values under NOC. Such a limit is called a NOC limit. A monitoring chart displays the monitoring quantities versus time. A NOC limit may be represented in the monitoring chart by a horizontal line. A monitoring result is the decision at any one time whether a quantity exceeds the limit (alert); [0036] In block 110 the monitoring results from block 108 may be fused or consolidated to produce a consensus decision, i.e. alert/normal on whether an anomaly is likely to occur. A monitoring result can be viewed as a decision, i.e., whether a monitoring quantity at a particular time exceeds the limit (alert));
determining, by the processor, a baseline cumulative trajectory (see [0052] i.e. dashed diagonally straight line 406 in FIG. 4 which is construed as baseline cumulative trajectory) of each of the plurality of baseline event clusters by partitioning the each of the plurality of baseline event clusters into a plurality of first discrete time intervals (see FIG. 2; i.e. timeline) within a first time period ([0041] In block 206, a timeline of flight deck effects 204 of interest may be determined from the observed training data; [0044] In block 218, additional criteria may be applied to further extract data to produce the initial training data 220 based substantially on normal operating conditions; [0048] In block 228, models are fit to the final training data to generate NOC or baseline models 230; [0052] The robust distances 402 are determined from the robust principal components and the usual distances 404 are determined from the usual principal components. Deviations from the dotted diagonal line 406 indicate candidate outliers) that is longer than an expected length of the alert condition (See FIG. 8; [0063] Each sub-chart 802 or sub-plot illustrates a level 804 (0-4 in this example) of contribution for each different parameter 806 observed for each respective date, set of dates or occurrence; [0064] In the example illustrated in FIG. 8, for the specific date or dates corresponding to sub-chart 802 a, parameter 10 had the highest level of contribution to causing the alert in the monitoring chart exceeding the predetermined NOC limit), 
receiving, by the processor and from the plurality of the target systems, operational event data (i.e., new sensor data is construed as operational event data) (see FIG. 5; [0058] In block 502, new sensor data in contrast to initial training data may be collected; [0061] In block 510 monitoring results may be fused or consolidated to form a single consensus result, alert/no alert; [0062] In block 512, a determination may be made if there is a consensus alert from the fused results. Since the fused results are a consolidation or fusion of multiple decisions, the alert may be referred to as a consensus alert);
determining, by the processor, a plurality of operational event clusters (i.e. sensor data from flight control) using the operational event data (i.e. new sensor data) by determining one or more pairs of complementary operational events recorded (see FIG. 5; i.e. collected new data) in the operational event data that correspond to activities performed during the alert condition; ([0059] In block 504, the new data may be projected onto models of NOC, such as models 230 developed in FIG. 2B; [0062] In block 512, a determination may be made if there is a consensus alert from the fused results … If there is a determination in block 512 that there is a consensus alert, the method 500 may advance to block 516);
Application No.: 14/839,327    Attorney Docket No.: 15-0849-US-NP/0192.0034
determining, by the processor, an operational cumulative trajectory (see [0033] i.e. exceeds the limit) of each of the plurality of operational event clusters by partitioning each of the plurality of operational event clusters into a plurality of second discrete time intervals (see FIG. 8; i.e. respective date, set of dates) within a second time period ([0059] In block 506, quantities to be monitored may be calculated … One type of quantity represents a distance of a parameter observation to a center within a space spanned by a chosen number of components. Another type of quantity is a residual or an orthogonal distance of the parameter observation to the model space. Thus the two types of quantities measure closeness of an observation to NOC according to what the NOC model describes, and in addition measures any left over distance that the model does not describe. These quantities can be compared to their corresponding limit determined earlier using baseline data. At any time point, if the quantity exceeds the limit, an alert is generated; [0063] FIG. 8 illustrates an example of a contribution plot 800 including a trellis of four contribution plots or sub-charts 802 a-802 d. Each sub-chart 802 or sub-plot illustrates a level 804 (0-4 in this example) of contribution for each different parameter 806 observed for each respective date, set of dates or occurrence) that is longer than an expected length of the alert condition (See FIG. 8 for observing data over various lengths of time; [0063] Each sub-chart 802 or sub-plot illustrates a level 804 (0-4 in this example) of contribution for each different parameter 806 observed for each respective date, set of dates or occurrence; [0064] In the example illustrated in FIG. 8, for the specific date or dates corresponding to sub-chart 802 a, parameter 10 had the highest level of contribution to causing the alert in the monitoring chart exceeding the predetermined NOC limit),
detecting, by the processor, the alert condition (i.e., detection of an anomaly based on comparing new sensor data with baseline data) occurring within the plurality of target systems by comparing the baseline cumulative trajectories of the plurality of baseline event clusters with the operational cumulative trajectories of the plurality of operational event clusters and determining that the baseline cumulative trajectories and the operational cumulative trajectories diverge by more than a predetermined distance ([0005] The second step may detect any anomalies in new sensor data by projecting onto the baseline models, and comparing monitored quantities to baseline limits; [0034] In block 106, parameters collected from sensors coupled to the various systems may be monitored by calculating quantities from the collected parameter data and NOC models and comparing with NOC limits established in block 104 for NOC data; [0039] In block 118, which parameter or parameters are most likely to have caused the alert may be determined from the contribution plot or plots. This is done by comparing each parameter contribution to the monitored quantity, relative to the parameter contribution under baseline or normal operation conditions); and 
outputting, by the processor, an indication regarding the detected alert condition ([0062] In block 512, a determination may be made if there is a consensus alert from the fused results. Since the fused results are a consolidation or fusion of multiple decisions, the alert may be referred to as a consensus alert).
Schimert fails to disclose:
	receiving event data [baseline and operational] including records logged by deterministic data processing systems operated by the plurality of target systems; the detected alert condition is a cyber-attack by determining baseline event data which corresponds to activities performed during the cyber-attack to elicit a response from the target systems; determining the baseline cumulative trajectory of the each of the plurality of baseline event clusters further comprising: determining a first centroid of the baseline event data at the each of the plurality of first discrete time intervals, and determining a centroid for a baseline cumulative rolling wave at the each of the plurality of first discrete time intervals using a sum of the first centroid of the baseline event data at the each of the plurality of first discrete time intervals and the first centroids of the baseline event data from all previous first discrete time intervals of the each of the plurality of first discrete time intervals; the determining the operational cumulative trajectory of the each of the plurality of operational event clusters further comprising: determining a second centroid of the operational event data at each of the plurality of second discrete time intervals, and determining a centroid for an operational cumulative rolling wave at the each of the plurality of second discrete time intervals using a sum of the second centroid of the operational event data at the each of the plurality of second discrete time intervals and the second centroids of the operational event data from all previous second discrete time intervals of the each of the plurality of second discrete time intervals; and wherein the received baseline event data contains an initial computer system configuration.
However, Wang discloses:
	receiving event data [baseline and operational] including records logged by deterministic data processing systems operated by the plurality of target systems (Col. 2, Line # 34-53; discloses receiving, processing and logging event batch data from first computing system and second computing system; Col. 4, Line # 2-8; teaches “Deterministic data processing” for event batch data before proceeding to a next processing cycle; Col. 4; Line # 34-42; describes Deterministic processing of events in a distributed (or parallel) computing environment is achieved by creating batches of events based on timestamps (e.g., indicative of a time at which the event occurred) associated with the events, and specifying operations that must occur in order for processing of the events to continue at a next processing stage)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Schimert reference to include a deterministic data processing system for processing event data, as disclosed by Wang.
	The motivation to include a deterministic data processing system for processing event data is to ensure that the processing of event data involves no randomness, so that the future states of the system are reproducibly determined from the retrieved data.
The combination of Schimert and Wang fails to disclose:
	the detected alert condition is a cyber-attack by determining baseline event data which corresponds to activities performed during the cyber-attack to elicit a response from the target systems; determining the baseline cumulative trajectory of the each of the plurality of baseline event clusters further comprising: determining a first centroid of the baseline event data at the each of the plurality of first discrete time intervals, and determining a centroid for a baseline cumulative rolling wave at the each of the plurality of first discrete time intervals using a sum of the first centroid of the baseline event data at the each of the plurality of first discrete time intervals and the first centroids of the baseline event data from all previous first discrete time intervals of the each of the plurality of first discrete time intervals; the determining the operational cumulative trajectory of the each of the plurality of operational event clusters further comprising: determining a second centroid of the operational event data at each of the plurality of second discrete time intervals, and determining a centroid for an operational cumulative rolling wave at the each of the plurality of second discrete time intervals using a sum of the second centroid of the operational event data at the each of the plurality of second discrete time intervals and the second centroids of the operational event data from all previous second discrete time intervals of the each of the plurality of second discrete time intervals.
However, Gonsalves discloses:
	detected alert condition is a cyber-attack by determining event data [correlating historical security event information with current situation state] which corresponds to activities performed during the cyber-attack (i.e., consequences of such events 322 in FIG. 10) to elicit a response [i.e., as disclosed in FIG. 15, security event information such as payload and pattern are correlated to detect cyber-attack which is interpreted as “elicit/produce” a response from victim computer 246 (a-c)] from the target systems ([0065] discloses predicting cyber-attack in light of FIG. 10 by analyzing Fuse Data which is stored in persistent database; Also see [0077] Various ontologies for gathering data will now be described. An embodiment of the Security Event ontology is illustrated in FIG. 15 … Security Event objects are also used by retrieval agents 316 if and when the INAFS system needs access to historical security event data in order to correlate that data with the current situation state. The security event information includes information regarding the security event 318, payload 320, consequences of such events 322 and their pattern information 324).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Schimert and Wang references to include an improved security system and method of detecting cyber-attacks on a network or network element, as disclosed by Gonsalves.
	The motivation to include a device for detecting a cyber-attack is to rapidly and accurately detect various forms of cyber-attacks by monitoring and analyzing events generated in real time.
The combination of Schimert, Wang and Gonsalves fails to disclose:
	determining the baseline cumulative trajectory of the each of the plurality of baseline event clusters further comprising: determining a first centroid of the baseline event data at the each of the plurality of first discrete time intervals, and determining a centroid for a baseline cumulative rolling wave at the each of the plurality of first discrete time intervals using a sum of the first centroid of the baseline event data at the each of the plurality of first discrete time intervals and the first centroids of the baseline event data from all previous first discrete time intervals of the each of the plurality of first discrete time intervals; the determining the operational cumulative trajectory of the each of the plurality of operational event clusters further comprising: determining a second centroid of the operational event data at each of the plurality of second discrete time intervals, and determining a centroid for an operational cumulative rolling wave at the each of the plurality of second discrete time intervals using a sum of the second centroid of the operational event data at the each of the plurality of second discrete time intervals and the second centroids of the operational event data from all previous second discrete time intervals of the each of the plurality of second discrete time intervals.
However, Giordano discloses:
	the determining the baseline cumulative trajectory of the each of the plurality of baseline event clusters further comprising: 
determining a first centroid (See FIG. 3C; 121 a) of the baseline event data at the each of the plurality of first discrete time intervals (Col. 12, Line #66-67 – Col. 13, Line # 1-5; the point may be the centroid or a geometric center of the cluster. Accordingly, the clusters are represented by their centroids or geometric centers, thus forming a hyper-map to represent the server groups of the CDN; Col. 15; Line # 58-61; The collection of points representing the feature vectors of all servers of the CDN form a hyper-map in this 5-dimensional hyperspace, such as the hyper-map A (121 a) shown in FIG. 3C), and 
determining a centroid for a baseline cumulative rolling wave at the each of the plurality of first discrete time intervals using a sum of the first centroid of the baseline event data at the each of the plurality of first discrete time intervals and the first centroids of the baseline event data from all previous first discrete time intervals of the each of the plurality of first discrete time intervals (Col. 10, Line # 11-16; the flows are captured and parsed throughout a pre-configured time interval recurring on a periodic basis (e.g., every minute, hourly, daily, etc.) or triggered in response to an event. Such pre-configured time interval correspond to the aforementioned time window of a snapshot in the network traffic data (330);
determining the operational cumulative trajectory of the each of the plurality of operational event clusters further comprising: 
determining a second centroid (See FIG. 3C; 122 a) of the operational event data at each of the plurality of second discrete time intervals, and determining a centroid for an operational cumulative rolling wave at the each of the plurality of second discrete time intervals using the second centroid of the operational event data at the each of the plurality of second discrete time intervals and the second centroids of the operational event data from all previous second discrete time intervals of the each of the plurality of second discrete time intervals (Col. 10, Line # 11-16; the flows are captured and parsed throughout a pre-configured time interval recurring on a periodic basis (e.g., every minute, hourly, daily, etc.) or triggered in response to an event. Such pre-configured time interval correspond to the aforementioned time window of a snapshot in the network traffic data (330); Col. 16, Line # 9-20; To track the evolution of a clustering (i.e., a collection of clusters) over time, two clusterings C(i) and C(i+1) are generated from two snapshots X(i) and X(i+1), one subsequent to another. In particular, X(i) and C(i) correspond to the hyper-map A (212 a) and hyper-map (212 b), respectively, shown in FIG. 3C. In addition, the subsequent hyper-map A (122 a) and subsequent hyper-map B (122 b) are evolved versions of the hyper-map A (212 a) and hyper-map (212 b), respectively, that correspond to a subsequent snapshot (referred to as snapshot i+1) of the network traffic flows captured from the CDN shown in FIG. 3A).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the references of Schimert, Wang and Gonsalves to detect a centroid of clusters of collected data, as disclosed by Giordano.
The motivation to detect a centroid of clusters of collected data is to find a mean position of the collected data and display it in the form of a graph.
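The per-interval centroid, cumulative rolling wave and trajectory-divergence steps recited in claim 1 above, worked through as an added illustrative example. This is not code from the application or from any of the cited references (Schimert, Wang, Gonsalves, Giordano). It assumes that "centroid for a cumulative rolling wave" means the running sum of the per-interval centroids, that divergence is measured as the Euclidean distance between the two trajectories at aligned intervals, and that the event vectors, interval partitioning and threshold value are constructed sample inputs.

```python
from math import sqrt
from typing import List, Sequence, Tuple

# One event vector per logged record in an interval. The two features here are
# constructed for illustration: (count of one complementary event pair, count of
# a second complementary event pair) observed on a target system.
Point = Tuple[float, ...]


def centroid(points: Sequence[Point]) -> Point:
    """Arithmetic mean of all event vectors falling in one discrete time interval."""
    if not points:
        raise ValueError("an interval needs at least one event vector")
    dims = len(points[0])
    return tuple(sum(p[d] for p in points) / len(points) for d in range(dims))


def cumulative_trajectory(intervals: Sequence[Sequence[Point]]) -> List[Point]:
    """Per-interval centroids, then the 'cumulative rolling wave' centroid at each
    interval: the sum of this interval's centroid and all previous centroids
    (assumption: the claim's cumulative rolling wave is read as a running sum)."""
    trajectory: List[Point] = []
    running: Point = ()
    for points in intervals:
        c = centroid(points)
        running = c if not running else tuple(a + b for a, b in zip(running, c))
        trajectory.append(running)
    return trajectory


def euclid(a: Point, b: Point) -> float:
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def max_divergence(baseline: Sequence[Point], operational: Sequence[Point]) -> float:
    """Largest distance between the two trajectories over the intervals both cover."""
    n = min(len(baseline), len(operational))
    return max(euclid(baseline[i], operational[i]) for i in range(n))


def detect_alert(baseline_intervals, operational_intervals, threshold: float):
    """Compare baseline and operational cumulative trajectories; alert when they
    diverge by more than the predetermined distance. Returns (alert, divergence)."""
    base = cumulative_trajectory(baseline_intervals)
    oper = cumulative_trajectory(operational_intervals)
    d = max_divergence(base, oper)
    return d > threshold, d


# Constructed sample data: four discrete time intervals, each holding the event
# vectors recorded in that interval. Every baseline interval has centroid (1, 2).
BASELINE = [
    [(1, 2), (1, 2), (1, 2)],
    [(0, 2), (2, 2)],
    [(1, 1), (1, 3)],
    [(1, 2)],
]

# Operational data that tracks the baseline: identical centroids, no alert.
OPERATIONAL_NORMAL = [
    [(1, 2)],
    [(1, 2)],
    [(0, 2), (2, 2)],
    [(1, 3), (1, 1)],
]

# Operational data whose last two intervals shift to centroid (6, 20); because
# the trajectory is cumulative, the gap to the baseline keeps widening.
OPERATIONAL_ANOMALOUS = [
    [(1, 2), (1, 2)],
    [(1, 2)],
    [(5, 18), (7, 22)],
    [(6, 20)],
]

THRESHOLD = 5.0  # constructed predetermined distance

if __name__ == "__main__":
    print("baseline trajectory:", cumulative_trajectory(BASELINE))
    print("normal   :", detect_alert(BASELINE, OPERATIONAL_NORMAL, THRESHOLD))
    print("anomalous:", detect_alert(BASELINE, OPERATIONAL_ANOMALOUS, THRESHOLD))
```

Because each trajectory point carries the sum of every earlier centroid, a sustained shift in the operational data produces a divergence that grows interval by interval rather than a single spike, which is what makes the comparison against a baseline trajectory covering a longer period than the expected alert condition meaningful.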
Regarding claim 21, the combination of Schimert, Wang, Gonsalves and Giordano discloses:
The method of claim 1, wherein: 
the operational event data includes activities of the advanced persistent threat cyber-attack that determine network information of the target systems (Gonsalves: [0116]).
Regarding claim 22, the combination of Schimert, Wang, Gonsalves and Giordano discloses:
The method of claim 1, wherein the baseline event data and the operational event data consist of information describing the deterministic target systems and event data generated by the deterministic target systems (Schimert: [0005] & [0031]).
Regarding claim 23, the combination of Schimert, Wang, Gonsalves and Giordano discloses:
The method of claim 21, wherein: 
The plurality of target systems include a plurality of target system types (Schimert: [0072]);
the plurality of target system types include one or more target system configurations (Schimert: [0032]);
the baseline event data and the operational event data associate the activities of the advanced persistent threat cyber-attack with the plurality of the target system types, the one or more target system configurations, and the timestamps (Schimert: [0043]).
Regarding claim 25, the combination of Schimert, Wang, Gonsalves and Giordano discloses:
The system of claim 10, wherein: 
the operational event data includes activities of the advanced persistent threat cyber-attack that determine network information of the target systems (Gonsalves: [0116]).
Regarding claim 26, the combination of Schimert, Wang, Gonsalves and Giordano discloses:
The system of claim 10 wherein the baseline event data and the operational event data include information describing the target systems and event data generated by the target systems (Schimert: [0005] & [0031]).


Claims 6, 15, 20 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Schimert (US20090216393A1) in view of Wang et al., (US8910188B1) in view of Gonsalves et al., (US20110264608A1) in view of Giordano et al., (US9686173B1) and further in view of Amit et al., (US20140283026A1).
Regarding claim 6, the combination of Schimert, Wang, Gonsalves and Giordano discloses:
The method of claim 5, wherein: 
determining, using the initial baseline event clusters (Schimert: [0057] In block 310, a determination may be made if an observation belongs to a cluster of NOC; [0068] In block 604, a clustering ensemble methodology may be applied to the matrices of block 602 to reach a consensus decision or consensus alert. Blocks 602 and 604 together apply a clustering ensemble methodology similar to that described with respect to FIG. 4); and 
determining, using the initial operational event clusters (Schimert: [0057] In block 314, all remaining observations may be added to the final training data 224 in FIG. 2B; [0068] In block 604, a clustering ensemble methodology may be applied to the matrices of block 602 to reach a consensus decision or consensus alert. Blocks 602 and 604 together apply a clustering ensemble methodology similar to that described with respect to FIG. 4).
The combination of Schimert, Wang, Gonsalves and Giordano fails to disclose:
using a K-means clustering algorithm.
However, Amit discloses:
	using a K-means clustering algorithm ([0081] On step 232, an event graph may be built using the determined distances, and event clusters may be identified from the graph using any clustering methods such as K-means clustering, Graph K-Means, Information bottleneck, Page-Rank clustering or others).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the references of Schimert, Wang, Gonsalves and Giordano to have a system which uses various clustering algorithms to build event graphs to determine anomalies in computer systems based on event data, as taught by Amit.
The motivation is to prevent data loss from the computer network based on monitoring and analyzing data patterns from different sources through building visual event graphs.
Regarding claim 15, the combination of Schimert, Wang, Gonsalves and Giordano discloses:
The system of claim 14, wherein: determining, using the initial baseline event clusters (Schimert: [0057] In block 310, a determination may be made if an observation belongs to a cluster of NOC; [0068] In block 604, a clustering ensemble methodology may be applied to the matrices of block 602 to reach a consensus decision or consensus alert. Blocks 602 and 604 together apply a clustering ensemble methodology similar to that described with respect to FIG. 4);
and determining, using the initial operational event clusters (Schimert: [0057] In block 314, all remaining observations may be added to the final training data 224 in FIG. 2B; [0068] In block 604, a clustering ensemble methodology may be applied to the matrices of block 602 to reach a consensus decision or consensus alert. Blocks 602 and 604 together apply a clustering ensemble methodology similar to that described with respect to FIG. 4).
The combination of Schimert, Wang, Gonsalves and Giordano fails to disclose:
using a K-means clustering algorithm.
However, Amit discloses:
	using a K-means clustering algorithm ([0081] On step 232, an event graph may be built using the determined distances, and event clusters may be identified from the graph using any clustering methods such as K-means clustering, Graph K-Means, Information bottleneck, Page-Rank clustering or others).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the references of Schimert, Wang, Gonsalves and Giordano to have a system which uses various clustering algorithms to build event graphs to determine anomalies in computer systems based on event data, as taught by Amit.
The motivation is to prevent data loss from the computer network based on monitoring and analyzing data patterns from different sources through building visual event graphs.
Regarding claim 20, the combination of Schimert, Wang, Gonsalves and Giordano discloses:
The computer program product of claim 19, wherein the operations further comprise:
determining a number of configurations included in the plurality of deterministic target systems (Schimert: [0057] In block 310, a determination may be made if an observation belongs to a cluster of NOC; [0068] In block 604, a clustering ensemble methodology may be applied to the matrices of block 602 to reach a consensus decision or consensus alert. Blocks 602 and 604 together apply a clustering ensemble methodology similar to that described with respect to FIG. 4);		
determining initial baseline event clusters by partitioning pairs of complementary baseline events into a first plurality of sets corresponding to the number of configurations (Schimert: [0057] In block 314, all remaining observations may be added to the final training data 224 in FIG. 2B; [0068] In block 604, a clustering ensemble methodology may be applied to the matrices of block 602 to reach a consensus decision or consensus alert. Blocks 602 and 604 together apply a clustering ensemble methodology similar to that described with respect to FIG. 4);
	determining, using the initial baseline event clusters (Schimert: [0068] In block 604, a clustering ensemble methodology may be applied to the matrices of block 602 to reach a consensus decision or consensus alert. Blocks 602 and 604 together apply a clustering ensemble methodology similar to that described with respect to FIG. 4. Since monitoring algorithms partition a data set into alert/normal (or its fuzzy clustering equivalent), this invention takes the novel step of applying the cluster ensemble methodology of generating a variety of partitions (or alert/normal decisions) and then combining the results to reach a consensus decision);
	determining initial operational event clusters by partitioning pairs of complementary operational events into a second plurality of sets corresponding to the number of configurations (Schimert: [0005] The second step may detect any anomalies in new sensor data by projecting onto the baseline models, and comparing monitored quantities to baseline limits. At any time, if the baseline limit is exceeded, an alert is generated. Otherwise the observation is considered normal; [0056] In general, clustering algorithms determine structure within data by organizing it into groups or clusters. Many algorithms exist, but no single algorithm can handle all sorts of cluster shapes and structures. Each algorithm has its own bias and assumptions. Different clustering algorithms may partition a given data set differently. Even a single clustering algorithm may produce several partitions for different initializations or design parameters);
	and determining, using the initial operational event clusters (Schimert: [0068] In block 604, a clustering ensemble methodology may be applied to the matrices of block 602 to reach a consensus decision or consensus alert. Blocks 602 and 604 together apply a clustering ensemble methodology similar to that described with respect to FIG. 4. Since monitoring algorithms partition a data set into alert/normal (or its fuzzy clustering equivalent), this invention takes the novel step of applying the cluster ensemble methodology of generating a variety of partitions (or alert/normal decisions) and then combining the results to reach a consensus decision).
The combination of Schimert, Wang, Gonsalves and Giordano fails to disclose:
using a K-means clustering algorithm.
However, Amit discloses:
	using a K-means clustering algorithm ([0081] On step 232, an event graph may be built using the determined distances, and event clusters may be identified from the graph using any clustering methods such as K-means clustering, Graph K-Means, Information bottleneck, Page-Rank clustering or others).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the references of Schimert, Wang, Gonsalves and Giordano to have a system which uses various clustering algorithms to build event graphs to determine anomalies in computer systems based on event data, as taught by Amit.
The motivation is to prevent data loss from the computer network based on monitoring and analyzing data patterns from different sources through building visual event graphs.
Regarding claim 24, the combination of Schimert, Wang, Gonsalves and Giordano discloses:
The method of claim 23, further comprising:
determining a number of configurations included in the plurality of deterministic target systems (Schimert: [0004]);		
determining initial baseline event clusters by partitioning pairs of complementary baseline events into a first plurality of sets corresponding to the number of configurations (Schimert: [0005] & [0056]);
	determining, using the initial baseline event clusters (Schimert: [0068]);
	determining initial operational event clusters by partitioning pairs of complementary operational events into a second plurality of sets corresponding to the number of configurations (Schimert: [0005] & [0056]);
	and determining, using the initial operational event clusters (Schimert: [0068]).
The combination of Schimert, Wang, Gonsalves and Giordano fails to disclose:
using a K-means clustering algorithm.
However, Amit discloses:
	using a K-means clustering algorithm ([0081] On step 232, an event graph may be built using the determined distances, and event clusters may be identified from the graph using any clustering methods such as K-means clustering, Graph K-Means, Information bottleneck, Page-Rank clustering or others).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the references of Schimert, Wang, Gonsalves and Giordano to have a system which uses various clustering algorithms to build event graphs to determine anomalies in computer systems based on event data, as taught by Amit.
The motivation is to prevent data loss from the computer network based on monitoring and analyzing data patterns from different sources through building visual event graphs.
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/S.M.A./Patent Examiner, Art Unit 2432                  

/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432