DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 10/28/2022 has been entered.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 1-4, 6-7, 13, 14-15 and 18-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Herwadkar et al. (US PGPUB No. 2019/0102553; Pub. Date: Apr. 4, 2019) in view of Vasseur et al. (US PGPUB No. 2017/0279833; Pub. Date: Sep. 28, 2017) and Zhao et al. (US PGPUB No. 2018/0096410; Pub. Date: Apr. 5, 2018).
Regarding independent claim 1,
	Herwadkar discloses a system for false positive detection comprising: an interface configured to receive a transaction data; See Paragraph [0041], (Disclosing a method for detecting an anomaly in queries of a relational database. The method including a monitoring apparatus for analyzing queries received by the RDBMS, i.e. an interface configured to receive transaction data.).
and a processor configured to: determine whether the transaction data is a statistical outlier; See Paragraph [0041], (The monitoring apparatus analyzes queries received by the RDBMS in order to determine anomalies. Note [0151] wherein the method extracts attribute values from a query in order to identify outlier values, i.e. determine whether transaction data is a statistical outlier.).
and in response to the transaction data being the statistical outlier: query database data to determine whether the transaction data is a false positive; See FIG. 3 and Paragraph [0117]-[0118], (FIG.3  illustrating steps for performing frequency-based anomaly detection in relational database queries. An incoming query may be matched to one or more non-anomalous queries at step 302, i.e. querying a database. If a query matches one or more non-anomalous queries, the frequency of said query is determined and compared to a frequency threshold. The frequency threshold may reflect a false positive tolerance, i.e. determining whether the transaction data is a false positive.).
in response to the transaction data being the false positive, indicate that the transaction data is normal. See Paragraph [0119], (If the query's frequency meets the frequency threshold, the query may be identified as non-anomalous and no further output and/or analysis is required, i.e. indicating that the transaction data is normal.).
Herwadkar does not disclose the step comprising to: select an object graph associated with the transaction data, wherein the object graph comprises a set of relationships that exist amongst a set of objects;
and in response to the transaction data not being the false positive, indicate that the transaction data is an unknown potential error.
Vasseur discloses the step comprising to: select an object graph associated with the transaction data, wherein the object graph comprises a set of relationships that exist amongst a set of objects; See Paragraph [0049], (Disclosing a system for anomaly detection of a graph-based model. A self-learning network (SLN) infrastructure may use graph-based models, i.e. selecting an object graph (e.g. the SLN anomaly detection process is directed to a graph-based model), for anomaly detection purposes wherein said graph-based models represent relationships between entities as a graph of nodes interconnected by edges, i.e. an object graph comprising a set of relationships that exist among a set of objects.)
and in response to the transaction data not being the false positive, indicate that the transaction data is an unknown potential error. See Paragraph [0069], (Disclosing a system for anomaly detection of a graph-based model. The anomaly detection may employ classifiers trained to recognize legitimate scanning behaviors in order to reduce the rate of false positives by correctly recognize legitimate scanners. Anomalies may be flagged as legitimate and subsequently processed by a central controller, i.e. in response to the transaction data not being the false positive, indicate that the transaction data is an unknown potential error (e.g. determining that the anomaly is legitimate).)
Herwadkar and Vasseur are analogous art because they are in the same field of endeavor, anomaly detection. It would have been obvious to anyone having ordinary skill in the art before the effective filing date to modify the system of Herwadkar to include the method of detecting anomalies using graph-based models as disclosed by Vasseur. Doing so would allow the system to discover anomalies for a graph via machine learning techniques that become more accurate over time, thereby improving the detection of legitimate anomalies for a graph model.
Herwadkar-Vasseur does not disclose the step of determin[ing] whether relation types originating from the transaction data conform with the set of relationships, comprising to: select a relation type of the relation types;
and determine whether the relation type conforms with at least one relationship of the set of relationships;
and in response to a determination that the relation types originating from the transaction data do not conform with the set of relationships, determine the transaction data is not a false positive;
Zhao discloses the step of determin[ing] whether relation types originating from the transaction data conform with the set of relationships, comprising to: select a relation type of the relation types; See Paragraph [0047], (Disclosing a system for providing matching information of a business object. The method includes determining a matching relationship between business objects corresponding to a target category.) See Paragraph [0042], (Target categories are determined based on preset category matching information and a category to which a first object belongs, i.e. select a relation type of the relation types (e.g. determining a target is a form of selection).)
and determine whether the relation type conforms with at least one relationship of the set of relationships; See Paragraph [0047], (The method may determine if two objects have a matching relationship with a target category based on a clustering methodology employed to avoid false-positives.)
and in response to a determination that the relation types originating from the transaction data do not conform with the set of relationships, determine the transaction data is not a false positive; See Paragraph [0047], (A clustering technique may be applied to determine whether the matching category may be used based on historical activity records of a number of users in order to avoid false-positives, i.e. in response to a determination that the relation types originating from the transaction data do not conform with the set of relationships, determine the transaction data is not a false positive (e.g. the clustering technique may determine that the target match is not a false positive).)
Herwadkar-Vasseur and Zhao are analogous art because they are in the same field of endeavor, anomaly detection. It would have been obvious to anyone having ordinary skill in the art before the effective filing date to modify the system of Herwadkar-Vasseur to include the method of determining matching relations as disclosed by Zhao. Paragraph [0047] of Zhao discloses that the clustering techniques employed prevent misidentifying matching target categories for objects by avoiding false positives via the use of historical records. This represents an improvement due to the reduction in false positives by ensures that matches are correctly identified according to preceding matches.

Regarding dependent claim 2,
As discussed above with claim 1, Herwadkar-Vasseur-Zhao discloses all of the limitations.
	Herwadkar further discloses the step wherein the processor is further configured to determine whether there is an error detected using a classifier. See Paragraph [0037], (The anomaly detection system classifies queries as anomalous based on an adaptive thresholding process, i.e. an anomaly is equivalent to an error, detecting an anomaly is equivalent to detecting an error.).

Regarding dependent claim 3,
As discussed above with claim 2, Herwadkar-Vasseur-Zhao discloses all of the limitations.
	Herwadkar further discloses the step wherein the classifier comprises a multi-category classifier. See Paragraph [0155], (Queries may be classified as anomalous, otherwise they may be classified as normal, i.e. multiple categories of classification.)


Regarding dependent claim 4,
As discussed above with claim 2, Herwadkar-Vasseur-Zhao discloses all of the limitations.
	Herwadkar further discloses the step wherein the classifier comprises a model-based classifier. See Paragraph [0152], (The query evaluation process of FIG. 6 includes comparing attribute values extracted from a query to a corresponding distribution model used to identify outlier values, i.e. the classifier and/or classification process are based on distribution models, i.e. a model-based classifier.)

Regarding dependent claim 6,
As discussed above with claim 2, Herwadkar-Vasseur-Zhao discloses all of the limitations.
	Herwadkar further discloses the step wherein the processor is further configured to determine whether the transaction data is a statistical outlier in response to determining that the error is not detected using the classifier. See Paragraph [0155], (The query evaluation process includes determining a probability cutoff based on how many of the feature attributes in a query are outliers, i.e. determining whether transaction data is a statistical outlier. If the probability is greater than the threshold, the query is classified as normal, i.e. an error is not detected using the classifier.)



Regarding dependent claim 7,
As discussed above with claim 1, Herwadkar-Vasseur-Zhao discloses all of the limitations.
	Herwadkar further discloses the step wherein the processor is further configured to indicate that the transaction data does not comprise an unknown potential error in response to the transaction data not being the statistical outlier. See Paragraph [0155], (The query evaluation process includes determining a probability cutoff based on how many of the feature attributes in a query are outliers, i.e. determining whether transaction data is a statistical outlier. If the probability is greater than the threshold, the query is classified as normal, i.e. a query that is classified as "normal" does not comprise an unknown potential error and does not represent a statistical outlier.)

Regarding dependent claim 13,
As discussed above with claim 1, Herwadkar-Vasseur-Zhao discloses all of the limitations.
	Herwadkar further discloses the step wherein the database data is stored using a database system. See FIG. 1 and Paragraph [0040], (RDBMS 122 manages and/or maintains relational databases 128, 130, i.e. database data stored using a database system.)


Regarding dependent claim 14,
As discussed above with claim 1, Herwadkar-Vasseur-Zhao discloses all of the limitations.
	Vasseur further discloses the step wherein the database data comprises an object graph. See Paragraph [0049], (Graph-based models may be used for the purposes of anomaly detection and may represent information between objects. For example, an ego-centric graph may represent the relationship between a social networking profile and other profiles connected to it, i.e. database data comprising an object graph (e.g. social networking data maintained in storage representing profile data objects).)

Regarding dependent claim 15,
	As discussed above with claim 1, Herwadkar-Vasseur-Zhao discloses all of the limitations.
	Herwadkar further discloses the step wherein the database data comprises relational database data. See FIG. 1 and Paragraph [0040], (RDBMS 122 manages and/or maintains relational databases 128, 130, i.e. data stored in a relational database is relational database data.)


Regarding dependent claim 18,
As discussed above with claim 1, Herwadkar-Vasseur-Zhao discloses all of the limitations.
	Vasseur further discloses the step wherein the transaction data comprises at least one of: financial data, journal line data, record-based data, or human resources system data. See Paragraph [0061], (Graph-based models may be used to detect anomalies by comparing models with current network characteristics such as traffic patterns, etc.) Note [0044] wherein traffic record inputs may be used to perform anomaly detection in a network environment, i.e. record-based data (e.g. network traffic records).)
	The examiner notes that the step " at least one of: financial data, journal line data, record-based data, or human resources system data. " is optional due to the use of the terms “at least one of” and "or", the claim requires selection of an element from a list of alternatives, the prior art teaches the element if one of the alternatives is taught by the prior art, see MPEP 2143.03.

Regarding independent claim 19,
	The claim is analogous to the subject matter of independent claim 1 directed to a method or process and is rejected under similar rationale.

Regarding independent claim 20,
	The claim is analogous to the subject matter of independent claim 1 directed to a non-transitory, computer readable medium and is rejected under similar rationale.
Claims 9-12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Herwadkar in view of Vasseur and Zhao as applied to claim 1 above, and further in view of Baradaran et al. (US PGPUB No. 2017/0126718; Pub. Date: May 4, 2017).
Regarding dependent claim 9,
As discussed above with claim 1, Herwadkar-Vasseur-Zhao discloses all of the limitations.
Herwadkar-Vasseur-Zhao does not disclose the step wherein the processor is further configured to determine using feedback whether the unknown potential error is an actual error in response to the transaction data not being the false positive.
Baradaran discloses the step wherein the processor is further configured to determine using feedback whether the unknown potential error is an actual error in response to the transaction data not being the false positive. See Paragraph [0323], (Univariate and multivariate rules may be updated based on user input received for a particular anomaly in order to generate further information about said anomaly, i.e. users may provide feedback to further explain and/or encompass all possible anomaly explanations, i.e. determining whether an error is an actual error.). The examiner notes that the process of [0323] is performed if an anomaly is detected, i.e. no false positives are detected.
	Herwadkar, Vasseur, Zhao and Baradaran are analogous art because they are in the same field of endeavor, anomaly detection. It would have been obvious to anyone having ordinary skill in the art before the effective filing date to modify the system of Herwadkar- Vasseur-Zhao to include the anomaly detection and method of output as described by Baradaran. Doing so would allow users to receive indication of anomalies the potential reason(s) for said anomalies. The method may also provide outputs following determination that network traffic is not anomalous, including false positives, and similarly generating output information for a user as described in Paragraph [0323] of Baradaran. The resulting improvement would be the delivery of anomaly and/or false positive information to a user allowing them to react accordingly.

Regarding dependent claim 10,
As discussed above with claim 9, Herwadkar-Vasseur-Zhao-Baradaran discloses all of the limitations.
Baradaran further discloses the step wherein feedback comprises active feedback or passive feedback. See Paragraph [0323], (Univariate and multivariate rules may be updated based on user input received for a particular anomaly in order to generate further information about said anomaly, i.e. users input is active feedback.) The examiner notes that Paragraph [0037] of Applicant's Specification describe "active feedback" as a user response that is provided via user interface, therefore the user input responses of Baradaran comprise "active feedback".
	Herwadkar, Vasseur, Zhao and Baradaran are analogous art because they are in the same field of endeavor, anomaly detection. It would have been obvious to anyone having ordinary skill in the art before the effective filing date to modify the system of Herwadkar-Vasseur-Zhao to include the anomaly detection and method of output as described by Baradaran. Doing so would allow users to receive indication of anomalies the potential reason(s) for said anomalies. The method may also provide outputs following determination that network traffic is not anomalous, including false positives, and similarly generating output information for a user as described in Paragraph [0323] of Baradaran. The resulting improvement would be the delivery of anomaly and/or false positive information to a user allowing them to react accordingly.

Regarding dependent claim 11,
As discussed above with claim 9, Herwadkar-Vasseur-Zhao-Baradaran discloses all of the limitations.
Herwadkar further discloses the step wherein the processor is further configured to use the feedback to train a false positive screen. See Paragraph [0061], (The management apparatus may obtain user feedback relating to queries identified as anomalous by the system. User feedback may identify non-anomalous queries previously identified as anomalous.) See Paragraph [0143], (The training process allows for user feedback which may modify and/or manage outlier classifications.). See Paragraph [0196], (Users may efficiently and effectively control the false positives generated by the anomaly detection system by providing threshold cutoffs, timeframes, etc., i.e. feedback for training false positive screens.).

Regarding dependent claim 12,
As discussed above with claim 9, Herwadkar-Vasseur-Zhao-Baradaran discloses all of the limitations.
	Vasseur further discloses the step wherein the processor is further configured to use the feedback to train a classifier. See Paragraph [0073], (Disclosing a method for detecting anomalies in a network. Users may provide feedback regarding any detected anomalies to distributed learning agent (DLA) via supervisory and control agent (SCA), i.e. using feedback to train a classifier.). Note [0074] wherein SCA is configured to interface with DLA to train and deploy classifiers.

Claim 5 is/are rejected under 35 U.S.C. 103 as being unpatentable over Herwadkar in view of Vasseur and Zhao as applied to claim 2 above, and further in view of Pang et al. (US PGPUB No. 2016/0359880; Pub. Date; Dec. 8, 2016).
Regarding dependent claim 5,
As discussed above with claim 2, Herwadkar-Vasseur-Zhao discloses all of the limitations.
	Herwadkar-Vasseur-Zhao does not disclose the step wherein the processor is further configured to indicate that the transaction data comprises a known error in response to determining that the error is detected using the classifier.
	Pang discloses the step wherein the processor is further configured to indicate that the transaction data comprises a known error in response to determining that the error is detected using the classifier. See Paragraph [0036], (Disclosing an analytics engine for identifying outlier observations. If a training set of example data with known outlier labels exists, supervised anomaly detection techniques may be used to train a classifier, i.e. the known outlier label is a known error that may be detected using the classifier.)
	Herwadkar, Vasseur, Zhao and Pang are analogous art because they are in the same field of endeavor, anomaly detection. It would have been obvious to anyone having ordinary skill in the art before the effective filing date to modify the system of Herwadkar-Vasseur-Zhao to include the supervised training techniques using known outlier labels as described by Pang. Doing so would allow the system to recognize previously learned and/or identified anomalous conditions using supervised training techniques that can be further refined via additional training datasets.

Claim 16-17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Herwadkar in view of Vasseur and Zhao as applied to claim 1 above, and further in view of BLAKE et al. (US PGPUB No. 2018/0267741; Pub. Date: Sep. 20, 2018).
Regarding dependent claim 16,
As discussed above with claim 1, Herwadkar-Vasseur-Zhao discloses all of the limitations.
	Herwadkar-Vasseur-Zhao does not disclose the step wherein querying the database data to determine whether the transaction data is a false positive comprises querying the database data to determine whether the transaction data comprises a short edit distance to transaction data not comprising a statistical outlier.
	BLAKE discloses the step wherein querying the database data to determine whether the transaction data is a false positive comprises querying the database data to determine whether the transaction data comprises a short edit distance to transaction data not comprising a statistical outlier. See Paragraph [0054], (Disclosing a method for monitoring a data store. The method including detecting false positives in response to a determination that an address of a queried region of data has changed, i.e. a short edit distance comprising a changed field of an address.)	Herwadkar, Vasseur, Zhao, Baradaran and BLAKE are analogous art because they are in the same field of endeavor, data monitoring and analysis. It would have been obvious to anyone having ordinary skill in the art before the effective filing date to modify the system of Herwadkar-Vasseur-Zhao to include the method of detecting false positives in response to changes in addresses for data records as described by BLAKE. Paragraph [0054] of BLAKE disclosing that the process reduces storage overhead for monitoring data.

Regarding dependent claim 17,
As discussed above with claim 16, Herwadkar-Vasseur-Zhao-BLAKE discloses all of the limitations.
	BLAKE further discloses the step wherein the short edit distance comprises at least one of: a changed tag, a changed field of an address, or a changed digit of an identification number. See Paragraph [0054], (Disclosing a method for monitoring a data store. The method including detecting false positives in response to a determination that an address of a queried region of data has changed, i.e. a short edit distance comprising a changed field of an address.)
	Herwadkar, Vasseur, Zhao and BLAKE are analogous art because they are in the same field of endeavor, data monitoring and analysis. It would have been obvious to anyone having ordinary skill in the art before the effective filing date to modify the system of Herwadkar-Vasseur-Zhao to include the method of detecting false positives in response to changes in addresses for data records as described by BLAKE. Paragraph [0054] of BLAKE disclosing that the process reduces storage overhead for monitoring data.	
Response to Arguments
Applicant’s arguments with respect to claim(s) 1, 19 and 20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Applicant’s amendments necessitated the new grounds of rejection presented in this Office Action.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Fernando M Mari whose telephone number is (571)272-2498. The examiner can normally be reached Monday-Friday 6am-3pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Mariela Reyes can be reached on (571) 270-1006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/FERNANDO M MARI VALCARCEL/Examiner, Art Unit 2159