DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
1. This action is responsive to the communication filed on June 6, 2022. At this time, claims 1-20 are pending and addressed below.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)          the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)          the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)         the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: 
One device configured to (claim 11 and 12-18)  
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. 
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees.
A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement.
Effective January 1, 1984, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
Claims 1, 4-7, 9-11, 13-15, 18-20 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-5, 7, 10-12, 16, and 18-20 of US Patent number 11381586. Although the conflicting claims are not identical, they are not patentably distinct from each other because the current application contains claims that are broader in scope than the claims of patent number 11381586 and are anticipated by claims 1-5, 7, 10-12, 16, and 18-20.
This is a non-provisional double patenting rejection since the conflicting claims have in fact been patented.
Claims Comparison Table
Application Number 17/832,985 (first claim of each pair below) | Patent Number 11381586 (second claim of each pair below)
1. A method, comprising: aggregating, by a processing device, information regarding behavior associated with each of a plurality of user devices with respect to activity on a network; determining, by the processing device, whether the aggregated information corresponds to an anomaly with respect to usage of the network; determining, by the processing device and when the aggregated information corresponds to the anomaly, whether the anomaly meets a threshold based on a type of anomaly and a number of user devices affected by the anomaly; and identifying, by the processing device and when the anomaly meets the threshold, an area affected by the anomaly.

1. A method, comprising: monitoring, by a processing device, at least one of calls or traffic on a network; identifying, by the processing device, behavior associated with each of a plurality of user devices with respect to activity on the network; aggregating, by the processing device, information about the behavior associated with the plurality of user devices; determining, by the processing device, whether the aggregated information corresponds to an anomaly with respect to usage of the network; determining, by the processing device and when the aggregated information corresponds to the anomaly, whether the anomaly meets a threshold based on a type of anomaly and a number of user devices affected by the anomaly; identifying, by the processing device and when the anomaly meets the threshold, an area affected by the anomaly; identifying, when the aggregated information corresponds to the anomaly, user devices in the area affected by the anomaly; generating a notification in response to determining that the aggregated information corresponds to the anomaly; and transmitting the notification to the identified user devices in the area affected by the anomaly. 




4. The method of claim 1, further comprising: identifying personnel associated with operating the network in the area affected by the anomaly; and transmitting a notification to the identified personnel.

2. The method of claim 1, further comprising: identifying personnel associated with operating the network in the area affected by the anomaly; and transmitting the notification to the identified personnel. 
5. The method of claim 1, further comprising: generating at least one of a public service announcement or a link to a public service announcement in response to determining that the aggregated information corresponds to the anomaly.
 
3. The method of claim 1, wherein the generating a notification comprises generating at least one of a public service announcement or a link to a public service announcement.
6. The method of claim 1, further comprising: identifying at least one of a source or destination associated with the anomaly.

4. The method of claim 1, further comprising: identifying at least one of a source or destination associated with the anomaly. 
7. The method of claim 6, further comprising: determining a range of telephone numbers associated with the source or destination associated with the anomaly.

5. The method of claim 4, further comprising: determining a range of telephone numbers associated with the source or destination associated with the anomaly. 


9. The method of claim 1, wherein the determining whether the anomaly meets the threshold comprises: comparing, based on the aggregated information, activity associated with a number of the plurality of user devices over a period of time to a threshold number of user devices associated with the type of anomaly. 
7. The method of claim 1, wherein the determining whether the anomaly meets a threshold comprises: comparing, based on the aggregated information, a number of the plurality of user devices over a period of time to a threshold number of user devices associated with the type of anomaly.
10. The method of claim 1, further comprising: generating a baseline of user behavior for each of a plurality of types of network related behavior. 
10. The method of claim 1, further comprising: generating a baseline of user behavior for each of a plurality of types of network related behavior. 
11. A system, comprising: at least one device configured to: aggregate information regarding behavior associated with each of a plurality of user devices with respect to activity on a network, determine whether the aggregated information corresponds to an anomaly with respect to usage of the network, determine, when the aggregated information corresponds to the anomaly, whether the anomaly meets a threshold based on a type of anomaly and a number of user devices affected by the anomaly, and identify, when the aggregated information corresponds to the anomaly, an area affected by the anomaly. 
11. A system, comprising: a memory; and at least one device comprising a processor configured to execute instructions stored in the memory to: monitor at least one of calls or traffic on a network, identify behavior associated with each of a plurality of user devices with respect to activity on the network, aggregate information about the behavior associated with the plurality of user devices, determine whether the aggregated information corresponds to an anomaly with respect to usage of the network, determine, when the aggregated information corresponds to the anomaly, whether the anomaly meets a threshold based on a type of anomaly and a number of user devices affected by the anomaly, identify, when the anomaly meets the threshold, an area affected by the anomaly, identify, when the aggregated information corresponds to the anomaly, user devices in the area affected by the anomaly, generate a notification in response to determining that the aggregated information corresponds to the anomaly, and transmit the notification to the identified user devices in the area affected by the anomaly. 


13. The system of claim 12, wherein the at least one device is further configured to: generate a notification in response to determining that the anomaly meets the threshold, and transmit the notification to the identified user devices located in the area affected by the anomaly.
 
11. A system, comprising: a memory; and at least one device comprising a processor configured to execute instructions stored in the memory to: monitor at least one of calls or traffic on a network, identify behavior associated with each of a plurality of user devices with respect to activity on the network, aggregate information about the behavior associated with the plurality of user devices, determine whether the aggregated information corresponds to an anomaly with respect to usage of the network, determine, when the aggregated information corresponds to the anomaly, whether the anomaly meets a threshold based on a type of anomaly and a number of user devices affected by the anomaly, identify, when the anomaly meets the threshold, an area affected by the anomaly, identify, when the aggregated information corresponds to the anomaly, user devices in the area affected by the anomaly, generate a notification in response to determining that the aggregated information corresponds to the anomaly, and transmit the notification to the identified user devices in the area affected by the anomaly. 
14. The system of claim 11, wherein the at least one device is further configured to: identify personnel associated with operating the network in the area affected by the anomaly, and transmit a notification to the identified personnel.

12. The system of claim 11, wherein the at least one device is further configured to: identify personnel associated with operating the network in the area affected by the anomaly, and transmit the notification to the identified personnel. 
15. The system of claim 11, wherein the at least one device is further configured to: identify at least one of a source or destination associated with the anomaly, and determine a range of telephone numbers associated with the source or destination associated with the anomaly.

16. The system of claim 11, wherein the at least one device is further configured to: identify at least one of a source or destination associated with the anomaly, and determine a range of telephone numbers associated with the source or destination associated with the anomaly. 




18. The system of claim 11, wherein at least one device is further configured to: generate a baseline of user behavior for each of a plurality of types of network related behavior.

18. The system of claim 11, wherein at least one device is further configured to: generate a baseline of user behavior for each of a plurality of types of network related behavior. 
19. A non-transitory computer-readable medium having stored thereon sequences of instructions which, when executed by at least one processor, cause the at least one processor to: aggregate information regarding behavior associated with each of a plurality of user devices with respect to activity on a network; determine whether the aggregated information corresponds to an anomaly with respect to usage of the network; determine, when the aggregated information corresponds to the anomaly, whether the anomaly meets a threshold based on a type of anomaly and a number of user devices affected by the anomaly; and identify, when the aggregated information corresponds to the anomaly, an area affected by the anomaly.

19. A non-transitory computer-readable medium having stored thereon sequences of instructions which, when executed by at least one processor, cause the at least one processor to: monitor at least one of calls or traffic on a network; identify behavior associated with each of a plurality of user devices with respect to activity on the network; aggregate information about the behavior associated with the plurality of user devices, determine whether the aggregated information corresponds to an anomaly with respect to usage of the network; determine, when the aggregated information corresponds to the anomaly, whether the anomaly meets a threshold based on a type of anomaly and a number of user devices affected by the anomaly; identify, when the anomaly meets the threshold, an area affected by the anomaly, identify, when the aggregated information corresponds to the anomaly, user devices in the area affected by the anomaly; generate a notification in response to determining that the aggregated information corresponds to the anomaly; and transmit the notification to the identified user devices in the area affected by the anomaly.
20. The non-transitory computer-readable medium of 19, wherein the instructions further cause the at least one processor to: identify personnel associated with operating the network in the area affected by the anomaly; and transmit a notification to the identified personnel.  
20. The non-transitory computer-readable medium of 19, wherein the instructions further cause the at least one processor to: identify personnel associated with operating the network in the area affected by the anomaly; and transmit the notification to the identified personnel. 


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2-3, 9, 10, 11, 12-13, 16, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Doyle, US pat. No 20100031156 (IDS Submitted, 06/10/2022) in view of Karin, US pat. No 20200287921.
 
Claims 1, 11, 19. Doyle discloses a method, (See Doyle, [0002]; detect anomalies in network traffic) comprising: aggregating, by a processing device, information regarding behavior associated with each of a plurality of user devices with respect to activity on a network; (See Doyle, [0077] If X is the number of data points in a week and the input time-series has 4*X data points (e.g., 4 weeks of data) where each is aggregated over T minute intervals for a total duration of 4*X*T minutes. For certain metrics, such as response time or number of unique hosts) 
determining, by the processing device, whether the aggregated information corresponds to an anomaly with respect to usage of the network; (See [0049] and Figs 16A-16D Based on the results of comparison 64, system 30 determines 66 if an abnormal spike or dip in network traffic or usage is present indicating an operational problem. If multiple anomalies are observed, the system 30 generates 67 an event report that provides information about the anomalous event.) 
determining, by the processing device and when the aggregated information corresponds to the anomaly, whether the anomaly meets a threshold based on a type of anomaly and a number of user devices affected by the anomaly; (See Doyle, [0055] The system 30 determines 80 if an outlier has been detected. If an outlier has not been detected, the system 30 continues to generate 74 forecasted values for subsequent time periods, receive 76 information about the network traffic, and compare 78 the network traffic to the forecasted values. On the other hand, if an outlier has been detected, the system 30 updates 82 an outlier count and determines 84 if the outlier count exceeds a threshold number of outliers for a particular time period. If the outlier count does not exceed the threshold, the system 30 continues to generate 74 forecasted values for subsequent time periods, receive 76 information about the network traffic and compare 78 the network traffic to the forecasted values. On the other hand, if the count does exceed the threshold, the system 30 identifies an anomaly in the network traffic 86. As noted above, an anomaly is an aggregation of multiple outliers that have occurred in a close enough time frame to be potentially significant. The threshold number of outliers sets the sensitivity of anomaly detection since an anomaly is not triggered based on observed outliers until the threshold is met. See [0107]; the summary portion 202 includes a short paragraph summary of the type of anomaly detected on the network and the impact of the anomaly on the network. See also [0107]; The summary portion 202 also provides information about the percentage increase/decrease in network traffic that resulted in the event and the actual network traffic numbers from the time period of the anomalous event and a previous time period. Providing both the percentage and the actual values can allow a user to determine the actual impact of the event on the network. See also [0077])
Doyle does not appear to explicitly disclose and identifying, by the processing device and when the anomaly meets the threshold, an area affected by the anomaly.
However, Karin discloses and identifying, by the processing device and when the anomaly meets the threshold, an area affected by the anomaly. (See Karin, [0069]; the alert may identify the particular network anomaly detected, the type of detected anomaly, the network entity (or entities) affected by the anomaly, a location of the detected anomaly (e.g., based on a geographic location or a network topology), an IP address of an attacker, or any other information that may be associated with the detected anomaly.)
Doyle and Karin are analogous art because they are from the same field of endeavor which is intrusion detection. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Doyle with the teaching of Karin to include the geographic location because it would have allowed an administrator to address the area affected by the attack.
  
2. The combination of Doyle and Karin discloses the method of claim 1, further comprising: identifying, when the aggregated information corresponds to the anomaly, user devices located in the area affected by the anomaly. (See Karin, [0069]; the alert may identify the particular network anomaly detected, the type of detected anomaly, the network entity (or entities) affected by the anomaly, a location of the detected anomaly (e.g., based on a geographic location or a network topology), an IP address of an attacker, or any other information that may be associated with the detected anomaly.)
Doyle and Karin are analogous art because they are from the same field of endeavor which is intrusion detection. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Doyle with the teaching of Karin to include the geographic location because it would have allowed an administrator to address the area affected by the attack.
3. The combination of Doyle and Karin discloses the method of claim 2, further comprising: generating a notification in response to determining that the anomaly meets the threshold; (See Karin, [0068]) and transmitting the notification to the identified user devices located in the area affected by the anomaly. (See Karin, [0069]; the alert may identify the particular network anomaly detected, the type of detected anomaly, the network entity (or entities) affected by the anomaly, a location of the detected anomaly (e.g., based on a geographic location or a network topology), an IP address of an attacker, or any other information that may be associated with the detected anomaly.)
Doyle and Karin are analogous art because they are from the same field of endeavor which is intrusion detection. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Doyle with the teaching of Karin to include the geographic location because it would have allowed an administrator to address the area affected by the attack.
9. The combination of Doyle and Karin discloses the method of claim 1, wherein the determining whether the anomaly meets the threshold comprises: comparing, based on the aggregated information, activity associated with a number of the plurality of user devices over a period of time to a threshold number of user devices associated with the type of anomaly. (See Doyle, [0055] and [0107])
10. The combination of Doyle and Karin discloses the method of claim 1, further comprising: generating a baseline of user behavior for each of a plurality of types of network related behavior. (See Doyle, figs 2 and 16B and [0048-0049]) 
12. As to claim 12, the claim is rejected under the same rationale as claim 2. See the rejection of claim 2 above.

13. As to claim 13, the claim is rejected under the same rationale as claim 3. See the rejection of claim 3 above.
 
16. The combination of Doyle and Karin discloses the system of claim 11, wherein the at least one device is further configured to: identify emails from a particular domain or location associated with the anomaly. (See Karin, [0069])
Doyle and Karin are analogous art because they are from the same field of endeavor which is intrusion detection. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Doyle with the teaching of Karin to include the geographic location because it would have allowed an administrator to address the area affected by the attack.
18. The combination of Doyle and Karin discloses the system of claim 11, wherein at least one device is further configured to: generate a baseline of user behavior for each of a plurality of types of network related behavior. (See Doyle, figs 2 and 16B and [0048-0049]) 

Claims 4, 6 and 7, 8, 14, 15, 17 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Doyle, US pat. No 20100031156 (IDS Submitted, 06/10/2022) in view of Karin, US pat. No 20200287921 in further view of SRIVASTAVA, US pat. No 20160261621 (IDS Submitted, 06/10/2022).
 
4. The combination of Doyle and Karin does not appear to explicitly disclose the method of claim 1, further comprising: identifying personnel associated with operating the network in the area affected by the anomaly; and transmitting a notification to the identified personnel. However, SRIVASTAVA discloses identifying personnel associated with operating the network in the area affected by the anomaly; (See SRIVASTAVA, [0126]) and transmitting a notification to the identified personnel. (See SRIVASTAVA, [0997])
Doyle, Karin and SRIVASTAVA are analogous art because they are from the same field of endeavor which is intrusion detection. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Doyle and Karin with the teaching of SRIVASTAVA to include the notification system because it would have allowed users in the affected area to be notified of anomalous activity.
6. The combination of Doyle and Karin does not appear to explicitly disclose the method of claim 1, further comprising: identifying at least one of a source or destination associated with the anomaly.
However, SRIVASTAVA discloses identifying at least one of a source or destination associated with the anomaly. (See SRIVASTAVA, [0106])
Doyle, Karin and SRIVASTAVA are analogous art because they are from the same field of endeavor which is intrusion detection. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Doyle and Karin with the teaching of SRIVASTAVA to include the notification system because it would have allowed users in the affected area to be notified of anomalous activity.
7. The combination of Doyle, Karin and SRIVASTAVA discloses the method of claim 6, further comprising: determining a range of telephone numbers associated with the source or destination associated with the anomaly. (See SRIVASTAVA, [0113])
Doyle, Karin and SRIVASTAVA are analogous art because they are from the same field of endeavor which is intrusion detection. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Doyle and Karin with the teaching of SRIVASTAVA to include the notification system because it would have allowed users in the affected area to be notified of anomalous activity.
8. The combination of Doyle and Karin discloses the method of claim 1, further comprising: and determining, based on the monitoring whether the at least some of the plurality of user devices are at least one of generating or receiving traffic associated with suspicious or anomalous activity. (See [0055]) The combination of Doyle and Karin does not appear to explicitly disclose monitoring, by the processing device, behavior associated with each of the plurality of user devices with respect to activity on a network;
However, SRIVASTAVA discloses monitoring, by the processing device, behavior associated with each of the plurality of user devices with respect to activity on a network; (See SRIVASTAVA, [0113]) 
Doyle, Karin and SRIVASTAVA are analogous art because they are from the same field of endeavor which is intrusion detection. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Doyle and Karin with the teaching of SRIVASTAVA to include the monitoring because it would have allowed users in the affected area to be notified of anomalous activity.
14. As to claim 14, the claim is rejected under the same rationale as claim 4. See the rejection of claim 4 above.  

15. As to claim 15, the claim is rejected under the same rationale as claim 6. See the rejection of claim 6 above.  

17. The combination of Doyle and Karin discloses the system of claim 11, wherein the at least one device is further configured to: the at least one device is configured to: aggregate the monitored at least one of telephone call records or network usage associated with the plurality of network devices. (See Doyle, [0077])
The combination of Doyle and Karin does not appear to explicitly disclose monitor at least one of telephone call records or network usage associated with the plurality of user devices, and wherein when aggregating information regarding behavior,
However, SRIVASTAVA discloses monitor at least one of telephone call records or network usage associated with the plurality of user devices, and wherein when aggregating information regarding behavior, (See SRIVASTAVA, [0113]) 
Doyle, Karin and SRIVASTAVA are analogous art because they are from the same field of endeavor, which is intrusion detection. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Doyle and Karin with the teaching of SRIVASTAVA to include the monitoring because it would have allowed users in the affected area to be notified of anomalous activity.
20. As to claim 20, the claim is rejected under the same rationale as claim 4. See the rejection of claim 4 above.

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Doyle, US pat. No 20100031156 (IDS Submitted, 06/10/2022) in view of Karin, US pat. No 20200287921 in further view of Chen, US pat. No 5832208.

5. The combination of Doyle and Karin does not appear to explicitly disclose the method of claim 1, further comprising: generating at least one of a public service announcement or a link to a public service announcement in response to determining that the aggregated information corresponds to the anomaly. 
However, Chen discloses generating at least one of a public service announcement or a link to a public service announcement in response to determining that the aggregated information corresponds to the anomaly. (See Chen, col 7, lines 1-2 and col 7, lines 57-65)
Doyle, Karin and Chen are analogous art because they are from the same field of endeavor, which is intrusion detection. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Doyle and Karin with the teaching of Chen to include the notification system because it would have allowed users in the affected area to be notified of anomalous activity.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Singh, US20170302691, title “Systems and Methods for Detecting and Tracking Adversary Trajectory”
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSNEL JEUDY whose telephone number is (571)270-7476. The examiner can normally be reached M-F 10:00-8:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Arani T Taghi can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
Date: 12/13/2022
/JOSNEL JEUDY/Primary Examiner, Art Unit 2438