Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Remarks
This Office Action is responsive to Applicants' Amendment filed on October 7, 2022, in which claims 1, 8, and 16 are currently amended. Claims 1-20 are currently pending.

Response to Arguments
The rejections to claims 1-20 under 35 U.S.C. § 112(a) are hereby withdrawn, as necessitated by applicant's amendments and remarks made to the rejections.
Applicant’s arguments with respect to rejection of claims 1-20 under 35 U.S.C. 101 based on amendment have been considered and are persuasive.  The rejections to claims 1-20 under 35 U.S.C. § 101 are hereby withdrawn, as necessitated by applicant's amendments and remarks made to the rejections.
Applicant’s arguments with respect to rejection of claims 1-20 under 35 U.S.C. 103 based on amendment have been considered. The argument is moot in view of a new ground of rejection set forth below.

Specification
The disclosure is objected to because of the following informalities: 
In paragraph 0019 of the published instant specification “Backend server 100” should be “backend server 110” with respect to remainder of the specification and figure 1.

Claim Objections
Claims 1, 8, and 15 are objected to because of the following informalities: "adjust how first neural network" should read "adjust how the first neural network". Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.



	Claims 1, 4-5, 7-8, 11-12, 14-15, and 18-19 are rejected under U.S.C. §103 as being unpatentable over the combination of Cabrera (“Ensemble methods for anomaly detection and distributed intrusion detection in Mobile Ad-Hoc Networks”, 2008) and Mestha (US 20180159879 A1).

	 Regarding claim 1, Cabrera teaches in response to determining that the anomaly impacts for a first cluster exceed an alerting threshold:([p. 100 §3.1] "If the density of anomalous data p(X^k|w_1) is a monotonically decreasing function of the density of normal data p(X^k|w_0) or if p(X^k|w_1) is uniform along a large region of the feature subspaces falling to zero outside this region, then the Bayesian decision condition for X^k being normal: Prob(w_0|X^k)>= Prob(w_1|X^k) – can be characterized by a threshold l^k , i.e., X^k is assigned to the normal class if Prob(w_0|X^k)<=l^k , and to the anomalous class otherwise")
	identifying a first shared node in the first cluster;([p. 107 §5.4] "This list is constructed by listening to the beacon messages broadcast by all nodes of the network. It also requires each node to have a unique ID number. If a node’s ID is the lowest ID number on its neighbor list, it becomes a cluster head")
	wherein the first shared node comprises a lowest-tiered device in a network topology of the network where communications pathways of devices in the first cluster pass through the lowest-tiered device;([p. 98 §2] "As depicted in Fig. 1, the top layer of the hierarchy is the manager. The nodes constitute the bottom layer. The intermediate layer is formed by clusters of nodes...Fusion at two levels: cluster heads and manager: Anomaly indexes are transmitted to cluster heads every T seconds and combined there, producing a cluster head anomaly index. By the same token, cluster head anomaly indexes are transmitted to the manager every T seconds and combined there, producing a manager anomaly index" See also FIG. 1 which shows communication pathways going through the cluster head and then through the manager.  Top layer of hierarchy interpreted as synonymous with lowest-tiered device in the network.  Cluster head interpreted as lowest-tiered device in the cluster.)
	identifying a second cluster including a second shared node matching the first shared node that has not been determined to exceed the alerting threshold; and([p. 107 §5.4] "This list is constructed by listening to the beacon messages broadcast by all nodes of the network. It also requires each node to have a unique ID number. If a node’s ID is the lowest ID number on its neighbor list, it becomes a cluster head" See FIG. 1 on p. 98 where two clusters have cluster heads.  Cluster head in second cluster interpreted as synonymous with a second shared node matching the first shared node (which is also a cluster head).)
	wherein the second shared node comprises the lowest-tiered device, wherein the communications pathways of devices in the second cluster pass through the lowest-tiered device;([p. 98 §2] "As depicted in Fig. 1, the top layer of the hierarchy is the manager. The nodes constitute the bottom layer. The intermediate layer is formed by clusters of nodes...Fusion at two levels: cluster heads and manager: Anomaly indexes are transmitted to cluster heads every T seconds and combined there, producing a cluster head anomaly index. By the same token, cluster head anomaly indexes are transmitted to the manager every T seconds and combined there, producing a manager anomaly index" See also FIG. 1 which shows communication pathways going through the cluster head and then through the manager.  Top layer of hierarchy interpreted as synonymous with lowest-tiered device in the network.  Cluster head interpreted as lowest-tiered device in the cluster.)
	and transmitting an alert for the first cluster and the second cluster; and([p. 98 §2] "Mobile nodes within each other’s radio range communicate directly via wireless links. Nodes far apart utilize other nodes as routers to relay messages" [p. 107 §5.4] "Fig. 4b shows the procedure when a non-clustered node attempts to join an existing cluster. It broadcasts a message requesting admission to any neighboring cluster. A member of a cluster that receives the request (either the cluster head or a cluster member) will send a message requesting the node that it join the cluster. The node will send a reply to the cluster head, and the cluster head will finalize the process by sending an acknowledgment to the node. To prevent a node from joining several clusters, any node involved in the clustering process will reply to the first join message it receives and will ignore any subsequent requests until it has finished joining the cluster" First join message interpreted as synonymous with alert for first cluster.  Ignored subsequent request interpreted as synonymous with alert for the second cluster.)
	and in response to receiving a response to the alert, updating, via the fourth neural network, the anomaly filtering engine.(See FIG. 4 update cluster list is performed after a response is received from the node in both examples a and b. [p. 115 §7] "we describe clustering algorithms to update cluster centers and machine learning algorithms for computing the local anomaly indexes")
	wherein the updates to anomaly filtering engine adjust how first neural network, the second neural network, and the third neural network identify clusters in the operational data(See FIG. 4 update cluster list is performed after a response is received from the node in both examples a and b. [p. 106 §5.2] "The cluster heads compute the average of the anomaly indexes, and transmit these to the manager" [p. 115 §7] "we describe clustering algorithms to update cluster centers and machine learning algorithms for computing the local anomaly indexes" First, second, and third neural network interpreted as synonymous with the classifiers used to determine anomaly indexes. Cabrera teaches that cluster head is updated and that the cluster head is responsible for determining local anomaly index, which is interpreted as synonymous with adjusting how the neural networks identify clusters in the operational data.)
	A first neural network, a second neural network, and a third neural network([p. 97 §1] "Classifier fusion is now a well established topic of research in pattern recognition [1,2] for early representative references [3] for a unified presentation [4] for asymptotic results associated with a large number of base classifiers, and [5] and references therein for recent developments. Earlier applications of classifier fusion involve situations where classifier ensembles are obtained by training multiple classifiers (the base classifiers) with different datasets, randomly selected, or by using diverse feature sets to build the individual classifiers" [p. 97 §1] "Ensemble sizes are typically small, with ensembles consisting of at most 5–10 base classifiers." With respect to the instant specification neural networks are interpreted as synonymous with classifiers.).
	However, Cabrera does not explicitly teach A method, comprising: training a [first] neural network to identify geographic clusters in a data set, a [second] neural network to identify topological clusters in a data set, and a [third] neural network to identify call flow clusters in a data set, wherein the [first] neural network, the [second] neural network, and the [third] neural network form an anomaly filtering engine;
	clustering, using the anomaly filtering engine, operational data reported from a network into a plurality of anomalies organized into geographic clusters, topological clusters, and call flow clusters;
	correlating, via the anomaly filtering engine, alerts received from devices in the network according to the geographic clusters, the topological clusters, and the call flow clusters;
	detecting, via a fourth neural network, anomaly impacts in the geographic clusters, the topological clusters, and the call flow clusters from the alerts, wherein anomaly impacts comprise network conditions affecting an operation of the network.

	Mestha, in the same field of endeavor, teaches A method, comprising: training a [first] neural network to identify geographic clusters in a data set, a [second] neural network to identify topological clusters in a data set, and a [third] neural network to identify call flow clusters in a data set, wherein the [first] neural network, the [second] neural network, and the [third] neural network form an anomaly filtering engine;([Abstract] "At least some received monitoring node values may be processed with a deep learning model to determine parameters of the deep learning model" [¶0032] "a training method may be used for supervised learning to teach decision boundaries. This type of supervised learning may take into account on operator's knowledge about system operation (e.g., the differences between normal and abnormal operation)." [¶0036] "Note that many different types of features may be utilized in accordance with any of the embodiments described herein...include deep learning features... include logical features (with semantic abstractions such as “yes” and “no”), geographic/position locations, and interaction features (mathematical combinations of signals from multiple threat nodes and specific locations)" Deep learning model in Mestha interpreted as synonymous with anomaly filtering engine. Interaction feature location identification interpreted as synonymous with topological clustering, interaction feature signal identification interpreted as synonymous with call flow clustering.)
	clustering, using the anomaly filtering engine, operational data reported from a network into a plurality of anomalies organized into geographic clusters, topological clusters, and call flow clusters;([Abstract] "At least some received monitoring node values may be processed with a deep learning model to determine parameters of the deep learning model" [¶0036] "Note that many different types of features may be utilized in accordance with any of the embodiments described herein...include deep learning features... include logical features (with semantic abstractions such as “yes” and “no”), geographic/position locations, and interaction features (mathematical combinations of signals from multiple threat nodes and specific locations)" Interaction feature location identification interpreted as synonymous with topological clustering, interaction feature signal identification interpreted as synonymous with call flow clustering.)
	correlating, via the anomaly filtering engine, alerts received from devices in the network according to the geographic clusters, the topological clusters, and the call flow clusters;([¶0038] "The decision boundary algorithms 746 may generate a threat model including decision boundaries for various monitoring nodes in accordance with any of the embodiments described herein. " Determining threat boundary interpreted as synonymous with correlating alert clusters.)
	detecting, via a fourth neural network, anomaly impacts in the geographic clusters, the topological clusters, and the call flow clusters from the alerts, wherein anomaly impacts comprise network conditions affecting an operation of the network([¶0039] "A real-time threat detection platform 750 may receive the boundaries along with streams of data from the monitoring nodes. The platform 750 may include a feature extraction on each monitoring node element 752 and a normalcy decision 754 with an algorithm to detect attacks in individual signals using sensor specific decision boundaries, as well rationalize attacks on multiple signals, to declare which signals were attacked, and which became anomalous due to a previous attack on the system via a localization module 756. An accommodation element 758 may generate outputs 770, such as an anomaly detection indication" An algorithm to detect attacks interpreted as synonymous with a fourth neural network).

	Cabrera as well as Mestha are directed towards using classifiers for anomaly detection.  Therefore, Cabrera as well as Mestha are analogous art in the same field of endeavor.  It would have been obvious before the effective filing date of the claimed invention to combine the teachings of Cabrera with the teachings of Mestha by using the specific categorical classifiers in Mestha as the classifiers taught in Cabrera.  Mestha provides as additional motivation for combination ([¶0031] "Some embodiments described herein may take advantage of the physics of a control system by learning a priori from tuned high fidelity equipment models and/or actual “on the job” data to detect single or multiple simultaneous adversarial threats to the system. Moreover, according to some embodiments, monitoring node data may be converted to features using advanced feature-based methods, and the real-time operation of the control system may be monitoring in substantially real-time.").  This motivation for combination also applies to the remaining claims which depend on this combination. 

	 Regarding claim 4, the combination of Cabrera, and Mestha teaches The method of claim 1, further comprising: prior to clustering the operational data: normalizing the operational data by removing outliers from the operational data; and(Mestha [¶0087] "Note that the feature-based approaches described herein may allow for extended feature vectors and/or incorporate new features into existing vectors as new earnings and alternate sources of data become available.  As a result, embodiments may detect a relatively wide range of cyber-threats (e.g., stealth, replay, covert, injection attacks, etc.) as the systems learn more about their characteristics. Embodiments may also reduce false positive rates as systems incorporate useful key new features and remove ones that are redundant or less important" Mestha does not teach clustering the operational data, therefore removing outliers from the data is interpreted as explicitly synonymous with removing outliers from operational data prior to clustering.)
	smoothing the operational data by adding predicted data points to represent data points missing from the operational data.(Mestha [¶0032] "multiple algorithmic methods (e.g., support vector machines or machine learning techniques) may be used to generate decision boundaries. Since boundaries may be driven by measured data (or data generated from high fidelity models), defined boundary margins may help to create a threat zone in a multi-dimensional feature space" Generating decision boundaries driven by measured data is interpreted as synonymous with smoothing the data by adding predicted data points.).
	
	 Regarding claim 5, the combination of Cabrera, and Mestha teaches The method of claim 1, wherein the fourth neural network generates the response to the alert without user input, further comprising:(Cabrera See FIG. 4 update cluster list is performed after a response is received from the node in both examples a and b. [p. 115 §7] "we describe clustering algorithms to update cluster centers and machine learning algorithms for computing the local anomaly indexes" [p. 106 §5.2] "During the run, each node is equipped with the local anomaly detector built in the training stage, i.e., 28 C4.5 classifiers in the case of AODV, and 18 C4.5 classifiers in the case of OLSR. As the run proceeds, clustering is effected as described in Section 5.4, and the anomaly indexes computed in each node are transmitted to the cluster heads using the infrastructure described in Section 5.3. The cluster heads compute the average of the anomaly indexes, and transmit these to the manager. The manager, by its turn, averages the anomaly indexes transmitted by the cluster heads" Sending message interpreted as synonymous with alerting.  Cabrera teaches that the alert and response occur without user input. C4.5 classifier interpreted as synonymous with fourth neural network.)
	transmitting the response to at least one device included in the first cluster.(Mestha [¶0024] "calculate at least one “feature” for each monitoring node based on the received data, and “automatically” output a threat alert signal to one or more remote monitoring devices 150 when appropriate (e.g., for display to a user)").
	
	 Regarding claim 7, the combination of Cabrera, and Mestha teaches The method of claim 1, wherein the call flow clusters group devices connected to the network together based on characteristics selected from a group comprising: mode of operation.(Mestha [¶0036] "Note that many different types of features may be utilized in accordance with any of the embodiments described herein, including...interaction features (mathematical combinations of signals from multiple threat nodes and specific locations)" Featurizing based on signals from multiple threat nodes interpreted as synonymous with clustering based on mode of operation.).

Regarding claims 8, 11, 12, and 14, claims 8, 11, 12, and 14 are directed towards a device for performing the method of claims 1, 4, 5, and 7, respectively.  Therefore, the rejection applied to claims 1, 4, 5, and 7 also applies to claims 8, 11, 12, and 14.  Similarly, claims 15, 18, and 19 are directed towards a non-transitory computer readable medium for performing the method of claims 1, 4, and 5.  Therefore, the rejection applied to claims 1, 4, and 5 also applies to claims 15, 18, and 19.

	Claims 2, 9, and 16 are rejected under U.S.C. §103 as being unpatentable over the combination of Cabrera and Mestha and Scherger (US 20200112489 A1).

	 Regarding claim 2, the combination of Cabrera, and Mestha teaches The method of claim 1.
	However, the combination of Cabrera, and Mestha doesn't explicitly teach the operational data is gathered via data pipelines defined in the network for associated Key Performance Indicators that store the operational data in a data lake accessible to the anomaly filtering engine for a predetermined length of time.

	Scherger, in the same field of endeavor, teaches The method of claim 1, wherein the operational data is gathered via data pipelines defined in the network for associated Key Performance Indicators that store the operational data in a data lake accessible to the anomaly filtering engine for a predetermined length of time.([¶0041] "Data collected from the network elements 215 by the collector 220 may be provided to a processing system 225 for further pre-processing before delivery to the ML system 230. For example, in various embodiments, the processing system 225 may be configured to perform sorting, organizing, and other data processing of the data obtained by the collector 220. In some embodiments, the processing system 225 may be configured to obtain, from a data lake compiled by the collector 220, various KPIs considered by the ML system 230 to predict failures in individual network elements" Storing data as disclosed in Scherger without an expected storage life is interpreted as anticipating an infinite storage length.).

	The combination of Cabrera and Mestha as well as Scherger are directed towards anomaly detection.  Therefore, the combination of Cabrera and Mestha and Scherger are analogous art in the same field of endeavor.  It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Cabrera, Mestha, and Scherger by implementing a data lake for storage. Mestha teaches as motivation ([¶0063] “An operating mode database may then be used to store the normalization function and/or normalized signals at S1230”).  The disclosure of Scherger would then make it obvious to one of ordinary skill in the art that the operational data to be used in the neural network for the anomaly detection may be stored in a data lake, and gathered via a data collection pipeline. Scherger explains the benefit to this would be ([¶0041] “to predict failures in individual network elements”) which is consistent with the interpreted intent of the instant.

Regarding claim 9, claim 9 is directed towards a device for performing the method of claim 2.  Therefore, the rejection applied to claim 2 also applies to claim 9.  Similarly, claim 16 is directed towards a non-transitory computer readable medium for performing the method of claim 2.  Therefore, the rejection applied to claim 2 also applies to claim 16.

	Claims 3, 6, 10, 13, 17, and 20 are rejected under U.S.C. §103 as being unpatentable over the combination of Cabrera and Mestha and Leibman (US20200007563A1).

	 Regarding claim 3, the combination of Cabrera, and Mestha teaches wherein the alert does not include the third cluster.(Mestha [¶0039] "The platform 750 may include a feature extraction on each monitoring node element 752 and a normalcy decision 754 with an algorithm to detect attacks in individual signals using sensor specific decision boundaries, as well rationalize attacks on multiple signals, to declare which signals were attacked, and which became anomalous due to a previous attack on the system via a localization module 756. An accommodation element 758 may generate outputs 770, such as an anomaly detection indication (e.g., threat alert signal)" Mestha explicitly teaches that threat alerts may be output in response to nodes relative to a decision boundary.  While Mestha does not explicitly teach wherein the alert does not include the third cluster, it would be obvious to one of ordinary skill in the art that Mestha implicitly teaches not alerting relative to a decision boundary, and that this would lead to a predictable and expected outcome.).
	However, the combination of Cabrera, and Mestha doesn't explicitly teach The method of claim 1, wherein a device represented by the first shared node in the first cluster is also included as a non-shared node in a third cluster.

	Leibman, in the same field of endeavor, teaches The method of claim 1, wherein a device represented by the first shared node in the first cluster is also included as a non-shared node in a third cluster,(See FIG. 2 Element 218B is a first shared node in a first cluster in 200A which is also included as a non-shared node in a third cluster in 200B).

	The combination of Cabrera and Mestha as well as Leibman are directed towards anomaly detection. Therefore, the combination of Cabrera and Mestha as well as Leibman are analogous art in the same field of endeavor.  It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the third cluster in Leibman with the methods in Mestha and Cabrera. Cabrera teaches that the anomaly detection is dependent on multiple categorical cluster boundaries similar to Leibman.  Mestha further teaches that the anomaly detection involves sending alerts to a monitoring device similar to Leibman.  It would therefore be implied and obvious that a device represented by the first shared node could be a non-shared node in a third cluster.  The combination of Leibman is included to reinforce and explicitly teach the node being a non-shared node in a third cluster.

	 Regarding claim 6, the combination of Cabrera, and Mestha teaches The method of claim 1.
	However, the combination of Cabrera, and Mestha doesn't explicitly teach the alerting threshold is dynamically adjusted based on a number of end users affected by a given alert.

	Leibman, in the same field of endeavor, teaches The method of claim 1, wherein the alerting threshold is dynamically adjusted based on a number of end users affected by a given alert.([¶0029] " In some embodiments, components 130-134 can represent a plurality of user accounts operating within a social media network (i.e., an example of system 120)"[¶0038] "a parameter may include a size of the cluster (i.e., a number of grouped components)" [¶0046] "clustering unit 108 groups components 211A-219A into one or more clusters 202 based on the analyzed measurement information where each of clusters 202 includes at least a threshold number of components. This threshold number may be input by a user or a default parameter as set by a clustering algorithm" See also ¶0028 for a detailed explanation of the effect of users on anomaly perception.).

	The combination of Cabrera and Mestha as well as Leibman are directed towards anomaly detection. Therefore, the combination of Cabrera and Mestha as well as Leibman are analogous art in the same field of endeavor.  It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the third cluster in Leibman with the methods in Mestha and Cabrera. Cabrera teaches that the anomaly detection is dependent on multiple categorical cluster boundaries similar to Leibman.  Mestha further teaches that the anomaly detection involves sending alerts to a monitoring device similar to Leibman.  It would therefore be implied and obvious that a device represented by the first shared node could be a non-shared node in a third cluster.  The combination of Leibman is included to reinforce and explicitly teach the node being a non-shared node in a third cluster.

Regarding claims 10, 13, 17, and 20: Claims 10 and 13 are directed towards a device for performing the method of claims 3 and 6, and claims 17 and 20 are directed towards a non-transitory computer readable medium for performing the method of claims 3 and 6.  Therefore, the rejection applied to claim 3 also applies to claims 10 and 17.  Similarly, the rejection applied to claim 6 also applies to claims 13 and 20.  


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Pividori (“Cluster Ensembles for Big Data Mining Problems”, 2015) describes using a consensus for ensemble clustering methods in network systems.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SIDNEY VINCENT BOSTWICK whose telephone number is (571)272-4720.  The examiner can normally be reached on M-F 7:30am-5:00pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Miranda Huang can be reached on (571)270-7092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/SB/Examiner, Art Unit 2124
/Vincent Gonzales/
Primary Examiner, Art Unit 2124