Prosecution Insights
Last updated: April 19, 2026
Application No. 16/405,816

FALSE POSITIVE DETECTION FOR ANOMALY DETECTION

Final Rejection §103
Filed: May 07, 2019
Examiner: MARI VALCARCEL, FERNANDO MARIANO
Art Unit: 2159
Tech Center: 2100 — Computer Architecture & Software
Assignee: Workday, Inc.
OA Round: 12 (Final)
Grant Probability: 49% (Moderate)
OA Rounds: 13-14
To Grant: 3y 10m
With Interview: 71%

Examiner Intelligence

Grants 49% of resolved cases
Career Allow Rate: 49% (71 granted / 145 resolved), -6.0% vs TC avg
Interview Lift: +22.0% (strong +22% interview lift, resolved cases with interview)
Typical timeline
Avg Prosecution: 3y 10m
40 currently pending
Career history
Total Applications: 185 (across all art units)

Statute-Specific Performance

§101: 13.5% (-26.5% vs TC avg)
§103: 66.1% (+26.1% vs TC avg)
§102: 13.2% (-26.8% vs TC avg)
§112: 5.1% (-34.9% vs TC avg)
Based on career data from 145 resolved cases

Office Action

§103
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment

This action is in response to applicant’s arguments and amendments filed [], which are in response to USPTO Office Action mailed []. Applicant’s arguments have been considered with the results that follow: THIS ACTION IS MADE FINAL.

Status of Claims

Claims 1-7, 9-20 and 22-23 are currently pending in the present application. Claims 8 and 21 are currently cancelled.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 1-4, 13-15 and 18-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bedi et al. (US PGPUB No. 2018/0210966; Pub. Date: Jul. 26, 2018) in view of SHULMAN et al. (US PGPUB No. 2017/0244749; Pub. Date: Aug. 24, 2017) and Verma et al. (US PGPUB No. 2019/0132224; Pub. Date: May 2, 2019; Jan. 25, 2018).

Regarding independent claim 1, Bedi discloses a system for false positive detection comprising: an interface configured to receive financial transaction data associated with a tenant of a tenanted database, wherein the tenant comprises an organization associated with business functions, and wherein data of the tenanted database is stored in a tenant storage region associated with the tenant; See Paragraph [0035], (Disclosing a system for querying data of a graph database using graph database query languages. Graph database service 100 may be used by clients in varying domains such as social networks, recommendation engines, data management, network and IT management, fraud detection, medical applications, Online Transaction Processing (OLTP) and Online Analytics Processing (OLAP) workloads, etc. Clients in the financial sector may use graph database service 100 to process a stream of credit card transactions as graph queries to identify potential anomalies, i.e. an interface configured to receive financial transaction data associated with a tenant of a tenanted database (e.g. elements of a financial institution may interact with the graph database wherein data is partitioned into a plurality of property-scoped indexes, i.e. tenants of a tenanted database (e.g. the individual indices).) See FIG. 1 & Paragraph [0061], (FIG. 1 illustrates graph database 140 as being organized into a plurality of property-scoped indices 160A-160N which are stored as separate data structures from each other and from triple table 150, i.e. 
wherein data of the tenanted database is stored in a tenant storage region associated with the tenant;) Bedi does not disclose a processor configured to: determine whether the financial transaction data is a statistical outlier; and in response to the financial transaction data being the statistical outlier: determine a query type based on statistical outlier detector data; query database data, based on the query type, to determine whether the financial transaction data is a false positive, comprising to: select an object graph associated with the financial transaction data, wherein the object graph comprises a set of required relationships required to conduct a financial transaction that exist amongst a set of objects, wherein the set of required relationships are based on the business functions associated with the tenant, retrieve the object graph from the tenant storage region associated with the tenant; and in response to the financial transaction data not being the false positive, end processing the financial transaction data. SHULMAN discloses a processor configured to: determine whether the financial transaction data is a statistical outlier; See Paragraphs [0035] & [0071], (The system may detect/identify deviation or anomalies from established network traffic patterns, i.e. determine whether the financial transaction data is a statistical outlier (e.g. Note [0162] wherein traffic patterns may be associated with a plurality of characteristics including a machine value and account value, wherein the account value may be associated with a finance department of an enterprise (e.g. traffic patterns may relate to enterprise operations including financial transactions).) and in response to the financial transaction data being the statistical outlier: determine a query type based on statistical outlier detector data; See FIG. 6, (Disclosing a system for monitoring traffic patterns of a network. FIG. 
6 illustrates method 600 comprising step 620 wherein the system may determine whether a source, time and duration characteristics of a normal activity pattern are matched by an unprocessed access record. Note [0141] wherein unprocessed access records correspond to network traffic originating from one or more enterprise end stations. Additionally, note [0152] wherein traffic events are associated with a traffic type identifier, i.e. determine a query type based on statistical outlier detector data; query database data, based on the query type, to determine whether the financial transaction data is a false positive, comprising to: select an object graph associated with the financial transaction data, See FIG. 6 & Paragraph [0071], (The system may detect/identify deviation or anomalies from established network traffic patterns. FIG 6 illustrates method 600 comprising determining whether an access record conforms to pattern characteristics of normal activity patterns, which include a traffic type (See [0162]). See Paragraph [0149], (The normal activity pattern table 500 may be represented using graph data structures, i.e. query database data, based on the query type, to determine whether the financial transaction data is a false positive (e.g. determining if an access record correctly represents an anomalous access), comprising to: select an object graph associated with the financial transaction data (e.g. pattern data may be implemented as a graph data structure).) wherein the object graph comprises a set of required relationships required to conduct a financial transaction that exist amongst a set of objects, wherein the set of required relationships are based on the business functions associated with the tenant, See FIG. 
6, (Method 600 comprises step 610 wherein the system determines whether an unprocessed access record is a complete match to any of the normal activity patterns 522 of the normal activity pattern table 500. Note [0149] wherein the normal activity pattern table 500 may be embodied as a graph data structure, i.e. wherein the object graph comprises a set of required relationships required to conduct a financial transaction that exist amongst a set of objects.) See FIG. 5 & Paragraph [0216], (FIG. 5 illustrates a format of the normal activity pattern table 500 including a pattern characteristic 502 that indicates a type of message associated with an access record that is associated with a source 506, i.e. wherein the set of required relationships are based on the business functions associated with the tenant) retrieve the object graph from the tenant storage region associated with the tenant; See FIG. 6, (Method 600 comprising step 605 of matching unprocessed access records against pattern characteristics of normal activity patterns of the normal activity pattern table 500. Note [0149] wherein the normal activity pattern table 500 is described as a model that may be represented as a table or as a graph data structure comprising a set of characteristics.) See FIG. 5, (FIG. 5 illustrates elements of a normal activity pattern table 500 including characteristics indicating a source 506 attribute, i.e. retrieve the object graph from the tenant storage region associated with the tenant (e.g. the method comprises utilizing the normal activity pattern table 500 which includes entries associated with a source characteristic 506 which may include a host, host group, machine account, machine account group, IP address, IP address group, etc.).) and in response to the financial transaction data not being the false positive, end processing the financial transaction data. See FIG. 
6, (Method 600 comprises step 650 of generating an alert and designating an access record as being an anomaly, followed by step 655 of designating the access records being processed, i.e. in response to the financial transaction data not being the false positive, end processing the financial transaction data (e.g. the system designates the access record as being an anomaly, indicates the record as being processed and completes processing).)

Bedi and SHULMAN are analogous art because they are in the same field of endeavor, anomaly detection. It would have been obvious to anyone having ordinary skill in the art before the effective filing date to modify the system of Bedi to include the method of determining anomalous records from network traffic patterns as disclosed by SHULMAN. Paragraph [0077] of SHULMAN discloses that the use of tunnel token configurations allows the system to support an unlimited variety of protocols, utilizing a simple and stable premise component that may be easily deployed into an enterprise network and may require no changes for adding new protocols or new detection algorithms, is decoupled from any existing activity monitoring deployments/products of the enterprise, allow agile development allowing for the rapid introduction of experimental tokens and detection algorithms, and not affect any existing token distribution mechanisms.

Bedi-SHULMAN does not disclose the step wherein the set of required relationships are based on the business functions associated with the tenant, and wherein the object graph is associated with the tenant of the tenanted database; determine whether the financial transaction data conform with the set of required relationships of the object graph; and in response to a determination that the financial transaction data does not conform with the set of required relationships of the object graph, determine the financial transaction data is not a false positive; in response to the financial transaction data being the false positive, indicate that the financial transaction data is normal; Verma discloses the step wherein the set of required relationships are based on the business functions associated with the tenant, and wherein the object graph is associated with the tenant of the tenanted database; See Paragraph [0051], (Disclosing a system for identifying and mitigating outlier network activity. Graph generation involves a set of variables including customer-specific details, account-specific characteristics of a customer, and transaction characteristics aggregated to summarize the activity of each account held by the customer. Note [0037] wherein the activity includes network activity associated with interactions between the network of users such as transactions in which the plurality of users are engaged, user account characteristics, service usage, or other user behaviors that may be observed by the detection device 110. Additionally, note [0043] wherein the system may be embodied as a financial network operated by a financial services provider, i.e. wherein the object graph comprises a set of required relationships required to conduct a financial transaction that exist amongst a set of objects (e.g. 
Note [0050] wherein transaction characteristics that summarize the activity of an account are used to generate the graph), wherein the set of required relationships are based on the business functions associated with the tenant (e.g. transactions of a financial network system are associated with user accounts ), and wherein the object graph is associated with the tenant of the tenanted database (e.g. As noted in [0050], account-specific details and customer characteristics are used to generate the graph and represents transaction data for a particular customer or customers).) determine whether the financial transaction data conform with the set of required relationships of the object graph; See Paragraph [0143], (A case may be raised because of a change in transaction information that may indicate a suspected outlier node/user transaction history. An end user may review the suspected information to determine if the raised case is legitimate outlier network activity or just an anomaly.) See Paragraph [0073], (Attribute prediction module 130 may evaluate a network model against the set of rules to produce a set of classifications that classify the nodes (representing users) as outliers (or exhibiting behavior similar to an outlier) or non-outlier. Note [0077] wherein after the graph is generated, attribute prediction module 130 may analyze each node's importance using the one or more implemented rules, i.e. determine whether the financial transaction data conform with the set of required relationships of the object graph.) and in response to a determination that the financial transaction data does not conform with the set of required relationships of the object graph, determine the financial transaction data is not a false positive; See Paragraphs [0008] & [0041], (The graph-based analysis may detect abnormal influences present in a group of network users exhibiting behavioral similarities. 
The graph-based analysis may enable identification of outlier network activity based on abnormal-by-association analysis by performing analysis on behavioral characteristics of users and user groups.) See Paragraph [0143], A case may be raised because of a change in transaction information that may indicate a suspected outlier node/user transaction history. An end user may review the suspected information to determine if the raised case is legitimate outlier network activity (e.g. not a false positive identification of outlier network activity) or just an anomaly. in response to the transaction data being the false positive, indicate that the financial transaction data is normal; See Paragraph [0116], (FIG. 4 illustrates a graphical user interface that a user may use to escalate or convert an investigated case to outlier status such as by confirming that a raised case is outlier network activity or provide feedback that indicates an identified case of outlier network activity was a false positive, i.e. in response to the transaction data being the false positive, indicate that the financial transaction data is normal (e.g. the provided feedback indicates that an outlier element is considered a false positive).)

Bedi, SHULMAN and Verma are analogous art because they are in the same field of endeavor, graph-based anomaly detection for enterprise data. It would have been obvious to anyone having ordinary skill in the art before the effective filing date to modify the system of Bedi-SHULMAN to include the method of processing network activity information in a graph format as disclosed by Verma. Paragraph [0007] of Verma discloses that the system may provide an improved process of more accurately identifying instances of outlier network activity, which results in a reduction in total analysis time for each individual case indicating a potential anomaly.

Regarding dependent claim 2, As discussed above with claim 1, Bedi-SHULMAN-Verma discloses all of the limitations. 
Verma further discloses the step wherein the processor is further configured to determine whether there is an error detected using a classifier. See Paragraph [0059], (A user may specify that detection device 110 is to perform outlier network activity analysis on one or more datasets to identify outlier network activity.) See Paragraph [0073], (Attribute prediction module 130 is configured to evaluate the network model against a set of one or more attribute prediction rules and may produce a set of classifications that classify the user nodes as outliers, exhibiting behavior similar to outliers or non-outliers, i.e. wherein the processor is further configured to determine whether there is an error detected using a classifier (e.g. an outlier classification representing unusual or anomalous behavior).)

Regarding dependent claim 3, As discussed above with claim 2, Bedi-SHULMAN-Verma discloses all of the limitations. Verma further discloses the step wherein the classifier comprises a multi-category classifier. See Paragraph [0073], (Attribute prediction module 130 is configured to evaluate the network model against a set of one or more attribute prediction rules and may produce a set of classifications that classify the user nodes as outliers, exhibiting behavior similar to outliers or non-outliers, i.e. wherein the classifier comprises a multi-category classifier.)

Regarding dependent claim 4, As discussed above with claim 2, Bedi-SHULMAN-Verma discloses all of the limitations. Verma further discloses the step wherein the classifier comprises a model-based classifier. See Paragraph [0081], (Attribute prediction model 130 may evaluate a network model against one or more attribute prediction rules to produce a set of classifications. The set of classifications may classify user nodes of a generated graph as outliers or non-outliers, i.e. wherein the classifier comprises a model-based classifier.)

Regarding dependent claim 13, As discussed above with claim 1, Bedi-SHULMAN-Verma discloses all of the limitations. Bedi further discloses the step wherein the database data is stored using a database system. See FIG. 1 & Paragraph [0019], (FIG. 1 illustrates graph database service 100 comprising graph database 140 configured to store elements of data in a graph data store format and triple store format, i.e. wherein the database data is stored using a database system.)

Regarding dependent claim 14, As discussed above with claim 1, Bedi-SHULMAN-Verma discloses all of the limitations. Bedi further discloses the step wherein the database data comprises an object graph. Graph analytics may be performed using the graph database service to provide new insights by processing graphs and mining said graphs for new information, i.e. wherein the database data comprises an object graph (e.g. graph database 140 includes a plurality of data structures including indexes and triple table as in FIG. 1 and graphs having information associated with the plurality of indices and triple table.)

Regarding dependent claim 15, As discussed above with claim 1, Bedi-SHULMAN-Verma discloses all of the limitations. Verma further discloses the step wherein the database data comprises relational database data. See Paragraph [0061], (The graph-centric approach of detection model 110 converts raw relational data of customers into a graph structured based on a set of features, i.e. wherein the database data comprises relational database data.)

Regarding dependent claim 18, As discussed above with claim 1, Bedi-SHULMAN-Verma discloses all of the limitations. Verma further discloses the step wherein the financial transaction data comprises purchase transaction data, payment transaction data, transfer transaction data, ledger data, cost center data, financial data, journal line data, or human resources system data. 
Paragraph [0035], (Clients in the financial sector may utilize graph database service to process a stream of credit card transactions as graph queries to identify potential anomalies, i.e. wherein the financial transaction data comprises financial data (e.g. credit card transactions are financial data).)

Regarding independent claim 19, Bedi discloses a method for false positive detection comprising: receiving financial transaction data associated with a tenant of a tenanted database, wherein the tenant comprises an organization associated with business functions, and wherein data of the tenanted database is stored in a tenant storage region associated with the tenant; See Paragraph [0035], (Disclosing a system for querying data of a graph database using graph database query languages. Graph database service 100 may be used by clients in varying domains such as social networks, recommendation engines, data management, network and IT management, fraud detection, medical applications, Online Transaction Processing (OLTP) and Online Analytics Processing (OLAP) workloads, etc. Clients in the financial sector may use graph database service 100 to process a stream of credit card transactions as graph queries to identify potential anomalies, i.e. an interface configured to receive financial transaction data associated with a tenant of a tenanted database (e.g. elements of a financial institution may interact with the graph database wherein data is partitioned into a plurality of property-scoped indexes, i.e. tenants of a tenanted database (e.g. the individual indices).) See FIG. 1 & Paragraph [0061], (FIG. 1 illustrates graph database 140 as being organized into a plurality of property-scoped indices 160A-160N which are stored as separate data structures from each other and from triple table 150, i.e. 
wherein data of the tenanted database is stored in a tenant storage region associated with the tenant;) Bedi does not disclose the step of determining, using a processor, whether the financial transaction data is a statistical outlier; and in response to the financial transaction data being the statistical outlier: querying database data to determine whether the financial transaction data is a false positive, comprising: selecting an object graph associated with the financial transaction data, wherein the object graph comprises a set of required relationships required to conduct a financial transaction that exist amongst a set of objects, wherein the set of required relationships are based on the business functions associated with the tenant, retrieving the object graph from the tenant storage region associated with the tenant; SHULMAN discloses the step of determining, using a processor, whether the financial transaction data is a statistical outlier; See Paragraphs [0035] & [0071], (The system may detect/identify deviation or anomalies from established network traffic patterns, i.e. determine whether the financial transaction data is a statistical outlier (e.g. Note [0162] wherein traffic patterns may be associated with a plurality of characteristics including a machine value and account value, wherein the account value may be associated with a finance department of an enterprise (e.g. traffic patterns may relate to enterprise operations including financial transactions).) and in response to the financial transaction data being the statistical outlier: querying database data to determine whether the financial transaction data is a false positive, comprising: selecting an object graph associated with the financial transaction data, See FIG. 6, (Disclosing a system for monitoring traffic patterns of a network. FIG. 
6 illustrates method 600 comprising step 620 wherein the system may determine whether a source, time and duration characteristics of a normal activity pattern are matched by an unprocessed access record. Note [0141] wherein unprocessed access records correspond to network traffic originating from one or more enterprise end stations. Additionally, note [0152] wherein traffic events are associated with a traffic type identifier, i.e. determine a query type (e.g. an access record representing a request to interact with a network) based on statistical outlier detector data; wherein the object graph comprises a set of required relationships required to conduct a financial transaction that exist amongst a set of objects, wherein the set of required relationships are based on the business functions associated with the tenant, See FIG. 6, (Method 600 comprises step 610 wherein the system determines whether an unprocessed access record is a complete match to any of the normal activity patterns 522 of the normal activity pattern table 500. Note [0149] wherein the normal activity pattern table 500 may be embodied as a graph data structure, i.e. wherein the object graph comprises a set of required relationships required to conduct a financial transaction that exist amongst a set of objects.) See FIG. 5 & Paragraph [0216], (FIG. 5 illustrates a format of the normal activity pattern table 500 including a pattern characteristic 502 that indicates a type of message associated with an access record that is associated with a source 506, i.e. wherein the set of required relationships are based on the business functions associated with the tenant) retrieving the object graph from the tenant storage region associated with the tenant; See FIG. 6, (Method 600 comprising step 605 of matching unprocessed access records against pattern characteristics of normal activity patterns of the normal activity pattern table 500. 
Note [0149] wherein the normal activity pattern table 500 is described as a model that may be represented as a table or as a graph data structure comprising a set of characteristics.) See FIG. 5, (FIG. 5 illustrates elements of a normal activity pattern table 500 including characteristics indicating a source 506 attribute, i.e. retrieve the object graph from the tenant storage region associated with the tenant (e.g. the method comprises utilizing the normal activity pattern table 500 which includes entries associated with a source characteristic 506 which may include a host, host group, machine account, machine account group, IP address, IP address group, etc.).) and in response to the financial transaction data not being the false positive, auto-generating a recommended modification to ending processing the financial transaction data based on the set of required relationships of the object graph, and providing the recommended modification to a device. See FIG. 6 & [0186], (Method 600 comprises step 650 of generating an alert and designating an access record as being an anomaly following the determination that said record is not part of a valid pattern.) See Paragraphs [0071]-[002], (Traffic Monitoring Module (TMM) 104 is configured to generate an alert and send alert data 148 to an enterprise network administrator or management server 108. Generating alert data 184 comprises causing one or more actions to be performed including blocking certain network traffic, sending a notification message to an administrative user, sending a notification message to a security gateway 102, management server 108 and/or servers 111 which allows those recipients to implement further security protections against the intruder 124, i.e. in response to the financial transaction data not being the false positive (e.g. 
determining that the record represents an anomalous access), auto-generating a recommended modification to ending processing the financial transaction data based on the set of required relationships of the object graph (e.g. the determination that a record comprises an anomaly relies on normal activity pattern table 500 which may be represented using a graph data structure ), and providing the recommended modification to a device (e.g. alert data 184 is transmitted to any of a plurality of users, devices and/or network components for further action). Bedi-SHULMAN does not disclose the step wherein the set of required relationships are based on the business functions associated with the tenant, and wherein the object graph is associated with the tenant of the tenanted database; determine whether the financial transaction data conform with the set of required relationships of the object graph; and in response to a determination that the financial transaction data does not conform with the set of required relationships of the object graph, determine the financial transaction data is not a false positive; in response to the financial transaction data being the false positive, indicate that the financial transaction data is normal; Verma discloses the step wherein the set of required relationships are based on the business functions associated with the tenant, and wherein the object graph is associated with the tenant of the tenanted database; See Paragraph [0051], (Disclosing a system for identifying and mitigating outlier network activity. Graph generation involves a set of variables including customer-specific details, account-specific characteristics of a customer, and transaction characteristics aggregated to summarize the activity of each account held by the customer. 
Note [0037] wherein the activity includes network activity associated with interactions between the network of users such as transactions in which the plurality of users are engaged, user account characteristics, service usage, or other user behaviors that may be observed by the detection device 110. Additionally, note [0043] wherein the system may be embodied as a financial network operated by a financial services provider, i.e. wherein the object graph comprises a set of required relationships required to conduct a financial transaction that exist amongst a set of objects (e.g. Note [0050] wherein transaction characteristics that summarize the activity of an account are used to generate the graph), wherein the set of required relationships are based on the business functions associated with the tenant (e.g. transactions of a financial network system are associated with user accounts ), and wherein the object graph is associated with the tenant of the tenanted database (e.g. As noted in [0050], account-specific details and customer characteristics are used to generate the graph and represents transaction data for a particular customer or customers).) determine whether the financial transaction data conform with the set of required relationships of the object graph; See Paragraph [0143], (A case may be raised because of a change in transaction information that may indicate a suspected outlier node/user transaction history. An end user may review the suspected information to determine if the raised case is legitimate outlier network activity or just an anomaly.) See Paragraph [0073], (Attribute prediction module 130 may evaluate a network model against the set of rules to produce a set of classifications that classify the nodes (representing users) as outliers (or exhibiting behavior similar to an outlier) or non-outlier. 
Note [0077] wherein after the graph is generated, attribute prediction module 130 may analyze each node's importance using the one or more implemented rules, i.e. determine whether the financial transaction data conform with the set of required relationships of the object graph.) and in response to a determination that the financial transaction data does not conform with the set of required relationships of the object graph, determine the financial transaction data is not a false positive; See Paragraphs [0008] & [0041], (The graph-based analysis may detect abnormal influences present in a group of network users exhibiting behavioral similarities. The graph-based analysis may enable identification of outlier network activity based on abnormal-by-association analysis by performing analysis on behavioral characteristics of users and user groups.) See Paragraph [0143], A case may be raised because of a change in transaction information that may indicate a suspected outlier node/user transaction history. An end user may review the suspected information to determine if the raised case is legitimate outlier network activity (e.g. not a false positive identification of outlier network activity) or just an anomaly. in response to the transaction data being the false positive, indicate that the financial transaction data is normal; See Paragraph [0116], (FIG. 4 illustrates a graphical user interface that a user may use to escalate or convert an investigated case to outlier status such as by confirming that a raised case is outlier network activity or provide feedback that indicates an identified case of outlier network activity was a false positive, i.e. in response to the transaction data being the false positive, indicate that the financial transaction data is normal (e.g. the provided feedback indicates that an outlier element is considered a false positive).) 
Bedi, SHULMAN and Verma are analogous art because they are in the same field of endeavor, graph-based anomaly detection for enterprise data. It would have been obvious to anyone having ordinary skill in the art before the effective filing date to modify the system of Bedi-SHULMAN to include the method of processing network activity information in a graph format as disclosed by Verma. Paragraph [0007] of Verma discloses that the system may provide an improved process of more accurately identifying instances of outlier network activity, which results in a reduction in total analysis time for each individual case indicating a potential anomaly.

Regarding independent claim 20,
The claim is analogous to the subject matter of independent claim 19 directed to a non-transitory, computer readable medium and is rejected under similar rationale.

Claims 6-7 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bedi in view of SHULMAN and Verma, as applied to claim 2 above, and further in view of Herwadkar et al. (US PGPUB No. 2019/0102553; Pub. Date: Apr. 4, 2019).

Regarding dependent claim 6,
As discussed above with claim 2, Bedi-SHULMAN-Verma discloses all of the limitations. Bedi-SHULMAN-Verma does not disclose the step wherein the processor is further configured to determine whether the financial transaction data is a statistical outlier in response to determining that the error is not detected using the classifier.

Herwadkar discloses the step wherein the processor is further configured to determine whether the financial transaction data is a statistical outlier in response to determining that the error is not detected using the classifier.

See Paragraph [0155], (The query evaluation process includes determining a probability cutoff based on how many of the feature attributes in a query are outliers, i.e. determining whether transaction data is a statistical outlier. If the probability is greater than the threshold, the query is classified as normal, i.e.
an error is not detected using the classifier.)

The examiner notes that while Herwadkar is not explicitly directed to financial data, the method of Bedi is capable of handling financial records associated with a plurality of users, See [0035].

Bedi, SHULMAN, Verma and Herwadkar are analogous art because they are in the same field of endeavor, anomaly detection. It would have been obvious to anyone having ordinary skill in the art before the effective filing date to modify the system of Bedi-SHULMAN-Verma to include the method of processing query outliers according to probability thresholds as disclosed by Herwadkar. Paragraph [0063] of Herwadkar discloses that the techniques employed allow the system to identify anomalies in a more flexible and/or adaptive manner without requiring rules to address all possible correct access paths to a relational database management system, thereby improving the use of relational databases and the detection of anomalous queries directed to said databases.

Regarding dependent claim 7,
As discussed above with claim 1, Bedi-SHULMAN-Verma discloses all of the limitations. Bedi-SHULMAN-Verma does not disclose the step wherein the processor is further configured to indicate that the financial transaction data does not comprise an unknown potential error in response to the transaction data not being the statistical outlier.

Herwadkar discloses the step wherein the processor is further configured to indicate that the financial transaction data does not comprise an unknown potential error in response to the transaction data not being the statistical outlier.

See Paragraph [0155], (The query evaluation process includes determining a probability cutoff based on how many of the feature attributes in a query are outliers, i.e. determining whether transaction data is a statistical outlier. If the probability is greater than the threshold, the query is classified as normal, i.e.
a query that is classified as "normal" does not comprise an unknown potential error and does not represent a statistical outlier.)

The examiner notes that while Herwadkar is not explicitly directed to financial data, the method of Bedi is capable of handling financial records associated with a plurality of users, See [0035].

Bedi, SHULMAN, Verma and Herwadkar are analogous art because they are in the same field of endeavor, anomaly detection. It would have been obvious to anyone having ordinary skill in the art before the effective filing date to modify the system of Bedi-SHULMAN-Verma to include the method of processing query outliers according to probability thresholds as disclosed by Herwadkar. Paragraph [0063] of Herwadkar discloses that the techniques employed allow the system to identify anomalies in a more flexible and/or adaptive manner without requiring rules to address all possible correct access paths to a relational database management system, thereby improving the use of relational databases and the detection of anomalous queries directed to said databases.

Claims 9-12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bedi in view of SHULMAN and Verma as applied to claim 1 above, and further in view of Baradaran et al. (US PGPUB No. 2017/0126718; Pub. Date: May 4, 2017).

Regarding dependent claim 9,
As discussed above with claim 1, Bedi-SHULMAN-Verma discloses all of the limitations. Bedi-SHULMAN-Verma does not disclose the step wherein the processor is further configured to determine using feedback whether the unknown potential error is an actual error in response to the financial transaction data not being the false positive.

Baradaran discloses the step wherein the processor is further configured to determine using feedback whether the unknown potential error is an actual error in response to the financial transaction data not being the false positive.
See Paragraph [0323], (Univariate and multivariate rules may be updated based on user input received for a particular anomaly in order to generate further information about said anomaly, i.e. users may provide feedback to further explain and/or encompass all possible anomaly explanations, i.e. determining whether an error is an actual error. Note [0323] wherein the method is performed if an anomaly is detected, i.e. no false positives are detected.)

The examiner notes that while Baradaran is not explicitly directed to financial data, the method of Bedi is capable of handling financial records associated with a plurality of users, See [0035].

Bedi, SHULMAN, Verma and Baradaran are analogous art because they are in the same field of endeavor, anomaly detection. It would have been obvious to anyone having ordinary skill in the art before the effective filing date to modify the system of Bedi-SHULMAN-Verma to include the anomaly detection and method of output as described by Baradaran. Doing so would allow users to receive indication of anomalies and the potential reason(s) for said anomalies. The method may also provide outputs following determination that network traffic is not anomalous, including false positives, and similarly generating output information for a user as described in Paragraph [0323] of Baradaran. The resulting improvement would be the delivery of anomaly and/or false positive information to a user allowing them to react accordingly.

Regarding dependent claim 10,
As discussed above with claim 9, Bedi-SHULMAN-Verma-Baradaran discloses all of the limitations. Verma further discloses the step wherein feedback comprises active feedback or passive feedback.

See Paragraph [0108], (End-user system 100 comprises various interactive tools and user interfaces that allow users to provide feedback to the system in order to tune and improve processes executed by the system, i.e. wherein feedback comprises active feedback (e.g. feedback provided by the user).)
Regarding dependent claim 11,
As discussed above with claim 9, Bedi-SHULMAN-Verma-Baradaran discloses all of the limitations. Verma further discloses the step wherein the processor is further configured to use the feedback to train a false positive screen.

See Paragraph [0116], (An end user may escalate or convert an investigated case to outlier status such as by providing feedback indicating that an identified case of outlier network activity is a false positive.)

See Paragraph [0114], (The use of a decision engine configured to process network models to detect outlier network activity may reduce the number of false positives identified by the system, i.e. wherein the processor is further configured to use the feedback to train a false positive screen.)

Regarding dependent claim 12,
As discussed above with claim 9, Bedi-SHULMAN-Verma-Baradaran discloses all of the limitations. Verma further discloses the step wherein the processor is further configured to use the feedback to train a classifier.

See Paragraph [0130], (An end user may provide feedback to the system indicating whether or not a particular raised case is outlier network activity. The system may employ self-learning processes that utilize the user feedback to tune one or more aspects of the system such as modifying the model, rule sets, decision engine, etc., i.e. wherein the processor is further configured to use the feedback to train a classifier.)

Claim 5 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bedi in view of SHULMAN and Verma as applied to claim 2 above, and further in view of Pang et al. (US PGPUB No. 2016/0359880; Pub. Date: Dec. 8, 2016).

Regarding dependent claim 5,
As discussed above with claim 2, Bedi-SHULMAN-Verma discloses all of the limitations.
Bedi-SHULMAN-Verma does not disclose the step wherein the processor is further configured to indicate that the financial transaction data comprises a known error in response to determining that the error is detected using the classifier.

Pang discloses the step wherein the processor is further configured to indicate that the financial transaction data comprises a known error in response to determining that the error is detected using the classifier.

See Paragraph [0036], (Disclosing an analytics engine for identifying outlier observations. If a training set of example data with known outlier labels exists, supervised anomaly detection techniques may be used to train a classifier, i.e. the known outlier label is a known error that may be detected using the classifier.)

The examiner notes that while Pang is not explicitly directed to financial data, the method of Bedi is capable of handling financial records associated with a plurality of users, See [0035].

Bedi, SHULMAN, Verma and Pang are analogous art because they are in the same field of endeavor, anomaly detection. It would have been obvious to anyone having ordinary skill in the art before the effective filing date to modify the system of Bedi-SHULMAN-Verma to include the supervised training techniques using known outlier labels as described by Pang. Paragraph [0030] of Pang discloses that the system may recognize previously learned and/or identified anomalous conditions using supervised training techniques that can be further refined via additional training datasets.

Claims 16-17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bedi in view of SHULMAN and Verma as applied to claim 1 above, and further in view of BLAKE et al. (US PGPUB No. 2018/0267741; Pub. Date: Sep. 20, 2018).

Regarding dependent claim 16,
As discussed above with claim 1, Bedi-SHULMAN-Verma discloses all of the limitations.
Bedi-SHULMAN-Verma does not disclose the step wherein querying the database data to determine whether the financial transaction data is a false positive comprises querying the database data to determine whether the financial transaction data comprises a short edit distance to financial transaction data not comprising a statistical outlier.

BLAKE discloses the step wherein querying the database data to determine whether the financial transaction data is a false positive comprises querying the database data to determine whether the financial transaction data comprises a short edit distance to financial transaction data not comprising a statistical outlier.

See Paragraph [0054], (Disclosing a method for monitoring a data store. The method including detecting false positives in response to a determination that an address of a queried region of data has changed, i.e. a short edit distance comprising a changed field of an address.)

The examiner notes that while BLAKE is not explicitly directed to financial data, the method of Bedi is capable of handling financial records associated with a plurality of users, See [0035].

Bedi, SHULMAN, Verma and BLAKE are analogous art because they are in the same field of endeavor, data monitoring and analysis. It would have been obvious to anyone having ordinary skill in the art before the effective filing date to modify the system of Bedi-SHULMAN-Verma to include the method of detecting false positives in response to changes in addresses for data records as described by BLAKE. Paragraph [0054] of BLAKE discloses that the process reduces storage overhead for monitoring data.

Regarding dependent claim 17,
As discussed above with claim 16, Bedi-SHULMAN-Verma-BLAKE discloses all of the limitations. BLAKE further discloses the step wherein the short edit distance comprises at least one of: a changed tag, a changed field of an address, or a changed digit of an identification number.
See Paragraph [0054], (Disclosing a method for monitoring a data store. The method including detecting false positives in response to a determination that an address of a queried region of data has changed, i.e. a short edit distance comprising a changed field of an address.)

Bedi, SHULMAN, Verma and BLAKE are analogous art because they are in the same field of endeavor, data monitoring and analysis. It would have been obvious to anyone having ordinary skill in the art before the effective filing date to modify the system of Bedi-SHULMAN-Verma to include the method of detecting false positives in response to changes in addresses for data records as described by BLAKE. Paragraph [0054] of BLAKE discloses that the process reduces storage overhead for monitoring data.

Claim 22 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bedi in view of SHULMAN and Verma as applied to claim 1 above, and further in view of LEE et al. (US PGPUB No. 2011/0093785; Pub. Date: Apr. 21, 2011).

Regarding dependent claim 22,
As discussed above with claim 1, Bedi-SHULMAN-Verma discloses all of the limitations. Bedi-SHULMAN-Verma does not disclose the step wherein the processor is further configured to: after determining the query type, determine one or more queries based on the query type, wherein the querying the database data is performed using the one or more queries to determine whether the financial transaction data is a false positive.

LEE discloses the step wherein the processor is further configured to: after determining the query type, determine one or more queries based on the query type, wherein the querying the database data is performed using the one or more queries to determine whether the financial transaction data is a false positive.

See Paragraph [0022] & [0061], (Disclosing a system for network management including analyzing Internet application traffic. The system may classify internet application traffic via a plug-in scheme and benchmark function.
The benchmark methodology includes evaluating transactions using performance metrics defined as: true positive, false positive, true negative, false negative.)

See Paragraph [0048], (Classification execution unit 51 identifies and classifies an application associated with an Internet application traffic flow record of each transaction, i.e. after determining the query type, determine one or more queries based on the query type (e.g. the classification system may determine an application related with multiple traffic flow records and multiple transactions), wherein the querying the database data is performed using the one or more queries to determine whether the financial transaction data is a false positive (e.g. Note [0064] wherein a false positive (FP) classification is defined by the number of Internet application flows inaccurately belonging to a given application.)).

Bedi, SHULMAN, Verma and LEE are analogous art because they are in the same field of endeavor, anomaly detection. It would have been obvious to anyone having ordinary skill in the art before the effective filing date to modify the system of Bedi-SHULMAN-Verma to include the method of classifying transaction records in order to assign performance metrics as disclosed by LEE. Paragraph [0077] of LEE discloses that the method for classifying application traffic and framework for providing benchmark information may provide accurate analysis results and improve the efficiency of operation of internet networks by providing a plug-in scheme that allows for objective and accurate classification evaluation technologies.

Response to Arguments

Applicant’s arguments with respect to claim(s) 1, 19 and 20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Applicant’s amendments necessitated the new grounds of rejection presented in this Office Action.
Applicant’s amendments modified the scope of the claims, which necessitated the review of new art as well as previously cited references.

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Fernando M Mari whose telephone number is (571)272-2498. The examiner can normally be reached Monday-Friday 7am-4pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ann J. Lo can be reached at (571) 272-9767. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center.
Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/FMMV/Examiner, Art Unit 2159
/ANN J LO/Supervisory Patent Examiner, Art Unit 2159

Prosecution Timeline

May 07, 2019
Application Filed
Jan 12, 2021
Non-Final Rejection — §103
Apr 01, 2021
Examiner Interview Summary
Apr 01, 2021
Applicant Interview (Telephonic)
Apr 16, 2021
Response Filed
May 25, 2021
Final Rejection — §103
Sep 01, 2021
Applicant Interview (Telephonic)
Sep 01, 2021
Examiner Interview Summary
Sep 15, 2021
Request for Continued Examination
Oct 04, 2021
Response after Non-Final Action
Feb 16, 2022
Non-Final Rejection — §103
Jun 08, 2022
Applicant Interview (Telephonic)
Jun 08, 2022
Examiner Interview Summary
Jun 17, 2022
Response Filed
Jul 25, 2022
Final Rejection — §103
Oct 27, 2022
Applicant Interview (Telephonic)
Oct 27, 2022
Examiner Interview Summary
Oct 28, 2022
Request for Continued Examination
Nov 04, 2022
Response after Non-Final Action
Dec 02, 2022
Non-Final Rejection — §103
Mar 06, 2023
Response Filed
Mar 06, 2023
Applicant Interview (Telephonic)
Mar 08, 2023
Examiner Interview Summary
Apr 12, 2023
Final Rejection — §103
Aug 15, 2023
Applicant Interview (Telephonic)
Aug 15, 2023
Examiner Interview Summary
Aug 16, 2023
Request for Continued Examination
Aug 21, 2023
Response after Non-Final Action
Sep 21, 2023
Non-Final Rejection — §103
Dec 21, 2023
Response Filed
Jan 23, 2024
Final Rejection — §103
May 15, 2024
Examiner Interview Summary
May 15, 2024
Applicant Interview (Telephonic)
May 29, 2024
Request for Continued Examination
Jun 05, 2024
Response after Non-Final Action
Aug 01, 2024
Non-Final Rejection — §103
Dec 23, 2024
Response Filed
Feb 05, 2025
Final Rejection — §103
May 08, 2025
Applicant Interview (Telephonic)
May 08, 2025
Examiner Interview Summary
May 12, 2025
Request for Continued Examination
May 18, 2025
Response after Non-Final Action
Sep 03, 2025
Non-Final Rejection — §103
Dec 08, 2025
Applicant Interview (Telephonic)
Dec 08, 2025
Examiner Interview Summary
Dec 11, 2025
Response Filed
Jan 20, 2026
Final Rejection — §103
Mar 27, 2026
Applicant Interview (Telephonic)
Mar 30, 2026
Examiner Interview Summary

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12591588
CATEGORICAL SEARCH USING VISUAL CUES AND HEURISTICS
2y 5m to grant Granted Mar 31, 2026
Patent 12547593
METHOD AND APPARATUS FOR SHARING FAVORITE
2y 5m to grant Granted Feb 10, 2026
Patent 12505129
Distributed Database System
2y 5m to grant Granted Dec 23, 2025
Patent 12499123
ACTOR-BASED INFORMATION SYSTEM
2y 5m to grant Granted Dec 16, 2025
Patent 12499121
REAL-TIME MONITORING AND REPORTING SYSTEMS AND METHODS FOR INFORMATION ACCESS PLATFORM
2y 5m to grant Granted Dec 16, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

13-14
Expected OA Rounds
49%
Grant Probability
71%
With Interview (+22.0%)
3y 10m
Median Time to Grant
High
PTA Risk
Based on 145 resolved cases by this examiner. Grant probability derived from career allow rate.
