Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
The response filed 7/11/2025 was received and considered.
Claims 21-26 and 28-38 are pending.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 11/5/2025 has been entered.
Response to Arguments
Applicant's arguments filed 7/11/2025 have been fully considered but they are not persuasive.
Applicant’s remarks (pp. 7-12) summarize the prior art.
Applicant’s remarks (pp. 12-13) summarize the amendments. However, the original specification fails to disclose that the clustering engine “detects non-streaming data”, “detects a change from the non-streaming data to streaming data” and “switches to clustering” (claims 21 and 32) in such a way as to reasonably convey to one skilled in the relevant art that the inventor(s) had possession of the claimed invention at the time the application was filed.
Applicant’s remarks (p. 13, regarding rejections under 35 U.S.C. §103) suggest:
“The cited references, either alone or in combination, have not been shown in the Office Action to teach "wherein, in operation, the clustering engine detects non-streaming data and clusters the non-streaming data, using agglomerative hierarchical clustering comprising a ROCK algorithm that calculates Jaccard similarity, and outputs cluster representations used as baseline behavior for peer groups, together two or more users or entities based on common behavior as a peer group, and wherein, in operation, the peer group changes over time if the user or entity behavior changes according to the concept drift."
Regarding the previously-cited prior art, M’raihi, in an analogous art to Koottayi (detecting anomalous/fraudulent behaviors in networked devices, ¶12), teaches that it was known to cluster behaviors using the ROCK algorithm (robust clustering using links), an agglomerative hierarchical clustering algorithm (¶59), resulting in clusters that aren’t too large or small (¶61) and allows for different clustering configurations for various situations (¶64) and ultimately enabling early fraud detection without false positives or false negatives (¶64). Aggarwal teaches that it was known to use condensation-based stream clustering (Constream) to efficiently cluster large streams of data and detect outliers (p. 173, ¶2) using an algorithm that adapts to concept drift (quickly adapts to the evolution in the data stream to represent behavior within a given temporal locality, p. 182, §5, ¶1 and p. 194, §6, ¶2). Tu teaches that, while algorithms like Clustream are applicable to clustering streams, hierarchical agglomerative clustering is infeasible for clustering streaming data (§1).
Regarding the limitation “comprising a ROCK algorithm that calculates Jaccard similarity, and outputs cluster representations used as baseline behavior for peer groups”, the cited prior art teaches establishing a baseline user behavior for peer groups (clusters) (Koottayi, Fig. 2 and ¶¶84-85, generating behaviors models) and teaches that ROCK is a clustering algorithm (M’raihi, ¶59) and thus, combined with Koottayi, results in outputting cluster representations used as a baseline behavior for peer groups (initial learning, M’raihi, ¶59 and ¶63). Further, “ROCK: A robust clustering algorithm for categorical attributes” (Guha et al.) is cited for teaching implementation of the ROCK algorithm, teaching using Jaccard coefficients as a similarity measure (Example 1.1, ¶3; see also §1.2, ¶1). Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Koottayi to calculate Jaccard similarity, to utilize a known measure of similarity in establishing clusters, as taught by Guha.
Applicant’s remarks (p. 13) suggest:
“The cited references, either alone or in combination, have not been shown in the Office Action to teach "wherein, in operation, the clustering engine detects a change from the non- streaming data to streaming data and switches to clustering using a streaming clustering algorithm that adapts to the concept drift, wherein the streaming clustering algorithm comprises a ConStream method that uses a weighted Jaccard coefficient with a fading function, and clusters user or entity data, for comparison to the peer group, based on common attributes and behaviors.”
However, Aggarwal teaches that it was known to utilize ConStream with a weighted Jaccard coefficient (p. 178, §3.1, ¶4 and equation (2)) with a fading function (¶175, ¶1). Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to further modify Koottayi such that the clustering engine uses a streaming clustering algorithm that adapts to concept drift, wherein the streaming clustering algorithm comprises a ConStream method that uses a weighted Jaccard coefficient with a fading function, and clusters the user or entity data. One of ordinary skill in the art would have been motivated to perform such a modification to utilize a known algorithm for clustering data efficiently, as taught by Aggarwal.
Applicant’s remarks (p. 14, regarding independent claim 32 and dependent claims 22-26, 28-31 and 33-38) point to the arguments addressed with respect to claim 21.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 21-26 and 28-38 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Regarding claims 21 and 32, the claims recites that the clustering engine “detects non-streaming data”, “detects a change from the non-streaming data to streaming data” and “switches to clustering”. However, these limitations were not disclosed in the original specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor(s) had possession of the claimed invention at the time the application was filed.
Regarding claim 22-31 and 33-38, the claims inherit the deficiency.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 21, 23-26, 28, 30-32 and 34-38 are rejected under 35 U.S.C. 103 as being unpatentable over US 2018/0288063 A1 to Koottayi et al. (Koottayi), in view of US 2019/0068627 A1 to Thampy, US 2016/0226901 A1 to Baikalov et al. (Baikalov), US 2017/0310691 A1 to Vasseur et al. (Vasseur), US 2007/0220595 A1 to M’raihi et al. (M’raihi), “On clustering massive text and categorical data streams” by Aggarwal et al. (Aggarwal), “Density-based hierarchical clustering for streaming data” by Tu et al. (Tu) and “ROCK: A robust clustering algorithm for categorical attributes” by Guha et al. (Guha).
Regarding claim 21, Koottayi discloses a system for user and entity behavior analysis, the system comprising: a model datastore that stores unsupervised machine learning models (stores a plurality of user models associated with a user, ¶116) that can detect time (time based model, ¶114), pattern (pattern based model, ¶114) anomalies; a model training (generating behavior models, ¶¶84-85) engine (behavioral analytics engine, ¶115) coupled to the model datastore and configured to train the unsupervised machine learning models (¶104, ¶115), using past events with respect to a specific user or entity (historical data of access requests, ¶115), wherein the models, after training, have knowledge regarding a data distribution of the past events (clustering based on historical data regarding times and patterns of accesses, ¶¶114-115); an inference engine coupled to the model datastore (behavioral analytics engine determines distance of instant access to historical access cluster, ¶115); a clustering engine coupled to the inference engine (behavioral analytics engine determines distance of real-time access data to historical access cluster, ¶115; see also ¶116); a risk score modification engine coupled to the clustering engine (risk determination based on distances between access parameters and historical data, ¶115); wherein, in operation, the inference engine: passes an incoming event to a subset of models present in the model datastore (passes access parameters based on models, ¶114, ¶116) to obtain a risk score that is a representation of how anomalous the incoming event is (passes access request 415, ¶115), and passes an expected value associated with an expected event that follows the data distribution of the past events (determines centroid of cluster representing expected behavior, ¶115), wherein the subset of models are automatically updated after inference (system learns and adapts based on a drift in behavior, ¶95, ¶118); automatically updates, with the incoming event after inference, data distributions of the subset of models to which the incoming event was passed (models learn and adapt based on changing behavior to determine new distribution, ¶95, ¶118); adapts concept drift, wherein the concept drift is associated with changes in user or entity behavior (models learn and adapt based on changing behavior to determine new distribution, ¶95, ¶118). Koottayi lacks detecting count anomalies. However, Thampy, in an analogous art (modeling user behavior to detect anomalies, abstract), teaches that it was known to model login activity and detect a variation in login IP addresses as an anomaly (¶161, ¶170; see also ¶233 teaching monitoring the number of occurrences of an action). Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Koottayi such that the models can detect count anomalies. One of ordinary skill in the art would have been motivated to perform such a modification to detect anomalies related to an unusual number of logins from a set of IP addresses, as taught by Thampy. As modified, Koottayi discloses clustering based on behavior by to establish a baseline behavior (generating behavioral models, ¶¶84-85), but lacks wherein, in operation, the clustering engine groups together two or more users or entities based on common behavior as a peer group; wherein, in operation, when the incoming event is anomalous, the risk score modification engine modifies a risk score of the incoming event associated with a user or entity by comparison with the peer group to which the user or entity belongs. However, Baikalov, in an analogous art (anomaly and risk detection using machine learning, ¶¶12-13) teaches that it was known to group together two or more users or entities based on common behavior as a peer group (group functionally similar groups of users, ¶15); wherein, in operation, when the incoming event is anomalous (probability of an event being anomalous, ¶23), a risk score modification engine modifies a risk score of the incoming event associated with a user or entity by comparison with the peer group to which the user or entity belongs (probability of the event being anomalous, P, is a function of both the individual anomaly calculation, Pi, and the probability of anomalous behavior with respect to the group, PG (¶¶23-24) to create a normalized anomaly probability (¶17). Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to further modify Koottayi such that, in operation, the clustering engine groups together two or more users or entities based on common behavior as a peer group; wherein, in operation, when the incoming event is anomalous, the risk score modification engine modifies a risk score of the incoming event associated with a user or entity by comparison with the peer group to which the user or entity belongs. One of ordinary skill in the art would have been motivated to perform such a modification to create a normalized anomaly probability and thus take into consideration whether a user’s potentially anomalous behavior is in fact non-anomalous for a group of similar users, as taught by Baikalov. As modified, Koottayi lacks wherein, in operation, the peer group changes over time if the user or entity behavior changes according to the concept drift. However, Vasseur, in an analogous art (detecting anomalies in networked devices, ¶78), teaches that it was known to cluster devices based on behavioral similarities (¶78) to detect outliers with respect to a clustered peer group (¶78) and further teaches updating feature vectors associated with devices to ignore sporadic variations and to adapt to behavioral changes of the devices (¶82, ¶85). Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to further modify Koottayi such that the peer group changes over time if the user or entity behavior changes according to the concept drift. One of ordinary skill in the art would have been motivated to perform such a modification to maintain accurate device clusters, as taught by Vasseur. As modified, Koottayi lacks that the clustering engine clusters non-streaming data, using agglomerative hierarchical clustering. However, M’raihi, in an analogous art (detecting anomalous/fraudulent behaviors in networked devices, ¶12), teaches that it was known to cluster behaviors using the ROCK algorithm (robust clustering using links), an agglomerative hierarchical clustering algorithm (¶59), resulting in clusters that aren’t too large or small (¶61) and allows for different clustering configurations for various situations (¶64) and ultimately enabling early fraud detection without false positives or false negatives (¶64). Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to further modify Koottayi such that the clustering engine clusters, using agglomerative hierarchical clustering, together two or more users or entities based on common behavior as a peer group, and wherein, in operation, the peer group changes over time if the user or entity behavior changes according to the concept drift. One of ordinary skill in the art would have been motivated to perform such a modification to gain the benefits of clusters that aren’t too large or small (¶61), allowing different clustering configurations for various situations (¶64) and enabling early fraud detection without false positives or false negatives (¶64). Koottayi, as modified, teaches clustering based on common attributes and behaviors (clustering based on historical data regarding times and patterns of accesses, ¶¶114-115) for comparison to the peer group (as modified by Baikalov, ¶¶23-24), but lacks wherein the clustering engine clusters streaming data uses a streaming clustering algorithm that adapts to concept drift, and clusters the user or entity data. However, Aggarwal teaches that it was known to use condensation-based stream clustering (Constream) to efficiently cluster large streams of data and detect outliers (p. 173, ¶2) using an algorithm that adapts to concept drift (quickly adapts to the evolution in the data stream to represent behavior within a given temporal locality, p. 182, §5, ¶1 and p. 194, §6, ¶2). Further, Aggarwal teaches that it was known to utilize ConStream with a weighted Jaccard coefficient (p. 178, §3.1, ¶4 and equation (2)) with a fading function (¶175, ¶1). Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to further modify Koottayi such that the clustering engine uses a streaming clustering algorithm that adapts to concept drift, wherein the streaming clustering algorithm comprises a ConStream method that uses a weighted Jaccard coefficient with a fading function, and clusters the user or entity data. One of ordinary skill in the art would have been motivated to perform such a modification to utilize a known algorithm for clustering data efficiently, as taught by Aggarwal. As modified, Koottayi lacks that the agglomerative hierarchical clustering algorithm (ROCK, per M’raihi) clusters “non-streaming data”. However, Tu teaches that, while algorithms like Clustream are applicable to clustering streams, hierarchical agglomerative clustering is infeasible for clustering streaming data (§1). Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to further modify Koottayi such that the agglomerative hierarchical clustering algorithm clusters non-streaming data. One of ordinary skill in the art would have been motivated to perform such a modification to utilize the algorithms for input data that is known to be appropriate for the algorithms, as taught by Tu. As modified, Koottayi lacks the ROC algorithm (M’raihi) calculating Jaccard similarity. However, Guha teaches an implementation of the ROCK algorithm, teaching using Jaccard coefficients as a similarity measure (Example 1.1, ¶3; see also §1.2, ¶1). Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Koottayi to calculate Jaccard similarity. One of ordinary skill in the art would have been motivated to perform such a modification to utilize a known measure of similarity in establishing clusters, as taught by Guha.
Regarding claim 32, the claim is similar in scope to claim 21 and is therefore rejected using a similar rationale.
Regarding claim 23, Koottayi discloses wherein an anomaly is associated with the risk score, the risk score is a function of an expected value associated with the incoming event and an actual value associated with the incoming event, and a level of the risk score is proportionate to a severity of the anomaly (behavioral risk is computed as a deviation of real-time behavior from model, ¶121).
Regarding claim 24, Koottayi discloses wherein the risk score of an incoming event that is flagged as a time anomaly depends on a difference (behavioral risk is computed as a deviation of real-time behavior from model, ¶121) between a time the incoming event was expected to occur and a time the incoming event actually occurred (time-based model takes into consideration when the user normally accesses various applications, ¶114).
Regarding claim 25, Koottayi, as modified, lacks wherein the risk score of an incoming event that is flagged as a count anomaly depends on a difference between a threshold value and total count of the incoming event, aggregated over an interval, and wherein the threshold value is based on past counts of the incoming event over specific intervals. However, Thampy teaches monitoring user events and building a profile representing user activity patterns (¶253, ¶255) over a period of time (such as logins per hour, ¶149, ¶152, ¶252, ¶263) and determining a risk score based on a degree of risk associated with an unrecognized pattern (¶258), where the risk score of the incoming event that is flagged as a count anomaly depends on a difference between a threshold value and total count of the incoming event (classification of the event based on a threshold, ¶305), aggregated over an interval (models are based on a time window, ¶252, ¶263) and wherein the threshold value is based on past counts of the incoming event over specific intervals (thresholds are determined based on previous behavior, ¶161, ¶170). Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to further modify Koottayi such that the risk score of the incoming event that is flagged as a count anomaly depends on a difference between a threshold value and total count of the incoming event, aggregated over an interval, and wherein the threshold value is based on past counts of the incoming event over specific intervals. One of ordinary skill in the art would have been motivated to perform such a modification to monitor a count of events to determine whether a real-time count of events in a given time period is anomalous with respect to a past behavior for a given time period, as taught by Thampy.
Regarding claim 26, Koottayi discloses wherein when the risk score is greater than or equal to a threshold (behavioral risk is computed as a deviation of real-time behavior from model, ¶121) the incoming event is flagged as a pattern anomaly (models include pattern based behavioral model, ¶114) and wherein the threshold is based on past patterns that have occurred (based on historical data, ¶112).
Regarding claims 28, 34 and 35, Koottayi, as modified, teaches a peer group comparison engine that compares the incoming event to the peer group to determine whether the incoming event is anomalous relative to the peer group (as modified by Baikalov; see Baikalov ¶¶23-24).
Regarding claims 30 and 37, Koottayi discloses wherein the inference engine is configured to track first behavior of the user or entity of the two or more users or entities (build models regarding user’s expected behavior, ¶84, ¶85, ¶101, ¶103, ¶112), flag second behavior that is different from the first behavior as anomalous (determine if incoming access request is anomalous, ¶107, ¶117), and assign the risk score to the second behavior (deviation score is assigned, ¶122), wherein expected behavior is one of an expected time of occurrence of the incoming event in the case of time anomalies (time based model is based on a time at which the user normally accesses the system, ¶114), an expected count of events aggregated over a particular interval in the case of count anomalies, and expected values of attributes of the incoming event in the case of pattern anomalies (pattern based model is based on a pattern in which a user accesses the system, ¶114). Further, Koottayi, as modified by Thampy ¶161, ¶170, ¶233 with respect to claim 1, teaches an expected count of events aggregated over a particular interval in the case of count anomalies.
Regarding claims 31 and 38, Koottayi, as modified, teaches wherein the inference engine is configured to detect the time, count, and pattern anomalies, and uses the detected time, count and pattern anomalies, which are generic in nature (user access patterns occur in multiples types of computing domains, such as financial applications, ¶96, ¶116, ¶132) and thereby facilitate deployment in multiple domains, to identify instances of data exfiltration, insider threats (¶82), or compromised accounts (activities monitored include logging-in, access a financial application, downloading software, uploading a program, etc., ¶70, ¶132 and sensor data, network tools, traffic monitoring, ¶219; can be used to monitor for privacy and leakage, ¶62).
Regarding claim 36, Koottayi, as modified by Baikalov (with respect to claim 21), teaches decreasing the risk score associated with the incoming event and the user or entity when the user or entity is in a peer group for which the incoming event is not anomalous (probability of the event being anomalous, P, is a function of both the individual anomaly calculation, Pi, and the probability of anomalous behavior with respect to the group, PG, Baikalov ¶¶23-24, to create a normalized anomaly probability, Baikalov ¶17).
Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over Koottayi, Thampy, Baikalov, Vasseur, M’raihi, Aggarwal, Tu and Guha, as applied to claim 21, in view of US 2020/0186544 A1 to Dichiu et al. (Dichiu), US 2020/0267171 A1 to Mozumdar et al. (Mozumdar) and US 10,097,690 B1 to Henry.
Regarding claim 22, Koottayi, as modified, teaches the machine learning subengine is unsupervised (behavior analytics engine utilized unsupervised machine learning, ¶115), but lacks wherein: the model training engine includes a subengine selected from a group consisting of a Robust Principal Component Analysis (RPCA) engine, a Markov chain engine, an Exponential Moving Average (EMA) engine, and multiple ones of these; wherein, in operation, the RPCA encodes timestamps of incoming events and detects time anomalies; wherein, in operation, the Markov chain engine detects pattern anomalies; wherein, in operation, the EMA engine detects count anomalies. However, Dichiu teaches, in an analogous system (monitoring client behavior to detect anomalies, ¶40), that it was known to utilize principal component analysis to reduce dimensionality (¶67) of timestamped event records identify anomalous behavior (¶66). Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to further modify Koottayi to include a Robust Principal Component Analysis (RPCA) engine, wherein, in operation, the RPCA encodes timestamps of incoming events and detects time anomalies. One of ordinary skill in the art would have been motivated to perform such a modification to determination of anomalies in time-based events using a known construct, as taught by Dichiu. Further, Mozumdar, in an analogous art (detecting communication anomalies, abstract), teaches that it was known to detect pattern anomalies using a Markov chain model (¶61). Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to further modify Koottayi such that the model training engine includes a Markov chain engine, wherein, in operation, the Markov chain engine detects pattern anomalies. One of ordinary skill in the art would have been motivated to perform such a modification to detect pattern anomalies using a known construct, as taught by Mozumdar. Further, Henry, in an analogous art (detecting event anomalies, col. 3, lines 21-26) teaches that it was known to detect anomalies in baseline counts of customer support session events, col. 3, lines 21-33), including computing baseline counts of interaction parameters as an exponential moving average of the counts (col. 15, lines 21-25) to determine whether an event has occurred. Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to further modify Koottayi such that the model training engine includes an Exponential Moving Average (EMA) engine, wherein, in operation, the EMA engine detects count anomalies. One of ordinary skill in the art would have been motivated to perform such a modification to develop baseline counts for count-related metrics (such as those provided in Thampy, as modified above) using a known construct, as taught by Henry.
Claim 29 is rejected under 35 U.S.C. 103 as being unpatentable over Koottayi, Thampy, Baikalov, Vasseur, M’raihi, Aggarwal, Tu and Guha, as applied to claim 28, in view of US 2021/0142209 A1 to Patil et al. (Patil).
Regarding claim 29, Koottayi, as modified, teaches wherein the risk score modification engine modifies the risk score if the incoming event is anomalous to the peer group (as modified by Baikalov, if the peer probability PG is high, the overall probability will increase in comparison to if PG is low, Baikalov ¶23), but lacks raising the risk score. However, Patil teaches determining an anomalous activity/event based on a peer group to which the user associated with the event is assigned (¶64) and further teaches that it was known to determine an entity risk with respect to multiple peer groups to which a user belongs and to increase a risk score if an event is also considered anomalous with respect to a particular peer group (for example by averaging the individual risk scores for each group, ¶¶65-66). Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to further modify Koottayi such that the risk score modification engine increases the risk score if the incoming event is also anomalous to the peer group (consider the event riskier if the peer group probability is also low). One of ordinary skill in the art would have been motivated to perform such a modification to maintain a high risk, rather than reduce it if the anomalous event is a peer group outlier, as taught by Patil.
Claim 33 is rejected under 35 U.S.C. 103 as being unpatentable over Koottayi, Thampy, Baikalov, Vasseur, M’raihi, Aggarwal, Tu and Guha, as applied to claim 32, in view of US 2017/0010930 A1 to Dutta et al. (Dutta).
Regarding claim 33, Koottayi discloses wherein the subengine is unsupervised (behavior analytics engine utilized unsupervised machine learning, ¶115) and adapts concept drift (engine initially determines an anomaly, but adapts in time based on updated patterns such that no anomaly will be triggered after adapting, ¶95, ¶118), but lacks but lacks a subengine selected from a group consisting of a Robust Principal Component Analysis (RPCA) engine, a Markov chain engine, an Exponential Moving Average (EMA) engine, and multiple ones of these. However, Dutta teaches, in an analogous system (using logs/activity to detect anomalies, ¶2), that it was known to use clustering and a Robust Principal Component Analysis (RPCA) engine to identify anomalous nodes with respect to other nodes (¶71). Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to further modify Koottayi to include a Robust Principal Component Analysis (RPCA) engine. One of ordinary skill in the art would have been motivated to perform such a modification to enable clustering of entities (users, applications, etc.) and determine outliers, as taught by Dutta.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL J SIMITOSKI whose telephone number is (571)272-3841. The examiner can normally be reached Monday - Friday, 7:00-3:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached at 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Michael Simitoski/ Primary Examiner, Art Unit 2493
December 29, 2025