DETAILED ACTION
2. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
2. Applicant’s submission filed 10 October 2025 [hereinafter Response] has been entered, where:
Claims 1-3, 5, 7-9, 12, 13, and 15-20 have been amended.
Claims 4 and 11 have been cancelled.
Claims 1-3, 5-10, and 12-20 are pending.
Claims 1-3, 5-10, and 12-20 are rejected.
Drawings
3. The objection to the drawings as failing to comply with 37 CFR 1.84(p)(5) because they include the following reference character(s) not mentioned in the description is WITHDRAWN in view of the Applicant’s amendment to the Specification:
Specification
4. The objection to the Specification based on the use of terms that are trade names or marks used in commerce is WITHDRAWN in view of the Applicant’s amendment to the Specification.
Claim Rejections - 35 U.S.C. § 101
5. 35 U.S.C. § 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
6. Claims 1-3, 5-10, and 12-20 are rejected under 35 U.S.C. § 101 because the claimed invention is directed to an abstract idea without significantly more.
Claim 1 recites a method, which is a process, and thus one of the statutory categories of patentable subject matter. (35 U.S.C. § 101).
However, under Step 2A Prong One, the claim recites the limitations of “[(a)]1 generating, by a processing network computer, a first attribute correlation matrix comprising correlation coefficients, each of correlation coefficient of the first attribute correlation matrix being a correlation value between each set of attributes of a first interaction dataset,” “[(b)] generating, by the processing network computer, a second attribute correlation matrix comprising correlation coefficients, each correlation coefficient of the second attribute correlation matrix being a correlation value between each set of attributes of a second interaction dataset different from the first time period,” “[(c)] identifying, by the processing network computer, sets of attributes from the first attribute correlation matrix and the second attribute correlation matrix for further processing, by identifying the one or more sets of attributes that correspond to one another in the first attribute correlation matrix and the second attribute correlation matrix and have a difference in the correlation coefficients between the first attribute correlation matrix and the second attribute correlation matrix greater than a threshold value,” “[(d)] computing, by the processing network computer, residuals, for the one or more sets of attributes, between the first attribute correlation matrix and the second attribute correlation matrix,” “[(e)] determining, by the processing network computer, one or more interaction anomalies using the residuals,” and “[(f)] determining, by the processing network computer, a first authorizing entity computer that provided interaction data that contributed to the one or more interaction anomalies, among the plurality of authorizing entity computers.” These limitations of “generating,” “identifying,” “computing,” and “determining” are activities that can practically be performed in the human mind, including, for example, observations, evaluations, judgments, and opinions, and accordingly are a mental process, (MPEP § 2106.04(a)(2) sub III), which are one of the groupings of abstract ideas. (MPEP § 2106.04(a)(2)). The claim recites more details or specifics to the abstract ideas of “generating” and “determining,” in that “[generating . . . a first attribute correlation matrix] . . . , [(a.1)] wherein the first interaction dataset comprises interaction data of a plurality of interactions conducted over a first time period,” “[generating . . . a second attribute correlation matrix] . . . , [(b.1)] wherein the second interaction dataset comprises second interaction data of a second plurality of interactions conducted over a second time period,” “[(b.2)] wherein the first interaction data and the second interaction data are provided by a plurality of authorizing entity computers,” and accordingly, are merely more specific to the abstract idea. Still further, the claim limitation of “[(d)] computing, by the processing network computer, residuals between the first attribute correlation matrix and the second attribute correlation matrix,” is a mathematical concept, (MPEP § 2106.04(a)(2) sub I), which is one of the groupings of abstract ideas. Thus, claim 1 recites an abstract idea.
Under Step 2A Prong Two, the claim as a whole is not integrated into a practical application, because the additional elements recited in the claim beyond the identified judicial exception include a “processing network computer,” which is a generic computer component used to implement the abstract idea, (MPEP § 2106.05(f)), that does not serve to integrate the abstract idea into a practical application. The claim also recites “[(g)] transmitting, by the processing network computer to the first authorizing entity computer, a message comprising the one or more sets of attributes used to determine the one or more interaction anomalies and one or more identifiers for one or more interactions corresponding to the one or more interaction anomalies,” which is a post-processing insignificant extra-solution activity of announcing a result, (MPEP § 2106.05(g)), that does not serve to integrate the abstract idea into a practical application. Therefore, claim 1 is directed to the abstract idea.
Finally, under Step 2B, the additional elements, taken alone or in combination, do not represent significantly more than the abstract idea itself. The additional elements recited in the claim beyond the identified judicial exception include a “processing network computer,” which is a generic computer component used to implement the abstract idea, (MPEP § 2106.05(f)), that does not amount to significantly more than the abstract idea. The claim also recites “[(g)] transmitting, by the processing network computer to the first authorizing entity computer, a message comprising the one or more sets of attributes used to determine the one or more interaction anomalies and one or more identifiers for one or more interactions corresponding to the one or more interaction anomalies,” which is a well-understood, routine, and conventional activity of transmitting data over a network, (MPEP § 2106.05(d) sub II.i), that does not amount to significantly more than the abstract idea. Thus, claim 1 is subject-matter ineligible.
Claim 15 recites a processing network computer, which is a machine, and thus one of the statutory categories of patentable subject matter. (35 U.S.C. § 101).
However, under Step 2A Prong One, the claim recites the limitations of “[(a)] generating, by a processing network computer, a first attribute correlation matrix comprising correlations between attributes of a first interaction dataset,” “[(b)] generating, by the processing network computer, a second attribute correlation matrix comprising correlations between attributes of a second interaction dataset,” “[(c)] identifying, by the processing network computer, sets of attributes from the first attribute correlation matrix and the second attribute correlation matrix,” “[(d)] computing, by the processing network computer, residuals between the first attribute correlation matrix and the second attribute correlation matrix,” “[(e)] determining, by the processing network computer, one or more interaction anomalies using the residuals,” and “[(f)] determining, by the processing network computer, a first authorizing entity computer that provided interaction data that contributed to the one or more interaction anomalies, among the plurality of authorizing entity computers.” These limitations of “generating,” “identifying,” “computing,” and “determining” are activities that can practically be performed in the human mind, including, for example, observations, evaluations, judgments, and opinions, and accordingly are a mental process, (MPEP § 2106.04(a)(2) sub III), which are one of the groupings of abstract ideas. (MPEP § 2106.04(a)(2)). The claim recites more details or specifics to the abstract ideas of “generating” and “determining,” in that “[generating . . . a first attribute correlation matrix] . . . , [(a.1)] wherein the first interaction dataset comprises interaction data of a plurality of interactions conducted over a first time period,” “[generating . . . a second attribute correlation matrix] . . . , [(b.1)] wherein the second interaction dataset comprises second interaction data of a second plurality of interactions conducted over a second time period,” “[(b.2)] wherein the first interaction data and the second interaction data are provided by a plurality of authorizing entity computers,” and “[determining, by the processing network computer, interaction anomalies using the residuals], [(e.1)] wherein an interaction anomaly in the interaction anomalies corresponds to an interaction in the first interaction dataset,” and accordingly, are merely more specific to the abstract idea. Still further, the claim limitation of “[(d)] computing, by the processing network computer, residuals between the first attribute correlation matrix and the second attribute correlation matrix,” is a mathematical concept, (MPEP § 2106.04(a)(2) sub I), which is one of the groupings of abstract ideas. Thus, claim 15 recites an abstract idea.
Under Step 2A Prong Two, the claim as a whole is not integrated into a practical application, because the additional elements recited in the claim beyond the identified judicial exception include a “processing network computer,” a “processor,” and “a non-transitory computer readable medium comprising instructions executable by the processor to perform operations,” which are generic computer components used to implement the abstract idea, (MPEP § 2106.05(f)), that do not serve to integrate the abstract idea into a practical application. The claim also recites “[(g)] transmitting, by the processing network computer to the first authorizing entity computer, a message comprising the one or more sets of attributes used to determine the one or more interaction anomalies and one or more identifiers for one or more interactions corresponding to the one or more interaction anomalies,” which is a post-processing insignificant extra-solution activity of announcing a result, (MPEP § 2106.05(g)), that does not serve to integrate the abstract idea into a practical application. Therefore, claim 15 is directed to the abstract idea.
Finally, under Step 2B, the additional elements, taken alone or in combination, do not represent significantly more than the abstract idea itself. The additional elements recited in the claim beyond the identified judicial exception include a “processing network computer,” a “processor,” and “a non-transitory computer readable medium comprising instructions executable by the processor to perform operations,” which are generic computer components used to implement the abstract idea, (MPEP § 2106.05(f)), that do not amount to significantly more than the abstract idea. The claim also recites “[(g)] transmitting, by the processing network computer to the first authorizing entity computer, a message comprising the one or more sets of attributes used to determine the one or more interaction anomalies and one or more identifiers for one or more interactions corresponding to the one or more interaction anomalies,” which is a well-understood, routine, and conventional activity of transmitting data over a network, (MPEP § 2106.05(d) sub II.i), that does not amount to significantly more than the abstract idea. Thus, claim 15 is subject-matter ineligible.
Claim 2 depends from claim 1. The claim recites the additional element of an “authorizing entity computer,” which is a generic computer component used to implement the abstract idea, (MPEP § 2106.05(f)), that does not serve to integrate the abstract idea into a practical application under Step 2A Prong Two, nor amounts to significantly more than the abstract idea under Step 2B. Also, the claim recites “[(f)] transmitting, by the processing network computer to an authorizing entity computer, a message comprising the sets of attributes used to determine the anomalies and an identifier for the interaction corresponding to the anomalies that were determined.” Under Step 2A Prong Two, the limitation “transmitting” is a post-solution, insignificant extra-solution activity of outputting data, (MPEP § 2106.05(g)), that does not serve to integrate the abstract idea into a practical application. Under Step 2B, the limitation is a well-understood, routine, and conventional activity of transmitting and receiving data over a network, (MPEP § 2106.05(d) sub II.i), that does not amount to significantly more than the abstract idea. Thus, claim 2 is subject-matter ineligible.
Claim 3 depends from claim 1. Claim 17 depends from claim 15. The claims provide more details or specifics to the abstract idea of “[(e)] determining interaction anomalies,” “[(e.2)] wherein determining the one or more interaction anomalies in the residuals comprises applying an isolation forest algorithm to the residuals,” and accordingly, are merely more specific to the abstract idea. Thus, claims 3 and 17 are subject-matter ineligible.
Claim 5 depends from claim 1. The claim recites the limitation of “[(f)] storing, by the processing network computer, the one or more interaction anomalies and the sets of attributes.” The activity of “storing” is a post-solution, insignificant extra-solution activity of storing data in memory, (MPEP § 2106.05(g)), that does not serve to integrate the abstract idea into a practical application under Step 2A Prong Two, and is a well-understood, routine, and conventional activity of storing and retrieving information in memory, (MPEP § 2106.05(d) sub II.iv), that does not amount to significantly more than the abstract idea. Thus, claim 5 is subject-matter ineligible.
Claims 6, 7, 9, 12, and 13 depend from claim 1. Claims 18 and 20 depend from claim 15. The claims recite more details or specifics to the additional elements of “[(a)] generating a first attribute correlation matrix,” and “[(b)] generating a second attribute correlation matrix,” in that (claim 6: “[(a.2), (b.2)] wherein the first interaction dataset and the second interaction dataset comprises data regarding access to host sites by various user devices”; claim 7: “[(a.2), (b.2)] wherein the interaction data comprises at least an interaction amount”; claim 9: “[(a.2), (b.2)] wherein the first time period and the second time period are each at least one month”; claim 12: “[(a.2), (b.2)] wherein the correlations are correlation coefficients, and wherein the correlation coefficients are determined using Spearman's rho or Pearson's r”; claim 13: “[(a.2), (b.2)] wherein the second attribute correlation set is determined in the same manner that the first attribute correlation set is determined”; claim 18: “[(a.2), (b.2)] wherein the first interaction data set and the second interaction dataset are formed using data from a plurality of authorization request messages”; and claim 20: “[(a.2), (b.2)] wherein the first and second interaction datasets include data associated with e-mail communications, and the interaction anomalies are SPAM e-mails”), and accordingly, are merely more specific to the abstract idea. Thus, claims 6, 7, 9, 11-13, 18, and 20 are subject-matter ineligible.
Claim 8 depends from claim 1. The claim recites the limitation of “[(a.2), (b.2)] wherein the plurality of interactions are performed by users in association with an authorizing entity computer,” which is the use of a generic computer component (authorizing entity computer) to implement the abstract idea, (MPEP § 2106.05(f)), that does not serve to integrate the abstract idea under Step 2A Prong Two, nor amounts to significantly more than the abstract idea under Step 2B. Thus, claim 8 is subject-matter ineligible.
Claim 10 depends from claim 1. The claim recites more details or specifics to the abstract idea of “[(c)] identifying sets of attributes,” “[(c.1)] wherein each set of attributes in the sets of attributes includes exactly two attributes,” and accordingly, is merely more specific to the abstract idea. Thus, claim 10 is subject-matter ineligible.
Claim 14 depends from claim 1. The claim recites more details or specifics to the additional element of the “processing network computer,” “wherein the processing network computer is operated by a processing network,” and accordingly, is merely more specific to the additional element. Thus claim 14 is subject-matter ineligible.
Claim 16 depends from claim 15. The claim recites the additional element of an “[(f)] interaction database,” which is a generic computer component used to implement the abstract idea, (MPEP § 2106.05(f)), that does not serve to integrate the abstract idea into a practical application under Step 2A Prong Two, nor does it amount to significantly more than the abstract idea under Step 2B. The claim also recites “[(f.1)] wherein the interaction database stores the first interaction dataset, the first attribute correlation set, the second interaction dataset, and the second attribute correlation set,” which is the insignificant extra-solution activity of mere data gathering, (MPEP § 2106.05(g)), that does not serve to integrate the abstract idea into a practical application under Step 2A Prong Two, and further, is the well-understood, routine, and conventional activity of storing and retrieving information in memory, (MPEP § 2106.05(d) sub II.iv), that does not amount to significantly more than the abstract idea under Step 2B. Thus, claim 16 is subject-matter ineligible.
Claim 19 depends from claim 15. The claim recites the generic computer component of a “plurality of authorizing entity computers,” (MPEP § 2106.05(f)), that does not serve to integrate the abstract idea into a practical application under Step 2A Prong Two, nor amounts to significantly more than the abstract idea under Step 2B. Also, the limitation recites “[(a.2), (b.2)] wherein the interaction data in the first interaction dataset and the second interaction dataset is received from a plurality of authorizing entity computers.” The activity of “received” is an insignificant extra-solution activity of mere data gathering, (MPEP § 2106.05(g)), that does not serve to integrate the abstract idea into a practical application under Step 2A Prong Two, and is a well-understood, routine, and conventional activity of transmitting and receiving data over a network, (MPEP § 2106.05(d) sub II.i), that does not amount to significantly more than the abstract idea. Thus, claim 19 is subject-matter ineligible.
Claim Rejections – 35 U.S.C. § 103
7. The following is a quotation of 35 U.S.C. § 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
8. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. § 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
9. This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
10. Claims 1, 2, 4-10, 12, 14-16, 18, and 19 are rejected under 35 U.S.C. § 103 as being unpatentable over US Published Application 20220247773 to Caithness [hereinafter Caithness] in view of US Published Application 20140149806 to Khalastchi et al. [hereinafter Khalastchi].
Regarding claims 1 and 15, Caithness teaches [a] method (Caithness, Abstract, teaches “a computer-implemented method”) of claim 1, and [a] processing network computer comprising: a processor; and a non-transitory computer readable medium comprising instructions executable by the processor to perform operations (Caithness ¶ 0245 teaches “[a] computer comprises one or more computer processors which may take the form of programmable hardware . . . . [P]rogram instructions, whatever form they take, may be stored on transitory or non-transitory media, with examples of non-transitory storage media including optical, magnetic and solid-state storage. A general-purpose processor may be coupled to a memory and be configured to execute instructions stored in the memory”) of claim 15, comprising:
[(a)] generating, by a processing network computer (Caithness, Fig. 6, teaches anomaly detection [Examiner annotations in dashed-line text boxes]:
[Figure: Caithness, Fig. 6, with Examiner annotations; image not reproduced]
Caithness ¶ 0046 teaches “provide a computer system comprising one or more computers programmed or otherwise-configured to carry out any of the method steps herein, and a computer program comprising program instructions for programming a computer or a set of computers to carry out the method steps [(that is, a processing network computer)]”), a first attribute correlation matrix (Caithness ¶ 0174 teaches “[a]t step 602, a data matrix X is determined [(that is, “data matrix X” is generating . . . a first attribute correlation matrix)]. This represents a set of datapoints as rows of the data matrix X, i.e. each row of X constitutes one data point. Each column X represents a particular feature. Hence, an M×N data matrix X encodes M data points as rows, each having N feature values. Component Xij in row i and column j is the value of feature j (feature value) for data point i [(that is, “component Xij” is a first attribute correlation)]. . . . Data may be said to be “structured as a M×N data matrix” or similar, but the only implication of this language is that each datapoint of the M datapoints is expressed as respective values of a common set of N features to allow those features to be interpreted in accordance with the anomaly detection/reasoning techniques disclosed herein”) . . . ;
[(b)] generating, by the processing network computer, a second attribute correlation matrix (Caithness ¶ 0166 teaches that, “[i]n the first stage of the described anomaly detection method, a first-pass, truncated SVD is applied (FIG. 6, step 604) to a data matrix X, represented in mathematical notation as
[Equation image not reproduced]
[(that is, “data matrix XK” is generating . . . a second attribute correlation matrix )]) . . . ;
[(c)] identifying, by the processing network computer, one or more sets of attributes from the first attribute correlation matrix and the second attribute correlation matrix for further processing (Caithness ¶ 0108 teaches “[o]nce created, cases are developed by matching subsequent events received from the message queue 106 [(that is, “matching” is identifying . . . one or more sets of attributes from the first attribute correlation matrix and the second attribute correlation matrix for further processing)] to existing cases in the experience database 124”), . . .;
[(d)] computing, by the processing network computer, residuals, for the one or more sets of attributes, between the first attribute correlation . . . and the second attribute correlation matrix (Caithness, Fig. 6, teaches an anomaly detection phase [Examiner annotations in dashed-line text boxes]:
[Figure: Caithness, Fig. 6, with Examiner annotations; image not reproduced]
Caithness ¶ 0155 teaches a “matrix of residuals R provides both a measure of observation anomaly (the RSS scores) and, by doing a second-pass SVD on R, an interpretation of the driving (causal) features of the anomalies”)
[Examiner notes that the “residuals matrix R” is a result of computing residuals between the first attribute correlation matrix and the second attribute correlation matrix because the plain meaning of “between” is positioned in space amongst two entities, where the broadest reasonable interpretation of a first attribute correlation and a second attribute correlation cover the teachings of Caithness, where “incoming events [(that is, a second time period)] can be matched to existing cases [(that is, a first time period)] using defined event association criteria,” which is between the first attribute correlation and the second attribute correlation; moreover, the broadest reasonable interpretation of a “first time period” and a “second time period” is that of each respective “first attribute correlation matrix” and “second attribute correlation matrix”, which is not inconsistent with the Applicant’s disclosure (MPEP § 2111)]);
[(e)] determining, by the processing network computer, one or more interaction anomalies using the residuals (Caithness ¶ 0009 teaches “the datapoint may be identified as anomalous based on: a row of the residuals matrix corresponding to the datapoint, or the second-pass coordinate vector for the datapoint [(that is, determining . . . interaction anomalies using the residuals)]”);
[(f)] determining, by the processing network computer, a first authorizing entity computer that provided interaction data that contributed to the one or more interaction anomalies, among the plurality of authorizing entity computers (Caithness, Fig. 10, teaches particular endpoints having a hexadecimal identifier [Examiner annotations in dashed-line text boxes]:
[Figure: Caithness, Fig. 10, with Examiner annotations; image not reproduced]
Caithness ¶ 0023 teaches “each datapoint may, for example, correspond to a network endpoint, the method being applied to identify at least one anomalous network endpoint [(that is, determining . . . a first authorizing entity computer that provided interaction data)]. For example, the features may pertain to multiple processes running on each endpoint”; Caithness ¶ 0094 teaches “for the purpose of collecting endpoint data, endpoint monitoring software (code) is provided which is executed on the endpoints of the network 300 to monitor local activity at those endpoints [(that is, “monitoring” is a first authorizing entity computer that provided interaction data that contributed to the one or more interaction anomalies)]. This is shown in the form of endpoint agents 316 a-316 g (corresponding to endpoint agents 316 in FIG. 1) [(that is, among the plurality of authorizing entity computers)] that are executed on the endpoints 312 a-312 g respectively. This is representative of the fact that endpoint monitoring software can be executed on any type of endpoint, including local, remote and/or server endpoints as appropriate. This monitoring by the endpoint agents is the underlying mechanism by which endpoint events are collected within the network 300”); and
[(g)] transmitting, by the processing network computer to the first authorizing entity computer, a message comprising the one or more sets of attributes used to determine the one or more interaction anomalies and one or more identifiers for one or more interactions corresponding to the one or more interaction anomalies (Caithness ¶¶ 0122-23 teaches “[a]ccess to the cases via the case UI 126 is controlled based on the threat scores in the case records in the experience database 124. A user interface controller (not shown) has access to the cases in the experience database 124 and their threat scores, and is configured to render a case accessible via the case UI 126 in response to its threat score reaching an applicable significance threshold. Such cases can be accessed via the case UI 126 by a human cyber defence analyst [(that is, the “case UI” provides access to case records, which are comprising the one or more sets of attributes used to determine the one or more interaction anomalies and the one or more identifiers for one or more interactions corresponding to the one or more interaction anomalies)]. In this example, cases are retrieved from the experience database 124 by submitting query requests via a case API (application programming interface) 128 [(that is, “submitting query requests” is transmitting, by the processing network computer to the first authorizing entity computer, a message)]. The case (UI) 126 can for example be a web interface that is accessed remotely via an analyst device 130”).
Though Caithness teaches detecting potential cybersecurity threats from collected data pertaining to a monitored network; Caithness, however, does not explicitly teach –
* * *
[(a) generating, by a processing network computer, a first attribute correlation matrix], comprising correlation coefficients, each of correlation coefficient of the first attribute correlation matrix being a correlation value between each set of attributes of a first interaction dataset,
[(a.1)] wherein the first interaction dataset comprises first interaction data of a first plurality of interactions conducted over a first time period;
[(b) generating, by the processing network computer, a second attribute correlation matrix], comprising correlation coefficients, each correlation coefficient of the second attribute correlation matrix being a correlation value between each set of attributes of a second interaction dataset,
[(b.1)] wherein the second interaction dataset comprises interaction data of a plurality of interactions conducted over a second time period different from the first time period,
[(b.2)] wherein the first interaction data and the second interaction data are provided by a plurality of authorizing entity computers; and
[(c) identifying . . . one or more sets of attributes] by identifying the one or more sets of attributes that correspond to one another in the first attribute correlation matrix and the second attribute correlation matrix and have a difference in the correlation coefficients between the first attribute correlation matrix and the second attribute correlation matrix greater than a threshold value;
* * *
But Khalastchi teaches -
[(a) generating, by a processing network computer, a first attribute correlation matrix], comprising correlation coefficients, each of correlation coefficient of the first attribute correlation matrix being a correlation value between each set of attributes of a first interaction dataset (Khalastchi ¶ 0091 teaches “a correlation detector, laid out schematically in Algorithm 1 below, which is optionally based on Pearson correlation coefficient calculation . . . .
[Image of Algorithm 1 not reproduced]
Algorithm 1 returns the n sets of correlated attributes, one per each attribute $a_i \in A$. Each $CS_i$ contains the indices of the other attributes that are correlated to $a_i$. The calculation may be done as follows. The vectors of the last m values of each two attributes $a_i$, $a_j$ are extracted from [matrix] $H_i^T$ and denoted $H_j^T$. The Pearson correlation is then applied to them, and denoted as $p_{i,j}$. If the absolute result $|p_{i,j}|$ is larger than a correlation threshold parameter $ct \in \{0.1\}$, then the attributes are declared correlated and $a_j$ is added to CS [(that is, comprising correlation coefficients, each of correlation coefficient of the first attribute correlation matrix being a correlation value between each set of attributes of a first interaction dataset)]”),
[(a.1)] wherein the first interaction dataset comprises first interaction data of a first plurality of interactions conducted over a first time period (Khalastchi, claim 1, teaches “receiving present real-time readings of multiple sensors [(that is, first interaction data)] associated with the data analysis device [(that is, wherein the first interaction dataset comprises first interaction data of a first plurality of interactions conducted over a first time period)]”; Khalastchi ¶ 0052 teaches “term ‘data analysis device’, as referred to herein, may relate to any device or system, whether having all its elements physically located at one location or being decentralized, which includes multiple data input devices and/or paths, such as sensors, actuators, incoming data originating from external systems, etc. These may be associated with and/or received by a control computer [(that is, the “incoming data” is first interaction data)]. The data analysis device may be aimed at and configured to sense and/or receive data, perform an analysis and optionally indicate the results”);
[(b) generating, by the processing network computer, a second attribute correlation matrix], comprising correlation coefficients, each correlation coefficient of the second attribute correlation matrix being a correlation value between each set of attributes of a second interaction dataset (Khalastchi ¶ 0091 teaches “a correlation detector, laid out schematically in Algorithm 1 below, which is optionally based on Pearson correlation coefficient calculation . . . .
[Image of Algorithm 1: media_image5.png]
Algorithm 1 returns the n sets of correlated attributes, one per each attribute ai ∈ A. Each CSi contains the indices of the other attributes that are correlated to ai. The calculation may be done as follows. The vectors of the last m values of each two attributes ai, aj are extracted from [matrix] $H_i^T$ and denoted $H_j^T$. The Pearson correlation is then applied to them, and denoted as pi,j. If the absolute result |pi,j| is larger than a correlation threshold parameter ct ∈ { 0.1}, then the attributes are declared correlated and aj is added to CS [(that is, comprising correlation coefficients, each of correlation coefficient of the second attribute correlation matrix being a correlation value between each set of attributes of a second interaction dataset )]”),
[(b.1)] wherein the second interaction dataset comprises interaction data of a plurality of interactions conducted over a second time period different from the first time period (Khalastchi, claim 1, teaches “receiving present real-time readings of multiple sensors associated with the data analysis device, and maintaining a history of past real-time readings”; Khalastchi ¶ 0075 teaches “[m]onitored attributes (also “data”) may be collected by internal and/or external sensors [(that is, the second interaction dataset)]”),
[(b.2)] wherein the first interaction data and the second interaction data are provided by a plurality of authorizing entity computers (Khalastchi ¶ 0075 teaches “[p]ast data H (optionally assumed to be nominal, namely—without anomalies) is also accessible. H is an m×n matrix where the columns denote the n monitored attributes and the rows maintain the values of these attributes over m time steps”;
[Examiner notes that the plain term of “authorizing” is to give permission for or approval to an undertaking or an agent; the broadest reasonable interpretation of “authorizing entity computers” are those devices that provide sensor data accessible for anomaly detection, which is not inconsistent with the Applicant’s disclosure, (MPEP § 2111), and covers the real-time and past data received by the data analysis device of Khalastchi and the potential cybersecurity threat detection of Caithness]);
[(c) identifying . . . one or more sets of attributes] by identifying the one or more sets of attributes that correspond to one another in the first attribute correlation matrix and the second attribute correlation matrix and have a difference in the correlation coefficients between the first attribute correlation matrix and the second attribute correlation matrix greater than a threshold value (Khalastchi, Abstract, teaches a “method for detecting an anomaly in operation of a data analysis device, comprising: receiving present real-time readings of multiple sensors associated with the data analysis device and maintaining a history of past real-time readings; determining which of said multiple sensors are correlated; computing a deviation between at least some of said present and at least some of said past real-time readings of said correlated sensors; and declaring an anomaly when said deviation exceeds a predetermined threshold [(that is, “deviation” is a difference in the correlation coefficients between the first attribute correlation matrix and the second attribute correlation matrix greater than a threshold value)]”);
* * *
Caithness and Khalastchi are from the same or similar field of endeavor. Caithness teaches detecting potential cybersecurity threats from collected data pertaining to a monitored network. Khalastchi teaches receiving present real-time readings of multiple sensors associated with the data analysis device, and maintaining a history of past real-time readings having multiple correlated sensors and declaring an anomaly when a deviation exceeds a predetermined threshold.
Thus, it would have been obvious to a person having ordinary skill in the art as of the effective filing date of the Applicant’s invention to modify Caithness pertaining to attribute correlation matrices for anomaly and residuals analysis with the real-time and stored sensor matrices of Khalastchi.
The motivation to do so is because “[t]here is still a need in the art for online, light and reliable anomaly detection methods, and for devices, robots and the like which incorporate the same.” (Khalastchi ¶ 0011).
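The comparison recited in limitations (a) through (c), together with the contributor determination of limitation (f), is illustrated below as an added Python example; it is not code from the application, Caithness, or Khalastchi. The attribute names, source names, the 0.3 threshold, the constructed records, and the leave-one-source-out attribution method are all assumptions made for the illustration.

```python
"""Added illustration: Pearson correlation drift between two time periods."""
import math
from itertools import combinations

ATTRS = ["amount", "items", "hour"]  # hypothetical attribute names


def pearson(x, y):
    """Pearson's r. Undefined cases (fewer than 2 points, constant column) give 0.0."""
    n = len(x)
    if n < 2:
        return 0.0
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / math.sqrt(sxx * syy)


def correlation_matrix(records, attrs=ATTRS):
    """Upper triangle of the attribute correlation matrix, keyed by attribute pair."""
    cols = {a: [r[a] for r in records] for a in attrs}
    return {(a, b): pearson(cols[a], cols[b]) for a, b in combinations(attrs, 2)}


def drifted_pairs(m1, m2, threshold):
    """Pairs present in both matrices whose coefficient moved by more than threshold."""
    return {p: m2[p] - m1[p] for p in m1
            if p in m2 and abs(m2[p] - m1[p]) > threshold}


def contributing_source(period1, period2, pair, attrs=ATTRS):
    """Assumed attribution method: drop one source at a time from both periods and
    report the source whose removal shrinks the drift of `pair` the most."""
    def drift(p1, p2):
        return abs(correlation_matrix(p2, attrs)[pair]
                   - correlation_matrix(p1, attrs)[pair])

    baseline = drift(period1, period2)
    reduction = {}
    for source in sorted({r["source"] for r in period1 + period2}):
        keep1 = [r for r in period1 if r["source"] != source]
        keep2 = [r for r in period2 if r["source"] != source]
        reduction[source] = baseline - drift(keep1, keep2)
    return max(reduction, key=reduction.get), reduction


def build_period(inverted_source=None):
    """Constructed records: amount tracks item count, except for one source whose
    amounts run opposite to item count when it is named as inverted_source."""
    rows = []
    for source in ("bank_A", "bank_B", "bank_C"):  # hypothetical source names
        for i in range(1, 11):
            amount = 10 * (11 - i) if source == inverted_source else 10 * i
            rows.append({"source": source, "items": i,
                         "amount": amount, "hour": (7 * i) % 24})
    return rows


PERIOD_1 = build_period()                          # first time period
PERIOD_2 = build_period(inverted_source="bank_C")  # second time period


def run_demo(threshold=0.3):
    """Build both matrices, flag drifted pairs, and attribute each flagged pair."""
    m1 = correlation_matrix(PERIOD_1)
    m2 = correlation_matrix(PERIOD_2)
    flagged = drifted_pairs(m1, m2, threshold)
    culprits = {pair: contributing_source(PERIOD_1, PERIOD_2, pair)[0]
                for pair in flagged}
    return m1, m2, flagged, culprits


if __name__ == "__main__":
    m1, m2, flagged, culprits = run_demo()
    for pair, delta in flagged.items():
        print(pair, f"r1={m1[pair]:.3f} r2={m2[pair]:.3f} delta={delta:+.3f}",
              "contributor:", culprits[pair])
```

Only the (amount, items) pair crosses the threshold here; the (amount, hour) pair also moves, but by less than 0.3, which shows how the threshold in limitation (c) selects which pairs go on to further processing.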
Regarding claim 2, the combination of Caithness and Khalastchi teaches all of the limitations of claim 1, as described above in detail.
Caithness teaches -
[(g.1)] wherein the message further comprises an identifier for the interaction corresponding to the anomalies that were determined (Caithness ¶ 0090 teaches “network event data 208 can for example comprise one or more network event type indicators identifying the type of activity that has occurred. The entity ID 206 is an identifier of an entity involved in the activity, such as a device, user, process etc. [(that is, an identifier for the interaction corresponding to the anomalies that were determined )]”).
Regarding claim 5, the combination of Caithness and Khalastchi teaches all of the limitations of claim 1, as described above in detail.
Caithness teaches -
further comprising:
storing, by the processing network computer, the one or more interaction anomalies and the sets of attributes (Caithness ¶ 0082 teaches “observation database manager 114 (storage component) is shown having an input connected to receive events from the message queue 106. The observation database manager 114 retrieves events, and in particular enhanced (i.e. enriched and, where appropriate, joined) events from the message queue 106 and stores them in an observation delay line 116 (observation database). The observation delay line 116 may be a distributed database. The observation delay line 116 stores events on a longer time scale than events are stored in the message queue 106 [(that is, storing . . . the sets of attributes)]”; Caithness ¶ 0105 teaches “[c]ases are embodied as case records that are created in an experience database 124 (which may also be a distributed database) [(that is, “cases” pertain to anomalies, which is storing . . . the anomalies)]”).
Regarding claim 6, the combination of Caithness and Khalastchi teaches all of the limitations of claim 1, as described above in detail.
Caithness teaches -
[(a.2), (b.2)] wherein the first interaction dataset and the second interaction dataset comprises data regarding access to host sites by various user devices (Caithness ¶¶ 0111-13 teaches “[i]ncoming events can be matched to existing cases using defined event association criteria, as applied to the content of the events—in particular the timestamps, but also other information such as entity identifiers (device identifier, IP address etc.). These can be events in the event queue 106, the observation delay line 116, or spread across both. Three key pieces of metadata that are used as a basis for linking events in this way are: timestamps, endpoint devices [(that is, by various user devices)], and/or specific endpoint information such as: endpoint host name [(that is, access to host sites)], endpoint open sockets”).
Regarding claim 7, the combination of Caithness and Khalastchi teaches all of the limitations of claim 1, as described above in detail.
Caithness teaches -
[(a.2), (b.2)] wherein each of the first interaction data and the second interaction data comprises at least an interaction amount (Caithness ¶ 0003 teaches “Other forms of “semantic” attack include, for example, denial-of-service (DOS) attacks which attempt to disrupt network services by targeting large volumes of data at a network; attacks via the unauthorized use of credentials (e.g. brute force or dictionary attacks); or backdoor attacks in which an attacker attempts to bypass network security systems altogether [(that is, a “denial-of-service attack” comprises at least an interaction amount)]”).
Regarding claim 8, the combination of Caithness and Khalastchi teaches all of the limitations of claim 1, as described above in detail.
Caithness teaches -
[(a.2), (b.2)] wherein the first plurality of interactions and the second plurality of interactions are performed by users in association with the plurality of authorizing entity computers (Caithness ¶ 0023 teaches that “in a cybersecurity context, each datapoint may, for example, correspond to a network endpoint [(that is, user)], the method being applied to identify at least one anomalous network endpoint. For example, the features may pertain to multiple processes running on each endpoint [(that is, “multiple processes” are the plurality of interactions are performed by users in association with an authorizing entity computer)]”).
Regarding claim 9, the combination of Caithness and Khalastchi teaches all of the limitations of claim 1, as described above in detail.
Caithness teaches -
[(a.2), (b.2)] wherein each of the first time period and the second time period is at least one month (Caithness ¶ 0127 teaches “[t]he event-driven nature of the analysis inherently accommodates different types of threats that develop on different time scales, which can be anything from seconds to months [(that is, the first time period and the second time period are each at least one month)]”).
Regarding claim 10, the combination of Caithness and Khalastchi teaches all of the limitations of claim 1, as described above in detail.
Caithness teaches -
[(c.1)] wherein each set of attributes in the sets of attributes includes exactly two attributes (Caithness ¶ 0174 teaches “M×N data matrix X encodes M data points as rows, each having N feature values. Component Xij in row i and column j is the value of feature j (feature value) for data point i [(that is, “feature j” and “data point i” is each set of attributes in the sets of attributes includes exactly two attributes)]”; see also, e.g., Caithness, Fig. 6 (matrix X)).
Regarding claim 12, the combination of Caithness and Khalastchi teaches all of the limitations of claim 1, as described above in detail.
Caithness teaches -
[(a.2), (b.2)] wherein the correlation coefficients are determined using Spearman's rho or Pearson's r (Caithness ¶ 0205 teaches “[h]aving identified the anomaly detection drivers, at step 708, a causal relationship between each anomalous datapoint i and each contributing feature j is identified, based on an angular relationship between the coordinate vector of that datapoint ui and the coordinate vector of that feature vj [of data matrix XK]. Specifically, a Pearson correlation [(that is, the correlation coefficients are determined using . . . Pearson’s r)] between that datapoint and that feature is determined as the cosine similarity of those vectors (the latter being provably equivalent to the former)”).
Regarding claim 14, the combination of Caithness and Khalastchi teaches all of the limitations of claim 1, as described above in detail.
Caithness teaches -
[(a.2)] wherein the processing network computer is operated by a processing network (Caithness ¶ 0144 teaches “a graphical illustration 512 of network components to which those events relate is shown in association with the timeline 510. This can, for example, include endpoints, infrastructure components, software components and also external components which components of the network are in communication with [(that is, “network components” is the processing network computer is operated by a processing network)]”).
Regarding claim 16, the combination of Caithness and Khalastchi teaches all of the limitations of claim 15, as described above in detail.
Caithness teaches -
further comprising
[(f)] an interaction database coupled to the processor (Caithness ¶ 0082 teaches “observation database manager 114 (storage component) is shown having an input connected to receive events from the message queue 106 . . . events from the message queue 106 and stores them in an observation delay line 116 (observation database)”; Caithness ¶ 0105 teaches “[c]ases are embodied as case records that are created in an experience database 124 (which may also be a distributed database)”; Caithness ¶ 0149 teaches “[c]opies of the events from the message queue 106 are stored in a hunting ground 142, which may be a distributed database and which can be queried via the hunting UI 140 [(that is, the “observation database,” “experience database” and “hunting ground” are inherently an interaction database coupled to the processor)]”),
[(f.1)] wherein the interaction database stores the first interaction dataset, the first attribute correlation matrix, the second interaction dataset, and the second attribute correlation matrix (Caithness ¶ 0082 teaches “observation database manager 114 (storage component) is shown having an input connected to receive events from the message queue 106 . . . events from the message queue 106 and stores them in an observation delay line 116 (observation database)”; Caithness ¶ 0105 teaches “[c]ases are embodied as case records that are created in an experience database 124 (which may also be a distributed database) [(that is, the “experience database” stores . . . the first attribute correlation set, . . . and the second attribute correlation set)]”; Caithness ¶ 0149 teaches “[c]opies of the events from the message queue 106 are stored in a hunting ground 142, which may be a distributed database and which can be queried via the hunting UI 140 [(that is, the “observation database” and the “hunting ground” stores the first interaction dataset . . . [and] the second interaction dataset)]”).
Regarding claim 18, the combination of Caithness and Khalastchi teaches all of the limitations of claim 15, as described above in detail.
Caithness teaches -
[(a.2), (b.2)] wherein the first interaction data set and the second interaction dataset are formed using data from a plurality of authorization request messages (Caithness ¶ 0003 teaches “forms of ‘semantic’ attack include, for example, . . . attacks via the unauthorized use of credentials (e.g. brute force or dictionary attacks) [(that is, the “unauthorized use of credentials” is formed using data from a plurality of authorization request messages)] . . . .”).
Regarding claim 19, the combination of Caithness and Khalastchi teaches all of the limitations of claim 15, as described above in detail.
Caithness teaches -
wherein the interaction data in the first interaction dataset and the second interaction dataset are performed by a user operating a user device and are authorized by the first authorizing entity computer (Caithness ¶ 0086 teaches that “the term endpoint in relation to a private network includes both local endpoints and remote endpoints that are permitted access to the private network substantially as if they were a local endpoint [(that is, “permitted” is received from a plurality of authorizing entity computers)]”).
11. Claims 3 and 17 are rejected under 35 U.S.C. § 103 as being unpatentable over US Published Application 20220247773 to Caithness [hereinafter Caithness] in view of US Published Application 20140149806 to Khalastchi et al. [hereinafter Khalastchi], and US Published Application 20230054575 to Cohen et al. [hereinafter Cohen].
Regarding claims 3 and 17, the combination of Caithness and Khalastchi teaches all of the limitations of claims 1 and 15, respectively, as described above in detail.
Though Caithness and Khalastchi teach the features of determining anomalies in residuals, the combination of Caithness and Khalastchi does not explicitly teach –
wherein determining the one or more interaction anomalies in the residuals comprises applying an isolation forest algorithm to the residuals.
But Cohen teaches -
wherein determining the one or more interaction anomalies in the residuals comprises applying an isolation forest algorithm to the residuals (Cohen ¶¶ 0046-47 teaches “[s]econd layer meta model(s) 240 includes any technically feasible machine learning model. In some embodiments, second layer meta model(s) 240 includes one or more anomaly detection models such as neural network autoencoders, isolation forests . . . . Second layer meta models 240 receives, as input, the vectors of errors or residuals or probabilities produced by residual error module 230. . . . Second layer meta model(s) 240 captures the normal combined outcomes of first layer continuous variable model(s) 210, first layer categorical variable model(s) 220, and/or residual error module 230 under diverse operational states of the system, such as computing device 100, and identifies when the common relations between the predictions produced by first layer continuous variable model(s) 210, first layer categorical variable model(s) 220, residual error module 230, and/or the like are disrupted [(that is, applying an isolation forest algorithm to the residuals)]”).
Caithness, Khalastchi and Cohen are from the same or similar field of endeavor. Caithness teaches detecting potential cybersecurity threats from collected data pertaining to a monitored network. Khalastchi teaches receiving present real-time readings of multiple sensors associated with the data analysis device, and maintaining a history of past real-time readings having multiple correlated sensors and declaring an anomaly when a deviation exceeds a predetermined threshold. Cohen teaches anomaly or attack detection determining an output value corresponding to at least one of a likelihood that an anomaly or an attack is occurring or a type of the anomaly or the attack.
Thus, it would have been obvious to a person having ordinary skill in the art as of the effective filing date of the Applicant’s invention to modify the combination of Caithness and Khalastchi pertaining to anomaly detection using an ATT&CK MITRE framework correlation matrix with the isolation forest of Cohen.
The motivation to do so is because there “is need for improved techniques of detecting and mitigating vehicle anomalies and cybersecurity attacks.” (Cohen ¶ 0007).
12. Claim 13 is rejected under 35 U.S.C. § 103 as being unpatentable over US Published Application 20220247773 to Caithness [hereinafter Caithness] in view of US Published Application 20140149806 to Khalastchi et al. [hereinafter Khalastchi], and US Published Application 20180248745 to Ahmed et al. [hereinafter Ahmed].
Regarding claim 13, the combination of Caithness and Khalastchi teaches all of the limitations of claim 1, as described above in detail.
Though Caithness and Khalastchi teach the features of determining correlation matrices, the combination of Caithness and Khalastchi does not explicitly teach –
wherein the second attribute correlation matrix is determined in the same manner that the first attribute correlation matrix is determined.
But Ahmed teaches -
wherein the second attribute correlation set is determined in the same manner that the first attribute correlation set is determined (Ahmed ¶ 0088 teaches “A020, A030, A040, A070, A080, A090, A100, A110 and A130 as well as optional action A120, is presented below. In this example, Tgood and Tbad are handled in parallel, for each resource metric. Tgood corresponds to the first time interval and Tbad corresponds to the second time interval. “Corr( )” refers to a computation of Pearson correlation of the input values [(that is, through “Corr( ),” the second attribute correlation matrix is determined in the same manner that the first attribute correlation matrix is determined)]”).
Caithness, Khalastchi, and Ahmed are from the same or similar field of endeavor. Caithness teaches detecting potential cybersecurity threats from collected data pertaining to a monitored network. Khalastchi teaches receiving present real-time readings of multiple sensors associated with the data analysis device, and maintaining a history of past real-time readings having multiple correlated sensors and declaring an anomaly when a deviation exceeds a predetermined threshold. Ahmed teaches a network node that calculates a first, a second and a third set of correlation values for a first time interval. Similarly, the network node calculates a fourth, fifth and sixth correlation value for a second time interval in which the fault has been detected. The sets of correlation values are taken between resource metrics, virtual execution environments, types of said each resource metric and/or servers.
Thus, it would have been obvious to a person having ordinary skill in the art as of the effective filing date of the Applicant’s invention to modify the combination of Caithness and Khalastchi pertaining to anomaly detection using an ATT&CK MITRE framework correlation matrix with the first and second sets of attributes through a Pearson correlation of Ahmed.
The motivation to do so is where the “object may be to improve accuracy of fault localization, e.g. in terms of true positives and false positives as well as true negatives and false negatives.” (Ahmed ¶ 0007).
13. Claim 20 is rejected under 35 U.S.C. § 103 as being unpatentable over US Published Application 20220247773 to Caithness [hereinafter Caithness] in view of US Published Application 20140149806 to Khalastchi et al. [hereinafter Khalastchi], and Ajmal et al., “Offensive Security: Towards Proactive Threat Hunting via Adversary Emulation,” IEEE (Aug 2021) [hereinafter Ajmal].
Regarding claim 20, the combination of Caithness and Khalastchi teaches all of the limitations of claim 15, as described above in detail.
Though Caithness and Khalastchi teach the features of determining anomalies in residuals via a MITRE ATT&CK framework, the combination of Caithness and Khalastchi does not explicitly teach –
wherein the first interaction dataset and the second interaction dataset include data associated with e-mail communications, and the one or more interaction anomalies are SPAM e-mails
But Ajmal teaches -
wherein the first and second interaction datasets include data associated with e-mail communications, and the interaction anomalies are SPAM e-mails (Ajmal, left column of p. 126031, “A. Impact Analysis (Attack Vectors), 1) Phishing,” first paragraph, teaches “[a]nalyzing mail headers yields the use of blind mail with SMTP server IP address and location. The mail was encrypted with TLS during transit and the server we used was a VM on MS Azure. This email landed in the inbox [(that is, the first and second interaction datasets include data associated with e-mail communications)]. We then attached a payload (exe file) with custom UTF encoding during transit. This time mail landed in the spam folder as it was detected as suspicious due to the presence of suspicious file type [(that is, the interaction anomalies are SPAM e-mails)]”).
Caithness and Ajmal are from the same or similar field of endeavor. Caithness teaches detecting potential cybersecurity threats from collected data pertaining to a monitored network. Khalastchi teaches receiving present real-time readings of multiple sensors associated with the data analysis device, and maintaining a history of past real-time readings having multiple correlated sensors and declaring an anomaly when a deviation exceeds a predetermined threshold. Ajmal teaches using threat hunting via adversary emulation, which has countervailing effects on hunting advance level threats.
Thus, it would have been obvious to a person having ordinary skill in the art as of the effective filing date of the Applicant’s invention to modify the combination of Caithness and Khalastchi pertaining to anomaly detection using an ATT&CK MITRE framework correlation matrix with the email interaction and SPAM anomalies of Ajmal.
The motivation to do so is for “a novel hybrid model for uncovering tactics, techniques, and procedures (TTPs) through offensive security, specifically threat hunting via adversary emulation . . . based on a novel approach of inducing adversary emulation (mapping each respective phase) model inside the threat hunting approach [that] utilizes minimum resources.” (Ajmal, Abstract).
Response to Argument
Claim Rejections - 35 U.S.C. § 101
14. Applicant submits that “[t]he claimed invention improves upon conventional anomaly detection systems by providing a technique capable of flexible use of a great number of attributes of the dataset.
Therefore, the claimed invention integrates the alleged judicial exception into practical application by using the judicial exception in a meaningful way, instead of tying the judicial exception to a generic technological environment, so that the claim, as a whole, is more than a mere drafting effort to monopolize the judicial exception.” (Response at pp. 9-10 (quoting Specification ¶ 0051)).
Examiner’s Response:
Examiner respectfully disagrees because considering the claim as a whole does not serve to integrate the abstract idea into a practical application, as set out above in detail.
As explained in MPEP 2106.04(d), subsection III, the Step 2A, ‘‘Prong Two analysis considers the claim as a whole. That is, the limitations containing the judicial exception as well as the additional elements in the claim besides the judicial exception need to be evaluated together to determine whether the claim integrates the judicial exception into a practical application.’’
Further, the instant claims do not apply, rely on, or use the abstract idea in a manner that imposes a meaningful limit on the judicial exception, such that the claim is more than a drafting effort designed to monopolize or preempt the judicial exception.
The amended claim limitations merely serve to provide further details or specifics to the abstract ideas and/or additional elements, as set out above in detail, and accordingly, do not cause the claims to recite eligible subject matter.
Claim Rejections – 35 U.S.C. §§ 102 & 103
15. Applicant submits that, “in the claimed invention, certain sets of attributes are identified from the matrices for further processing. Caithness does not teach or suggest
[(c)] identifying, by the processing network computer, one or more sets of attributes from the first attribute correlation matrix and the second attribute correlation matrix for further processing, by identifying the one or more sets of attributes that correspond to one another in the first attribute correlation matrix and the second attribute correlation matrix and have a difference in the correlation coefficients between the first attribute correlation matrix and the second attribute correlation matrix greater than a threshold value.
[(claim 1, lines 14-19 (emphasis added by Applicant))]. Additionally, there is no disclosure in Caithness, whatsoever, regarding
[(f)] determining, by the processing network computer, a first authorizing entity computer that provided interaction data that contributed to the one or more interaction anomalies, among the plurality of authorizing entity computers.
[(claim 1, lines 26-28)]. Caithness does not describe the above features of claim 1 as amended, as well as other added features.” (Response at pp. 12-13 (citing MPEP § 2131 (“anticipation”))).
Examiner’s Response:
Examiner agrees that Caithness does not explicitly teach the subject-matter relating to amended aspects of the instant claims.
Amended claim 1 recites, inter alia
* * *
[(c)] identifying, by the processing network computer, one or more sets of attributes from the first attribute correlation matrix and the second attribute correlation matrix for further processing, by identifying the one or more sets of attributes that correspond to one another in the first attribute correlation matrix and the second attribute correlation matrix and have a difference in the correlation coefficients between the first attribute correlation matrix and the second attribute correlation matrix greater than a threshold value;
* * *
[(f)] determining, by the processing network computer, a first authorizing entity computer that provided interaction data that contributed to the one or more interaction anomalies, among the plurality of authorizing entity computers; and
* * *
(claim 1, lines 14-19 & 26-28 (emphasis added by Examiner illustrating amended language)).
Examiner relies upon the teachings of Khalastchi as teaching these features of the claims, as set out above in detail.
Conclusion
16. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
17. The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
(US Published Application 20180083995 to Sheth et al.) teaches identifying anomalous segments in a metrics dataset having a weight that indicates (i) a similarity between a pair of anomalous segments represented by the nodes connected by the weighted edge and (ii) a relationship between the anomalous segments and the metrics dataset.
(Bhuyan et al., “Network Anomaly Detection: Methods, Systems, and Tools,” IEEE (2014)) teaches a structured and comprehensive overview of various facets of network anomaly detection so that a researcher can become quickly familiar with every aspect of network anomaly detection.
18. Any inquiry concerning this communication or earlier communications from the Examiner should be directed to KEVIN L. SMITH whose telephone number is (571) 272-5964. Normally, the Examiner is available on Monday-Thursday 0730-1730.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the Examiner by telephone are unsuccessful, the Examiner’s supervisor, KAKALI CHAKI can be reached on 571-272-3719. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/K.L.S./
Examiner, Art Unit 2122
/KAKALI CHAKI/Supervisory Patent Examiner, Art Unit 2122
1 Examiner adds these limitation identifiers for the limited purpose of evaluating the claims for subject matter eligibility under MPEP § 2106.