DETAILED ACTION
1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
2. This action is in response to amendment filed on 10/10/2025, in which claims 1 – 5 was amended, and claims 1 – 20 was presented for further examination.
3. Claims 1 – 20 are now pending in the application.
Response to Arguments
4 Applicant’s arguments with respect to claims 1 - 20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
5. Claims 1 – 20 are rejected under 35 U.S.C. 103 as being unpatentable over Dean et al (US 2017/0230392 A1), in view of Bogachev et al (US 2023/0408991 A1).
As per claim 1, Dean et al (US 2017/0230392 A1) discloses,
A computer-implemented method, comprising: receiving a dataset associated with a device (para.[0050]; “network traffic monitor 110
extracts meta-data of packets moving across a network” and para.[0084]; “detecting anomalous behavior of network devices given the values of a collection of real valued metrics Mi, ... , Mn for each device”).
selecting a subset of data from the dataset, the subset including a feature (para.[0013]; “deriving values, m1, ..., mM of a metric, M, representative of data associated with the device” and para.[0050]; “network traffic monitor 110 extracts meta-data of packets moving across a network”).
determining parameters of the selected subset of data (para.[0013]; “deriving values, m1, ..., mM of a metric, M, representative of data associated with
the device”, para.[0043]; “The metrics are representative of data associated with a device of a computer system”, and para.[0051]; “measurements of network
activity are processed to produce behavior metrics”).
implementing an extreme value theory (EVT) algorithm to determine a probability value for the feature based at least in part on the determined parameters (para.[0043]; “modelling the distribution of values of metrics, using extreme value theory …..distribution is then used to calculate the survival
probabilities of observations of values of the metric. The survival probability is the probability of observing a more extreme value than the observed value” and para.[0086]; “extreme value theory is used. In particular, the method of Peaks Over Thresholds (POT) is used for estimating tail probabilities and quantiles from observed data”).
in response to the determined probability value for the feature, generating an outlier score for the feature (para.[0013]; “the probability of observing a more extreme value of the metric than a given value, m, of the metric, wherein the probability is used to determine whether the device is behaving anomalously”, where extreme value is analogous to “outlier score” as claimed, para.[0014]; “probability of observing a more extreme value may be the probability of observing a greater value than the given value, m, when the given value is greater than a suitable quantile point of the values, mi, ... , mN; and/or
wherein the probability of observing a more extreme value is the probability of observing a smaller value than the given value, m, when the given value is less than a suitable quantile point of the values, mi, ... , mN”, and para.[0052]; “compute the values of the corresponding behavioral metrics”).
identifying the subset as anomalous based at least in part on the generated outlier score for the feature (para.[0013]; “wherein the probability is used to determine whether the device is behaving anomalously” and para.[0052]; “These values are then analyzed to see how anomalous the value of each metric is”).
and based on identifying the subset as anomalous, executing an action associated with the device (para.[0012]; “Network system administrators/security officers may be sent alerts about any device whose behavior is determined to be sufficiently anomalous”, where sending an alerts based on anomalous information is analogous to “based on identifying the subset as anomalous, executing an action associated with the device” as claimed).
The examiner believe Dean et al (US 2017/0230392 A1) discloses each and every feature of claim 1. In addition, Bogachev discloses implementing an extreme value theory (EVT) algorithm to determine a probability value for the feature based at least in part on the determined parameters (para.[0085]; “fitting a statistical model of extremes involves using either a block maxima approach or a peaks-over-threshold (POT) approach”, para.[0093]; “determining
values for the plurality of parameters which best model the observed extreme values”, and para.[0104]; “determining the plurality of parameters by estimating
the latent functional dependency of the plurality of parameters upon the one or more covariates”).
Therefore, it would have been obvious to one of ordinary skill in the art before the invention was filed to incorporate probabilistic forecast of extreme values of the system of Bogachev into probability computation of anomalous behavior of a device of the system of Dean to produce a probabilistic forecast of extreme values based on a statistical model of extremes fitted to data.
As per claim 2, the rejection of claim 1 is incorporated and further Bogachev et al (US 2023/0408991 A1) discloses,
wherein the device is an IoT device and the action is to initiate repair or replacement of the IoT device (para.[0214]; “glucose monitoring system comprises a tracking device 1002 comprising at least one sensor 1003 and an output unit 1004 configured to provide an output to a user. The output unit 1004 corresponds to a personal electronic device, such as a smartwatch or the like, and comprises a screen 1006 and a sensor 1008”).
Therefore, it would have been obvious to one of ordinary skill in the art before the invention was filed to incorporate probabilistic forecast of extreme values of the system of Bogachev into probability computation of anomalous behavior of a device of the system of Dean to produce a probabilistic forecast of extreme values based on a statistical model of extremes fitted to data.
As per claim 3, the rejection of claim 1 is incorporated and further Dean et al (US 2017/0230392 A1) discloses,
wherein: the subset includes a plurality of features (para.[0012]; “processing the new network activity measurement of each device to compute the values of the corresponding behavioral metrics”).
and the computer-implemented method further comprises: implementing the EVT algorithm to determine a probability value for each of the plurality of features (para.[0043]; “modelling the distribution of values of metrics, using extreme value theory …..distribution is then used to calculate the survival probabilities of observations of values of the metric. The survival probability is the probability of observing a more extreme value than the observed value” and para.[0086]; “extreme value theory is used. In particular, the method of Peaks Over Thresholds (POT) is used for estimating tail probabilities and quantiles from observed data”).
generating an outlier score for each of the plurality of features (para.[0013]; “the probability of observing a more extreme value of the metric than a given value, m, of the metric, wherein the probability is used to determine whether the device is behaving anomalously” and para.[0014]; “probability of observing a more extreme value may be the probability of observing a greater value than the given value, m, when the given value is greater than a suitable quantile point of the values, mi, ... , mN; and/or wherein the probability of observing a more extreme value is the probability of observing a smaller value than the given value, m, when the given value is less than a suitable quantile point of the values, mi, ... , mN”).
and generating an aggregate outlier score for the subset, the aggregate outlier score comprising a sum of the generated outlier scores for each of the plurality of features (para.[0012]; “levels of anomalousness of the values of each behavioral metric of a device may be combined to produce a measure of the overall anomalousness of the behavior of each device”).
As per claim 4, the rejection of claim 1 is incorporated and further Dean et al (US 2017/0230392 A1) discloses,
wherein the dataset associated with the device comprises data captured by one or more sensors in real time (para.[0052]; “analyzing the new observations of the activity of each network device in real time”).
As per claim 5, the rejection of claim 1 is incorporated and further Bogachev et al (US 2023/0408991 A1) discloses,
wherein the determined parameters are a gamma value and a sigma value of a tail of a calibration set of data, the method further comprising: calculating a final threshold as approximately equal to a risk factor multiplied by a total number of observations over a number of peaks in the dataset, all raised to a power of negative gamma value, minus one, multiplied by a proportion of the sigma value and the gamma value, plus an initial threshold and assigning the outlier score to the feature based on determining a sample value associated with the feature to be more than the final threshold (para.[0122]; “the POT approach specifies a preferably large value for the threshold 722, u, such that only those signals of interest which exceed the threshold 722 are considered extreme values. The distribution of the extreme values is then determined by fitting a suitable distribution”, para.[0124]; “the quality of statistical estimation of the model parameters from available exceedances (which would get depleted due to higher thresholds). Preferably, the threshold is chosen according to an empirical quantile; for instance at a 95% level, so that about 5% of observed values lie above this threshold. This empirical approach is particularly useful for initial calibration of the model”, para.[0125]; “the plurality of signals of interest are censored by defining the threshold exceedances over a threshold u”,
Therefore, it would have been obvious to one of ordinary skill in the art before the invention was filed to incorporate probabilistic forecast of extreme values of the system of Bogachev into probability computation of anomalous behavior of a device of the system of Dean to produce a probabilistic forecast of extreme values based on a statistical model of extremes fitted to data.
As per claim 6, the rejection of claim 1 is incorporated and further Dean et al (US 2017/0230392 A1) discloses,
further comprising: implementing the EVT algorithm to determine a threshold for anomalous features (para.[0086]; “extreme value theory is used. In particular, the method of Peaks Over Thresholds (POT) is used for estimating tail probabilities and quantiles from observed data”).
As per claim 7, the rejection of claim 6 is incorporated and further Dean et al (US 2017/0230392 A1) discloses,
further comprising: identifying the subset as anomalous based at least in part on the generated outlier score for the feature being greater than the determined threshold (para.[0014]; “probability of observing a more extreme value may be the probability of observing a greater value than the given value, m, when the given value is greater than a suitable quantile point of the values, mi, ... , mN; and/or wherein the probability of observing a more extreme value is the probability of observing a smaller value than the given value, m, when the given value is less than a suitable quantile point of the values, mi, ... , mN”).
As per claim 8, the rejection of claim 1 is incorporated and further Dean et al (US 2017/0230392 A1) discloses,
further comprising: identifying the subset as anomalous in real-time (para.[0252]; “New values of the behavioral metrics are fed into the system in real time for anomaly detection and alerting”).
As per claim 9, Dean et al (US 2017/0230392 A1) discloses,
A system, comprising: a processor; a memory storing instructions executable by the processor (para.[0035]; “system comprising a processor, and a memory comprising computer readable code operable, in use, to instruct the processor to perform”).
a data collector, implemented on the processor, that receives a dataset (para.[0047]; “a processor arranged to run the steps of the process described herein, memory required to store information related to the running of the
process, as well as a network interface for collecting the required information”).
an extreme value theory (EVT) mechanism, implemented on the processor (para.[0086]; “extreme value theory is used. In particular, the method of Peaks Over Thresholds (POT) is used for estimating tail probabilities and quantiles from observed data”).
that: selects a subset of data from the dataset, the subset including a feature (para.[0013]; “deriving values, m1, ..., mM of a metric, M, representative of data associated with the device”).
determines parameters of the selected subset of data (para.[0013]; “deriving values, m1, ..., mM of a metric, M, representative of data associated with the device” and para.[0043]; “The metrics are representative of data associated with a device of a computer system”).
implements an extreme value theory (EVT) algorithm to determine a probability value for the feature based at least in part on the determined parameters (para.[0043]; “modelling the distribution of values of metrics, using extreme value theory …..distribution is then used to calculate the survival probabilities of observations of values of the metric. The survival probability is the probability of observing a more extreme value than the observed value” and para.[0086]; “extreme value theory is used. In particular, the method of Peaks Over Thresholds (POT) is used for estimating tail probabilities and quantiles from observed data”).
in response to the determined probability value for the feature, generates an outlier score for the feature (para.[0013]; “the probability of observing a more extreme value of the metric than a given value, m, of the metric, wherein the probability is used to determine whether the device is behaving anomalously” and para.[0014]; “probability of observing a more extreme value may be the probability of observing a greater value than the given value, m, when the given value is greater than a suitable quantile point of the values, mi, ... , mN; and/or wherein the probability of observing a more extreme value is the probability of observing a smaller value than the given value, m, when the given value is less than a suitable quantile point of the values, mi, ... , mN”).
and identifies the subset as anomalous based at least in part on the generated outlier score for the feature (para.[0013]; “wherein the probability is used to determine whether the device is behaving anomalously”).
and a task executor, implemented on the processor, that executes an action based on the subset being identified as anomalous (para.[0012]; “Network system administrators/security officers may be sent alerts about any device whose behavior is determined to be sufficiently anomalous”).
The examiner believe Dean et al (US 2017/0230392 A1) discloses each and every feature of claim 1. In addition, Bogachev discloses implementing an extreme value theory (EVT) algorithm to determine a probability value for the feature based at least in part on the determined parameters (para.[0085]; “fitting a statistical model of extremes involves using either a block maxima approach or a peaks-over-threshold (POT) approach”, para.[0093]; “determining
values for the plurality of parameters which best model the observed extreme values”, and para.[0104]; “determining the plurality of parameters by estimating
the latent functional dependency of the plurality of parameters upon the one or more covariates”).
Therefore, it would have been obvious to one of ordinary skill in the art before the invention was filed to incorporate probabilistic forecast of extreme values of the system of Bogachev into probability computation of anomalous behavior of a device of the system of Dean to produce a probabilistic forecast of extreme values based on a statistical model of extremes fitted to data.
As per claim 10, the rejection of claim 9 is incorporated and further Dean et al (US 2017/0230392 A1) discloses,
wherein: the subset includes a plurality of features (para.[0012]; “processing the new network activity measurement of each device to compute the values of the corresponding behavioral metrics”).
and the EVT mechanism further: implements the EVT algorithm to determine a probability value for each of the plurality of features (para.[0043]; “modelling the distribution of values of metrics, using extreme value theory …..distribution is then used to calculate the survival probabilities of observations of values of the metric. The survival probability is the probability of observing a more extreme value than the observed value” and para.[0086]; “extreme value theory is used. In particular, the method of Peaks Over Thresholds (POT) is used for estimating tail probabilities and quantiles from observed data”).
generates an outlier score for each of the plurality of features (para.[0013]; “the probability of observing a more extreme value of the metric than a given value, m, of the metric, wherein the probability is used to determine whether the device is behaving anomalously” and para.[0014]; “probability of observing a more extreme value may be the probability of observing a greater value than the given value, m, when the given value is greater than a suitable quantile point of the values, mi, ... , mN; and/or wherein the probability of observing a more extreme value is the probability of observing a smaller value than the given value, m, when the given value is less than a suitable quantile point of the values, mi, ... , mN”).
As per claim 11, the rejection of claim 10 is incorporated and further Dean et al (US 2017/0230392 A1) discloses,
wherein the EVT mechanism further generates an aggregate outlier score for the subset, the aggregate outlier score comprising a sum of the generated outlier scores for each of the plurality of features (para.[0012]; “levels of anomalousness of the values of each behavioral metric of a device may be combined to produce a measure of the overall anomalousness of the behavior of each device”).
As per claim 12, the rejection of claim 9 is incorporated and further Bogachev et al (US 2023/0408991 A1) discloses,
wherein the determined parameters are a gamma value and a sigma value of a tail of a calibration set of data para.[0124]; “the quality of statistical estimation of the model parameters from available exceedances (which would get depleted due to higher thresholds). Preferably, the threshold is chosen according to an empirical quantile; for instance at a 95% level, so that about 5% of observed values lie above this threshold. This empirical approach is particularly useful for initial calibration of the model”).
Therefore, it would have been obvious to one of ordinary skill in the art before the invention was filed to incorporate probabilistic forecast of extreme values of the system of Bogachev into probability computation of anomalous behavior of a device of the system of Dean to produce a probabilistic forecast of extreme values based on a statistical model of extremes fitted to data.
As per claim 13, the rejection of claim 9 is incorporated and further Dean et al (US 2017/0230392 A1) discloses,
wherein the EVT mechanism further implements the EVT algorithm to determine a threshold for anomalous features (para.[0086]; “extreme value theory is used. In particular, the method of Peaks Over Thresholds (POT) is used for estimating tail probabilities and quantiles from observed data”).
As per claim 14, the rejection of claim 13 is incorporated and further Dean et al (US 2017/0230392 A1) discloses,
wherein the EVT mechanism further identifies the subset as anomalous based at least in part on the generated outlier score for the feature being greater than the determined threshold (para.[0014]; “probability of observing a more extreme value may be the probability of observing a greater value than the given value, m, when the given value is greater than a suitable quantile point of the values, mi, ... , mN; and/or wherein the probability of observing a more extreme value is the probability of observing a smaller value than the given value, m, when the given value is less than a suitable quantile point of the values, mi, ... , mN”).
As per claim 15, the rejection of claim 9 is incorporated and further Dean et al (US 2017/0230392 A1) discloses,
wherein the EVT mechanism further identifies the subset as anomalous in real-time (para.[0252]; “New values of the behavioral metrics are fed into the system in real time for anomaly detection and alerting”).
Claim 16 is a computer-storage memory claim corresponding to system claim 9, and rejected under the same reason set forth in connection to the rejection of claim 9 above
Claims 17, and 18 - 20 are computer-storage memory claim corresponding to method claims 3 and 5 - 7respectively, and rejected under the same reason set forth in connection to the rejection of claims 3 and 5 - 7 respectively above.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AUGUSTINE K. OBISESAN whose telephone number is (571)272-2020. The examiner can normally be reached Monday - Friday 8:30am - 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ajay Bhatia can be reached at (571) 272-3906. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/AUGUSTINE K. OBISESAN/
Primary Examiner
Art Unit 2156
2/13/2026