Prosecution Insights
Last updated: May 29, 2026
Application No. 18/488,180

ANOMALY DETECTION AT SCALE

Final Rejection §103
Filed: Oct 17, 2023
Examiner: AHMED, MAHABUB S
Art Unit: 2434
Tech Center: 2400 — Computer Networks
Assignee: DELL PRODUCTS, L.P.
OA Round: 2 (Final)
Grant Probability: 86% (Favorable)
OA Rounds: 3-4
Est. Remaining: 0m
With Interview: 93%

Examiner Intelligence

Grants 86% — above average
Career Allowance Rate: 86% (248 granted / 290 resolved), +27.5% vs TC avg
Interview Lift: +7.8% (Moderate +8% lift; resolved cases with interview)
Typical timeline: 2y 4m Avg Prosecution; 17 currently pending
Career history: 309 Total Applications across all art units

Statute-Specific Performance

§101: 1.5% (-38.5% vs TC avg)
§103: 83.5% (+43.5% vs TC avg)
§102: 2.4% (-37.6% vs TC avg)
§112: 4.3% (-35.7% vs TC avg)
Based on career data from 290 resolved cases

Office Action

§103
DETAILED ACTION

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This office action is in response to communication (amendment) filed on 03/20/2026.

Status of claims in the instant application: Claims 1-7, 9-16 and 18-20 are pending. Claims 8 and 17 are canceled. Claims 19 and 20 are newly added. Claims 1, 3, 9, 10, 12 and 18 are amended.

Response to Arguments

Applicant's arguments, see page [9] of the remarks filed on 03/20/2026 with respect to objection to drawing, have been fully considered but they are not persuasive. Applicant noted that updated/replacement drawing sheets have been submitted. However, Examiner does not see any such updated drawing sheets in the filed wrapper, as available to the Examiner. Therefore, the drawing objections are maintained.

Applicant's arguments, see page [9] of the remarks filed on 03/20/2026 with respect to objection to claim and specification, have been fully considered in view of amendments, and they are persuasive. Therefore, the objections have been withdrawn.

Applicant's arguments, see page [9-10] of the remarks filed on 03/20/2026 with respect to rejection of claims under 35 USC 101, have been fully considered in view of amendments, and they are persuasive. Therefore, the rejections have been withdrawn.

Applicant's arguments, see page [10-11] of the remarks filed on 03/20/2026 with respect to rejection of claims under 35 USC 103, have been fully considered in view of amendments but they are not persuasive. Therefore, the claim rejections are maintained, and the Applicant is directed to Examiner’s response below.

Applicant states, see page [10] of the remarks filed on 03/20/2026, “Independent claims 1 and 10 as amended herein are patentable over the combined teaching of Korycki, Sarathy, and Lavrentyev, at least because the independent claims as amended recite one or more features not taught by the combined teaching of the cited references. The amended independent claims recite, in part, providing an anomaly detection algorithm for identifying anomalies in a performance parameter based on historical telemetry data indicative of the performance parameter and generated by information technology infrastructure associated with an enterprise, training the anomaly detection algorithm with telemetry-independent data (TID) to improve accuracy of the anomaly detection algorithm, generating a time-series display of the performance parameter, wherein the time-series display highlights a suspected anomaly, and enabling a user to provide input confirming or rejecting the suspected anomaly as an actual anomaly.”

In response, Examiner disagrees with Applicant’s above arguments, and characterization of the combination of prior arts. Examiner further notes that Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references. Applicant has not specifically identified any feature in the claimed invention above that are not disclosed by the combination of the prior arts and/or how are they different from that disclosed in the combination of prior arts.

Applicant states, see page [10] of the remarks filed on 03/20/2026, “Addressing the limitations for generating a time-series display and enabling a user to provide input recited in previously presented claims 8 and 17, both now canceled, Examiner appropriately conceded that Korycki and Sarathy did not individually or collectively disclose those features. See, Office Action, pp. 16-18. Examiner then cited Lavrentyev for teaching the limitations of previously presented claims 8 and 17. However, at least because Lavrentyev does not teach or suggest training an anomaly detection algorithm with telemetry independent data, i.e., data that is independent of the performance parameter, the combined teaching of Korycki, Sarathy, and Lavrentyev does not teach or suggest each limitation of either independent claim.”

In response, Examiner again disagrees with Applicant’s above arguments, and characterization of the combination of prior arts. Examiner further notes that Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references. Applicant has not specifically identified any feature in the claimed invention above that are not disclosed by the combination of the prior arts and/or how are they different from that disclosed in the combination of prior arts.

Examiner further notes that Applicant argued that “Lavrentyev does not teach or suggest training an anomaly detection algorithm with telemetry independent data”. However, Lavrentyev prior art was not cited by the Examiner in the previous office action to disclose such feature. Therefore, Applicant’s argument is not responsive to previous office action. Examiner further directs Applicant to the Sarathy prior art citations (Abstract, Para [0001, 0022, 0050, 0056, 0063-0064], FIG. 5) that were used to disclose the previously noted/highlighted claimed feature that the Applicant is arguing about for proper response. The cited portions of Sarathy prior art clearly disclose “training an anomaly detection algorithm with telemetry independent data”. The entity profile data (for example: personally identifiable information 502, digital personally identifiable information 504, natural data 506, demographic data 508, social data 510, and consumer data 511, identity of the target entity … The personally identifiable information 502 can include an address 512 of the target entity, a phone number 514 of the target entity … The natural data 506 can include calamity 518 and weather 520. Calamity 518 can include any suitable adverse events (e.g., civil war, rioting, crime, natural disaster, artificial disaster, etc.) occurring at or near a location of the target entity) used by Sarathy for model training clearly includes “telemetry independent data”.

Drawings

The drawings are objected to because the legends/details in the drawing are not legible. For example, annotations in FIG. 3-5 are not clear and are not readable. Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action.
The objection to the drawings will not be held in abeyance.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4-7, 10-11, 13-16 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 20180006900 A1 to Korycki A. et al. (hereinafter “Korycki”) in view of Pub. No.: US 20240086923 A1 to SARATHY et al. (hereinafter “SARATHY”) and further in view of Pub. No.: US 20200210264 A1 to Lavrentyev et al. (hereinafter “Lavrentyev”).

Regarding Claim 1. Korycki discloses An anomaly management method, comprising:

providing an anomaly detection algorithm for identifying anomalies in a performance parameter based on historical telemetry data indicative of the performance parameter and generated by information technology infrastructure associated with an enterprise (Korycki, Abstract, FIG. 2, Para [0112-0014, 0019]: … Systems, methods, and software for operational anomaly detection in communication systems is provided herein. An exemplary method includes obtaining a measured sequence of state information associated with the communications system during a first timeframe, processing the measured sequence of state information to determine a predicted sequence of state information for the communication system during a second timeframe, and monitoring current state information for the communication system over at least a portion of the second timeframe. The method also includes determining operational anomalies associated with the communication system based at least on a comparison between the current state information and the predicted sequence of state information … The operations of FIG. 2 are indicated parenthetically below. In FIG. 2, anomaly processing system 110 obtains (211) a measured sequence of state information associated with a communications system during a first timeframe. The state information associated with the communications system can include operational telemetry information retrieved from one or more communication nodes of the communication system, with the operational telemetry information comprising indications of quantities of concurrent user connections, indications of node processor utilization, indications of node memory utilization, and indications of network latency … The telemetry information can be measured, observed, collected, received, or otherwise accumulated into an anomaly detection platform. Taken together, the telemetry information forms a vector of measurements, which describe the current state of the system. Anomaly detection maps the telemetry information to an anomaly reading. The reading can be categorical, i.e. “normal” vs “anomaly”, or quantitative, such as a number describing the degree or severity of anomaly … Anomaly detection can take an indicated telemetry measurement vector and compare against a collection of telemetry measurement vectors from a history of the system … Operators of the communication systems typically have access to a range of real time measurements including performance counters, system events, event logs, streaming operational status, or other telemetry data. For example, for a communication service system, telemetry information can be collected that indicates a number of concurrent user connections, processor utilization, memory utilization, average network latency, and the like for particular nodes or elements of the communication system as well as for the communication system as a whole … These classical methods can also be applied when the vector being evaluated is expanded to include the history of measurements over time, not just at a single time instance …);

training the anomaly detection algorithm [with telemetry-independent data (TID)] to improve accuracy of the anomaly detection algorithm (Korycki, Abstract, FIG. 2, Para [0022, 0037]: … Sequence prediction platform 111 can process measured sequence 140 of state information using one or more machine learning algorithms. Sequence prediction platform 111 can process measured sequence 140 of state information using a recurrent neural network (RNN) process that determines the predicted sequence of state information based at least on measured sequence 140 of state information. The RNN process can be initially trained to determine the predicted sequence of state information can include using past state information observed for the communication system. Training the RNN process using the past state information can be provided by at least subdividing the past state information into a historical portion and a future portion, selecting the historical portion as an input to the RNN process, and iteratively evolving the historical portion using the RNN process until the future portion is predicted by the RNN process to within a predetermined margin of error. Other training methods and processes can be employed, and these can be included both automated and supervised training processes …).

However, Korycki does not explicitly teach, but SARATHY from same or similar field of endeavor teaches: “training the anomaly detection algorithm with telemetry-independent data (TID) (SARATHY, Abstract, Para [0001, 0022, 0050, 0056, 0063-0064], FIG. 5: … A system can efficiently control access to an interactive computing environment using an entity profile. The system can receive entity data relating to a target entity. The entity data can include real-time data and external data. The system can extract features from the entity data. The system can generate signals based on the features. Each signal can include a subset of the features, and each signal can correspond to an amount of risk associated with the target entity. The system can generate, based on the signals, an entity profile. The system can provide a responsive message based on the entity profile that can be used to control access to an interactive computing environment … The present disclosure relates generally to risk assessment and access control. More specifically, but not by way of limitation, this disclosure relates to controlling access to an interactive computing environment using an entity profile … The risk assessment server 118 can include one or more processing devices that can execute program code, such as an entity profile model 112, a risk assessment application 114, and the like … In some examples, the training dataset 126 can be used to train one or more machine-learning models, which may include the risk assessment application 114, the entity profile model 112, and the like. The one or more machine-learning models can be trained to determine the entity profile 122 … The entity profile 122 can be determined based on one or more signals determined using received entity data that can include real-time streamed data about the target entity, real-time produced data about the target entity, historical data associated with the target entity, etc. The signals can be determined and stored in one or more network-attached storage units on which various repositories, databases, or other structures are stored. Examples of these data structures can include the risk data repository 123. Additionally or alternatively, a training dataset 126 can be stored in the risk data repository 123. In some examples, the training dataset 126 can be used to train one or more machine-learning models, which may include the risk assessment application 114, the entity profile model 112, and the like. The one or more machine-learning models can be trained to determine the entity profile 122, to determine scores about the target entity based on the entity profile 122, to control access to the interactive computing environment 107 using the entity profile 122 … FIG. 5 is a diagram depicting a visualization 500 of an entity profile 122 according to certain aspects of the present disclosure. In some examples, the entity profile 122 can include characteristics, scores, signals, and other suitable information about the target entity. As illustrated, the entity profile 122 includes signals including personally identifiable information 502, digital personally identifiable information 504, natural data 506, demographic data 508, social data 510, and consumer data 511. The entity profile 122 can include any other suitable information relating to behavior, identity, and the like about the target entity … The personally identifiable information 502 can include an address 512 of the target entity, a phone number 514 of the target entity, and other personally identifiable information 502 associated with the target entity. The digital personally identifiable information 504 can include a device 516 used by the target entity and any other suitable digital personally identifiable information (e.g., IP address, etc.) about the target entity. The natural data 506 can include calamity 518 and weather 520. Calamity 518 can include any suitable adverse events (e.g., civil war, rioting, crime, natural disaster, artificial disaster, etc.) occurring at or near a location of the target entity …)”

Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of SARATHY into the teachings of Korycki, because it discloses that, “Certain aspects described herein, which can include determining the entity profile and controlling access to the interactive computing environment based on the entity profile, can improve the technical field of access control for a computing environment. For instance, by using the entity profile, a risk assessment computing system may provide legitimate access to the interactive computing environment using fewer computing resources compared to other risk assessment systems (SARATHY, Para [0019])”.

However the combination of Korycki-SARATHY does not explicitly teach, but Lavrentyev from same or similar field of endeavor teaches: “generating a time-series display of the performance parameter, wherein the time-series display highlights a suspected anomaly (Lavrentyev, FIG.7, FIG. 9, Para [00243, 0252-0255]: … using the system proposed in FIG. 9 allows this process to be simplified, namely, to determine the moment of occurrence of an anomaly and to generate graphs of the values of the features of the CPS and of the forecast values of those features (and then providing them to the user). These graphs, generated by the GUI for generating graphs 930, may be generated (and displayed to the user) both for features selected by the user and for features (from among all features of the CPS) on the mentioned list of features having the largest forecast error (that is, the contribution to the total forecast error of these features is greater than the contribution of other selected features). These are precisely the features which are the most likely sources of an anomaly … FIG. 9 presents a system for generating data for the monitoring of a cyber-physical system for the purpose of an early determination of anomalies in a graphic user interface (GUI) system. The GUI system contains at least one GUI element for selecting a feature 910, the element containing, in particular, a list of features of the cyber-physical system (hereinafter, the list of features), and being designed to receive information about the at least one feature of the CPS from the list of features, which at least one feature was selected by the user (also the operator) of the CPS. The list of features is selected using a GUI for selecting a list of features 911. Furthermore, at least one GUI element for selecting a period of time 920 is designed to receive information about the period of time, selected by the user, for the monitoring of the selected features of the CPS. The system likewise contains a forecasting means 221, designed to generate a forecast for the features of the CPS for the indicated monitoring time period, and an anomaly determination means 222, designed to generate the total forecast error for the selected features of the CPS and the forecast error for each of the selected features of the CPS for the indicated monitoring time period… The GUI element for selection of the order of display 922 is designed to receive information about the method, selected by the user, of sorting and displaying the selected features on the element of the GUI for generating graphs 930. For example, a sorting mode may be selected (sorted tags, selected in FIG. 10a-10b), where the graphs of the values of the features will be sorted by largest forecast error—from the largest forecast error for the feature in the first graph to the smallest forecast error for the feature in the last graph. This display mode may be the default display mode. It also allows the system to automatically generate and present to the user of the CPS information on the most likely site of occurrence of an anomaly and disruption of the TP. It is also possible to select a display mode in the order in which selected features are present in the previously mentioned list of features of the CPS (selected in FIG. 10c) …) …); and

enabling a user to provide input confirming or rejecting the suspected anomaly as an actual anomaly (Lavrentyev, Para [0242]: … the system and method described in FIG. 4-5, the user (operator) of the CPS may be shown accompanying information about the detected anomaly when determining an anomaly. For example, graphs of the change in values of the parameters during a period spanning the moment of detection of an anomaly. Furthermore, the graph may show the forecast values of the parameters, the total error threshold and the error threshold of the corresponding parameter, as well as an indication of the moment of detection of the anomaly and the parameters which are the sources of the anomaly. After further analysis, the user of the CPS may confirm or reject the detection of the anomaly and the parameters which are the source of the anomaly. This will allow a decreasing of an error of the first kind and an increasing of the accuracy of determination of anomalies and identification of parameters which are the source of the given anomaly. A system for generating data for the monitoring of a cyber-physical system for the purpose of an early determination of anomalies in a graphic user interface (GUI) system shall be presented below in greater detail in FIG. 9 …).”

Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Lavrentyev into the combined teachings of Korycki-SARATHY, because it discloses that, “the user of the CPS may confirm or reject the detection of the anomaly and the parameters which are the source of the anomaly. This will allow a decreasing of an error of the first kind and an increasing of the accuracy of determination of anomalies and identification of parameters which are the source of the given anomaly (Lavrentyev, Para [0242])”.

Regarding Claim 2. The combination of Korycki-SARATHY-Lavrentyev discloses the method of claim 1, SARATHY further discloses, “wherein the TID includes enterprise profile data indicative of one or more attributes of the enterprise (SARATHY, Para [0056]: … The feature engine 406 can include a feature pipeline 424, a feature store 426, and any other suitable components for generating, extracting, or otherwise determining features from the entity data. The feature pipeline 424 can extract features or attributes from usable data.
For example, the feature pipeline 424 can access the usable entity data stored by the data platform 422 and can extract features or attributes from the usable entity data. The extracted features can be used to determine signals for the entity profile 122. In one such example, the feature pipeline 424 can extract features including personally identifiable information, a time or location of the request, and the like from the entity data associated with the target entity. The feature pipeline 424 can transmit the extracted features to the feature store 426. The feature store 426 can store the extracted features for use in generating signals for the entity profile 122 …).” The motivation to further combine SARATHY remains same as in claim 1.

Regarding Claim 4. The combination of Korycki-SARATHY-Lavrentyev discloses the method of claim 1, SARATHY further discloses, “wherein the TID includes external factor data indicative of one or more external events or conditions external to the enterprise (SARATHY, Para [0064]: … The digital personally identifiable information 504 can include a device 516 used by the target entity and any other suitable digital personally identifiable information (e.g., IP address, etc.) about the target entity. The natural data 506 can include calamity 518 and weather 520. Calamity 518 can include any suitable adverse events (e.g., civil war, rioting, crime, natural disaster, artificial disaster, etc.) occurring at or near a location of the target entity, and weather 520 can include reported or predicted weather occurring at or near the location of the target entity. The demographic data 508 can include parity 522, income 524, and crime 526 associated with the target entity …)”. The motivation to further combine SARATHY remains same as in claim 1.

Regarding Claim 5. The combination of Korycki-SARATHY-Lavrentyev discloses the method of claim 4, SARATHY further discloses, “wherein the one or more external events or conditions include: severe weather and natural disaster events or conditions present in proximity to the enterprise (SARATHY, Para [0064]: … The natural data 506 can include calamity 518 and weather 520. Calamity 518 can include any suitable adverse events (e.g., civil war, rioting, crime, natural disaster, artificial disaster, etc.) occurring at or near a location of the target entity, and weather 520 can include reported or predicted weather occurring at or near the location of the target entity …); supply chain events associated with supply chain disruptions; and civil unrest events.” The motivation to further combine SARATHY remains same as in claim 1.

Regarding Claim 6. The method of claim 1, Korycki further discloses, wherein the anomaly detection algorithm employs a long short-term memory (LSTM) neural network to calculate a baseline time-series based on the historical telemetry data (Korycki, Para [0032]: … Turning now to further examples of anomaly detection and sequence prediction, FIGS. 3-5 are presented. FIGS. 3-5 include various descriptions of example recurrent neural network (RNN) elements and processes. The examples herein employ machine learning approaches for implementing the above mentioned prediction capability, such as using these recurrent neural networks. There are several variants of RNN that can be employed for the examples herein. Among these variants, two examples include Long Short Term Memory (LSTM) and Gated Recurrent Unit (GRU) variants …)”.

Regarding Claim 7. The combination of Korycki-SARATHY-Lavrentyev discloses the method of claim 1, Korycki further discloses, “wherein the historical telemetry data includes data indicative of at least one of: central processing unit (CPU) utilization of the infrastructure; and a latency parameter associated with accessing the infrastructure (Korycki, Para [0013]: … Anomalies indicate system behavior which is undesirable or unpredicted, and can indicate failures, errors, overloading, malicious attacks, or other events. Operators of the communication systems typically have access to a range of real time measurements including performance counters, system events, event logs, streaming operational status, or other telemetry data. For example, for a communication service system, telemetry information can be collected that indicates a number of concurrent user connections, processor utilization, memory utilization, average network latency, and the like for particular nodes or elements of the communication system as well as for the communication system as a whole. The telemetry information can be measured, observed, collected, received, or otherwise accumulated into an anomaly detection platform …).”

Regarding Claim 10. This claim contains all the same or similar limitations as claim 1, hence similarly rejected as claim 1. *** Note: Korycki also discloses a system (Korycki: Abstract, FIG.1, Para [0026]).

Regarding Claim 11. This claim contains all the same or similar limitations as claim 2, hence similarly rejected as claim 2.

Regarding Claim 13. This claim contains all the same or similar limitations as claim 4, hence similarly rejected as claim 4.

Regarding Claim 14. This claim contains all the same or similar limitations as claim 5, hence similarly rejected as claim 5.

Regarding Claim 15. This claim contains all the same or similar limitations as claim 6, hence similarly rejected as claim 6.

Regarding Claim 16. This claim contains all the same or similar limitations as claim 7, hence similarly rejected as claim 7.

Regarding Claim 19. The combination of Korycki-SARATHY-Lavrentyev discloses the method of claim 2, SARATHY further discloses, “wherein the enterprise profile data pertains to at least one parameter selected from: a time zone parameter indicative of a principal time zone associated with the enterprise; a region parameter indicative of a geographic region associated with the enterprise (SARATHY, Para [0064]: … The personally identifiable information 502 can include an address 512 of the target entity, a phone number 514 of the target entity, and other personally identifiable information 502 associated with the target entity. The digital personally identifiable information 504 can include a device 516 used by the target entity and any other suitable digital personally identifiable information (e.g., IP address, etc.) about the target entity …); a holiday parameter indicative of one or more holidays associated with the enterprise; a business hours parameter indicative of business hours for the enterprise; and a maintenance window parameter indicative of one or more intervals for maintaining enterprise resources.” The motivation to further combine SARATHY remains same as in claim 2 (claim 1).

Regarding Claim 20. This claim contains all the same or similar limitations as claim 2, hence similarly rejected as claim 2.

Claims 3 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 20180006900 A1 to Korycki A. et al. (hereinafter “Korycki”) in view of Pub. No.: US 20240086923 A1 to SARATHY et al. (hereinafter “SARATHY”) and Pub. No.: US 20200210264 A1 to Lavrentyev et al. (hereinafter “Lavrentyev”), as applied to claim 2 above, and further in view of Pub. No.: US 20220114260 A1 to Udupi et al. (hereinafter “Udupi”).

Regarding Claim 3.
The combination of Korycki-SARATHY-Lavrentyev discloses the method of claim 2, however it does not explicitly teach but Udupi from same or similar field of endeavor teaches, “wherein the enterprise profile data pertains to an industry parameter indicative of an industry of the enterprise (Udupi, Abstract, Para [0029]: … According to another embodiment of the method, the input/output pairs of telemetry data used for the training of the federated neural network model may be weighted depending on a predefined metric. The weighting may allow not only to reflect geographical locations and its specifics in terms of potential cyber-attacks but also other profiles of the local hosts. For example, a usage within a certain vertical industry, a specific department, a type of host computer (e.g., central system enterprise computing system vs. Internet-of-Things (IoT), system or personal device). Further, the weighting can enable an improved protection depending on more tunable parameters against malware resulting in potentially malicious processes. …)”. Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Udupi into the combined teachings of Korycki-SARATHY-Lavrentyev, because it discloses that, “the weighting can enable an improved protection depending on more tunable parameters against malware resulting in potentially malicious processes (Udupi, Para [0029])”. Regarding Claim 12. This claim contains all the same or similar limitations as claim 3, hence similarly rejected as claim 3. Claims 9 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 20180006900 A1 to Korycki A. et al. (hereinafter “Korycki et al.”) in view of Pub. No.: US 20240086923 A1 to SARATHY et al. (hereinafter “SARATHY”) and Pub. No.: US 20200210264 A1 to Lavrentyev et al. (hereinafter “Lavrentyev”), as applied to claim 8 above, and further in view of Pub. 
No.: US 20230007023 A1 to Andrabi et al. (hereinafter “Andrabi”). Regarding Claim 9. The combination of Korycki-SARATHY-Lavrentyev discloses the method of claim 1, however it does not explicitly teach but Andrabi from same or similar field of endeavor teaches, “further comprising: responsive to rejecting a suspected anomaly as an actual anomaly, training the anomaly detection algorithm to recognize the suspected anomaly as non-anomalistic (Andrabi, Para [0031]: … The anomalous-event-detection system provides several technical advantages over existing document hosting systems. For example, the anomalous-event-detection system can effectively detect accurate anomalous actions (e.g., malicious or accidental actions) amongst a large number of digital actions taken by numerous users in a large-scale digital-content-synchronization platform. In particular, unlike existing systems that detect a high number of false negative and false positive malicious and accidental actions within a decentralized synchronizing environment, the anomalous-event-detection system can adaptively learn (e.g., machine learn) to accurately detect anomalous actions. For example, by training (and continuously updating) a machine learning model to detect anomalous actions from parameters of digital actions monitored in real (or near-real) time using administrator device feedback on detected anomalies, the anomalous-event-detection system can reduce false negative and false positive detections. 
…).” Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Andrabi into the combined teachings of Korycki-SARATHY-Lavrentyev, because it discloses that, “by training (and continuously updating) a machine learning model to detect anomalous actions from parameters of digital actions monitored in real (or near-real) time using administrator device feedback on detected anomalies, the anomalous-event-detection system can reduce false negative and false positive detections (Andrabi, Para [0031])”. Regarding Claim 18. This claim contains all the same or similar limitations as claim 9, hence similarly rejected as claim 9. Pertinent Prior Arts The following prior arts made of record and not relied upon are considered pertinent to applicant's disclosure. US 20180077175 A1; DiValentin et al.: DiValentin discloses Malicious threat detection through time-series graph analysis, in which a data analysis device receives a data file comprising multiple log data entries. The log data entries include parameters associated with a computer network event in a computing network. The data analysis device produces a graphical model of the computing network based on at least one parameter included in the log data. The data analysis device also identifies a parameter associated with a node of the computer network represented by the graphical model, and performs a time-series analysis on the parameter. The data analysis device further determines, based on the time-series analysis on the parameter, at least one of an anomalous event associated with the computing network or a malicious event associated with the computing network. US 20240036963 A1; AZEEZ et al.: AZEEZ discloses systems and methods of detecting anomalies using a plurality of machine learning models. Each of the machine learning models may be trained to detect a respective behavior of historical data values for a given metric. 
Thus, a system may perform anomaly detection based on different behaviors of the same metric of data, reducing instances of false positive anomaly detection while also reducing instances of false negative reporting. The plurality of machine learning models may be trained to detect anomalies across multiple different types of metrics as well, providing robust multi-metric anomaly detection across a range of behaviors of historical data values. The system may implement a pluggable architecture for the plurality of machine learning models in which models may be added or removed from pluggable architecture. In this way, the system may detect anomalies using a configurable set of machine learning models. US 20230177027 A1; Bansal et al.: Bansal discloses method and system to classify each log line in a plurality of unlabeled log lines as an erroneous log line or a non-erroneous log line. The one or more computer processors templatize each classified erroneous log line and non-erroneous log line in the plurality of unlabeled log lines. The one or more computer processors cluster erroneous log templates into erroneous log template clusters and the non-erroneous log templates into non-erroneous log template clusters. The one or more computer processors eliminate the erroneous log template clusters and the non-erroneous log template clusters that exceed a frequency threshold. The one or more computer processors train a log anomaly model utilizing=remaining erroneous log template clusters and remaining non-erroneous log template clusters. The one or more computer processors identify a subsequent log line as anomalous or non-anomalous utilizing the trained log anomaly model. The present invention relates generally to the field of machine learning, and more particularly to continuous learning of point-in-time log anomalies from unlabeled data. 
US 20220400125 A1; MENDELOWITZ et al.: MENDELOWITZ discloses systems and methods for detecting potential malicious attacks in vehicles operational environment using staged Machine Learning (ML), comprising creating a plurality of features vectors each comprising a plurality of features extracted from vehicle operational data generated by a plurality of devices deployed in one or more vehicles which is indicative of operation of the one or more vehicles, detecting, in real-time, a plurality of anomaly feature vectors using one or more unsupervised ML models applied to the plurality of feature vectors, identifying, in real-time, one or more potential cyberattack events using one or more supervised ML models applied to the plurality of anomaly feature vectors, and generating an alert indicative of the one or more potential cyberattack events. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHABUB S AHMED whose telephone number is (571)272-0364. 
The examiner can normally be reached on 9AM-5PM EST M-F. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /MAHABUB S AHMED/Examiner, Art Unit 2434 /TESHOME HAILU/Primary Examiner, Art Unit 2434

Prosecution Timeline

Oct 17, 2023
Application Filed
Sep 29, 2025
Non-Final Rejection mailed — §103
Mar 20, 2026
Response Filed
Apr 27, 2026
Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12632528
INFORMATION PROCESSING DEVICE, AND INFORMATION PROCESSING METHOD
3y 3m to grant Granted May 19, 2026
Patent 12632645
Personal Data Discovery
1y 10m to grant Granted May 19, 2026
Patent 12627639
COMMUNICATION PROTECTION METHOD AND APPARATUS
3y 5m to grant Granted May 12, 2026
Patent 12615272
LOG DETERMINATION DEVICE, LOG DETERMINATION METHOD, LOG DETERMINATION PROGRAM, AND LOG DETERMINATION SYSTEM
2y 7m to grant Granted Apr 28, 2026
Patent 12591864
METHODS AND SYSTEMS FOR THE EFFICIENT TRANSFER OF ENTITIES ON A BLOCKCHAIN
3y 5m to grant Granted Mar 31, 2026

Prosecution Projections

3-4
Expected OA Rounds
86%
Grant Probability
93%
With Interview (+7.8%)
2y 4m (~0m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 290 resolved cases by this examiner. Grant probability derived from career allowance rate.
