Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This communication is in response to the amendment filed on 12/30/2025.
Claims 1-20 are pending and are rejected.
Response to Arguments
Applicant's arguments with respect to claims 1, 8, and 15 have been fully considered but they are not persuasive. Applicants are arguing in substance the following:
Arguments to claims 1, 8, and 15:
Zaman discloses a network access controller that monitors the network resources rather than "performing multi-dimensional analysis of traffic data from a plurality of traffic sources with security modules of an anomaly detector on the computing device".
Sharma does not teach the historical traffic data of the plurality of traffic sources.
Response to the arguments of claims 1, 8, and 15:
Zaman teaches determining an anomaly score based on multiple factors, including a device score, a user score, and an interaction score, which constitutes a multi-dimensional analysis of activity associated with a device and its network interactions. The firewall of the disclosed interface system can include advanced functionalities including VPN, packet filtering, proxy firewall, web filtering, NAT firewall, stateful multilayer inspection firewall, malware and virus filtering, and monitoring of network traffic ([0040]). Therefore, Zaman teaches the above limitation.
Sharma teaches comparing the traffic anomaly of each node of the first set of nodes with predetermined traffic patterns. In order to perform such comparisons, the system necessarily relies on previously collected or stored traffic information, which corresponds to historical traffic data. Therefore, Sharma teaches the historical traffic data.
Applicant's other arguments have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-5, 8-12, and 15-19 are rejected under 35 U.S.C. 103 as being unpatentable over Zaman et al. (US 20220141239 A1), hereafter Zaman in view of Sharma et al. (US 20240259421 A1), hereafter Sharma and further in view of Gopal et al. (US 20200274902 A1), hereafter Gopal.
Regarding claim 1, Zaman teaches a system for distributed denial-of-service (DDoS) protection, the system comprising:
a processor; and a memory storing instructions that upon execution by the processor perform operations comprising ([0038], fig. 2, the memory 220, and the network circuitry 240 can be connected to the processor 210 through a system bus 230):
monitoring system load metrics of a computing device ([0050] Referring to FIG. 4, the network access controller can monitor the network resources including the devices on the network and databases. The network access controller can check for any unusual activity (system load metrics));
using the system load metrics, performing multi-dimensional analysis of traffic data from a plurality of traffic sources with security modules of an anomaly detector on the computing device, ([0050] In case, unusual activity can be detected, the network access controller can determine a score based on the device, the user, and device user interaction (multi-dimensional analysis). For example, the user uploading a large number of files can be considered an unusual activity and the score of the unusual activity can be determined based on the score of the device and the score of the user; [0072] network connected devices related to network security);
blocking the traffic data from the identified traffic source and allowing the traffic data from the plurality of traffic sources other than the identified traffic source ([0050] if the calculated score is above the threshold value, the network access controller can block, restrict, or limit the network and physical access for the device. Examiner note: Only the device that has a score above the threshold value is blocked. The other sources are not blocked).
Zaman does not explicitly teach
to dynamically adjust influence of individual anomaly scores from the security modules;
wherein performing the multi-dimensional analysis comprises generating an aggregated anomaly score from the security modules using adaptive weighting based on the system load metrics;
identifying a traffic source from the plurality of traffic sources based on the multi-dimensional analysis of traffic data from the plurality of traffic sources and associated historical traffic data of the plurality of traffic sources; and
Sharma teaches
identifying a traffic source from the plurality of traffic sources based on the multi-dimensional analysis of traffic data from the plurality of traffic sources and associated historical traffic data of the plurality of traffic sources ([0025], fig. 1, to generate the similarity score, the second set of nodes 102b may be configured to compare the traffic anomaly of each node of the first set of nodes 102a (associated historical traffic data) with each attack pattern of the set of predetermined traffic patterns (multi-dimensional analysis of traffic data). The second set of nodes 102b may further be configured to generate a new set of attack pattern that includes a new attack pattern for each traffic anomaly from the set of anomalies that has the similarity score less than the second threshold value. The second set of nodes 102b may be configured to provide the alert signal to the corresponding node of the first set of nodes (identifying a traffic source));
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the Zaman disclosure to identify an attacked network source based on monitoring current traffic and previous activities of the network source, as taught by Sharma. One would be motivated to do so to enhance the security and productivity of a network, and more particularly to provide a system and method to mitigate a distributed denial of service (DDoS) attack.
Zaman and Sharma do not explicitly teach
to dynamically adjust influence of individual anomaly scores from the security modules;
wherein performing the multi-dimensional analysis comprises generating an aggregated anomaly score from the security modules using adaptive weighting based on the system load metrics.
Gopal teaches
to dynamically adjust influence of individual anomaly scores from the security modules ([0021], fig. 2, if SSE 106 utilizes a web interface that is not configured with HTTPS, SAE 206 may be configured to reduce or decrease the static security score and indicate that the use of HTTPS is recommended for SSE 10; [0029] the diversity index is part of the dynamic security score that is measured by observing the network traffic flows that are received by SSE (system load metrics));
wherein performing the multi-dimensional analysis comprises generating an aggregated anomaly score from the security modules using adaptive weighting based on the system load metrics ([0023], figs 1-2, SAE 206 may generate a first dynamic security score that is based on untrusted ingress packet traffic flows generated by untrusted sources and received by SSE 106. Further, SSM 208 may generate a second dynamic security score that is based on trusted ingress packet traffic flows received by SSE 106 from trusted sources within the trusted domain 102. After using SSM 208 to compute the first and second dynamic security scores, SAE 206 (and/or SSM 208) may combine these two dynamic security scores together (aggregate anomaly score) in order to compute and report a single overall dynamic security score for SSE 10. Examiner note: The total dynamic security score being based on untrusted ingress packet traffic flows corresponds to "adaptive weighting").
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the Zaman and Sharma disclosure to compute an aggregate dynamic security score, as taught by Gopal. One would be motivated to do so to dynamically assess network traffic flows and remediate security systems associated with enterprise networks.
Regarding claims 2, 9, and 16, Zaman, Sharma, and Gopal teach all limitations of parent claims 1, 8, and 15, wherein Zaman further teaches performing the multi-dimensional analysis of traffic data comprises analyzing the traffic data from each of the plurality of traffic sources on a range of metrics across different entities and on interrelationships among the range of metrics across different entities ([0050] the determined score can be compared to a predefined threshold. The value of threshold can be proportional to the security level, hardened the security, lesser will be the threshold value, and more will be the prompts and manual intervention. If the calculated score is below the threshold value (range of metrics), the network access controller can continue monitoring the network resources).
Regarding claims 3, 10, and 17, Zaman, Sharma, and Gopal teach all limitations of parent claims 1, 8, and 15, wherein Zaman further teaches the instructions upon execution by the processor perform further operations comprising:
generating an anomaly score from each of the security modules ([0042] The vulnerability scanner 280 can give a score to each connected device based on the vulnerability, such as the lower the score value of the device on a predetermined scale, more the vulnerable can be the device);
determining the aggregate anomaly score by applying weights to the anomaly scores from the security modules, the weights being adaptively determined based on the system load metrics ([0042] The vulnerability scanner based on such and many other factors can score the devices connected to the network);
comparing the aggregate anomaly score with a threshold; based on the comparison, determining that the aggregate anomaly score exceeds the threshold; and identifying the traffic source from the plurality of traffic sources ([0049] In case, unusual traffic can be detected, a score based on the unusual traffic can be determined. If the score is above the predetermined threshold, the network access controller can block, restrict, or limit the network and physical access for the system).
Regarding claims 4, 11, and 18, Zaman, Sharma, and Gopal teach all limitations of parent claims 1, 8, and 15, wherein Zaman further teaches the system load metrics comprises two or more of: central processing unit (CPU), memory, network, or disk ([0041] The network access controller can calculate an average security score for any network traffic; [0065] The interface system can monitor the memory and CPU utilization of all its components).
Regarding claims 5, 12, and 19, Zaman, Sharma, and Gopal teach all limitations of parent claims 1, 8, and 15, wherein Zaman further teaches the security modules comprise two or more of: a tenant tracker, an internet protocol (IP) address tracker, or a connection tracker ([0058] The interface system can know if a bad user is jumping from one connected device to another, or moving wired to wireless connection, moving from one floor to another, etc. The interface system can monitor and take proper security actions if the security score crosses the threshold for that user. This is the beauty of the interface system as it has a complete posture and it can track any user, connected device, network traffic).
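The mechanism recited in claims 1 and 3-5, as an added illustrative example (this is not code from the Applicant's specification nor from Zaman, Sharma, or Gopal): three assumed security modules (an IP address tracker, a connection tracker, and a tenant tracker) each score every source IP in a window of flows; the module weights are adapted from the host's CPU, memory, and network load; the weighted sum is compared with a threshold; and only the source whose aggregate score exceeds it is blocked while the other sources pass. The module definitions, the weighting schedule, the threshold, and the sample flows are all assumptions constructed for illustration.

```python
"""Adaptive-weighted multi-module anomaly detection (illustrative, assumed design).
Per-source anomaly scores from three security modules are combined with weights
that adapt to the host's own load metrics; only the source whose aggregate score
exceeds the threshold is blocked."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class LoadMetrics:
    """System load metrics of the protected host as fractions in 0.0..1.0 (assumed)."""
    cpu: float
    memory: float
    network: float


@dataclass
class Flow:
    """One observed flow: source IP, the tenant it targets, and whether it opened a new connection."""
    src_ip: str
    tenant: str
    new_connection: bool


class IPTracker:
    """Security module: how far each source IP's request count exceeds the per-IP mean."""
    name = "ip"

    def scores(self, flows: List[Flow]) -> Dict[str, float]:
        counts = Counter(f.src_ip for f in flows)
        mean = sum(counts.values()) / max(len(counts), 1)
        # 0 at or below the mean, rising towards 1 as one IP dominates the window.
        return {ip: max(0.0, (c - mean) / (c + mean)) for ip, c in counts.items()}


class ConnectionTracker:
    """Security module: each source IP's share of newly opened connections."""
    name = "conn"

    def scores(self, flows: List[Flow]) -> Dict[str, float]:
        new = Counter(f.src_ip for f in flows if f.new_connection)
        total = max(sum(new.values()), 1)
        return {ip: n / total for ip, n in new.items()}


class TenantTracker:
    """Security module: a source IP spraying many tenants scores higher than one on a single tenant."""
    name = "tenant"

    def scores(self, flows: List[Flow]) -> Dict[str, float]:
        tenants = defaultdict(set)
        for f in flows:
            tenants[f.src_ip].add(f.tenant)
        widest = max((len(t) for t in tenants.values()), default=1)
        return {ip: (len(t) - 1) / (widest - 1) if widest > 1 else 0.0
                for ip, t in tenants.items()}


MODULES = [IPTracker(), ConnectionTracker(), TenantTracker()]


def adaptive_weights(load: LoadMetrics) -> Dict[str, float]:
    """Assumed weighting schedule: CPU pressure favours the cheap IP-rate signal,
    network pressure favours connection churn, and memory pressure de-emphasises
    the tenant tracker (the module that keeps per-IP sets). Weights sum to 1."""
    raw = {
        "ip": 1.0 + 2.0 * load.cpu,
        "conn": 1.0 + 2.0 * load.network,
        "tenant": max(0.0, 1.0 - load.memory),
    }
    total = sum(raw.values())
    return {name: w / total for name, w in raw.items()}


def aggregate_scores(flows: List[Flow], load: LoadMetrics) -> Dict[str, float]:
    """Weighted sum of the per-module scores for every source seen in the window."""
    weights = adaptive_weights(load)
    per_module = {m.name: m.scores(flows) for m in MODULES}
    sources = set().union(*per_module.values())
    return {src: sum(weights[name] * s.get(src, 0.0) for name, s in per_module.items())
            for src in sources}


def identify_and_block(flows: List[Flow], load: LoadMetrics,
                       threshold: float = 0.6) -> Tuple[List[str], List[Flow]]:
    """Block only the sources whose aggregate score exceeds the threshold; pass the rest."""
    agg = aggregate_scores(flows, load)
    blocked = sorted(src for src, score in agg.items() if score > threshold)
    allowed = [f for f in flows if f.src_ip not in blocked]
    return blocked, allowed


def sample_window() -> List[Flow]:
    """Constructed traffic window (RFC 5737 documentation addresses): three quiet
    sources on one tenant and one source hammering three tenants with new connections."""
    flows = []
    for ip in ("192.0.2.1", "192.0.2.2", "192.0.2.3"):
        flows += [Flow(ip, "tenant-a", new_connection=(i == 0)) for i in range(5)]
    flows += [Flow("198.51.100.7", f"tenant-{'abc'[i % 3]}", new_connection=True)
              for i in range(60)]
    return flows


if __name__ == "__main__":
    busy = LoadMetrics(cpu=0.9, memory=0.2, network=0.8)
    blocked, allowed = identify_and_block(sample_window(), busy)
    print("weights:", adaptive_weights(busy))
    print("blocked:", blocked, "allowed flows:", len(allowed))
```

Changing the LoadMetrics values shifts the weights but, for this window, not the verdict: the flooding source is caught whether the IP-rate or the connection-churn module carries most of the weight, which is the point of weighting several modules rather than trusting one.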
Regarding claim 8, Zaman teaches a computerized method comprising:
monitoring system load metrics of a computing device ([0050] Referring to FIG. 4, the network access controller can monitor the network resources including the devices on the network and databases. The network access controller can check for any unusual activity (system load metrics));
using the system load metrics, performing multi-dimensional analysis of traffic data from a plurality of traffic sources with an anomaly detector on the computing device ([0050] In case, unusual activity can be detected, the network access controller can determine a score based on the device, the user, and device user interaction (multi-dimensional analysis). For example, the user uploading a large number of files can be considered an unusual activity and the score of the unusual activity can be determined based on the score of the device and the score of the user);
performing an action only on the traffic data from the identified traffic source ([0050] if the calculated score is above the threshold value, the network access controller can block, restrict, or limit the network and physical access for the device).
Zaman does not explicitly teach
wherein performing the multi-dimensional analysis comprises generating anomaly scores from security modules of the anomaly detector and determining an aggregate anomaly score by applying adaptive weights to the anomaly scores based on the system load metrics;
identifying a traffic source from the plurality of traffic sources based on the multi- dimensional analysis and associated historical traffic data;
Sharma teaches
identifying a traffic source from the plurality of traffic sources based on the multi- dimensional analysis and associated historical traffic data ([0025], fig. 1, to generate the similarity score, the second set of nodes 102b may be configured to compare the traffic anomaly of each node of the first set of nodes 102a (associated historical traffic data) with each attack pattern of the set of predetermined traffic patterns (multi-dimensional analysis of traffic data). The second set of nodes 102b may further be configured to generate a new set of attack pattern that includes a new attack pattern for each traffic anomaly from the set of anomalies that has the similarity score less than the second threshold value. The second set of nodes 102b may be configured to provide the alert signal to the corresponding node of the first set of nodes (identifying a traffic source));
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the Zaman disclosure to identify an attacked network source based on monitoring current traffic and previous activities of the network source, as taught by Sharma. One would be motivated to do so to enhance the security and productivity of a network, and more particularly to provide a system and method to mitigate a distributed denial of service (DDoS) attack.
Zaman and Sharma do not explicitly teach
wherein performing the multi-dimensional analysis comprises generating anomaly scores from security modules of the anomaly detector and determining an aggregate anomaly score by applying adaptive weights to the anomaly scores based on the system load metrics;
Gopal teaches
wherein performing the multi-dimensional analysis comprises generating anomaly scores from security modules of the anomaly detector and determining an aggregate anomaly score by applying adaptive weights to the anomaly scores based on the system load metrics ([0023], figs 1-2, SAE 206 may generate a first dynamic security score that is based on untrusted ingress packet traffic flows generated by untrusted sources and received by SSE 106. Further, SSM 208 may generate a second dynamic security score that is based on trusted ingress packet traffic flows received by SSE 106 from trusted sources within the trusted domain 102. After using SSM 208 to compute the first and second dynamic security scores, SAE 206 (and/or SSM 208) may combine these two dynamic security scores together (aggregate anomaly score) in order to compute and report a single overall dynamic security score for SSE 10. Examiner note: The total dynamic security score being based on untrusted ingress packet traffic flows corresponds to "adaptive weighting").
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the Zaman and Sharma disclosure to compute an aggregate dynamic security score, as taught by Gopal. One would be motivated to do so to dynamically assess network traffic flows and remediate security systems associated with enterprise networks.
Regarding claim 15, Zaman teaches a computer storage medium storing computer-executable instructions that, upon execution by a processor, cause the processor to perform operations comprising:
monitoring system load metrics of a computing device ([0050] Referring to FIG. 4, the network access controller can monitor the network resources including the devices on the network and databases. The network access controller can check for any unusual activity (system load metrics));
using the system load metrics, performing multi-dimensional analysis of traffic data from a plurality of traffic sources with an anomaly detector on the computing device ([0050] In case, unusual activity can be detected, the network access controller can determine a score based on the device, the user, and device user interaction (multi-dimensional analysis). For example, the user uploading a large number of files can be considered an unusual activity and the score of the unusual activity can be determined based on the score of the device and the score of the user);
performing an action on the traffic data from the identified traffic source without performing the action on the traffic data from the plurality of traffic sources other than the identified traffic source ([0050] if the calculated score is above the threshold value, the network access controller can block, restrict, or limit the network and physical access for the device. Examiner note: Only the device that has a score above the threshold value is blocked. The other sources are not blocked).
Zaman does not explicitly teach
wherein performing the multi-dimensional analysis comprises generating anomaly scores from security modules of the anomaly detector and determining an aggregate anomaly score by applying adaptive weights to the anomaly scores based on the system load metrics;
identifying a traffic source from the plurality of traffic sources based on the multi- dimensional analysis of traffic data from the plurality of traffic sources and associated historical traffic data;
Sharma teaches
identifying a traffic source from the plurality of traffic sources based on the multi- dimensional analysis of traffic data from the plurality of traffic sources and associated historical traffic data ([0025], fig. 1, to generate the similarity score, the second set of nodes 102b may be configured to compare the traffic anomaly of each node of the first set of nodes 102a (associated historical traffic data) with each attack pattern of the set of predetermined traffic patterns (multi-dimensional analysis of traffic data). The second set of nodes 102b may further be configured to generate a new set of attack pattern that includes a new attack pattern for each traffic anomaly from the set of anomalies that has the similarity score less than the second threshold value. The second set of nodes 102b may be configured to provide the alert signal to the corresponding node of the first set of nodes (identifying a traffic source));
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the Zaman disclosure to identify an attacked network source based on monitoring current traffic and previous activities of the network source, as taught by Sharma. One would be motivated to do so to enhance the security and productivity of a network, and more particularly to provide a system and method to mitigate a distributed denial of service (DDoS) attack.
Zaman and Sharma do not explicitly teach
wherein performing the multi-dimensional analysis comprises generating anomaly scores from security modules of the anomaly detector and determining an aggregate anomaly score by applying adaptive weights to the anomaly scores based on the system load metrics;
Gopal teaches
wherein performing the multi-dimensional analysis comprises generating anomaly scores from security modules of the anomaly detector and determining an aggregate anomaly score by applying adaptive weights to the anomaly scores based on the system load metrics ([0023], figs 1-2, SAE 206 may generate a first dynamic security score that is based on untrusted ingress packet traffic flows generated by untrusted sources and received by SSE 106. Further, SSM 208 may generate a second dynamic security score that is based on trusted ingress packet traffic flows received by SSE 106 from trusted sources within the trusted domain 102. After using SSM 208 to compute the first and second dynamic security scores, SAE 206 (and/or SSM 208) may combine these two dynamic security scores together (aggregate anomaly score) in order to compute and report a single overall dynamic security score for SSE 10. Examiner note: The total dynamic security score being based on untrusted ingress packet traffic flows corresponds to "adaptive weighting").
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the Zaman and Sharma disclosure to compute an aggregate dynamic security score, as taught by Gopal. One would be motivated to do so to dynamically assess network traffic flows and remediate security systems associated with enterprise networks.
Claims 6, 13, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Zaman in view of Sharma in view of Gopal and further in view of Evans (US 10516695 B1).
Regarding claims 6, 13, and 20, Zaman, Sharma, and Gopal teach all limitations of parent claims 1, 8, and 15. Zaman does not explicitly teach
wherein blocking the traffic data from the identified traffic source comprises blocking only for a time period.
Evans teaches
wherein blocking the traffic data from the identified traffic source comprises blocking only for a time period (col. 9, lines 1-6, multiple thresholds could be configured to implement more fine-grained mitigations. For example, a top range could be configured (e.g., integers between 90-100) to place the compute instances involved as sources of the DDoS traffic in isolation (e.g., block all accesses into or out of the compute instance for a period of time)).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the Zaman disclosure to block a resource for a period of time, as taught by Evans. One would be motivated to do so to use one or more of multiple candidate responsive actions that can be selected to maximize the mitigation of the DDoS attack while minimizing impact to the users of the service provider system.
Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Zaman in view of Sharma in view of Gopal and further in view of Kind (US 20120246726 A1).
Regarding claims 7 and 14, Zaman, Sharma, and Gopal teach all limitations of parent claims 1 and 8. Zaman does not explicitly teach wherein the instructions upon execution by the processor perform further operations comprising:
using a probabilistic data structure for tracking the traffic data from the plurality of traffic sources, the probabilistic data structure comprising one or more of: count-min sketch (CMS), HyperLogLog (HLL), or exponentially weighted moving average (EWMA).
Kind teaches
using a probabilistic data structure for tracking the traffic data from the plurality of traffic sources, the probabilistic data structure comprising one or more of: count-min sketch (CMS), HyperLogLog (HLL), or exponentially weighted moving average (EWMA) ([0025], the parameter L may be adapted over time to a number that is computed from a moving average function, such as exponentially weighted moving average (EWMA), of the actual total number of distinct elements in previous observation periods. The given values for N and M ensure that the relative error is epsilon for a threshold of T=phi*d with probability at least 1-delta).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the Zaman disclosure to track traffic data using an EWMA, as taught by Kind. One would be motivated to do so to approximate the heavy distinct hitters in a data stream with a relatively low error and a good probability of success, even where the data stream has a relatively high data rate.
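The probabilistic tracking recited in claims 7 and 14, as an added example (this is not code from the Applicant's specification or from Kind): a count-min sketch holds approximate per-source packet counts, a HyperLogLog estimates how many distinct sources appear in an interval, and an EWMA of per-interval volume serves as the baseline against which a spike is judged before the sketch is consulted to name the heavy hitters. The sketch sizes, the spike and heavy-hitter thresholds, and the constructed traffic are assumptions; SHA-256 is used as the hash only so the numbers are reproducible.

```python
"""Probabilistic per-source traffic tracking (illustrative, assumed design): a
count-min sketch for per-source packet counts, HyperLogLog for the number of
distinct sources per interval, and an EWMA baseline for expected volume."""
import hashlib
import math
from typing import Dict, List


def _hash64(key: str, seed: int) -> int:
    """64-bit keyed hash; SHA-256 is used only so results are reproducible."""
    digest = hashlib.sha256(f"{seed}:{key}".encode()).digest()
    return int.from_bytes(digest[:8], "big")


class CountMinSketch:
    """Approximate per-key counters in depth*width cells; estimates never undercount."""

    def __init__(self, width: int = 4096, depth: int = 4):
        self.width, self.depth = width, depth
        self.table = [[0] * width for _ in range(depth)]

    def add(self, key: str, n: int = 1) -> None:
        for row in range(self.depth):
            self.table[row][_hash64(key, row) % self.width] += n

    def estimate(self, key: str) -> int:
        return min(self.table[row][_hash64(key, row) % self.width]
                   for row in range(self.depth))


class HyperLogLog:
    """Distinct-element estimate in 2**p registers (linear counting for small sets)."""

    def __init__(self, p: int = 12):
        self.p, self.m = p, 1 << p
        self.registers = [0] * self.m

    def add(self, key: str) -> None:
        x = _hash64(key, 0xABCD)
        idx = x >> (64 - self.p)                      # first p bits select a register
        rest = x & ((1 << (64 - self.p)) - 1)         # remaining 64-p bits
        rank = (64 - self.p) - rest.bit_length() + 1  # 1-based position of the leftmost 1
        self.registers[idx] = max(self.registers[idx], rank)

    def count(self) -> float:
        alpha = 0.7213 / (1 + 1.079 / self.m)
        raw = alpha * self.m * self.m / sum(2.0 ** -r for r in self.registers)
        zeros = self.registers.count(0)
        if raw <= 2.5 * self.m and zeros:
            return self.m * math.log(self.m / zeros)   # small-range correction
        return raw


class EWMA:
    """Exponentially weighted moving average; alpha is the weight of the newest sample."""

    def __init__(self, alpha: float = 0.3):
        self.alpha, self.value = alpha, None

    def update(self, sample: float) -> float:
        if self.value is None:
            self.value = float(sample)
        else:
            self.value = self.alpha * sample + (1 - self.alpha) * self.value
        return self.value


def analyze_intervals(intervals: List[List[str]], spike: float = 3.0,
                      hitter_share: float = 0.1) -> List[Dict]:
    """Per interval: flag volume above spike*baseline, then name the heavy hitters
    (sources holding more than hitter_share of the packets) and estimate how many
    distinct sources took part. Thresholds are assumptions."""
    baseline, report = EWMA(alpha=0.3), []
    for packets in intervals:
        cms, hll = CountMinSketch(), HyperLogLog()
        for src in packets:
            cms.add(src)
            hll.add(src)
        total = len(packets)
        expected = baseline.value                     # None on the first interval
        anomalous = expected is not None and total > spike * expected
        hitters = sorted(s for s in set(packets)
                         if cms.estimate(s) > hitter_share * total) if anomalous else []
        report.append({"total": total, "baseline": expected, "anomalous": anomalous,
                       "distinct": round(hll.count()), "heavy_hitters": hitters})
        if not anomalous:                             # keep attack volume out of the baseline
            baseline.update(total)
    return report


def sample_intervals() -> List[List[str]]:
    """Constructed traffic: five quiet intervals of 20 sources x 10 packets, then one
    interval where 198.51.100.7 adds 3000 packets on top of the same background."""
    background = [f"192.0.2.{i}" for i in range(1, 21) for _ in range(10)]
    return [list(background) for _ in range(5)] + [background + ["198.51.100.7"] * 3000]


if __name__ == "__main__":
    for i, r in enumerate(analyze_intervals(sample_intervals())):
        print(i, r)
```

The count-min sketch can only overcount, so a source it reports below the heavy-hitter share is genuinely below it; the HyperLogLog answers a different question (one flooding source versus thousands of spoofed ones) in a fixed few kilobytes of state, which is what makes both usable on a host that is itself under load.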
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANH NGUYEN whose telephone number is (571)270-0657. The examiner can normally be reached M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Umar Cheema, can be reached at (571) 270-3037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ANH NGUYEN/ Primary Examiner, Art Unit 2458