Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The IDS filed 10/30/2019, 01/06/2020 and 11/12/2020 have been considered.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-23 of U.S. Patent No. 10,462,256, see corresponding table below. Although the claims at issue are not identical, they are not patentably distinct from each other because the present claims are fully disclosed in the patent. The only difference is that the present claims broader because are not fully detailed as compared side-by-side in the table. Before the effective filing date of the invention, one of ordinary skill in the art would have been motivated to broaden the claims in order to seek broader patent protection. 


US Patent No. 10,462,256
1. A system, comprising: 

a memory or other storage device configured to store for each of a plurality of implementations of a computing resource a corresponding behavioral profile data that reflects observed behavior of that implementation; and 








a processor coupled to the memory or other storage device and configured to 

read and use at least portions of said behavioral profile data associated with one or more implementations included in a cohort comprising a sub-population of said plurality of implementations identified by configuration data as being associated with said cohort to determine that an observed behavior of a member implementation of the cohort deviates from an expected behavior of members of the cohort, and to 



























take responsive action based on the determination that the observed behavior of the member implementation of the cohort deviates from the expected behavior of members of the cohort.
 
2.  The system of claim 1, wherein the processor is further configured to 
receive observation data associated with observed behavior of implementations 
included in said plurality of implementations;  generate said behavioral profile data based at least in part on said observation data;  and store said behavioral profile data in said memory or other storage device. 
 
3.  The system of claim 2, wherein the processor is further configured to update said behavioral profiles based at least in part on observation data received subsequently to one or both of creation and last update of said behavioral profiles. 
 



4.  The system of claim 3, wherein the processor is configured to accumulate 
observation data and to perform said update based at least in part on a 
determination that an update criteria has been met. 
 
5.  The system of claim 1, wherein each of said computing resources comprises one or more of a device, a hardware platform, a virtual machine, a container, an application or other software, a configuration, a protocol, a 
standards-based resource, a physical or logical storage device, a database, and a service. 
 
6.  The system of claim 1, wherein each behavioral profile comprises a summary 
representation that includes a set of coefficients or other values for each of a plurality of variables. 
 
7.  The system of claim 6, wherein said summary representation comprises a vector in a multidimensional space. 
 
8.  The system of claim 1, wherein said processor is configured to determine 
that an observed behavior of a member implementation of the cohort deviates from an expected behavior of members of the cohort at least in part by comparing a behavioral profile of the member implementation, or a portion 
thereof, to corresponding portions of the respective behavioral profiles of other implementations in the cohort. 
 

9.  The system of claim 1, wherein said processor is configured to determine that an observed behavior of a member implementation of the cohort deviates from an expected behavior of members of the cohort at least in part by computing based on behavioral profile data of the cohort a statistical probability associated with the observed behavior. 
 





































































10.  A method, comprising: storing for each of a plurality of implementations of a computing resource a corresponding behavioral profile data that reflects 
observed behavior of that implementation;  







using at least portions of said behavioral profile data associated with one or more implementations included in 
a cohort comprising a sub-population of said plurality of implementations 
identified by configuration data as being associated with said cohort to determine that an observed behavior of a member implementation of the cohort deviates from an expected behavior of members of the cohort; and 



























taking responsive action based on the determination that the observed behavior of the member implementation of the cohort deviates from the expected behavior of members of the cohort. 
 
11.  The method of claim 10, further comprising receiving observation data associated with observed behavior of implementations included in said plurality of implementations; generate said behavioral profile data based at least in part on said observation data; and store said behavioral profile data in said memory or other storage device. 
 
12.  The method of claim 11, further comprising updating said behavioral profiles based at least in part on observation data received subsequently to one or both of creation and last update of said behavioral profiles. 
 
13.  The method of claim 12, further comprising accumulating observation data 
and to perform said update based at least in part on a determination that an update criteria has been met. 
 
14.  The method of claim 10, wherein each of said computing resources comprises 
one or more of a device, a hardware platform, a virtual machine, a container, 
an application or other software, a configuration, a protocol, a standards-based resource, a physical or logical storage device, a database, and a service. 
 
15.  The method of claim 10, wherein each behavioral profile comprises a summary representation that includes a set of coefficients or other values for each of a plurality of variables. 
 
16.  The method of claim 15, wherein said summary representation comprises a 
vector in a multidimensional space. 
 
17.  The method of claim 10, wherein determining that an observed behavior of a member implementation of the cohort deviates from an expected behavior of members of the cohort includes comparing a behavioral profile of the member implementation, or a portion thereof, to corresponding portions of the respective behavioral profiles of other implementations in the cohort. 
 
18.  The method of claim 10, wherein determining that an observed behavior of a member implementation of the cohort deviates from an expected behavior of members of the cohort includes computing based on behavioral profile data of the cohort a statistical probability associated with the observed behavior. 
 
19.  A computer program product embodied in a non-transient computer readable 
medium and comprising computer instructions for: 

storing for each of a plurality of implementations of a computing resource a corresponding behavioral profile data that reflects observed behavior of that implementation;  







using at least portions of said behavioral profile data associated with one or more 
implementations included in a cohort comprising a sub-population of said plurality of implementations identified by configuration data as being associated with said cohort to determine that an observed behavior of a member implementation of the cohort deviates from an expected behavior of members of the cohort;  and 






























taking responsive action based on the determination that the 
observed behavior of the member implementation of the cohort deviates from the expected behavior of members of the cohort. 
 
20.  The computer program product of claim 19, further comprising computer 
instructions for receiving observation data associated with observed behavior 
of implementations included in said plurality of implementations;  generate said behavioral profile data based at least in part on said observation data;  and store said behavioral profile data in said memory or other storage device. 

1.  A system, comprising: 

a memory or other storage device configured to store for each of a plurality of implementations of a computing resource a corresponding behavioral profile data comprising for each of a plurality of observed behavioral patterns observed to have been exhibited by an 
implementation a corresponding summary representation of one or more characteristic traits of the behavioral pattern;  and 

a processor coupled to 
the memory or other storage device and configured to: 

read and use at least portions of said behavioral profile data associated with one or more implementations included in a cohort comprising a sub-population of said plurality of implementations identified by configuration data as being associated with said cohort to determine that an observed behavior of a member implementation of the cohort deviates from an expected behavior of members of the cohort;  

receive a request associated with said sub-population of said plurality of implementations;  

select two or more implementations within said 
sub-population to process the request;  

receive from each a response to the request;  

compare the responses;  determine, based at least in part on the comparison of the responses, a statistical mode response to be provided in 
response to the request;  detect that an outlier response not consistent with 
said statistical mode response was returned by one or more of said two or more implementations;  and 

take responsive action with respect to said one or more 
implementations that provided the outlier response. 
 



2.  The system of claim 1, wherein the process is further configured to receive observation data associated with observed behavior of implementations included in said plurality of implementations;  generate said behavioral profile data based at least in part on said observation data;  and store said behavioral profile data in said memory or other storage device. 
 
3.  The system of claim 2, wherein the processor is further configured to 
update said behavioral profiles based at least in part on observation data 
received subsequently to one or both of creation and last update of said behavioral profiles. 
 
4.  The system of claim 3, wherein the processor is configured to accumulate observation data and to perform said update based at least in part on a determination that an update criteria has been met. 
 
5.  The system of claim 1, wherein each of said computing resources comprises one or more of a device, a hardware platform, a virtual machine, a 
container, an application or other software, a configuration, a protocol, a 
standards-based resource, a physical or logical storage device, a database, and a service. 
 
6.  The system of claim 1, wherein said summary representation comprises a set of coefficients or other values for each of a plurality of variables. 
 

7.  The system of claim 1, wherein said summary representation comprises a 
vector in a multidimensional space. 
 
8.  The system of claim 1, wherein said processor is configured to 
determine that an observed behavior of a member implementation of the cohort 
deviates from an expected behavior of members of the cohort at least in part by 
comparing a behavioral profile of the member implementation, or a portion thereof, to corresponding portions of the respective behavioral profiles of other implementations in the cohort. 
 
9.  The system of claim 1, wherein said processor is configured to 
determine that an observed behavior of a member implementation of the cohort 
deviates from an expected behavior of members of the cohort at least in part by 
computing based on behavioral profile data of the cohort a statistical probability associated with the observed behavior. 
 
10.  The system of claim 1, wherein the processor is further configured to take responsive action based on said determination that the observed behavior deviates from an expected behavior of members of the cohort. 
 
11.  The system of claim 1, wherein the processor is further configured to act as an intermediary between one or more clients associated with said sub-population of said plurality of implementations, on the one hand, and said sub-population of said plurality of implementations on the other. 
 
12.  The system of claim 11, wherein the processor is further configured to block traffic between said clients and said one or more implementations that provided the outlier response based at least in part on detection of said outlier response. 
 
13.  The system of claim 11, wherein the processor comprises a sole way to obtain network access to said sub-population of said plurality of implementations. 
 
14.  The system of claim 1, wherein the processor is further configured to 
take responsive action in response to said determination that an observed 
behavior of a member implementation of the cohort deviates from an expected 
behavior of members of the cohort. 
 
15.  The system of claim 14, wherein the responsive action includes an 
action to modify a software-defined infrastructure in an environment with which 
said member implementation, including by doing one or more of stopping, starting, or reconfiguring involved VMs, containers, network segments, firewalls, and load balancers based on user configuration to do one or more of block, protect, and isolate the member implementation for forensic purposes. 

16.  A method, comprising: storing for each of a plurality of implementations of a computing resource a corresponding behavioral profile data comprising for each of a plurality of observed behavioral patterns observed to have been exhibited by an implementation a corresponding summary representation of one or more characteristic traits of the behavioral pattern;  

using at least portions of said behavioral profile data associated with one or more 
implementations included in a cohort comprising a sub-population of said 
plurality of implementations identified by configuration data as being associated with said cohort to determine that an observed behavior of a member implementation of the cohort deviates from an expected behavior of members of the cohort;  

receiving a request associated with said sub-population of said plurality of implementations;  

selecting two or more implementations within said sub-population to process the request;  

receiving from each a response to the request;  

comparing the responses;  determining, based at least in part on the comparison of the responses, a statistical mode response to be provided in response to the request;  detecting that an outlier response not consistent with said statistical mode response was returned by one or more of said two or more implementations;  and 

taking responsive action with respect to said one or more implementations that provided the outlier response. 
 



17.  The method of claim 16, further comprising receiving observation data associated with observed behavior of implementations included in said plurality of implementations;  and generating said behavioral profile data based at least in part on said observation data. 
 



18.  The method of claim 17, further comprising updating said behavioral profiles based at least in part on observation data received subsequently to one or both of creation and last update of said behavioral profiles. 
 
19.  The method of claim 18, further comprising accumulating observation data and performing said update based at least in part on a determination that an update criteria has been met. 
 























































20.  A computer program product embodied in a non-transient computer readable medium and comprising computer instructions for: 

storing for each of a 
plurality of implementations of a computing resource a corresponding behavioral 
profile data comprising for each of a plurality of observed behavioral patterns 
observed to have been exhibited by an implementation a corresponding summary 
representation of one or more characteristic traits of the behavioral pattern; and 

using at least portions of said behavioral profile data associated with one 
or more implementations included in a cohort comprising a sub-population of 
said plurality of implementations identified by configuration data as being 
associated with said cohort to determine that an observed behavior of a member 
implementation of the cohort deviates from an expected behavior of members of 
the cohort;  

receiving a request associated with said sub-population of said plurality of implementations;  

selecting two or more implementations within said sub-population to process the request;  

receiving from each a response to the request;  

comparing the responses;  determining, based at least in part on the comparison of the responses, a statistical mode response to be provided in response to the request;  

detecting that an outlier response not consistent with said statistical mode response was returned by one or more of said two or more implementations;  and 

taking responsive action with respect to said one or more implementations that provided the outlier response. 
 



21.  The computer program product of claim 20, further comprising receiving 
observation data associated with observed behavior of implementations included 
in said plurality of implementations;  generate said behavioral profile data based at least in part on said observation data;  and store said behavioral profile data in said memory or other storage device. 
 

22.  The computer program product of claim 21, further comprising updating 
said behavioral profiles based at least in part on observation data received 
subsequently to one or both of creation and last update of said behavioral profiles. 
 
23.  The computer program product of claim 22, further comprising accumulating observation data and performing said update based at least in part on a determination that an update criteria has been met. 



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sipple (US 2015/0101053) in view of Yao et al. (US 9,454,726, hereinafter referred to as “Yao”).

	Regarding claim 1, Sipple teaches a system, comprising: 
	a memory or other storage device (figure 7: 705) configured to store for each of a plurality of implementations of a computer resource a corresponding behavioral profile data that reflects observed behavior of that implementation [0026 – behavioral profiles to describe a pattern of communication observed during a specified interval];  and 
	a processor (figure 7: 703) coupled to the memory (figure 7: 705) or other storage device and configured to read and use at least portions of said behavioral profile data identified by configuration data as being associated with said cohort to determine that an observed behavior of a member of the cohort deviates from an expected behavior of members of the cohort (figure 3A – step 309 deviation from the baseline behavioral profile), and to take action based on the determination that the observed behavior of the member implementation of the cohort deviates from the expected behavior of members of the cohort [0027 - end-users can configure the platform 115 to automatically initiate actions in response to malicious behavior (e.g., deactivating malicious accounts, increase logging activities, terminating network sessions, etc.); 0030 - platform 115 may alert an end-user (e.g., security analyst, supervisor, manager, owner, etc.) to a potential insider threat when a network transfer that produces a systematic deviation is observed.  In one embodiment, platform 115 may also initiate actions in response to the potential insider threat]. 
	However, Sipple does not explicitly teach the behavioral profile data associated with one or more implementations included in a cohort comprising a sub-population of said plurality of implementations identified by configuration data. Nevertheless, this is taught by Yao (abstract - receiving a set of behavioral data associated with a plurality of user devices and identifying multiple cohort groups, each of the cohort groups including one or more of the user devices.  The behavioral data includes a behavior metric for each of the user devices and the cohort groups are identified based on the behavior metric for each of the user devices; a cohort group may be a subset of the users or user devices represented in the dataset). Before the effective filing date of the application, one of ordinary skill in the art would have been motivated to employ a cohort comprising a sub-population of the plurality of implementations in order to enable “custom segment” in a set of behavioral data and apply the custom segment as data filter in subsequent analytic report (col. 6, lines 12-27).   
 
	Regarding claim 2, Sipple teaches the system of claim 1, wherein the process is further configured to receive observation data associated with observed behavior of implementations included in said plurality of implementations [0040 – aggregate all feature vectors observed in a set time interval for a particular user session]; generate said behavioral profile data based at least in part on said observation data [0029 – platform 115 may generate user profiles];  and store said behavioral profile data in said memory or other storage device [0027 – behavioral profile stored in profile log 117]. 
 
	Regarding claim 3, Sipple teaches the system of claim 2, wherein the processor is further configured to update said behavioral profiles based at least in part on observation data received subsequently to one or both of creation and last update of said behavioral profiles [0030 – cohort profile is updated based on all observed network events]. 

	Regarding claim 4, Sipple does not explicitly teach the system of claim 3, wherein the processor is configured to accumulate observation data and to perform said update based at least in part on a determination that an update criteria has been met. Nevertheless this is taught by Yao (col. 6, lines 3-12). Before the effective filing date, one of ordinary skill in the art would have been motivated to update when update criteria is met in order to allow only needed data to be updated. 
 
	Regarding claim 5, Sipple teaches the system of claim 1, wherein each of said computing resources comprises one or more of a device, a hardware platform, a virtual machine, a container, an application or other software, a configuration, a protocol, a standards-based resource, a physical or logical storage device, a database, and a service [0021 – resources being access to a server]. 
 
	Regarding claim 6, Sipple teaches the system of claim 1, wherein said summary representation comprises a set of coefficients or other values for each of a plurality of variables (figure 2F; 0058 – coefficient). 
 
	Regarding claim 7, Sipple teaches the system of claim 1, wherein said summary representation comprises a vector in a multidimensional space (figure 2C – summary including vectors in 2D graph). 
 
	Regarding claim 8, Sipple teaches the system of claim 1, wherein said processor is configured to determine that an observed behavior of a member implementation of the cohort deviates from an expected behavior of members of the cohort at least in part by comparing a behavioral profile of the member implementation, or a portion thereof, to corresponding portions of the respective behavioral profiles of other implementations in the cohort (figure 3B, step 309; 0075 – deviation from baseline behavioral profile is compared to threshold values]. 
 
	Regarding claim 9, Sipple teaches the system of claim 1, wherein said processor is configured to determine that an observed behavior of a member implementation of the cohort deviates from an expected behavior of members of the cohort at least in part by computing based on behavioral profile data of the cohort a statistical probability associated with the observed behavior (figure 6; 0095 – cohort deviation is calculated from probability). 

	Claims 10-18 are similar to claims 1-9, respectively, therefore are rejected under the same rationale. 

	Claims 19-20 are similar to claims 1-2, respectively, therefore are rejected under the same rationale. 
 
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
1. U.S Patent Application Publication No. 2009/0271343 – profiling based on subset of entities having behavior that deviates from the group.
2. U.S Patent Application Publication No 2015/0121518 – classifying anomaly behaviors. 
3. U.S Patent Application Publication No. 2015/0180893 – detecting abnormal behaviors.
4. U.S Patent No. 6,889,218 - detecting abnormal behaviors.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALINA N BOUTAH whose telephone number is (571)272-3908.  The examiner can normally be reached on M-F 7:00 AM - 3:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Christopher L. Parry can be reached on 571-272-8328.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


ALINA N. BOUTAH
Primary Examiner
Art Unit 2443



/ALINA A BOUTAH/Primary Examiner, Art Unit 2443