Notice of Pre-AIA or AIA Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Election/Restrictions
2.    NO restrictions warranted at initial time of filing for patent.

Information Disclosure Statement
3.    The information disclosure statement (IDS) submitted on 08/13/2019 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Oath/Declaration
4.    Applicant’s Oath was filed on 08/13/2019.

Drawings
5.    Applicant’s drawings filed on 08/13/2019 have been inspected and are in compliance with MPEP 608.01.

Specification
6.    Applicant’s specification filed on 08/13/2019 has been inspected and is in compliance with MPEP 608.02.

Claim Objections
7.    NO objections warranted at initial time of filing for patent.

Remarks
8.	Examiner requests that Applicant review the relevant prior art listed under the conclusion of this office action.

Double Patenting
9.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1, 4, 5, 8, 11, 12, and 18 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 10 and 20 of Patent Application no. 10,419,460. Although the claims at issue are not identical, they are not patentably distinct from each other because both the co-assigned Application claims 1, 4, 5, 8, 11, 12, and 18 and co-assigned Patented Application claims 1, 10 and 20 are almost the same in scope.

Instant Application claims 1, 4, 5 and associated claims therewith
Patent No. ‘460 claim 1 and associated claims therewith




Claim 5. The method of claim 4, wherein the abnormal user activity behavior signifies fraudulent activities.





The instant application claims 1, 4, 5, 8, 11, 12, and 18 and Patent No. ‘460 claims 1, 10, and 20 are directed towards a method and system of detecting abnormal online user activities. One of ordinary skill in the art would understand from the teachings found in Patented App ‘460 would not be significantly different from 
Therefore, it would have been obvious to one of ordinary skill in the art to modify instant Application claims 1, 4, 5, 8, 11, 12, and 18 with the additional limitation of so to obtain and Patent No. ‘460 claims 1, 10, and 20 as claimed. 
Allowance of application claim 1 would result in an unjustified time-wise extension of the monopoly granted for the invention defined by co-pending Application claim 1. Therefore, the provisional obviousness-type double patenting is appropriate because the conflicting claims have not in fact been patented. Application claim 1 corresponds to co-pending application claim 1. 

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


10.	Claims 1-3, 6-10, 13-17, 19 and 20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 

Step one: Are the claims at issue directed to a statutory category? 
Yes. The claims recite a series of steps, i.e., determining at least one measure characterizing a difference between baseline information related to normal user activities with respect to an entity and user activity information related to online user 

Step 2A – Prong 1: Is a Judicial Exception recited? 
Yes. The claim recites the limitation of determining at least one measure characterizing a difference between baseline information related to normal user activities with respect to an entity and user activity information related to online user activities with respect to the entity, assessing in real-time whether the user activity information indicates abnormal user activity behavior based on the at least one measure. This limitation, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, other than reciting “executed by a processor,” nothing in the claim element precludes the step from practically being performed in the mind. For example, but for the “by the processor” language, the claim encompasses a user simply thinking about the differences between baseline information related to normal user activities with respect to an entity like workplace and user activity information related to online user activities with respect to the entity. Furthermore, the claims as a whole recite a method of organizing human activity. The mere nominal recitation of a generic computer, processor, storage and communication circuitry does 
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. The claim further recites the limitation of generating, in response to determining that the user activity information indicates the abnormal user activity behavior, output data comprising the user activity information and the at least one measure. As drafted, this limitation is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, other than reciting “by a processor,” nothing in the claim element precludes the step from practically being performed in the mind. For example, but for the “by a processor” language, the generating step in the context of this claim encompasses the user thinking about what to say regarding whether the user activity information indicates the abnormal user activity behavior. Thus, the claim recites a mental process. 

Step 2A – Prong 2: Are the claims integrated into a practical application?
No. The claim recites three elements: determining at least one measure characterizing a difference between baseline information related to normal user activities with respect to an entity and user activity information related to online user activities with respect to the entity, assessing in real-time whether the user activity information indicates abnormal user activity behavior based on the at least one measure and generating, in response to determining that the user activity information indicates the abnormal user activity behavior, output data comprising the user activity information 
The combination of these additional elements is no more than mere instructions to apply the exception using a generic computer component (processor). Accordingly, even in combination, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claim is directed to the abstract idea. 

Step 2B: Do the claims provide an inventive concept?
No. As discussed with respect to Step 2A Prong Two, the additional elements in the claim amount to no more than mere instructions to apply the exception using a generic computer component. The same analysis applies here in 2B, i.e., mere instructions to apply an exception on a generic computer cannot integrate a judicial exception into a practical application at Step 2A or provide an inventive concept in Step 2B.
‐understood, routine, and conventional function when it is claimed in a merely generic manner (as it is here). Accordingly, a conclusion that the collecting step is well-understood, routine, conventional activity is supported under Berkheimer Option 2.
For these reasons, there is no inventive concept in the claim, and thus it is ineligible.

Allowable Subject Matter
11.	Claims 4, 5, 11, 12, 18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

12.	Claims 1-3, 7-10, 13-17, 19 and 20 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by U.S. Publication No. 20100169970, hereinafter Stolfo.

As per claim 1, Stolfo discloses:
A method for detecting abnormal online user activities (para 0013 “An object of the present invention is to provide a technique for detecting violations of email security policies of a computer system by gathering statistics about email transmission through a computer system.”), the method being implemented on a computer comprising at least one processor, storage, and communications circuitry (para 0014 and 0042), the method comprising: 
determining at least one measure characterizing a difference between baseline information related to normal user activities with respect to an entity and user activity information related to online user activities with respect to the entity (para 0015 “A further object of the present invention is to provide a technique for generating and comparing profiles of normal or baseline email behavior for an email account and for selected email behavior and for determining the difference between such profiles, and whether such difference represents a violation of email security policy.” Para 0063 “The system 10 may also gather statistics about the behavior and features of individual email accounts 26, which is a Para 0068 “Once such histograms have been created, the histogram of the baseline behavior is compared with the histogram of the selected behavior to determine whether the new behavior represents a deviation that may be classified as a violation of email security policy.”); 
assessing in real-time whether the user activity information indicates abnormal user activity behavior based on the at least one measure (para 0040 “The selected email transmission is typically chosen for some recent time period to compare with the prior transmission of email. Each email and/or its respective attachment is identified with a unique identifier so it may be tracked through the system. Various statistics relating to the emails are gathered. The probability that some aspect of the email transmission, e.g. an attachment, an email Para 0068 “Once such histograms have been created, the histogram of the baseline behavior is compared with the histogram of the selected behavior to determine whether the new behavior represents a deviation that may be classified as a violation of email security policy.”); and 
generating, in response to determining that the user activity information indicates the abnormal user activity behavior, output data comprising the user activity information and the at least one measure (para 0076 “The modeling of the behavior of an email account may include defining a model based on the time of day in which emails are transmitted by a particular email account. FIG. 6 illustrates screen 400, which compares such email transmission for user account 402. Histogram 404 illustrates the average number of emails 406 sent for each bin 408, which represents each hour of the 24 hours in a day. The data in histogram 404 is accumulated for a predetermined period of time, e.g., the entire period that user account 402 has been tracked by the system 10 (time period 410). Histogram 412 is created for email transmission during a selected period of time being analyzed, e.g., the last month (time period 414). Histogram 412 illustrates the average number of emails 416 sent during each hour as represented by bins 418. The histogram 404 of baseline behavior is compared with the histogram 412 of the selected behavior, with a comparison equation such as the Mahalanobis distance equation, above, to produce a distance result 320. A threshold is set, which determines whether such a calculated difference is 

As per claim 2, Stolfo discloses:
The method of claim 1, wherein the baseline information is generated offline and comprises a baseline distribution representing the normal user activities with respect to the entity during a temporal duration (para 0063, 0064, 0066, and 0068).  

As per claim 3, Stolfo discloses:
The method of claim 1, wherein the user activity information is generated in real-time and comprises a dynamic distribution representing the online user activities with respect to the entity during a temporal duration (para 0018, 0019, 0040, and 0068).

As per claim 6, Stolfo discloses:
The method of claim 1, wherein determining the at least one measure comprises: performing a Kolmogorov-Smirnov (KS) measure, performing an Information Value (IV) measure, or performing the KS measure and the IV measure (para 0021 and 0075).  

As per claim 7, Stolfo discloses:
The method of claim 1, wherein the output data further comprises an abnormal user activity flag indicating that abnormal user activity behavior has been detected, an entity identifier indicating the entity with which the abnormal user activity behavior was detected with respect to, and a temporal range indicating times associated with the online user activities (Fig. 6, para 0055, 0067, 0076, and 0104).  
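
To make the claim language in claims 1, 6 and 7 concrete, the following added example (not code from the application, from Stolfo, or from this Office action) compares a baseline hour-of-day histogram with a recent-window histogram using a KS measure and an Information Value measure, and emits an output record only when the window is assessed as abnormal. The thresholds, the minimum event count, the smoothing constant, the record field names and all sample histograms are assumptions constructed for illustration.

```python
import math

BINS = 24            # one bin per hour of day, as in the quoted histogram description
KS_THRESHOLD = 0.25  # assumed cut-off; tune on your own data
IV_THRESHOLD = 0.30  # assumed cut-off; tune on your own data
MIN_EVENTS = 20      # assumed floor: a sparser window is not assessed


def _proportions(counts):
    total = sum(counts)
    if len(counts) != BINS or total <= 0:
        raise ValueError("need 24 hourly counts with at least one event")
    return [c / total for c in counts]


def ks_measure(baseline, observed):
    """Largest gap between the two cumulative hour-of-day distributions."""
    p, q = _proportions(baseline), _proportions(observed)
    gap = cum_p = cum_q = 0.0
    for pi, qi in zip(p, q):
        cum_p += pi
        cum_q += qi
        gap = max(gap, abs(cum_p - cum_q))
    return gap


def iv_measure(baseline, observed, eps=1e-3):
    """Information Value: sum over bins of (q - p) * ln(q / p).

    eps is added to every proportion before renormalising, so an hour that
    appears in only one histogram does not produce log(0) or division by zero.
    """
    norm = 1 + BINS * eps
    p = [(x + eps) / norm for x in _proportions(baseline)]
    q = [(x + eps) / norm for x in _proportions(observed)]
    return sum((qi - pi) * math.log(qi / pi) for pi, qi in zip(p, q))


def assess(entity_id, baseline, observed, window):
    """Return an output record if the window is abnormal, otherwise None."""
    if sum(observed) < MIN_EVENTS:
        return None  # too little activity to compare against the baseline
    ks = ks_measure(baseline, observed)
    iv = iv_measure(baseline, observed)
    if ks < KS_THRESHOLD and iv < IV_THRESHOLD:
        return None
    return {
        "abnormal": True,                 # abnormal user activity flag
        "entity_id": entity_id,           # entity the activity relates to
        "window": window,                 # temporal range of the activity
        "activity": list(observed),       # the user activity information
        "measures": {"ks": round(ks, 4), "iv": round(iv, 4)},
    }


# Constructed sample data: events per hour (index 0 = midnight).
BASELINE = [0, 0, 0, 0, 0, 0, 1, 4, 12, 30, 34, 31,
            20, 28, 33, 29, 22, 9, 3, 1, 0, 0, 0, 0]
TYPICAL = [0, 0, 0, 0, 0, 0, 0, 1, 3, 7, 9, 8,
           5, 6, 8, 7, 5, 2, 1, 0, 0, 0, 0, 0]
NIGHT_BURST = [6, 9, 11, 8, 5, 0, 0, 0, 1, 2, 2, 1,
               1, 2, 1, 1, 0, 0, 0, 0, 0, 0, 3, 7]
WINDOW = ("2019-08-12T00:00Z", "2019-08-13T00:00Z")  # constructed

if __name__ == "__main__":
    for name, counts in (("typical", TYPICAL), ("night_burst", NIGHT_BURST)):
        print(name, assess("acct-001", BASELINE, counts, WINDOW))
```
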

As per claim 8, the implementation of the method of claim 1 will execute the non-transitory computer readable medium (paragraph 0014 and 0042) of claim 8. The claim is analyzed with respect to claim 1.

As per claim 9, the claim is analyzed with respect to claim 2.

As per claim 10, the claim is analyzed with respect to claim 3.

As per claim 13, the claim is analyzed with respect to claim 6.

As per claim 14, the claim is analyzed with respect to claim 7.

As per claim 15, the implementation of the method of claim 1 will execute the system of claim 15. The claim is analyzed with respect to claim 1.

As per claim 16, the claim is analyzed with respect to claim 2.

As per claim 17, the claim is analyzed with respect to claim 3.

As per claim 19, the claim is analyzed with respect to claim 6.

As per claim 20, the claim is analyzed with respect to claim 7.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
U.S. Publication No. 20120275574 discloses on paragraph 0005 “According to a first aspect of the present invention there is provided a method of detecting faults within a telecommunications network, said telecommunications network comprising a plurality of entities. The method comprises grouping said entities into one or more groups based on the call traffic handled by said entities or on the call traffic said entities Para 0031 “In order to overcome, or at least mitigate the problems identified above there will now be described a method of detecting faults in a telecommunications network in which the lengths of calls handled by the entities within a network are monitored, and comparisons made between the call length patterns of similar entities. If this comparison indicates that the lengths of calls handled by a particular entity are abnormally short when compared with those of one or more similar entities, then this is indicative of a potential fault.” Para 0056 “A second method of performing the comparison could be to calculate the statistical difference between the call length patterns of two entities. The statistical difference is a measure of the distance between the distributions of two different datasets (i.e. a measure of the equality/similarity of the datasets). For example, the Kolmogorov-Smirnov (KS) test could be used to estimate the difference between two call length patterns. The result of the KS test is the probability, or p-value, that two datasets (in this case, the call length patterns of two entities) originate from the same distribution. According to this method, the KS test would be performed to compare the call length data for an entity with that of another entity in the same group. The resulting p-value could then be compared against a threshold p-value configured by the network operator, in order to determine if the 

U.S. Publication No. 20170012941 discloses on paragraph 0066 “For the purposes of the invention "anomaly" shall mean any abnormal, unusual, unexpected or strange artifact, event or trend in API characteristics (for example, characteristics such as traffic volume, bandwidth use, protocol use etc.) that could potentially represent the presence of a threat or indicator of compromise. Anomalies are identified in comparison with a baseline of normal network or user behavior that has been established over a period of time. Once certain parameters have been defined as normal, departures from normal parameters or ranges may be flagged as anomalous.”

U.S. Publication No. 20160306965 discloses on paragraph 0027 “An exemplary system is provided for creating and managing a watch list of entities (e.g., employees within an organization) that are being selected for monitoring from an insider threat perspective. The system is configured to monitor suspicious activity (e.g., failed authentications, sending large email attachments, concurrent accesses and so forth) and update risk scores in real time. Risk scores may indicate how suspicious an entity's activity is compared to activity of other entities. Monitoring every user in a large organization may be a huge computing task that is challenging to accomplish. By focusing on updating risk scores for a subset of all employees in an organization (e.g., only employees on a watch list) and by monitoring and scoring behaviors that are most likely to be associated with an insider threat, the amount of processing may be optimized. Alternatively, the system may create a baseline behavior for a peer group, such as an organizational unit (e.g., Human Resources, Finance, Marketing department, etc.) and monitor for suspicious activity of employees from the peer group to determine if activity of any the employees diverge from the baseline behavior of their peer group.”

U.S. Publication No. 20170251013 discloses on paragraph 0081 “The aggregation of activity information in the analytics repository 311 concerning access patterns and other event statistics enables the system to establish baselines of user behavior. Machine learning techniques can then be applied to detect threats and provide recommendations concerning how to respond to threats. Threat models can be developed to detect threats that are known or unknown or emerging. Threats can also 

U.S. Patent No. 9516053 discloses on Col. 18 Lines 25-35 “The security platform 300 can detect anomalies and threats by determining behavior baselines of various entities that are part of, or that interact with, a network, such as users and devices, and then comparing activities of those entities to their behavior baselines to determine whether the activities are anomalous, or even rise to the level of threat. The behavior baselines can be adaptively varied by the platform 300 as new data are received. These functions can be performed by one or more machine-learning models, for example, in the real-time path, the batch path, or both.”

U.S. Publication No. 20160308884 discloses on paragraph 0010 “In another embodiment, a computer-implemented method includes determining, by a computing system, that a computer or its user is potentially malicious by computing statistical measures to compare one or more attributes of a PAS based on user authentication events for the computer with one or more attributes indicative of normal user behavior. The computer-implemented method also includes estimating, by the computing system, a statistical model for baseline behavior of the attributes and evaluating probabilities of observed attributes, by the computing system, under the baseline models. The computer-implemented method further includes outputting the PAS, by the computing system, for review by a security analyst to determine whether the PAS represents a 

U.S. Publication No. 20150262226 discloses on paragraph 0042 “The processing unit 204 may be configured to identify, in the click database 208, a subset of the plurality of click data entries 210 where each click data entry 210 in the subset includes a device identifier associated with a clearing indication of the received plurality of clearing indications. The processing unit 204 may then indicate in each of the identified click data entries 210 in the subset that the associated click is a fraudulent consumer click of the related webpage advertisement. In some embodiments, each click data entry 210 may include a click time and/or date, and the clearing indications may indicate non-existence of a clearing record during a predetermined period of time including the click time and/or date of each click data entry 210.”

Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192.  The examiner can normally be reached on Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/GARY S GRACIA/Primary Examiner, Art Unit 2491