DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the Amendment filed on 10/28/2020.
In the instant Amendment: Claims 1, 10 and 17 have been amended and Claims 1, 10 and 17 are independent claims. Claims 1-2, 4-6, 9-10 and 12-17, 19, 21-26 have been examined and are pending. This Action is made FINAL.          
Response to Arguments
Applicants’ arguments with respect to amended claims 1, 10 and 17 have been considered but are moot in view of the new ground(s) of rejection. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. 
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f): 
(f) ELEMENT IN CLAIM FOR A COMBINATION.—An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph: 
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

Claims 10, 12-16, 17, 19, and 22-23 are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, as having means-plus-function limitations. 
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph: 
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as "configured to" or "so that"; and 
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 “means for receiving,” “means for generating,” and “means for detecting” of independent claim 17. Similarly, claims 19, 22 are interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because these claims depend on independent claim 17.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: “usage behavior monitoring module,” “distribution generation module” and “behavior change analysis module” of independent claim 10 and “result processing module” of claim 15. Similarly, claims 12-16, 23 are interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because these claims depend on independent claim 10.

If applicant does not intend to have the claim limitation(s) treated under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may amend the claim(s) so that it/they will clearly not invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, or present a sufficient showing that the claim recites/recite sufficient structure, material, or acts for performing the claimed function to preclude application of 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 4-5, 10, 12-13, 17, 19, 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over Danila-Dumitrescu et al. (“Danila-Dumitrescu,” US 20180248902, filed Aug. 20, 2016) in view of Letal et al. (“Letal,” US 20160337389, published Nov. 17, 2016). 
Regarding claim 1, Danila-Dumitrescu discloses a method implemented by at least one computing device, the method comprising: 
receiving, by the at least one computing device, usage behavior data describing a number of actions performed by a plurality of individuals of a user population with respect to digital content of a service provider system over time, discloses the actions comprising one or more menu item selections, voice commands, gestures, or key combinations (Danila-Dumitrescu [0251], [0257], [0260]. In an example, a user has a huge spike in activity, and so is behaving abnormally compared to his history; but if the department as a whole is displaying an activity spike, then the user's behaviour might not be abnormal. Abnormality may be evaluated against the current circumstances or a group of users, not just against historical data. Some related events or insights produced from other events might include that Jonathan has never logged into Salesforce before, Jonathan logged in in France 10 minutes ago, Jonathan tried 20 different passwords before this successful login … or that Jonathan has never logged in to Salesforce at this time or near this time before. In combination with other events, such as a non-typical log-in location or time, the lack of a short pause before confirming a transaction (as detected by the time between clicks on hyperlinks in a web browser or data requests being made for sequential web pages or data, for example) may indicate that an unauthorised person is using the user's credentials in this case);
generating, by the at least one computing device, a plurality of action distributions based on the usage behavior data for the plurality of individuals of the user population, the plurality of action distributions describing changes in the number of times respective actions are performed by the individuals of the user population with respect to the digital Danila-Dumitrescu FIG. 5, [0245], [0251], [0272]. User-related attributes may comprise distributions of activity types by time and/or location or a record of activity over a recent period (such as a 30 day sliding window average of user activity). In an example, a user has a huge spike in activity, and so is behaving abnormally compared to his history; but if the department as a whole is displaying an activity spike, then the user's behaviour might not be abnormal. Abnormality may be evaluated against the current circumstances or a group of users, not just against historical data. The report shows a timeline 321 with three events 322 occurring at different times. The events relating to a group of users can be superimposed on the same timeline, or on separate timelines, in order to review activity within a group. Such a report may be used for security provision or otherwise.);
obtaining, by the at least one computing device, usage behavior data associated with a user account, the usage behavior data describing a respective action performed by a user of the user account (Danila-Dumitrescu [0257]. Some related events or insights produced from other events might include that Jonathan has never logged into Salesforce before, Jonathan logged in in France 10 minutes ago, Jonathan tried 20 different passwords before this successful login … or that Jonathan has never logged in to Salesforce at this time or near this time before.);
determining, by the at least one computing device, a change in behavior of the user account based on the respective action being inconsistent with the usage behavior data associated with the user account (Danila-Dumitrescu [0257]. Some related events or insights produced from other events might include that Jonathan has never logged into Salesforce before, Jonathan logged in in France 10 minutes ago, Jonathan tried 20 different passwords before this successful login … or that Jonathan has never logged in to Salesforce at this time or near this time before. All of these related events or insights may designate abnormality and/or maliciousness to some degree, but on their own may not be particularly note-worthy. However, if the analysis engine 230 is able to recognise that several of these events/insights are applicable, the threat of this log-in action increases heavily - for example, if Jonathan does not use Windows or Chrome, he does not seem to be in the office and 20 different passwords were tried before the detected successful log-in, then the events may be correlated to produce the inference that there are grounds for suspicion that an unauthorised person may be in the office and using Jonathan's credentials);
in response to determining the change in behavior of the user account, comparing, by the at least one computing device, the usage behavior data associated with the user account with the generated plurality of action distributions of the user population to determine whether the change in behavior exhibited by the user account is consistent with changes that are exhibited by the user population as a whole (Danila-Dumitrescu FIG. 5, [0245], [0251], [0259], [0272]. User-related attributes may comprise distributions of activity types by time and/or location or a record of activity over a recent period (such as a 30 day sliding window average of user activity). In an example, a user has a huge spike in activity, and so is behaving abnormally compared to his history; but if the department as a whole is displaying an activity spike, then the user's behaviour might not be abnormal. Abnormality may be evaluated against the current circumstances or a group of users, not just against historical data. A mix of generalisations can be compiled per job type (i.e. user groups), thus allowing for sudden changes of behaviour as compared to colleagues with the same job type to be easily detected. The report shows a timeline 321 with three events 322 occurring at different times. The events relating to a group of users can be superimposed on the same timeline, or on separate timelines, in order to review activity within a group. Such a report may be used for security provision or otherwise.),
the comparing including generating a probability that the change in behavior of the user account that is based on the respective action being inconsistent with the usage behavior data associated with the user account corresponds to the security breach to a [specified] degree of confidence to prevent a false positive error that results from detecting the security breach when the security breach has not occurred [and to prevent a false negative error that results from not detecting the security breach when the security breach has occurred] (Danila-Dumitrescu FIGs. 5-6, [0246], [0251], [0263]. The tests may be used to produce a score which may be compared against a number of thresholds in order to classify an event or series or events, as mentioned. A trained model is used to find the probability of the user to be active at the given time and performing the given activity if it is found that the present event is significantly improbable, this may be a cause to flag the event as abnormal. To mitigate the problem of a high number of false positive results obscuring genuinely malicious behaviour, the analysis engine 230 may perform a 'sense check' on any outputs 30 marked as abnormal and/or malicious by re-running calculations and/or testing against previously identified scenarios. The report 120 may also incorporate a risk score 122 calculated as previously described. Other factors that potentially could be in the report include measures of confidence, notes or feedback fields and/or recommendations about possible ways to resolve threats - for example, one such recommendation could be 'temporarily block user'. Reporting in this way allows effective prioritisation of resources within an organisation, which is further improved in that the sophistication of the system 200 as a whole reduces the number of false positives, saving further resources.); and
outputting, by the at least one computing device, a security breach likelihood alert responsive to determining that the security breach occurred when the change in behavior exhibited by the user account is inconsistent with the changes that are exhibited by the user population as a whole, wherein the security breach likelihood alert is not output if the change in behavior exhibited by the user account is consistent with the changes that are exhibited by the user population as a whole (Danila-Dumitrescu FIGs. 5-6, [0246], [0251], [0264]. The tests may be used to produce a score which may be compared against a number of thresholds in order to classify an event or series or events, as mentioned. A trained model is used to find the probability of the user to be active at the given time and performing the given activity if it is found that the present event is significantly improbable, this may be a cause to flag the event as abnormal. In an example, a user has a huge spike in activity, and so is behaving abnormally compared to his history; but if the department as a whole is displaying an activity spike, then the user's behaviour might not be abnormal. Abnormality may be evaluated against the current circumstances or a group of users, not just against historical data. Where a high risk threat is detected as it is occurring, the log processing system 200 may be able to issue an alert via email, SMS, phone call or virtual assistant or another communication means).

However, in an analogous art, Letal discloses a method comprising the steps of the comparing including generating a probability that the change in behavior of the user account that is based on the respective action being inconsistent with the usage behavior data associated with the user account corresponds to the security breach to a specified degree of confidence to prevent a false positive error that results from detecting the security breach when the security breach has not occurred and to prevent a false negative error that results from not detecting the security breach when the security breach has occurred (Letal FIG 2, [0038] – [0040], [0054]-[0055]. Learn the parameters of a probabilistic model. Select a threshold based on the inferred probabilities to achieve a desired false positive rate. Identify domains with probabilities of maliciousness greater than the threshold, mark them as malicious, and apply network security policies to the traffic received from these domains, as necessary. As illustrated, with a false positive rate on the order of 10^-3, the techniques described herein correctly predict 20-60% of previously unseen malicious domains. Accordingly, as illustrated in FIGS. 6A and 6B, by modifying the threshold value for which a particular domain is determined to be malicious, an acceptable false positive rate can be achieved for the probabilistic model. Depending on the level of security required for a particular network, the threshold level may be set to favor false positives or false negatives.).
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Letal with the teachings of Danila-Dumitrescu to include the step of: the comparing including generating a probability that the change in behavior corresponds to the security breach to a specified degree of confidence to prevent a false positive error that results from detecting the security breach when the security breach has not occurred and to prevent a false negative error that results from not detecting the security breach when the security breach has occurred, to provide users with a means for setting a probabilistic model and threshold for alerting security breaches while achieving a known rate for false positives and/or false negatives. (See Letal [0055]).
Regarding claim 2, Danila-Dumitrescu and Letal disclose the method of claim 1. Danila-Dumitrescu further discloses wherein the digital content is an application or web service made accessible via the user account (Danila-Dumitrescu [0257]. In relation to the example log processing described with reference to FIG. 3, the apparently innocuous event (“Jonathan logged into Salesforce”) may be examined in the context of other events related to the user and/or the object, which may reveal that there is something amiss. Some related events or insights produced from other events might include that Jonathan has never logged into Salesforce before, Jonathan logged in in France 10 minutes ago, Jonathan tried 20 different passwords before this successful login.).
Regarding claim 4, Danila-Dumitrescu and Letal disclose the method of claim 1. Stolfo further discloses wherein the actions of the usage behavior data also describe characteristics of the individuals of the user population that initiated the actions (Danila-Dumitrescu [0251], [0259]. In an example, a user has a huge spike in activity, and so is behaving abnormally compared to his history; but if the department as a whole is displaying an activity spike, then the user's behaviour might not be abnormal. Abnormality may be evaluated against the current circumstances or a group of users, not just against historical data. A mix of generalisations can be compiled per job type (i.e. user groups), thus allowing for sudden changes of behaviour as compared to colleagues with the same job type to be easily detected.).
Regarding claim 5, Danila-Dumitrescu and Letal disclose the method of claim 1. Danila-Dumitrescu further discloses generating a score based on a likelihood that a legitimate user associated with the user account of the service provider system engaged in each action of the plurality of actions as a result of the comparing (Danila-Dumitrescu [0246]. The tests may be used to produce a score which may be compared against a number of thresholds in order to classify an event or series or events, as mentioned. The first test uses the anomaly detection algorithm and aims to find divergence between the tested event(s) and expected behaviour. A trained model is used to find the probability of the user to be active at the given time and performing the given activity—if it is found that the present event is significantly improbable, this may be a cause to flag the event as abnormal.).
Regarding claim 10, claim 10 corresponds to a system corresponding to the method of claim 1. Claim 10 is similar in scope to claim 1 and is therefore rejected under similar rationale. 
Regarding claim 12, claim 12 corresponds to a system corresponding to the method of claim 2. Claim 12 is similar in scope to claim 2 and is therefore rejected under similar rationale. 
Regarding claim 13, Danila-Dumitrescu and Letal disclose the computer system of claim 10. Danila-Dumitrescu further discloses wherein the behavior change analysis module is configured to generate a score based on a likelihood that a user engaged in each action of the plurality of actions as a result of the comparing (Danila-Dumitrescu [0246]. The tests may be used to produce a score which may be compared against a number of thresholds in order to classify an event or series or events, as mentioned. The first test uses the anomaly detection algorithm and aims to find divergence between the tested event(s) and expected behaviour. A trained model is used to find the probability of the user to be active at the given time and performing the given activity—if it is found that the present event is significantly improbable, this may be a cause to flag the event as abnormal.).
Regarding claim 17, claim 17 corresponds to a system corresponding to the method of claim 1. Claim 17 is similar in scope to claim 1 and is therefore rejected under similar rationale. 
Regarding claim 19, Danila-Dumitrescu and Letal disclose the computer system of claim 17. Danila-Dumitrescu further discloses wherein the actions involve computer operations initiated by the user that involve the digital content (Danila-Dumitrescu [0257]. In relation to the example log processing described with reference to FIG. 3, the apparently innocuous event (“Jonathan logged into Salesforce”) may be examined in the context of other events related to the user and/or the object, which may reveal that there is something amiss. Some related events or insights produced from other events might include that Jonathan has never logged into Salesforce before, Jonathan logged in in France 10 minutes ago, Jonathan tried 20 different passwords before this successful login.).
Regarding claim 22, Danila-Dumitrescu and Letal disclose the system of claim 17. Danila-Dumitrescu further discloses comprising means for outputting a security breach likelihood alert responsive to determining that the user account is breached (Danila-Dumitrescu [0246]. The tests may be used to produce a score which may be compared against a number of thresholds in order to classify an event or series or events, as mentioned. The first test uses the anomaly detection algorithm and aims to find divergence between the tested event(s) and expected behaviour. A trained model is used to find the probability of the user to be active at the given time and performing the given activity—if it is found that the present event is significantly improbable, this may be a cause to flag the event as abnormal.).
Regarding claim 23, claim 23 corresponds to a system corresponding to the system claimed in claim 22. Claim 23 is similar in scope to claim 22 and is therefore rejected under similar rationale. 
Claims 6 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Danila-Dumitrescu et al. (“Danila-Dumitrescu,” US 20180248902, filed Aug. 20, 2016) in view of Letal et al. (“Letal,” US 20160337389, published Nov. 17, 2016) and Renouil (“Renouil,” US 20170013011, filed Sep. 23, 2016). 
Regarding claim 6, Danila-Dumitrescu and Letal disclose the method of claim 1. Danila-Dumitrescu and Letal do not explicitly disclose: wherein the generating of the score includes multiplying the likelihood generated for the plurality of actions together.
However, Renouil, in an analogous art, discloses wherein the generating of the score includes multiplying the likelihood generated for the plurality of actions together (Renouil [0037]. The likelihood weightings for each parameter, can, if applied, take any appropriate form or values, as e.g. 10 for very significant, 7-9 for significant, 4-6 for moderate, and 1-3 for low. For this embodiment variant, each of the parameters for likelihood is multiplied by the corresponding likelihood weighting which results in an overall score for a likelihood.).
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Renouil with teachings of Danila-Dumitrescu and Letal to include the steps of: wherein the generating of the score includes multiplying the likelihood generated for the plurality of actions together, to provide users with a means for generating an overall score of See Renouil [0037]).
Regarding claim 14, claim 14 corresponds to a system corresponding to the method claimed in claim 6. Claim 14 is similar in scope to claim 6 and is therefore rejected under similar rationale. 
Claims 9 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Danila-Dumitrescu et al. (“Danila-Dumitrescu,” US 20180248902, filed Aug. 20, 2016) in view of Letal et al. (“Letal,” US 20160337389, published Nov. 17, 2016) and Ali (“Ali,” US 20080005052, published Jan. 3, 2008).   
Regarding claim 9, Danila-Dumitrescu and Letal disclose the method of claim 1. Danila-Dumitrescu and Letal do not explicitly disclose: the number of actions forms a series of binomial distributions for each action of the plurality of actions; and the generated plurality of action distributions follows a multivariate normal distribution.
However, in an analogous art, Ali discloses: the number of actions forms a series of binomial distributions for each action of the plurality of actions (Ali [0036]. For example, the conditional count aggregation operation is modeled by a binomial treatment. The binomial model only has a single parameter p denoting the proportion of units satisfying the condition C.); and 
the generated plurality of action distributions follows a multivariate normal distribution (Ali [0030]. Notice is taken of the Central Limit Theorem (CLT), which states that, for n random variables with arbitrary distribution (the distribution does not have to be a normal distribution) but with finite variance, if the mean is taken of the n variables, the distribution of the mean tends to normality as n tends to infinity.).
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Ali with the teachings of Danila-Dumitrescu and Letal to include the steps of: the number of actions forms a series of binomial distributions for each action of the plurality of actions; and the generated plurality of action distributions follows a multivariate normal distribution, to provide users with a means for using the central limit theorem to generate a normal distribution of the means of individual binomial distributions as number of binomial distributions increases. (See Ali [0030]).
Regarding claim 16, claim 16 corresponds to a system corresponding to the method claimed in claim 9. Claim 16 is similar in scope to claim 9 and is therefore rejected under similar rationale. 
Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Danila-Dumitrescu et al. (“Danila-Dumitrescu,” US 20180248902, filed Aug. 20, 2016) in view of Letal et al. (“Letal,” US 20160337389, published Nov. 17, 2016) and Dutta et al. (“Dutta,” US 20090276377, published Nov. 5, 2009). 
Regarding claim 15, Danila-Dumitrescu and Letal disclose the computer system of claim 10. Danila-Dumitrescu and Letal do not explicitly disclose: further comprising a result processing module implemented at least partially in hardware of the computing device to control inclusion of the user in a respective segment used as a basis to target
However, Dutta, in an analogous art, discloses a computer system further comprising a result processing module implemented at least partially in hardware of the computing device to control inclusion of the user in a respective segment used as a basis to target digital marketing content, to define factors specifying inclusion in the segment, or configure digital marketing content. (Dutta FIG. 1 and [0019]. Statistical algorithms can be utilized to analyze user interests, changes in such interests, frequencies of such changes, or the like. The analyzed user interest information can establish criteria for grouping device users together based in part on determined interests. For instance, a popularity of one or more subject matters can be determined based on numbers of users having a threshold interest in the subject matter(s). In addition, real-time advertising, marketing, etc., can be directed to particular users at a point in time when such users are actively expressing an interest in a particular subject. Such information can prove valuable to online vendors or suppliers to increase consumption of online marketing or advertisement information.).
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Dutta with the teachings of Danila-Dumitrescu and Letal to include: a result processing module implemented at least partially in hardware of the computing device to control inclusion of the user in a respective segment used as a basis to target digital marketing content, to provide users with a means for applying statistical methods on user behavioral data and to See Dutta [0019]).
Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Danila-Dumitrescu et al. (“Danila-Dumitrescu,” US 20180248902, filed Aug. 20, 2016) in view of Letal et al. (“Letal,” US 20160337389, published Nov. 17, 2016) and Malhotra et al. (“Malhotra,” US 20160299938, published Oct. 13, 2016). 
Regarding claim 21, Danila-Dumitrescu and Letal disclose the method of claim 1. Danila-Dumitrescu and Letal do not explicitly disclose: wherein the detecting the security breach likelihood further comprises differentiating legitimate access of the user account from a security breach of the user account based on a determination of a location of the change in the number of times the respective action is performed relative to a tail of a corresponding action distribution of the plurality of action distributions.
However, Malhotra, in an analogous art, discloses a computer method wherein the detecting the security breach likelihood further comprises differentiating legitimate access of the user account from a security breach of the user account based on a determination of a location of the change in the number of times the respective action is performed relative to a tail of a corresponding action distribution of the plurality of action distributions (Malhotra [0008]. The processor implement anomaly detection method further comprising modeling at least one of the first set of error vectors to obtain a multivariate Gaussian distribution; obtaining one or more likelihood values when the one or more parameters are applied on the second set of error vectors, wherein the one or more parameters comprises at least one of mu (μ), sigma (Σ), and a threshold, and wherein the anomaly is detected in the second time-series data when at least one of the one or more likelihood values is less than the threshold. [Note that in Gaussian and other distributions, a “tail” of a bell shaped curve may indicate relatively less likely events. In other words, the “tail” region (i.e. location) on a graph indicates events of low probability or high unlikelihood.]).
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Malhotra with the teachings of Danila-Dumitrescu and Letal to include the steps of: wherein the detecting the security breach likelihood further comprises differentiating legitimate access of the user account from a security breach of the user account based on a determination of a location of the change in the number of times the respective action is performed relative to a tail of a corresponding action distribution of the plurality of action distributions, to provide users with a means for applying a multivariable Gaussian distribution for user behavior data and for differentiating likelihood of normal or abnormal user behavior. (See Malhotra [0008]).
Claims 24-26 are rejected under 35 U.S.C. 103 as being unpatentable over Danila-Dumitrescu et al. (“Danila-Dumitrescu,” US 20180248902, filed Aug. 20, 2016) in view of Letal et al. (“Letal,” US 20160337389, published Nov. 17, 2016) and Ronen et al. (“Ronen,” US 20170359372, filed June 14, 2016). 
Regarding claim 24, Danila-Dumitrescu and Letal disclose the method of claim 1. Danila-Dumitrescu and Letal do not explicitly disclose: wherein the comparing further includes generating a null hypothesis that states that the change in behavior is legitimate and does not correspond to the security breach and comparing the null hypothesis to the generated probability.
Ronen [0020], [0035]. The monitor 160 will use the sampled flow data to determine whether the network traffic is indicative of an attack, and will execute the appropriate mitigation scheme when it is determined that an attack is occurring. [W]hen a number of observed communications 210 exceeds a number of predicted communications 220 by a set amount or a set percentage from the number of predicted communications 220, the connections will be marked as including an attack and security measures may be taken (port blocking, moving a machine 120, securing an account, etc.). In yet other aspects, the difference threshold may be a percentage that is determined to be statistically significant (where the null hypothesis assumes that there is not an attack) and the threshold will be set by a p-value, which will take into account a number of samples used to build the predictive model for the estimates; the p-value may depend on the statistical basis and vary as more data are collected.).
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Ronen with the teachings of Danila-Dumitrescu and Letal to include the steps of: wherein the comparing further includes generating a null hypothesis that states that the change in behavior is legitimate and does not correspond to the security breach and comparing the null hypothesis to the generated probability, to provide users with a means for applying a See Ronen [0035]). 
Regarding claim 25, Danila-Dumitrescu, Letal and Ronen disclose the method of claim 24. Ronen discloses further comprising rejecting the null hypothesis and outputting the security breach likelihood alert (Ronen [0020], [0035]. The monitor 160 will use the sampled flow data to determine whether the network traffic is indicative of an attack, and will execute the appropriate mitigation scheme when it is determined that an attack is occurring. [W]hen a number of observed communications 210 exceeds a number of predicted communications 220 by a set amount or a set percentage from the number of predicted communications 220, the connections will be marked as including an attack and security measures may be taken (port blocking, moving a machine 120, securing an account, etc.). In yet other aspects, the difference threshold may be a percentage that is determined to be statistically significant (where the null hypothesis assumes that there is not an attack) and the threshold will be set by a p-value, which will take into account a number of samples used to build the predictive model for the estimates; the p-value may depend on the statistical basis and vary as more data are collected.).
The motivation is the same as that of claim 24 above.
Regarding claim 26, Danila-Dumitrescu, Letal and Ronen disclose the method of claim 24. Ronen discloses further comprising accepting the null hypothesis and preventing the output of the security breach likelihood alert. (Ronen [0020], [0035]. The monitor 160 will use the sampled flow data to determine whether the network traffic is indicative of an attack, and will execute the appropriate mitigation scheme when it is determined that an attack is occurring. [W]hen a number of observed communications 210 exceeds a number of predicted communications 220 by a set amount or a set percentage from the number of predicted communications 220, the connections will be marked as including an attack and security measures may be taken (port blocking, moving a machine 120, securing an account, etc.). In yet other aspects, the difference threshold may be a percentage that is determined to be statistically significant (where the null hypothesis assumes that there is not an attack) and the threshold will be set by a p-value, which will take into account a number of samples used to build the predictive model for the estimates; the p-value may depend on the statistical basis and vary as more data are collected.).
The motivation is the same as that of claim 24 above. 
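The limitations addressed for claim 21 and claims 24-26 can be illustrated together with the following added example, which is not taken from the application or from the Danila-Dumitrescu, Letal, Malhotra or Ronen references. It locates an observed action count in the upper tail of that action's distribution and tests it against a null hypothesis that the change is legitimate. The Poisson model, the Bonferroni correction, the alpha value, the function names and the baseline counts are all assumptions made for illustration.

```python
import math

# Constructed sample data (assumption): daily counts per action for one account.
BASELINE = {
    "login":          [3, 4, 2, 5, 3, 4, 3, 4, 2, 4],
    "password_reset": [0, 0, 1, 0, 0, 0, 0, 1, 0, 0],
    "file_download":  [10, 12, 9, 11, 13, 10, 12, 11, 9, 13],
}

def poisson_upper_tail(observed, mean):
    """P(X >= observed) for X ~ Poisson(mean): how far into the upper tail
    of the action distribution the observed count sits."""
    if observed <= 0:
        return 1.0
    term = math.exp(-mean)          # P(X = 0)
    below = 0.0
    for k in range(observed):       # accumulate P(X = 0) .. P(X = observed - 1)
        below += term
        term *= mean / (k + 1)
    return max(0.0, 1.0 - below)

def evaluate(today, baseline=BASELINE, alpha=0.01):
    """Test H0 'the change in behavior is legitimate' once per action.
    alpha is split across actions (Bonferroni) because each action is a
    separate test and the account alerts if any one of them rejects."""
    per_test_alpha = alpha / len(baseline)
    findings = {}
    for action, history in baseline.items():
        mean = sum(history) / len(history)
        p = poisson_upper_tail(today.get(action, 0), mean)
        findings[action] = {"p_value": p, "reject_null": p < per_test_alpha}
    return findings

def should_alert(today, **kwargs):
    """Reject H0 for any action -> output the alert; otherwise suppress it."""
    return any(f["reject_null"] for f in evaluate(today, **kwargs).values())

if __name__ == "__main__":
    for day in ({"login": 5, "password_reset": 1, "file_download": 14},
                {"login": 4, "password_reset": 4, "file_download": 12}):
        print(day, "alert" if should_alert(day) else "no alert")
```

A count drawn from an overdispersed action (bursty downloads, for example) will produce too many rejections under a Poisson null; an empirical or negative binomial tail would be the substitute in that case.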
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EDWARD LONG, whose telephone number is (571) 272-8961. The examiner can normally be reached on Monday to Friday, 9 AM - 6 PM EST (Alternate Fridays).
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham, can be reached on (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.

For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/EDWARD LONG/
Examiner, Art Unit 2439

/KARI L SCHMIDT/
Primary Examiner, Art Unit 2439