DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims
This action is in response to the amendments filed November 9, 2020.
Claims 1-20 are currently pending.
Claims 1, 4, 11, 14, and 19 have been amended.

Double Patenting
The previous rejection of claims 1-5, 7-12, 19, and 20 on the ground of nonstatutory double patenting over claims 1-20 of co-pending Application No. 15/707,859 is withdrawn.  Applicant’s amendments distinguish the instant invention from co-pending Application No. 15/707,859.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitations are linked by the phrase “configured to” in claims 1, 4, 8-11, 14, and 18-20.
Specifically, the physical structure(s) required are referenced on page 77 of the Disclosure: 
In one or more exemplary designs, the functions described may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another, i.e. may include transitory and/or non-transitory computer readable media. A storage media may be any available media that can be accessed by a computer.

An implementation including these physical structures, that is, computer hardware and/or non-transitory storage media, is assumed. 
Because these claim limitations are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.


Claim Objections
The previous objection to claims 4 and 14 is withdrawn in view of Applicant’s amendment.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


Claims 11, 12, 14, and 16-19 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Dupont et al, U.S. Patent Application Publication 2012/0137367 (“Dupont”).

Regarding independent claim 11, Dupont teaches “a system for performing cognitive modeling, comprising: an event acquirer configured to acquire an event comprising an associated date and set of data fields;” (Dupont ¶¶0280-0284, “Feature collection: The feature collection phase collects, for each observed event, the necessary information needed by the downstream components. It is a fully configurable component allowing the specification of all the subsets of the data stream, as well as the snippets of information to retain from each event its high level functions are described in FIG. 10 … 4. Extract time stamps needed by the downstream components.”; ¶¶0227 and 0229, collection of an audit trail, which per ¶0230 allows pruning by date.)
“an analyzer element comprising a plurality of components repeated for each field in an event received from the event acquirer,” (Dupont ¶0150, “The present disclosure efficiently performs continuous monitoring of data produced or circulating within an entity….” The representation used for continuous monitoring is an event stream; ¶0152, “Event [100]: The central unit of analysis of the present disclosure. Depending on its origin, an event can be an observed event [102] exogenous to the system, a derived event [104] produced by the system, or user input….”) “wherein the analyzer element identifies an outlier as an event (Dupont teaches comparing an input workflow instance (event) against a multiple of standard deviations from the average and flagging it as an outlier on that basis; see ¶0628.  Dupont’s teaching of determining an outlier event is sufficient to teach this limitation because of the conditional “or.”) or cumulative value of a terrain cell multiple standard deviations from a distribution mean or an order of magnitude larger than an allowed range of values (See Dupont ¶0628, which determines event outliers by standard deviation.), wherein the terrain cell comprises a day, time of day, and average weighted value structure that evolves over time (Page 7 of the instant specification notes that an action is an event represented by a taxonomy and that each specific value of the taxonomy is referred to as a terrain.  Therefore, the terrain cell appears to be only data values.  Dupont teaches frequency components that consider values including hour (time), day, week, and month; see ¶0369.  Dupont also teaches aggregating behavioral traits for each actor by computing the average score; see ¶¶0971-0973.  The claim does not provide details regarding the structure or how it evolves over time, and Dupont’s teaching is sufficient to teach this limitation.);” and
“a periodic set of components configured to operate periodically on demand to analyze and predict based on information received from the analyzer element;” (Dupont ¶¶0209-0212, “As shown in FIG. 5, data collection is performed by the data collection component [400] within a collection session [500] in any combination of the following ways: [0210] A human user launching a collection session [500] from a machine hosting the data collection component [400] or remotely [505]. [0211] The data collection component [400] automatically collecting data in a continuous mode [510].  [0212] The data collection component [400] automatically collecting data in incremental mode [515], i.e. as a series of batch operations.”) and 
“a plurality of signal managers interfacing with the analyzer element and the periodic set of components, wherein the periodic set of components is configured to exclude signals based on content properties of data transmitted;” (Dupont ¶0255, “Predicate-based policy, for example a least-relevant-data-first pruning strategy: In conjunction with a maximum volume assigned to the collection instance [545], this policy enforces the predicate that data deemed the least relevant to the matter or project at hand will be pruned to keep the volume of a collection instance [545] below that limit.” Relevance is a calculated property of the data content.).
“wherein the plurality of components and the periodic set of components are configured to interface with a threat detector” (Dupont ¶¶0811-0812, “An actor [220] that matches at least one of these archetypes would typically be flagged for investigation if for example the corresponding archetype(s) suggest a level of present or future insider threat, where an insider threat is defined as a series of malevolent or unintentional actions by a person trusted by the organization with access to sensitive or valuable information and/or assets. [0812] In particular, the behavioral model [200] can provide evidence suggesting that the individual in question is a malicious insider. This covers three main types of situations described below, each of which presents a significant threat to the organization if it goes undetected until irreversible malicious acts are committed, unless a system such as the one described in this invention flags those individuals by raising alerts [305] based on the established behavioral model [200].” Dupont addresses insider threats by malicious individuals with valid access credentials by identifying anomalous behavior patterns.).
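The outlier test read onto claims 1, 11 and 19 (a terrain cell keyed by day and time of day holding an average weighted value that evolves over time, with an outlier being an event or cumulative cell value multiple standard deviations from the distribution mean or an order of magnitude larger than the allowed range), worked as an added example. This is editor-added illustration code, not code from the applicant’s specification, from Dupont, or from the Office; the (weekday, hour) cell key, the exponential decay weight, the minimum-observation count, the field names and their allowed ranges are assumptions, and the event records are constructed.

```python
"""
Added example (not from the applicant, Dupont, or the Office): a "terrain cell"
keyed by (weekday, hour) per data field of one actor, holding an exponentially
weighted running mean/variance of event values (the average weighted value that
evolves over time) and of the cell's closed-day cumulative totals, with two
outlier tests: more than K standard deviations from the mean, or an order of
magnitude (10x) above the field's allowed range. All constants below are assumptions.
"""
import math
from datetime import datetime

K_SIGMA = 3.0
DECAY = 0.1      # weight of the newest observation, roughly a ten-event memory (assumption)
MIN_OBS = 5      # no sigma test until the cell has a baseline (assumption)
# Assumed allowed (min, max) per field; a value >= 10 * max is an order of magnitude out.
ALLOWED_RANGE = {"bytes_out": (0, 5_000_000), "files_touched": (0, 200)}


class RunningStat:
    """Exponentially weighted mean and variance: recent values dominate, so the
    baseline drifts with the actor instead of being frozen at training time."""

    def __init__(self):
        self.n, self.mean, self.var = 0, 0.0, 0.0

    def update(self, x):
        if self.n == 0:
            self.mean, self.var = float(x), 0.0
        else:
            d = x - self.mean
            self.mean += DECAY * d
            self.var = (1 - DECAY) * (self.var + DECAY * d * d)
        self.n += 1

    def z(self, x):
        sd = math.sqrt(self.var)
        return (x - self.mean) / sd if self.n >= MIN_OBS and sd > 0 else 0.0


class TerrainCell:
    """One (weekday, hour) slot of one field: per-event stats, closed-day
    cumulative stats, and the running total for the current day."""

    def __init__(self):
        self.events, self.daily = RunningStat(), RunningStat()
        self.day, self.cumulative = None, 0.0

    def roll_day(self, day):
        if self.day is not None and day != self.day:
            self.daily.update(self.cumulative)   # close out the previous day's total
            self.cumulative = 0.0
        self.day = day


class Terrain:
    def __init__(self):
        self.cells = {}   # field -> {(weekday, hour): TerrainCell}

    def check(self, field, value, when):
        """Return the outlier reasons for this event ([] if normal), then fold it in."""
        reasons = []
        _lo, hi = ALLOWED_RANGE.get(field, (None, None))
        if hi is not None and value >= 10 * hi:
            reasons.append("order_of_magnitude_above_allowed_range")
        key = (when.weekday(), when.hour)
        cell = self.cells.setdefault(field, {}).setdefault(key, TerrainCell())
        cell.roll_day(when.date())
        if abs(cell.events.z(value)) > K_SIGMA:
            reasons.append("event_value_outside_3_sigma")
        # A partial day's total is naturally below the closed-day baseline, so only the
        # upper tail is tested for the cumulative value (low-and-slow transfers add up).
        if cell.daily.z(cell.cumulative + value) > K_SIGMA:
            reasons.append("cumulative_value_outside_3_sigma")
        cell.events.update(value)
        cell.cumulative += value
        return reasons


# Constructed sample: six normal Mondays, then a Monday where each transfer looks
# ordinary on its own but the hour's total does not, then one huge transfer, then
# a field with no baseline that only the allowed-range test can catch.
SAMPLE_EVENTS = [
    ("2021-01-04T09:10", "bytes_out", 100_000), ("2021-01-04T09:45", "bytes_out", 110_000),
    ("2021-01-11T09:10", "bytes_out", 120_000), ("2021-01-11T09:45", "bytes_out", 100_000),
    ("2021-01-18T09:10", "bytes_out", 110_000), ("2021-01-18T09:45", "bytes_out", 90_000),
    ("2021-01-25T09:10", "bytes_out", 90_000),  ("2021-01-25T09:45", "bytes_out", 120_000),
    ("2021-02-01T09:10", "bytes_out", 125_000), ("2021-02-01T09:45", "bytes_out", 100_000),
    ("2021-02-08T09:10", "bytes_out", 100_000), ("2021-02-08T09:45", "bytes_out", 105_000),
    ("2021-02-15T09:05", "bytes_out", 110_000), ("2021-02-15T09:20", "bytes_out", 105_000),
    ("2021-02-15T09:35", "bytes_out", 115_000), ("2021-02-15T09:50", "bytes_out", 4_000_000),
    ("2021-02-15T09:55", "files_touched", 5_000),
]


def run(events=SAMPLE_EVENTS):
    """Feed events in order; return one reason list per event."""
    terrain = Terrain()
    return [terrain.check(f, v, datetime.fromisoformat(ts)) for ts, f, v in events]


if __name__ == "__main__":
    for (ts, field, value), reasons in zip(SAMPLE_EVENTS, run()):
        print(f"{ts} {field:13} {value:>10,}  {', '.join(reasons) or 'ok'}")
```

Two design points matter in practice. The cumulative test is one-sided because a day that is still in progress always trails the closed-day baseline; a two-sided test would flag the first event of every day. And the allowed-range test runs before any baseline exists, so a brand-new cell (the files_touched event above) still raises an alert on a value ten times the permitted maximum while the sigma tests stay silent until MIN_OBS observations have been seen.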

Regarding claim 12, Dupont further teaches “the analyzer element comprises a threshold application component,” (Dupont ¶0164, “The present disclosure describes a method for building and continuously maintaining a behavioral model [200]. This model represents assessed behavior [205] which can be either individual behavior [210] or collective behavior [215]. In order to detect anomalies [270], the system establishes baseline behaviors [260] which are a synthetic representation of communication habits and normal interactions, then assesses deviations [265] by comparing assessed behaviors [205] to such a baseline.” A historically generated baseline is used to assess behavioral deviation for events / evidence (¶0153, analysis results based on events), also see example ¶0626 using a threshold of 3 standard deviations.)
“a terrain updater,” (Dupont ¶0160, “A typed update [107] is a light representation of an incremental change to an evidence or event that can be forwarded to different components. A typed update [107] references one or several evidences or events that are affected by the changes.” Based on the terrain definition of page 7 of the Disclosure, a terrain is a specific value of a taxonomy, e.g. a group of multiple specific values jointly representing an action by some actor. In Dupont a specific event or evidence (post-analysis information associated with an event) is a set of values which can be updated through the system.)
“an outlier analysis module,” (Dupont ¶0628, “Alternatively, compute the normalized log-probability of the input workflow instance with respect to the workflow model. If this probability is within a given multiple of standard deviations (typically 3) from the average probability of workflow instances [134] within the training set, this instance [134] is flagged as an outlier.” This threshold is appropriate for an analysis based on higher order Markov chains per ¶0625.)
“a threshold violation predictor,” (Dupont ¶0164, “This allows the detection of anomalies in recent or past behavior, however the system also attempts to predict behavior [262] in the near future based on the behavioral model [200].” Predicting future anomalies/outliers is understood to rely on the generated user behavior model and a historic behavior related threshold such as that in ¶0628.)
“a time-ordered behavior evaluator,” (Dupont ¶0178, “The continuous clustering component [412] produces clusters of items [122] or events [100] from the incoming data stream on a continuous basis. It is a required stage of continuous discussion building [410].” Discussions as defined in ¶0156, “Discussion [136]: A possibly heterogeneous partially ordered set of electronic record items [122] for which it is presumed that any item [122] is causally related to all items [122] immediately following it by one or more sources of evidence [108].” The discussion building process is understood as evaluating at least the relatedness of events into a behavior sequence.) and 
“a graph updater” (Dupont ¶¶0165-166, “The behavioral model [200] computed by the system, as well as the anomalies [270] produced, are presented by the system using supporting evidence [202] and visualizations [204] in one embodiment. A visualization [204] is produced in several stages. Data is generated [365] over time either by an iterative process over batches of data [370], or on a continuous basis [375] using for example a sliding window mechanism [380]. Input data [365] for a particular visualization [204] is then selected [360] either automatically by the system or interactively by a user. A layout [355] is then produced to efficiently display [350] the visualization as part of the system's user interface [300].”).

Regarding claim 14, Dupont further teaches “a first signal manager is provided with the analyzer element and a second signal manager is provided with the periodic set of components, and the first signal manager and the second signal manager interface with a signal filter configured to receive signal weights from a signal weight repository” ().

Regarding claim 16, Dupont further teaches “the outlier analyzer determines whether or not frequency, periodicity, and general value of outliers implies the start of another data pattern or a change to an existing data pattern” (Dupont ¶0459, “Whenever categorization is used and its results are continuously evaluated and updated, the categorization results are taken into account, in addition to various features built and continuously updated in the data model.  This allows the anomaly detection component [450] to produce categorization anomalies as appropriate.” Continuously categorizing items allows for change in the sense of concept drift and recognition of anomalies; ¶0484, “An initial set of components [1420] is built at the beginning of the continuous categorization process.  These components [1420] are continuously maintained, meaning that some new components [1420] can be added and existing components [1420] can be deleted or modified.  This happens either when a significant model change has been automatically detected in the data, or when an administrator needs to implement a new policy (whether internal or external to the organization).” A significant model change can be automatically identified also.).

Regarding claim 17, Dupont further teaches “time-ordered behavior evaluator employs a Markov Graph, to learn a general sequence of events performed by one actor during a time period” (Dupont ¶0605, “In one embodiment of the present disclosure, once a pattern has been detected as significant in the baseline data analyzed for the whole set of actors [220] or a subset of those, the workflow model is built as a higher-order Markov chain whose states are composed of the individual event [100] and item [122] patterns….” Per page 14 of the Disclosure the Markov graph is understood to have dependency on multiple past events and therefore to graph a higher order Markov chain; ¶0625 and ¶0628 for example of Markov chain analysis for determining outliers.).
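The ¶0628 rule relied on for claims 12, 17 and 19 (a workflow model built as a higher-order Markov chain over an actor’s event sequence, a normalized log-probability for each instance, and a flag when that score sits a given multiple of standard deviations, typically 3, from the training-set average), worked as an added example. This is editor-added illustration code, not Dupont’s implementation and not the applicant’s; the chain order, the additive smoothing constant, and the event names and sessions are assumptions and constructed data.

```python
"""
Added example (not from the applicant, Dupont, or the Office): an order-2
(higher-order) Markov chain "workflow model" learned from per-actor event
sequences, scored with a normalized log-probability and flagged as an outlier
when that score is more than K standard deviations from the training mean.
Event names and sessions are constructed sample data; the constants are assumptions.
"""
import math
from collections import Counter, defaultdict

ORDER = 2        # next event depends on the two preceding events (assumption)
ALPHA = 0.5      # additive smoothing so a never-seen transition keeps a finite log-probability
K_SIGMA = 3.0    # "typically 3" standard deviations
START, END = "<start>", "<end>"


class WorkflowModel:
    def __init__(self, order=ORDER, alpha=ALPHA):
        self.order, self.alpha = order, alpha
        self.transitions = defaultdict(Counter)   # context tuple -> Counter of next event
        self.vocab = set()
        self.mean = self.std = 0.0                # baseline of training-set scores

    def _ngrams(self, seq):
        padded = [START] * self.order + list(seq) + [END]
        for i in range(self.order, len(padded)):
            yield tuple(padded[i - self.order:i]), padded[i]

    def fit(self, sequences):
        for seq in sequences:
            self.vocab.update(seq)
            for ctx, nxt in self._ngrams(seq):
                self.transitions[ctx][nxt] += 1
        self.vocab.add(END)
        scores = [self.normalized_log_prob(s) for s in sequences]
        self.mean = sum(scores) / len(scores)
        self.std = math.sqrt(sum((s - self.mean) ** 2 for s in scores) / len(scores))
        return self

    def normalized_log_prob(self, seq):
        """Mean log-probability per transition, so sequence length does not dominate."""
        total, n, v = 0.0, 0, len(self.vocab)
        for ctx, nxt in self._ngrams(seq):
            counts = self.transitions.get(ctx, Counter())
            p = (counts[nxt] + self.alpha) / (sum(counts.values()) + self.alpha * v)
            total += math.log(p)
            n += 1
        return total / n

    def z_score(self, seq):
        if self.std == 0.0:   # degenerate baseline: every training sequence scored alike
            return math.inf if self.normalized_log_prob(seq) != self.mean else 0.0
        return (self.normalized_log_prob(seq) - self.mean) / self.std

    def is_outlier(self, seq, k=K_SIGMA):
        return abs(self.z_score(seq)) > k


# Constructed baseline sessions for one actor during a training period.
BASELINE_SESSIONS = (
    [["login", "open_ticket", "edit", "save", "logout"]] * 6
    + [["login", "open_ticket", "comment", "save", "logout"]] * 3
    + [["login", "search", "open_ticket", "edit", "save", "logout"]] * 3
)
SUSPECT_SESSION = ["login", "bulk_export", "bulk_export", "delete_logs", "logout"]


def train(sequences=BASELINE_SESSIONS):
    return WorkflowModel().fit(sequences)


def flag_sessions(model, sequences, k=K_SIGMA):
    """Return (sequence, z-score, outlier?) for each sequence."""
    return [(s, model.z_score(s), model.is_outlier(s, k)) for s in sequences]


if __name__ == "__main__":
    m = train()
    for seq, z, flag in flag_sessions(m, BASELINE_SESSIONS[:1] + [SUSPECT_SESSION]):
        print(f"{'OUTLIER' if flag else 'normal ':8} z={z:+7.2f}  {' > '.join(seq)}")
```

Normalizing by the number of transitions keeps a long but ordinary session from scoring as an outlier merely for being long; the smoothing constant decides how harshly a never-seen transition is penalized. A baseline in which every training session scores identically has zero standard deviation, so the code treats any different score as an outlier rather than dividing by zero; in a real deployment that is a sign the training set is too uniform to be a baseline at all.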

Regarding claim 18, Dupont further teaches “the actor behavior analyzer is configured to examine any changes in actor behavior over time by comparing similarity of past behavior with current behavior” (Dupont ¶0631, “[0631] Instances for the exact same actors [220] at a prior time (called baseline referential). This allows the system to detect deviations associated to a particular actor [220].” Per page 29 of the Disclosure, actor behavior analysis “examines the change in an Actor’s behavior over time by comparing the similarity of past behavior (the history) and current behavior.”)

Regarding independent claim 19, Dupont teaches “a cognitive modeling apparatus, comprising: an event acquirer;” (Dupont ¶0150, “The present disclosure efficiently performs continuous monitoring of data produced or circulating within an entity….” The representation used for continuous monitoring is an event stream; ¶0152, “Event [100]: The central unit of analysis of the present disclosure. Depending on its origin, an event can be an observed event [102] exogenous to the system, a derived event [104] produced by the system, or user input….”)
“an updating and evaluating arrangement comprising hardware configured to apply thresholds,” (Dupont ¶0164, “The present disclosure describes a method for building and continuously maintaining a behavioral model [200]. This model represents assessed behavior [205] which can be either individual behavior [210] or collective behavior [215]. In order to detect anomalies [270], the system establishes baseline behaviors [260] which are a synthetic representation of communication habits and normal interactions, then assesses deviations [265] by comparing assessed behaviors [205] to such a baseline.” A historically generated baseline is used to assess behavioral deviation for events / evidence (¶0153, analysis results based on events), also see example ¶0626 using a threshold of 3 standard deviations.) “update event related data,” (Dupont ¶0160, “A typed update [107] is a light representation of an incremental change to an evidence or event that can be forwarded to different components. A typed update [107] references one or several evidences or events that are affected by the changes.” Based on the terrain definition of page 7 of the Disclosure, a terrain is a specific value of a taxonomy, e.g. a group of multiple specific values jointly representing an action by some actor. In Dupont a specific event or evidence (post-analysis information associated with an event) is a set of values which can be updated through the system.) “predict thresholds” (Dupont ¶0164, “This allows the detection of anomalies in recent or past behavior, however the system also attempts to predict behavior [262] in the near future based on the behavioral model [200].” Predicting future anomalies/outliers is understood to rely on the generated user behavior model and a historic behavior related threshold such as that in ¶0628.) 
and “determine outliers from events received from the event acquirer,” (Dupont ¶0628, “Alternatively, compute the normalized log-probability of the input workflow instance with respect to the workflow model. If this probability is within a given multiple of standard deviations (typically 3) from the average probability of workflow instances [134] within the training set, this instance [134] is flagged as an outlier.” This threshold is appropriate for an analysis based on higher order Markov chains per ¶0625.) “wherein the analyzer element identifies an outlier as an event (Dupont teaches comparing an input workflow instance (event) against a multiple of standard deviations from the average and flagging it as an outlier on that basis; see ¶0628.  Dupont’s teaching of determining an outlier event is sufficient to teach this limitation because of the conditional “or.”) or cumulative value of a terrain cell multiple standard deviations from a distribution mean or an order of magnitude larger than an allowed range of values (See Dupont ¶0628, which determines event outliers by standard deviation.), wherein the terrain cell comprises a day, time of day, and average weighted value structure that evolves over time (Page 7 of the instant specification notes that an action is an event represented by a taxonomy and that each specific value of the taxonomy is referred to as a terrain.  Therefore, the terrain cell appears to be only data values.  Dupont teaches frequency components that consider values including hour (time), day, week, and month; see ¶0369.  Dupont also teaches aggregating behavioral traits for each actor by computing the average score; see ¶¶0971-0973.  The claim does not provide details regarding the structure or how it evolves over time, and Dupont’s teaching is sufficient to teach this limitation.);” and
“a periodic/on demand apparatus configured to analyze event data on demand;” (Dupont ¶¶0209-0212, “As shown in FIG. 5, data collection is performed by the data collection component [400] within a collection session [500] in any combination of the following ways: [0210] A human user launching a collection session [500] from a machine hosting the data collection component [400] or remotely [505]. [0211] The data collection component [400] automatically collecting data in a continuous mode [510].  [0212] The data collection component [400] automatically collecting data in incremental mode [515], i.e. as a series of batch operations.”) and
“a series of signal managers comprising a first signal manager connected to the updating and evaluation arrangement and a second signal manager connected to the periodic/on demand apparatus; wherein the series of signal managers are configured to exclude signals based on content properties” (Dupont ¶0255, “Predicate-based policy, for example a least-relevant-data-first pruning strategy: In conjunction with a maximum volume assigned to the collection instance [545], this policy enforces the predicate that data deemed the least relevant to the matter or project at hand will be pruned to keep the volume of a collection instance [545] below that limit.” Relevance is a calculated property of the data content.).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-4, 7-10, and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Dupont et al, U.S. Patent Application Publication 2012/0137367 (“Dupont”) in view of Adjaoute, U.S. Patent Application Publication 2016/0071017 (“Adjaoute”) further in view of Steiner et al, U.S. Patent Application Publication 2015/0355957 (“Steiner”).

Regarding independent claim 1, Dupont teaches “a system for performing cognitive modeling, comprising: an event acquirer configured to acquire an event comprising an associated date and set of data fields;” (Dupont ¶¶0280-0284, “Feature collection: The feature collection phase collects, for each observed event, the necessary information needed by the downstream components. It is a fully configurable component allowing the specification of all the subsets of the data stream, as well as the snippets of information to retain from each event its high level functions are described in FIG. 10 … 4. Extract time stamps needed by the downstream components.”; ¶¶0227 and 0229, collection of an audit trail, which per ¶0230 allows pruning by date.)
“an analyzer element comprising a plurality of components repeated for each field in an event received from the event acquirer, wherein the analyzer element applies thresholds to each event,” (Dupont ¶0164, “The present disclosure describes a method for building and continuously maintaining a behavioral model [200]. This model represents assessed behavior [205] which can be either individual behavior [210] or collective behavior [215]. In order to detect anomalies [270], the system establishes baseline behaviors [260] which are a synthetic representation of communication habits and normal interactions, then assesses deviations [265] by comparing assessed behaviors [205] to such a baseline.” A historically generated baseline is used to assess behavioral deviation for events / evidence (¶0153, analysis results based on events), also see example ¶0626 using a threshold of 3 standard deviations.)  “determines outliers,” (Dupont ¶0628, “Alternatively, compute the normalized log-probability of the input workflow instance with respect to the workflow model. If this probability is within a given multiple of standard deviations (typically 3) from the average probability of workflow instances [134] within the training set, this instance [134] is flagged as an outlier.” This threshold is appropriate for an analysis based on higher order Markov chains per ¶0625.) “evaluates time-ordered behavior,” (Dupont ¶0178, “The continuous clustering component [412] produces clusters of items [122] or events [100] from the incoming data stream on a continuous basis. It is a required stage of continuous discussion building [410].” Discussions as defined in ¶0156, “Discussion [136]: A possibly heterogeneous partially ordered set of electronic record items [122] for which it is presumed that any item [122] is causally related to all items [122] immediately following it by one or more sources of evidence [108].” The discussion building process is understood as evaluating at least the relatedness of events into a behavior sequence.) “predicts threshold violations for the event,” (Dupont ¶0164, “This allows the detection of anomalies in recent or past behavior, however the system also attempts to predict behavior [262] in the near future based on the behavioral model [200].” Predicting future anomalies/outliers is understood to rely on the generated user behavior model and a historic behavior related threshold such as that in ¶0628.)
“wherein the analyzer element identifies an outlier as an event (Dupont teaches comparing an input workflow instance (event) against a multiple of standard deviations from the average and flagging it as an outlier on that basis; see ¶0628.  Dupont’s teaching of determining an outlier event is sufficient to teach this limitation because of the conditional “or.”) or cumulative value of a terrain cell multiple standard deviations from a distribution mean or an order of magnitude larger than an allowed range of values (See Dupont ¶0628, which determines event outliers by standard deviation.), wherein the terrain cell comprises a day, time of day, and average weighted value structure that evolves over time (Page 7 of the instant specification notes that an action is an event represented by a taxonomy and that each specific value of the taxonomy is referred to as a terrain.  Therefore, the terrain cell appears to be only data values.  Dupont teaches frequency components that consider values including hour (time), day, week, and month; see ¶0369.  Dupont also teaches aggregating behavioral traits for each actor by computing the average score; see ¶¶0971-0973.  The claim does not provide details regarding the structure or how it evolves over time, and Dupont’s teaching is sufficient to teach this limitation.);” and
“a periodic set of components configured to operate periodically on demand,” (Dupont ¶¶0209-0212, “As shown in FIG. 5, data collection is performed by the data collection component [400] within a collection session [500] in any combination of the following ways: [0210] A human user launching a collection session [500] from a machine hosting the data collection component [400] or remotely [505]. [0211] The data collection component [400] automatically collecting data in a continuous mode [510].  [0212] The data collection component [400] automatically collecting data in incremental mode [515], i.e. as a series of batch operations.”) “the periodic set of components configured to perform peer to peer analysis,” (Dupont ¶0809, “Third, an individual behavior [210] can be used to contrast the individual's behavior with her peers' behavior in order to yield another kind of assessment of anomalous behavior as with changes over time.” Per page 28 of the Disclosure, peer to peer analysis is understood as comparisons to similar peer actors.) “actor correlation analysis,” (Dupont ¶0630, “Instances for the same actor groups [225] at a prior time (peer-group referential, as formalized in the section on Anomaly detection). This allows detection of deviations from an informal workflow process [128] over time within a certain set of individual actors [220] in the organization, as well as specific actors [220] who do not follow the same workflow as the majority of the other actors [220] in the group [225] (for example, it might be interesting to detect actors [220] who are systematically sloppy and skip important stages [154] in a workflow process [128]).” Automated clustering of peer groups is requisite to perform such detection. Per page 28 of the Disclosure, actor correlation analysis is understood as the “actor behavior analysis,” (Dupont ¶0631, “[0631] Instances for the exact same actors [220] at a prior time (called baseline referential). 
This allows the system to detect deviations associated to a particular actor [220].” Per page 29 of the Disclosure, actor behavior analysis “examines the change in an Actor’s behavior over time by comparing the similarity of past behavior (the history) and current behavior.”) and 
“a plurality of signal managers interfacing with the analyzer element and the periodic set of components configured to exclude signals based on content properties of data transmitted;” (Dupont ¶0255, “Predicate-based policy, for example a least-relevant-data-first pruning strategy: In conjunction with a maximum volume assigned to the collection instance [545], this policy enforces the predicate that data deemed the least relevant to the matter or project at hand will be pruned to keep the volume of a collection instance [545] below that limit.” Relevance is a calculated property of the data content.).
“wherein the plurality of components and the periodic set of components are configured to interface with a threat detector” (Dupont ¶¶0811-0812, “An actor [220] that matches at least one of these archetypes would typically be flagged for investigation if for example the corresponding archetype(s) suggest a level of present or future insider threat, where an insider threat is defined as a series of malevolent or unintentional actions by a person trusted by the organization with access to sensitive or valuable information and/or assets. [0812] In particular, the behavioral model [200] can provide evidence suggesting that the individual in question is a malicious insider. This covers three main types of situations described below, each of which presents a significant threat to the organization if it goes undetected until irreversible malicious acts are committed, unless a system such as the one described in this invention flags those individuals by raising alerts [305] based on the established behavioral model [200].” Dupont addresses insider threats by malicious individuals with valid access credentials by identifying anomalous behavior patterns.).
However, Dupont is understood not to address fuzzy semantic rule analysis. Adjaoute teaches “[components of a classification system which perform] semantic rule analysis,” (Adjaoute ¶0150, “Compiled flag settings rules are fuzzy rules (business rules) developed with fuzzy logic. Fuzzy rules are used to merge the predicted classes from all the predictive models and technologies 631-636 and decide on one final prediction, herein, prevailing predicted class 660. Rules 654 are either manually written by analytical engineers, or they are automatically generated when analyzing the enriched training data 124 (FIG. 1) in steps 126, 130, 134, 138, 142, and 146.” Determining the final predicted class is based on merging fuzzy membership in either automatically generated and/or manual sets. This is comparable to the Disclosure page 32’s rule sets.).
The artisan of ordinary skill, starting with the system for anomaly detection of Dupont, would have appreciated the benefit of semantic rule analysis as proposed by Adjaoute. The ordinarily-skilled artisan would readily see the benefits of semantic rule analysis, which would provide the well-known, predictable, and expected results of translating expert knowledge of known threats/anomalies into actionable system rules. The artisan of ordinary skill would have been motivated to combine Dupont with Adjaoute as proposed above, at least because both are directed to predictive models. 

Dupont and Adjaoute are understood not to teach predicting rates of change. Steiner teaches “[components of an anomaly detection system which] predict rates of change” (Steiner ¶0106, “Method 300 builds/creates a model or pattern of normalcy from the identified patterns of events, block 308. Utilizing the model of normalcy, method 300 may build/create rules, block 310, that determine how and whether anomalies are detected, how method 300 treats, characterizes and reacts to a detected anomaly, etc. … Method 300 may repeat 302-310, block 312, over time using machine learning techniques to continue to build and update 308 the model of normalcy and build and update 310 the rules.” The model of normalcy updated over time is used to identify anomalous changes as opposed to normal changes, and that differentiation is understood as based on the rates of change of user behavior events.).
The artisan of ordinary skill, starting with the system for anomaly detection of Dupont and Adjaoute, would have appreciated the benefit of anomalous event modeling as proposed by Steiner. The ordinarily-skilled artisan would readily see the benefits of tracking a normalcy model over time, which would provide the well-known, predictable, and expected results of recognizing changes in behavior. The artisan of ordinary skill would have been motivated to combine Dupont and Adjaoute with Steiner as proposed above, at least because both are directed to models of insider threat detection. 
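The two comparisons read onto claim 1’s peer to peer analysis and actor behavior analysis, and onto claim 18 (an actor’s current behavior against her own prior windows, Dupont’s baseline referential, and against her peers’ behavior), worked as an added example. This is editor-added illustration code, not from Dupont, Adjaoute, Steiner or the applicant; the event categories, the representation of a window as a vector of per-category counts, cosine distance as the similarity measure, and the minimum-distance floor are assumptions, and the actor and peer data are constructed.

```python
"""
Added example (not from the applicant, Dupont, or the Office): an actor's behavior
in a window is a vector of event counts per category. Actor behavior analysis
compares the current window with that actor's own history; peer-to-peer analysis
compares it with the peer group. Both report a cosine distance and that distance
in standard deviations of the reference set's own spread. Assumptions throughout.
"""
import math

CATEGORIES = ["login", "read", "write", "export", "admin"]   # assumed event categories
K_SIGMA = 3.0
MIN_DISTANCE = 0.05   # a very tight baseline makes 3 sigma microscopic; also require a real shift


def cosine_distance(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return 1.0 - dot / (na * nb) if na and nb else 1.0


def centroid(vectors):
    return [sum(v[i] for v in vectors) / len(vectors) for i in range(len(vectors[0]))]


def deviation(reference, current):
    """Distance of `current` from the centroid of the `reference` windows, and that
    distance in standard deviations of how far the reference windows themselves
    sit from their centroid."""
    c = centroid(reference)
    spread = [cosine_distance(r, c) for r in reference]
    m = sum(spread) / len(spread)
    sd = math.sqrt(sum((s - m) ** 2 for s in spread) / len(spread))
    d = cosine_distance(current, c)
    z = (d - m) / sd if sd > 0 else (math.inf if d > m else 0.0)
    return d, z


def assess(history, peers, current, k=K_SIGMA):
    """Actor behavior analysis (current vs own history) and peer-to-peer analysis
    (current vs peer group). Returns distances, z-scores and the flags raised."""
    hd, hz = deviation(history, current)
    pd, pz = deviation(peers, current)
    flags = []
    if hz > k and hd > MIN_DISTANCE:
        flags.append("deviates_from_own_history")
    if pz > k and pd > MIN_DISTANCE:
        flags.append("deviates_from_peer_group")
    return {"history": (hd, hz), "peers": (pd, pz), "flags": flags}


# Constructed weekly windows: counts per category, in CATEGORIES order.
ALICE_HISTORY = [[5, 40, 10, 1, 0], [6, 38, 12, 2, 0], [4, 42, 9, 1, 0],
                 [5, 39, 11, 1, 1], [7, 41, 10, 2, 0], [5, 40, 12, 1, 0]]
PEERS_THIS_WEEK = [[6, 35, 12, 2, 0], [4, 45, 9, 1, 0], [5, 38, 14, 3, 1],
                   [7, 40, 8, 1, 0], [5, 42, 11, 2, 0]]
ALICE_NORMAL_WEEK = [6, 41, 11, 2, 0]
ALICE_SUSPECT_WEEK = [5, 10, 2, 60, 3]   # reads drop, exports and admin actions jump

if __name__ == "__main__":
    for label, week in (("normal", ALICE_NORMAL_WEEK), ("suspect", ALICE_SUSPECT_WEEK)):
        r = assess(ALICE_HISTORY, PEERS_THIS_WEEK, week)
        print(label, r["flags"], "history z=%.1f peers z=%.1f" % (r["history"][1], r["peers"][1]))
```

The two tests answer different questions, and both are worth keeping: a user whose job legitimately changed will drift from her own history while staying close to her new peers, whereas a peer group that is collectively compromised looks normal to itself and only the per-actor history comparison (or a comparison against a broader population) will notice. Cosine distance compares the shape of activity rather than its volume, so a simple increase in workload does not by itself trigger either flag; the terrain-cell test on magnitudes covers that case.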
Regarding claim 2, Dupont further teaches “the analyzer element comprises a threshold application component,” (Dupont ¶0164, “The present disclosure describes a method for building and continuously maintaining a behavioral model [200]. This model represents assessed behavior [205] which can be either individual behavior [210] or collective behavior [215]. In order to detect anomalies [270], the system establishes baseline behaviors [260] which are a synthetic representation of communication habits and normal interactions, then assesses deviations [265] by comparing assessed behaviors [205] to such a baseline.” A historically generated baseline is used to assess behavioral deviation for events / evidence (¶0153, analysis results based on events), also see example ¶0626 using a threshold of 3 standard deviations.)  “a terrain updater,” (Dupont ¶0160, “A typed update [107] is a light representation of an incremental change to an evidence or event that can be forwarded to different components. A typed update [107] references one or several evidences or events that are affected by the changes.” Based on the terrain definition of page 7 of the Disclosure, a terrain is a specific value of a taxonomy, e.g. a group of multiple specific values jointly representing an action by some actor. In Dupont a specific event or evidence (post-analysis information associated with an event) is a set of values which can be updated through the system.)   “an outlier analysis module,” (Dupont ¶0628, “Alternatively, compute the “a threshold violation predictor,” (Dupont ¶0164, “This allows the detection of anomalies in recent or past behavior, however the system also attempts to predict behavior [262] in the near future based on the behavioral model [200].” Predicting future anomalies/outliers is understood to rely on the generated user behavior model and a historic behavior related threshold such as that in ¶0628.) 
“a time-ordered behavior evaluator,” (Dupont ¶0178, “The continuous clustering component [412] produces clusters of items [122] or events [100] from the incoming data stream on a continuous basis. It is a required stage of continuous discussion building [410].” Discussions as defined in ¶0156, “Discussion [136]: A possibly heterogeneous partially ordered set of electronic record items [122] for which it is presumed that any item [122] is causally related to all items [122] immediately following it by one or more sources of evidence [108].” The discussion building process is understood as evaluating at least the relatedness of events into a behavior sequence.) and “a graph updater” (Dupont ¶¶0165-166, “The behavioral model [200] computed by the system, as well as the anomalies [270] produced, are presented by the system using supporting evidence [202] and visualizations [204] in one embodiment. A visualization [204] is produced in several stages. Data is generated [365] over time either by an iterative process over batches of data [370], or on a continuous basis [375] using for example a sliding window mechanism [380]. Input data [365] for a particular visualization [204] is then selected [360] either automatically by the system or 

Regarding claim 3, Dupont, Adjaoute, and Steiner further teach “the periodic set of components comprises a peer to peer analyzer, an actor correlation analyzer, an actor behavior analyzer,” (Dupont ¶0809, ¶0630, ¶0631) “a rate of change predictor,” (Steiner ¶0106) and “a semantic rule analyzer” (Adjaoute ¶0150).

Regarding claim 4, Dupont further teaches “a first signal manager is provided with the analyzer element and a second signal manager is provided with the periodic set of components, and the first signal manager and the second signal manager interface with a signal filter configured to receive signal weights from a signal weight repository” (Dupont ¶¶0280-0282, “Feature collection: The feature collection phase collects, for each observed event, the necessary information needed by the downstream components. It is a fully configurable component allowing the specification of all the subsets of the data stream, as well as the snippets of information to retain from each event its high level functions are described in FIG. 10: … 2. Prioritize incoming events [100] based on configurable prioritization predicates [1020]. See example ¶0288.).

Regarding claim 6, Dupont further teaches “the outlier analyzer determines whether or not frequency, periodicity, and general value of outliers implies the start of another data pattern or a change to an existing data pattern” (Dupont ¶0459, “Whenever categorization is 

Regarding claim 7, Dupont further teaches “time-ordered behavior evaluator employs a Markov Graph, to learn a general sequence of events performed by one actor during a time period” (Dupont ¶0605, “In one embodiment of the present disclosure, once a pattern has been detected as significant in the baseline data analyzed for the whole set of actors [220] or a subset of those, the workflow model is built as a higher-order Markov chain whose states are composed of the individual event [100] and item [122] patterns….” Per page 14 of the Disclosure the Markov graph is understood to have dependency on multiple past events and therefore to graph a higher order Markov chain; ¶0625 and ¶0628 for example of Markov chain analysis for determining outliers.).

Regarding claim 8, Dupont further teaches “the actor behavior analyzer is configured to examine any changes in actor behavior over time by comparing similarity of past behavior with current behavior” (Dupont ¶0185, “The anomaly detection component [450] continuously monitors the incoming stream of events [100] (both observed [102] and derived [104], including the behavioral model [200]) with the main goal of spotting anomalous behavior and anomalous patterns in the data based on statistical, analytical, and other types of properties associated to both recent data and historical data.” Comparing statistically the properties of recent data with historic data is one way of determining similarity of a monitored behavior stream.).

Regarding claim 9, Adjaoute further teaches “the semantic rule analyzer is configured to encode conditional, provisional, cognitive, operational, and functional knowledge” (Adjaoute ¶0150, “Compiled flag settings rules are fuzzy rules (business rules) developed with fuzzy logic. Fuzzy rules are used to merge the predicted classes from all the predictive models and technologies 631-636 and decide on one final prediction, herein, prevailing predicted class 660. Rules 654 are either manually written by analytical engineers, or they are automatically generated when analyzing the enriched training data 124 (FIG. 1) in steps 126, 130, 134, 138, 142, and 146.” Determining the final predicted class is based on merging fuzzy membership in either automatically generated and/or manual sets. This is comparable to the Disclosure page 32’s rule sets.).

Regarding claim 10, Steiner further teaches “the rate of change predictor is configured to store similarity and correlation results over time and rates of change over time” (Steiner ¶0106, “The patterns may provide indications of relations between events in different data streams under typical operating conditions. Method 300 builds/creates a model or pattern of normalcy from the identified patterns of events, block 308. Utilizing the model of normalcy, method 300 may build/create rules, block 310, that determine how and whether anomalies are detected, how method 300 treats, characterizes and reacts to a detected anomaly, etc. … Method 300 may repeat 302-310, block 312, over time using machine learning techniques to continue to build and update 308 the model of normalcy and build and update 310 the rules.” Models, patterns, and/or rules are stored to describe past correlations. These are updated over time storing the results over time.).

Regarding claim 13, Dupont teaches the system of claim 11, and teaches “a peer to peer analyzer” (Dupont ¶0809, “Third, an individual behavior [210] can be used to contrast the individual's behavior with her peers' behavior in order to yield another kind of assessment of anomalous behavior as with changes over time.” Per page 28 of the Disclosure, peer to peer analysis is understood as comparisons to similar peer actors.) “an actor correlation analyzer” (Dupont ¶0630, “Instances for the same actor groups [225] at a prior time (peer-group referential, as formalized in the section on Anomaly detection). This allows detection of deviations from an informal workflow process [128] over time within a certain set of individual actors [220] in the organization, as well as specific actors [220] who do not follow the same workflow as the majority of the other actors [220] in the group [225] (for example, it might be “an actor behavior analyzer” (Dupont ¶0631, “Instances for the exact same actors [220] at a prior time (called baseline referential). This allows the system to detect deviations associated to a particular actor [220].” Per page 29 of the Disclosure, actor behavior analysis “examines the change in an Actor’s behavior over time by comparing the similarity of past behavior (the history) and current behavior.”).
However, Dupont is understood not to address fuzzy semantic rule analysis. Adjaoute teaches “[components of a classification system which perform] semantic rule analysis,” (Adjaoute ¶0150, “Compiled flag settings rules are fuzzy rules (business rules) developed with fuzzy logic. Fuzzy rules are used to merge the predicted classes from all the predictive models and technologies 631-636 and decide on one final prediction, herein, prevailing predicted class 660. Rules 654 are either manually written by analytical engineers, or they are automatically generated when analyzing the enriched training data 124 (FIG. 1) in steps 126, 130, 134, 138, 142, and 146.” Determining the final predicted class is based on merging fuzzy membership in either automatically generated and/or manual sets. This is comparable to the Disclosure page 32’s rule sets.).
The artisan of ordinary skill, starting with the system for anomaly detection of Dupont, would have appreciated the benefit of semantic rule analysis as proposed by Adjaoute. The ordinarily-skilled artisan would readily see the benefits of semantic rule analysis, which would 
Therefore, a person having ordinary skill in the art at the effective filing date of the invention would have found it obvious to combine the system of anomaly detection of Dupont with the predictive model improvement based on fuzzy semantic rules of Adjaoute to achieve the well-known and expected benefit of incorporating expert knowledge to improve prediction.
Dupont and Adjaoute are understood not to teach predicting rates of change. Steiner teaches “[components of an anomaly detection system which] predict rates of change” (Steiner ¶0106, “Method 300 builds/creates a model or pattern of normalcy from the identified patterns of events, block 308. Utilizing the model of normalcy, method 300 may build/create rules, block 310, that determine how and whether anomalies are detected, how method 300 treats, characterizes and reacts to a detected anomaly, etc. … Method 300 may repeat 302-310, block 312, over time using machine learning techniques to continue to build and update 308 the model of normalcy and build and update 310 the rules.” The model of normalcy updated over time is used to identify anomalous changes as opposed to normal changes, and that differentiation is understood as based on the rates of change of user behavior events.).
The artisan of ordinary skill, starting with the system for anomaly detection of Dupont and Adjaoute, would have appreciated the benefit of anomalous event modeling as proposed by Steiner. The ordinarily-skilled artisan would readily see the benefits of tracking a normalcy model over time, which would provide the well-known, predictable, and expected results of 
Therefore, a person having ordinary skill in the art at the effective filing date of the invention would have found it obvious to combine the system of anomaly detection of Dupont and Adjaoute with the normalcy model tracking of Steiner to achieve the well-known and expected benefit of identifying normal vs. anomalous change over time.

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Dupont et al, U.S. Patent Application Publication 2012/0137367 (“Dupont”) in view of Adjaoute, U.S. Patent Application Publication 2016/0071017 (“Adjaoute”) further in view of Steiner et al, U.S. Patent Application Publication 2015/0355957 (“Steiner”) further in view of Mayhew et al, Use of Machine Learning in Big Data Analytics for Insider Threat Detection (“Mayhew”).

Regarding claim 5, Dupont, Adjaoute, and Steiner teach the system of claim 1 but are understood not to teach exposing an application programming interface. Mayhew teaches “the threat detector employs an extreme vigilance application programming interface” (Mayhew page 921 column 1 paragraph 4, “BBAC provides an API for consuming threat status messages describing suspicious events via well-defined XML documents. This enables other components, such as the resiliency controllers being built under the Autonomic Resilient CDS (ARC) effort, to treat BBAC information as sensor input as part of a larger adaptation strategy.” Per page 36 of 
The artisan of ordinary skill, starting with the system for anomaly detection of Dupont, Adjaoute, and Steiner, would have appreciated the benefit of providing an API for an anomaly based threat detector as proposed by Mayhew. The ordinarily-skilled artisan would readily see the benefits of exposing an application programming interface, which would provide the well-known, predictable, and expected results of enabling other programs to check threat information or consume threat related alerts. The artisan of ordinary skill would have been motivated to combine Dupont, Adjaoute, and Steiner with Mayhew as proposed above, at least because both are directed to models of insider threat detection. 
Therefore, a person having ordinary skill in the art at the effective filing date of the invention would have found it obvious to combine the system of anomaly detection of Dupont, Adjaoute, and Steiner with the API provision of Mayhew to achieve the well-known and expected benefit of allowing coordination of threat information into larger software systems.

Claims 15 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Dupont et al, U.S. Patent Application Publication 2012/0137367 (“Dupont”) in view of Mayhew et al, Use of Machine Learning in Big Data Analytics for Insider Threat Detection (“Mayhew”).

Regarding claim 15, Dupont teaches the system of claim 11, however it does not teach exposing an API. Mayhew teaches “the threat detector employs an extreme vigilance application programming interface” (Mayhew page 921 column 1 paragraph 4, “BBAC provides 
The artisan of ordinary skill, starting with the system for anomaly detection of Dupont, would have appreciated the benefit of providing an API for an anomaly based threat detector as proposed by Mayhew. The ordinarily-skilled artisan would readily see the benefits of exposing an application programming interface, which would provide the well-known, predictable, and expected results of enabling other programs to check threat information or consume threat related alerts. The artisan of ordinary skill would have been motivated to combine Dupont with Mayhew as proposed above, at least because both are directed to models of insider threat detection. 
Therefore, a person having ordinary skill in the art at the effective filing date of the invention would have found it obvious to combine the system of anomaly detection of Dupont with the API provision of Mayhew to achieve the well-known and expected benefit of allowing coordination of threat information into larger software systems.

Regarding claim 20, Dupont teaches the system of claim 19, however it does not teach exposing an API. Mayhew teaches “the threat detector employs an extreme vigilance application programming interface” (Mayhew page 921 column 1 paragraph 4, “BBAC provides an API for consuming threat status messages describing suspicious events via well-defined XML 
The artisan of ordinary skill, starting with the system for anomaly detection of Dupont, would have appreciated the benefit of providing an API for an anomaly based threat detector as proposed by Mayhew. The ordinarily-skilled artisan would readily see the benefits of exposing an application programming interface, which would provide the well-known, predictable, and expected results of enabling other programs to check threat information or consume threat related alerts. The artisan of ordinary skill would have been motivated to combine Dupont with Mayhew as proposed above, at least because both are directed to models of insider threat detection. 
Therefore, a person having ordinary skill in the art at the effective filing date of the invention would have found it obvious to combine the system of anomaly detection of Dupont with the API provision of Mayhew to achieve the well-known and expected benefit of allowing coordination of threat information into larger software systems.

Response to Arguments
Applicant's arguments filed November 9, 2020 have been fully considered but they are not persuasive.
On page 10 Applicant argues that the amended claims are materially different from the claims of co-pending application 15/707,859.  Examiner agrees and the rejection is withdrawn.

On page 12, the previous claim objections are withdrawn in view of Applicant’s argument.
Also, on page 12, Applicant argues that the prior art does not teach the newly presented features.  The rejection above has been modified to show that Dupont does teach these features and Applicant’s argument is not persuasive.
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANIEL T PELLETT whose telephone number is (571)270-7156.  The examiner can normally be reached on Monday - Friday 9-5 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Li Zhen can be reached on 571-272-3768.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/DANIEL T PELLETT/Primary Examiner, Art Unit 2121