Notice of Pre-AIA  or AIA  Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

EXAMINER’S AMENDMENT
2. 	This Office Action is response to Non-Final Amendment filed on 11/10/2020. Claims 1, 8, 14, and 19 amended. Claims 1-20 are pending in this Office Action.

                                       Terminal Disclaimer
3.	The Terminal Disclaimer filed on 01/26/2021 has been reviewed and is approved.  

4.	An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner's amendment was given in a telephone interview with Mr. Stosch Sabo (Reg. No.: 72,790) on 01/26/2021 at 507-253-5445.
5.	In claims:
Please replace claims 1, 3, 8-9, and 14-15 with the amended claims 1, 3, 8-9, and 14-15. 
Cancel claims 7, 13, and 20






1. (Examiner’s Amendment) A method comprising:
receiving a first set of data from a first log of a first database for a first time and a second set of data from a second log of the first database for a second time, wherein the first time and the second time are consecutive intervals of equal time;
clustering the first set of data into a first number of clusters;
determining a cross-cluster movement and an average normalized point movement based on the second set of data and the clustered first set of data; 
determining the first number of clusters is an appropriate number of clusters based on the cross-cluster movement being less than a first threshold and the average normalized point movement being less than a second threshold; 
clustering a new set of data according to the first number of clusters, wherein the new set of data comprises a third log of the first database for a third time;
identifying an anomalous behavior in the new set of data based on a second cross-cluster movement being above the first threshold and a second average normalized point movement being above the second threshold; and
restricting access to the first database in response to identifying the anomalous behavior.

3. (Examiner’s Amendment) The method according to claim 1, wherein determining the first number of clusters is an appropriate number of clusters further comprises:
clustering the first set of data according to a first number of clusters by generating a first set of Voronoi regions, wherein 

7. (Canceled)	

8. (Examiner’s Amendment) A system comprising:
	a data manager comprising a memory and a processor communicatively coupled to a user interface and a first database, wherein the data manager performs operations comprising:
receive a first set of data from a first log of the first database for a first time and a second set of data from a second log of the first database for a second time, wherein the first time and the second time are consecutive intervals of equal time;
cluster the first set of data into a first number of clusters;
determine a cross-cluster movement and an average normalized point movement based on the second set of data and the clustered first set of data;
determine the first number of clusters is an appropriate number of clusters based on the cross-cluster movement being less than a first threshold and the average normalized point movement being less than a second threshold, wherein cross-cluster movement is based on changes in cluster classification for corresponding data points from the first set of data and the second set of data;
cluster a new set of data according to the appropriate number of clusters, wherein the new set of data comprises a third log of the first database for a third time; 
identify an anomalous behavior in the new set of data based on a second cross-cluster movement being above the first threshold and a second average normalized point movement being above the second threshold; and
restrict access to the first database in response to identifying the anomalous behavior.


cluster the first set of data according to a first number of clusters by generating a first set of Voronoi regions, wherein 

13. (Canceled)	

14. (Examiner’s Amendment) A computer program product comprising a computer readable storage medium having program instructions embodied therewith, wherein the computer readable storage medium is not a transitory signal per se, the program instructions executable by a processor to cause the processor to perform a method comprising:
receiving a first set of training log data from a first database for a first time and a second set of training log data from the first database for a second time, wherein the first time and the second time are consecutive intervals of equal time;
partitioning the first set of training log data into a plurality of clusters having a first number of clusters and a respective centroid corresponding to each cluster, wherein respective data points in a given cluster are closer to a respective centroid of the given cluster than any other centroid of any other cluster;
determining a cross-cluster movement and an average normalized point movement based on the second set of training log data and the clustered first set of training log data;
determining the first number of clusters is an appropriate number of clusters based on the cross-cluster movement being below a first threshold and the average normalized point movement being below a second threshold; 

identifying an anomalous behavior in the new set of log data based on a second cross-cluster movement being above the first threshold and a second average normalized point movement being above the second threshold; and
restricting access to the first database in response to identifying the anomalous behavior.

15. (Examiner’s Amendment)	 The computer program product according to claim 14, wherein the program instructions causing the processor to partition the first set of training log data and the second set of training log data further cause the processor to perform a method further comprising:
clustering the first set of training log data according to the first number of clusters by generating a first set of Voronoi regions, wherein 

20. (Canceled)	







Allowable Subject Matter
6. 	Claims 1-6, 8-12, and 14-19 are allowed.
	The closest prior art, US Patent Publication No.: 2016/0189183 A1 of KM et al. (hereinafter KM) teaches a method for automatic discovery, annotation and visualization of customer segments and migration characteristics. Embodiments relate to customer management, and more particularly to segmenting customers based on value and analyzing segment migration of customers; where US Patent Publication No.: 2017/0344706 A1 of Torres et al. (hereinafter Torres) teaches a methods for data compression which facilitate the diagnosis and treatment of neurodevelopmental and neurodegenerative disorders, the methods comprise performing the following operations by a computing device; where US Patent Publication No.: 2007/0239554 A1 of Lin et al. (hereinafter Lin) teaches a method for determining a predictive rating, an active user is compared to a set of clusters. One or more of the clusters are determined to be most similar to the active user; where US Patent Publication No.: 2005/0089878 A1 of Debe et al. (hereinafter Debe) teaches a method to improved methods for determining functional residues on the surface of a query protein, the methods rely on determining a plurality of functional annotation scores for a query protein and comparing these functional annotation scores to distributions of similar functional annotation scores derived from a plurality of reference proteins.
In combination, KM, Torres, Lin and Debe fail to teach receiving a first set of data from a first log of a first database for a first time and a second set of data from a second log of the first database for a second time, wherein the first time and the second time are consecutive intervals of equal time; clustering the first set of data into a first number of clusters; determining a cross-cluster movement and an average normalized point movement based on the second set of data and the clustered first set of data.

.
The dependent claims bring definite, further limiting, and fully enable by the specification are also allowed.

6. 	Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to James Hwa whose telephone number is 571-270-1285. The examiner can normally be reached on 9:00 am – 5:30 pm EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Tamara Kyle can be reached on 571-272-4241. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only, for more information about the PAIR 
01/31/2021											
										
/SHYUE JIUNN HWA/
Primary Examiner, Art Unit 2156