DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendments
	This office action responds to the Reply filed on December 30, 2020 for application 16/254,520.  None of the claims were amended, and claims 1-26 remain pending in the application.

Response to Arguments
	The Applicant’s arguments filed on December 30, 2020 have been fully considered, and the Examiner responds as provided below.
	Regarding the Applicant’s response at page 10 of the Remarks that concerns the double patenting rejection, the Applicant’s response is noted.
	Regarding the Applicant’s response at pages 10-12 of the Remarks that concerns the § 102 rejection of claim 1, the Applicant presents two arguments to overcome the § 102 rejection.  The Examiner respectfully disagrees with these arguments, and the § 102 rejection is maintained.
	The Applicant’s first argument at pages 10-11 concerns the limitation “wherein the determining that the first access request is suspicious includes determining that the first data object is included in a first resource group of the plurality of resource groups and that the first resource group is not within the respective second sets of resource 
	Within this limitation, the Examiner interpreted a “data object” and “resource group” as a “file” and “folder” within Sawhney, respectively.  See Office Action of November 19, 2020 (“Office Action”) at p. 19.  The limitation at issue involves three criteria that must be met.  Relying upon Fig. 2 and ¶ [0075] of the pre-grant publication US 2019/0158513 (“PG-Pub ‘513”) that presents the example circle ‘C,’ user E, who belongs to user group “triangle,” makes a “first access request” for a data object (or file) that “is included in a first resource group,” where the “first resource group” accessed by the request is the resource group RGg that is the folder “invoices.”  The access request of user E corresponds to the first criterion of the limitation at issue. 
The access request is determined to be suspicious if the second and third criterion of the limitation at issue are met, i.e., 2) the “first resource group” RGg (as the folder “invoices”) is not within the “second [] resource groups” of the “first user group;” and 3) the “first resource group” RGg (or the folder “invoices”) is not within the “second [] resource groups” of “those of the user groups determined to be nearby the first user group.”  With respect to Fig. 2 and the circle ‘C’ example, the “second resource groups” associated with user group “triangle” are the resource groups RGa, RGd, and RGe as illustrated in block 154.  Because the resource group RGg (or the folder “invoices”) is not within the resource groups listed for user group “triangle,” the access request of user E meets the second criterion.  Intuitively, this result makes sense – because user E only accessed folders related to engineering in the past (e.g., folder “REL3”), it is suspicious for user E to access the “invoices” folder.
not “nearby” the user group “triangle” – only the user groups “star” and “pentagon” are nearby the user group “triangle.”  Consequently, the access request of user E meets the third criterion, and because both the second and third criterion of the limitation at issue are met, the access request of E is suspicious.
 In reaching the conclusion that Sawhney anticipates claim 1 under § 102, the Examiner relied upon the concepts taught by the reference and encompassed by claim 1, as discussed above.  Of particular importance is the claim element “nearby.”  This limitation only has meaning within the context of a “distance” as calculated by a clustering algorithm, which is employed by Applicant, see PG-Pub ‘513 ¶¶ [0094]-[0098], and taught by Sawhney, see, e.g., Cols. 8:22-49, 9:23-58.  Additionally, Sawhney uses the clustering algorithm “to detect an anomaly between a new access and a baseline profile wherein the baseline profile is established using clustering for accesses observed during a training period,” see Col. 9:38-50, with this “anomaly” corresponding to the “suspicious” request within claim 1.  The conceptual consistency between Sawhney and the circle ‘C’ example suggests that claim 1 and Sawhney are 
To address the specific wording of claim 1, the Applicant argues at page 11 of the Remarks that “there is no indication in Sawhney that determining that the first access request is suspicious includes determining that the first data object is included in the ‘affinity folders’ and that these ‘affinity folders’ are not within the respective second sets of ‘affinity folders’ determined for the first user group (e.g., the user group that the user issuing the access request belongs to) and those of the user groups determined to be nearby the first user group.” (Emphasis retained).  Applicant’s emphasis of “and” underscores that two criteria must be met for a finding that an access request is suspicious.  
Based upon the discussion above regarding the circle ‘C’ example and the corresponding teachings of Sawhney that involve distances and clustering, the Examiner concludes that the teachings of Sawhney, see, e.g., Cols. 8:22-49, 9:23-58, anticipate the claim limitation of a “first resource group [involving the access request for this folder] is not within the [] second [] resource groups of … those of user groups determined to be nearby the first user group.”  With respect to Sawhney, the access request to a folder (as a first resource group) is not within or not made to one of the folders (as a second resource group) for a user group that is close in distance to (or nearby) the user “affinity group” to which the user who made the request belongs (noting that “an affinity folder for a group is a folder most frequently accessed by that group, and an affinity group for a folder is a group that most frequently accesses that folder” see, e.g., Col. 12:21-24).  This type of request amounts to an anomaly.  See id.
not to a frequently accessed affinity folder associated with the user group of this user, then the request is an “anomaly” or suspicious.  
To illustrate, within the context of Fig. 2 and the circle ‘C’ example, “REL3” is an affinity folder associated with the user group “triangle,” and the access request to the “invoices” folder is an “anomaly” that is associated with the trivial case of the distance being zero for the user group “triangle,” where the user group “triangle” is “nearby” itself by way of the distance zero.  To the extent Sawhney does not explicitly teach this intuitive or trivial case of the distance being equal to zero – as the inventive concept involves the use of clustering to calculate nearby neighbors having non-zero distances – the trivial case is inherent, as it represents the state of the art when a clustering algorithm was not required to calculate a distance of 0 to a “nearby” neighbor.  See MPEP § 2112(III), stating “A Rejection under 35 U.S.C. 102 AND 103 can be made when the prior art product seems to be identical except that the prior art is silent as to an inherent characteristic.”

In the second argument to overcome the § 102 rejection that is presented at pages 11-12 of the Remarks, the Applicant states, “Applicant disagrees with the Examiner's interpretation at least because the distance between two groups disclosed in Sawhney is not calculated or determined based on a level of commonality between the second sets of resource groups determined for the respective ones of the user groups, as claimed.”  The Applicant further notes that the distances are calculated based upon edges, and “this calculation is [not in] any way based on a level of commonality between the second sets of resource groups determined for the respective ones of the user groups.”  
The Examiner respectfully disagrees with this position.  Instead of determining whether user groups are “nearby” based upon a “commonality,” Sawhney teaches distances – and hence whether user groups are “nearby” – that are based upon “similarities.”  For example, Sawhney teaches, “In one embodiment, the distance value is weighted according to similarities between the records based on relationships between folders identified in the records,” Col. 1:45-47, and “In one embodiment, identifying similarities between the records can include clustering distances of groups between the folder accesses…”  Col. 1:60-62.  Accordingly, the Examiner respectfully disagrees with the Applicant that Sawhney fails to teach that “nearby” user groups are not based upon a “commonality.”

 Regarding the Applicant’s response at pages 12-14 of the Remarks that concerns the § 102 or § 103 rejection of the dependent claims, the arguments for patentability rest upon the patentability of the independent claims 1 and 13.  Because the Examiner finds that independent claims 1 and 13 are not allowable over the prior art, the dependent claims are similarly not allowable.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(NOTE: within the Examiner’s parenthetical explanations below, material within quotation marks is language quoted from the prior art reference, underlined material is language quoted from the claims, and material within brackets is material altered from either a prior art reference or a claim.  Regarding the reconstruction of the claims, a numbered footnote indicates a primary phrase to be first moved upwards to the first cited reference, while a lettered footnote indicates a secondary phrase to be moved after the movement of the primary phrase from which it was lifted.  Or more succinctly, move numbered material first, lettered material last.)
A.	Claims 1, 4-9, 11, 13, 16-18, and 20-24 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Sawhney et al. (US 9,106,687, “Sawhney”).
Regarding Claim 1
Sawhney discloses
A non-transitory computer-readable storage medium (Fig. 8, Col. 4:22-33) having instructions (Col. 2:55-3:3) which, when executed by one or more processors (Fig. 8, Col. 2:55-3:3) of a computer, 
cause the computer to implement a suspicious access detection module (Fig. 3, Col. 7:8-19, e.g., at least the “anomaly detection component 314,” “classifier component  to perform operations to detect suspicious access requests seeking access to different ones of a plurality of data objects (Col. 8:60-9:6, “a folder accessed in the given file access and F2 may be an affinity folder for a user or group performing the access,” and Col. 10:22-32, “Anomaly detection component 314 detects deviations between the baseline profile and most recent accesses,” where the “file” comprises a data object, i.e., a data object serves as a genus for a species comprising a file, thus the “file” as a species anticipates the data object as a genus), 
the plurality of data objects being organized within a plurality of resource groups (Col. 8:60-9:6, where the “folders” comprises resource groups, i.e., a resource group serves as a genus for a species comprising a folder, thus the “folder” as a species anticipates the resource group as a genus), the operations comprising: 
determining, based on a first access data describing a plurality of access requests sent on behalf of a plurality of users (Col. 7:20-53, “The analytics engine 308 uses repository access logs, queries enterprise directories for user information, group information, organization unit (OU) information and their memberships and reads access control settings on the content repository to perform one or more actions.”), the following: 
a first set of one or more accessed resource groups, for each respective one of the plurality of users, that identifies those of the plurality of resource groups that include those of the data objects to which access is sought by the access requests sent on behalf of the respective one of the users (Fig. 5, Col. 11:13-31, “identifying relationships among folders in a content repository,” and Col. 7:8-53, “The analytics engine 308 can determining…a set of … resource groups that relate to the aforementioned users, data objects, resource groups, and access requests), 
a plurality of user groups determined based on similarities between the first sets of accessed resource groups of the plurality of users (Fig. 4, Col. 11:1-12, i.e., the nodes in the figure that represent user groups and are related through a similarit[y], and Col. 7:66-8:21, “the access actions are clustered based on most frequently accessed folders [or resource groups] for users and/or groups (defined as an affinity folder for the user or group) and/or based on a group or user that most frequently accesses a folder [or resource group] (defined as an affinity group or affinity user for the folder)”), 
a second set of resource groups, for each respective one of the plurality of user groups, that identifies those of the plurality of resource groups in the first sets of accessed resource groups determined for the respective ones of the users in the respective one of the user groups (Col. 8:22-31, “the access actions are clustered based on most frequently accessed folders for users and/or groups (defined as an affinity folder for the user or group),” i.e., the “affinity folder[s],” which act as “affinity” resource groups and are found for each of the user groups, are a set of resource groups within the sets of accessed resource groups), and 
for each of the plurality of user groups, which of the others of the plurality of user groups are considered nearby that user group based on a level of commonality between the second sets of resource groups determined for the respective ones of the user groups (Fig. 4, Col. 11:1-12, Col. 9:58-10:32 “In one embodiment, the anomaly detection component 314 sends requests for calculating the distance between two resource groups] or any other object to the distance component 310.”); 
determining, based on a second access data describing at least a first access request, that the first access request is suspicious (Col. 10:22-32, “Anomaly detection component 314 detects deviations between the baseline profile and most recent accesses,” with the “most recent accesses” being the second access data), 
wherein the first access request seeks access to a first data object of the plurality of data objects and was issued on behalf of a first user of the plurality of users (Col. 10:22-32, “Anomaly detection component 314 detects deviations between the baseline profile…,” and Col. 7:8-53, “The analytics engine 308 can process data by analyzing each access for each given folder activity,”), 
wherein the first user is determined to belong to a first user group of the plurality of user groups (Col. 10:22-32, “Anomaly detection component 314 detects deviations between the baseline profile…,” and Col. 7:66-8:21, “the access actions are clustered based on most frequently accessed folders for users and/or groups (defined as an affinity folder for the user or group) and/or based on a group or user that most frequently accesses a folder (defined as an affinity group or affinity user for the folder)”),
 wherein the determining that the first access request is suspicious includes determining that the first data object is included in a first resource group of the plurality of resource groups and that the first resource group is not within the respective second sets of resource groups determined for the first user group and those of the user groups determined to be nearby the first user group (Fig. 4, Col. 9:38-50, “Clustering plots can provide affinity groups for specific folders [or specific resource groups], as well as resource groups] for a specific user identifier, group identifier or organization unit. The clustering can be used to detect an anomaly between a new access and a baseline profile wherein the baseline profile is established using clustering for accesses observed during a training period,” and Col. 9:51-57, “if one of the user's groups has no access to the file/folder [data object, resource group] being accessed, then that group can be eliminated from consideration”); and 
causing an alert to be generated responsive to the first access request being determined to be suspicious (Col. 10:22-32, “The anomaly detection component can also alert the administrator through the recommender component 3.18.”).
Regarding Claim 4
Sawhney discloses the non-transitory computer-readable storage medium of claim 1, and Sawhney further discloses
wherein said determining, for each of the plurality of user groups, which of the others of the plurality of user groups are considered nearby that user group (Fig. 4, Col. 11:1-12, Col. 9:58-10:32 “In one embodiment, the anomaly detection component 314 sends requests for calculating the distance between two groups, two folders or any other object to the distance component 310.”) comprises: 
calculating a distance value between each pair of the plurality of user groups to yield a plurality of distance values (Fig. 4, Col. 9:58-10:8, Col. 11:1-12, i.e., the distance values as shown, which is repeated as needed for all user groups), 
wherein the calculating is based on identifying common resource groups existing in the respective second sets of resource groups (Fig. 5, Col. 11:13-46, “namely calculating at least one of user to group distances or folder [or resource group] to folder resource group] distances based on the identified similarities from analyzing the records.”).
Regarding Claim 5
Sawhney discloses the non-transitory computer-readable storage medium of claim 4, and Sawhney further discloses
wherein said determining, for each of the plurality of user groups, which of the others of the plurality of user groups are considered nearby that user group (Fig. 4, Col. 11:1-12, Col. 9:58-10:32) further comprises: 
determining, based on the calculated distance values, a cutoff criterion that can be used to identify nearby user groups (Col. 10:22-51, “Anomaly detection component 314 detects deviations between the baseline profile and most recent accesses,” and “the anomaly detection component 314 sends requests for calculating the distance between two groups, two folders [or resource groups] or any other object to the distance component 310,” with the “recommender component 318” applying a cutoff criterion used to detect nearby or non-anomalous groups).
Regarding Claim 6
Sawhney discloses the non-transitory computer-readable storage medium of claim 5, and Sawhney further discloses
wherein the nearby user groups for the first user group include any of the others of the plurality of user groups in which the distance value between the first user group and the other user group satisfies the cutoff criterion (Col. 10:22-51, “the recommender component 318 may send a command or instruction to the permissions component 312 indicating a restriction or the granting of permissions to a given content item for a user satisfies the cutoff criterion).
Regarding Claim 7
Sawhney discloses the non-transitory computer-readable storage medium of claim 1, and Sawhney further discloses 
	wherein determining that the first access request is suspicious is further based on determining that the first resource group is identified within one of the set of resource groups of a second user group of the plurality of user groups (Col. 10:33-51, “where D(g, g1) is Distance between the g, the user's most defined group and g1, group with most past access for the given folder”), 
wherein the second user group is not considered to be nearby the first user group (Fig. 4, the “outlier 430” is not nearby the “USER/GROUP 410” for which the calculation is performed).
Regarding Claim 8
Sawhney discloses the non-transitory computer-readable storage medium of claim 1, and Sawhney further discloses
wherein determining the plurality of user groups comprises: clustering the plurality of users into the plurality of user groups (Col. 9:58-10:7) according to a second clustering process (Col. :23:37, “Clustering algorithms may include CLOPE, Cobweb, DBScan, EM, FarthestFirst, FilteredClusterer, HierarchicalClusterer, OPTICS, sIB, SimpleKMeans, XMeans and/or the like.”), 
wherein the second clustering process utilizes the plurality of resource groups as features (Col. 8:60:9-22, “The distance component 310 can also determine the proximity .
Regarding Claim 9
Sawhney discloses the non-transitory computer-readable storage medium of claim 1, and Sawhney further discloses
wherein the alert causes one or more actions to be performed including one or more of: transmitting a message to an administrator (Col. 10:23-32, “The anomaly detection component can also alert the administrator through the recommender component 318,” noting only one limitation need be met with the claim limitation of or); 
causing the first access request to be blocked from reaching an intended destination; or 
causing a security measure to be activated to deny additional access requests from being successfully serviced that are caused to be issued by the first user, issued from a first electronic device of the first user, or include a network address utilized by the first electronic device.
Regarding Claim 11
Sawhney discloses the non-transitory computer-readable storage medium of claim 1, and Sawhney further discloses
	wherein the operations (Cols. 8:60-9:6,10:22-32) further comprise: 
receiving the first access data (Col. 7:20-53, “The analytics engine 308 uses repository access logs…”) from a monitoring module that lies on a path of communication between a plurality of electronic devices and one or more servers that provide access to the plurality of data objects (Fig. 1, Col. 4:51-5:3, i.e., the “analytics monitoring module lies on a path between “endpoint devices 106” and the “Storage Servers 140” that provide access to the “storage devices 160” for storing data objects); or 
receiving the first access data from the one or more servers that provide access to the plurality of data objects or one or more server end stations that implement the one or more servers (only one limitation need be met with the use of or).
Regarding Claim 23
Sawhney discloses the non-transitory computer-readable storage medium of claim 13, and Sawhney further discloses
wherein the plurality of access requests includes one or more database queries (Col. 10:22-32, With respect to the “most recent accesses,” distances are calculated “between two groups, two folders or any other object to the distance component;” and Col. 5:26-38, i.e., “other object[s]” are discloses as including “tables” that are accessed through database queries).
Regarding Independent Claim 13
	With respect to claim 13, a corresponding reasoning as given earlier for claim 1 applies, mutatis mutandis, to the subject matter of claim 13.  The difference between claim 1 and claim 13 rests upon claim 1 being directed towards an analysis involving resource groups and data objects to detect suspicious access requests, while claim 13 is directed towards an analysis involving databases and tables to detect suspicious access requests.  Because a database and table are obvious variations of a resource group and data object, respectively in view of Sawhney (as noted in the double patenting analysis), the database and table limitations of claim 13 do not result in any 
Regarding Dependent Claims 16-18, 20-22, and 24
With respect to claims 16-18, 20-22 and 24, a corresponding reasoning as given earlier for claims 4-9 and 11 applies, mutatis mutandis, to the subject matter of claims 16-18, 20-22 and 24. Therefore, claims 16-18, 20-22, and 24 are rejected, for similar reasons, under the grounds set forth for claims 4-9, and 12. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

B.	Claims 2-3, 10, and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Sawhney in view of Hartman (US 7,690,037, “Hartman”).
Regarding Claim 2
Sawhney discloses the non-transitory computer-readable storage medium of claim 1, and Sawhney further discloses
	wherein the operations (Cols. 8:60-9:6,10:22-32) further comprise: 
1 …, from the first access data, …2 describing those of the plurality of access requests seeking access to those of the plurality of data objects that are included in a third set of one or more resource groups of the plurality of resource groups (Col. 11:13-31, Col. 8:60-9:6), 
wherein the set of resource groups (Col. 8:60-9:6, i.e., the “folders” comprises resource groups) includes: those of the plurality of resource groups determined to have been accessed…3, 
and/or those of the plurality of resource groups determined to have been accessed by fewer than a second threshold amount of users within the time period (only one limitation need be met with or).
Sawhney doesn’t disclose
	1 removing,…
	2 …, data… 
	3 …by more than a first threshold amount of users within a time period,… 
Hartman, however, discloses
	1 removing,… (Col. 5:49-6:9, “A filtering module 414 filters the corpus to exclude members of clusters that represent anomalous activities,” i.e., removing anomalous data is known in the art)
	2 …, data… (Col. 5:49-6:9)
	3 …by more than a first threshold amount of users within a time period,…( Col. 5:49-6:9, “the filtering threshold specifies a time-based value such as one hour, indicating that all clusters that can be examined within an hour”)
Regarding the combination of Sawhney and Hartman, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Sawhney to arrive at the claimed invention. KSR establishes that a 
To substantiate the conclusion of obviousness under this KSR rationale, the Examiner finds pursuant to MPEP § 2143(I)(C):
1) the prior art contained a base device, namely the user and resource-group profiling system of Sawhney, upon which the claimed invention can be seen as an “improvement” through the use of the removal of anomalous data;
2) the prior art contained a “comparable” system, namely the cluster analysis system of Hartman, that has been improved in the same way as the claimed invention through the removal of anomalous data; and
3) one of ordinary skill in the art could have applied the known improvement technique of applying the removal of anomalous data of Hartman to the base system (i.e., the user and resource-group profiling system of Sawhney), and the results would have been predictable to one of ordinary skill in the art.
Regarding Claim 3
Sawhney discloses the non-transitory computer-readable storage medium of claim 1, and Sawhney further discloses
further comprising one or more of: 
removing, from the first access data, data describing those of the plurality of access requests issued on behalf of an administrative user of the plurality of users (with the use of or, the first limitation need not be met in lieu of the third limitation being met);
 removing, from the first access data, data describing those of the plurality of access requests issued responsive to automated system processes as opposed to purposeful actions of the plurality of users (with the use of or, the first limitation need not be met in lieu of the third limitation being met); and/or 
1 …, from the first access data, …2 describing those of the plurality of access requests that seek access to those of the plurality of data objects included in those of the plurality of resource groups …3 user of the plurality of users (Col. 11:13-31, Col. 8:60-9:6).
Sawhney doesn’t disclose
	1 removing,…
	2 …, data…
	3 …that have been accessed by only one…
Hartman, however, discloses
	1 removing,… (Col. 5:49-6:9, “A filtering module 414 filters the corpus to exclude members of clusters that represent anomalous activities,” i.e., removing anomalous data is known in the art)
	2 …, data… (Col. 5:49-6:9)
	3 …that have been accessed by only one… (Col. 5:49-6:9, “the clusters with the most members are more likely to represent legitimate activities while the clusters with very few members are more likely to represent anomalous activity,” one falls within the range of “a few” given the context of the teaching that one to a few data points leads to inaccuracies)
	Regarding the combination of Sawhney and Hartman, the rationale to combine is the same as provided for claim 2.

Regarding Claim 10
Sawhney discloses the non-transitory computer-readable storage medium of claim 1, and Sawhney further discloses
wherein the plurality of access requests (Col. 8:60-9:6) includes: 
Sawhney doesn’t disclose
one or more database queries; 
one or more Common Internet Data object System (CIFS) or Server Message Block (SMB) requests; or 
one or more Hypertext Transport Protocol (I ITP) requests.
Hartman, however, discloses
one or more database queries (only one limitation need be met with the use of or); 
one or more Common Internet Data object System (CIFS) or Server Message Block (SMB) requests (only one limitation need be met with the use of or); or 
one or more Hypertext Transport Protocol (HTTP) requests (Col. 2:56-3:15, i.e., the network 114 employs HTTP).
Regarding the combination of Sawhney and Hartman, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the user and resource-group profiling system of Sawhney to have included the HTTP-request feature of Hartman. One of ordinary skill in the art would have been motivated to incorporate the HTTP-request feature of Hartman because HTTP requests is a common means of making an access request over a network.  
Regarding Claims 14 and 15
With respect to claims 14 and15, a corresponding reasoning as given earlier for claims 2 and 3 applies, mutatis mutandis, to the subject matter of claims 14 and 15. Therefore, claims 14 and 15 are rejected, for similar reasons, under the grounds set forth for claims 2 and 3.
C.	Claims 12 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Sawhney in view of Kolishchack (US 2012/0210388, “Kolishchack”).
Regarding Claim 12
Sawhney discloses the non-transitory computer-readable storage medium of claim 1, and Sawhney further discloses
wherein the users include…1, 
the data objects are stored in databases (Col. 5:26-38, i.e., the “content repository 114 can include databases,” where databases store data objects), and 
the resource groups are one of database tables and databases (Col. 5:26-38, i.e., the “content repository 114” comprises a collection of resource groups, with the content repository including “a table or other data structure or collection of data structures” that represent the content of a “file server that” can be included within the “content repository”).
Sawhney doesn’t disclose
	1 … automatic processes and/or applications,
Kolishchack, however, discloses
	1 … automatic processes and/or applications (¶ [0033], “Depending on the embodiment, standard behavior may be established on past computer activity executed automatic),
	Regarding the combination of Sawhney and Kolishchak, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the resource-group profiling system of Sawhney to have included the computer activity aspects of Kolishchak. One of ordinary skill in the art would have been motivated to incorporate the computer activity aspects of Kolishchak because Kolishchak discusses the problem of unintentional data leakage by software, see Kolishchak ¶ [0005], and Kolishchak teaches a behavior model to account for the activity taken by computers to as prevent this type of data leakage, see Kolishchak ¶ [0033].
Regarding Claim 19
With respect to claim 19, a corresponding reasoning as given earlier for claim 12 applies, mutatis mutandis, to the subject matter of claim 19. Therefore, claim 19 is rejected, for similar reasons, under the grounds set forth for claim 12.
D.	Claims 25 and 26 are rejected under 35 U.S.C. 103 as being unpatentable over Sawhney in view of Kolishchak (US 2012/0210388, “Kolishchak”), and further in view of Koottayi et al. (US 2018/0288063, “Koottayi”).
Regarding Claim 25
Sawhney discloses the non-transitory computer-readable storage medium of claim 13, and Sawhney further discloses
further comprises: 
determining that a first of the plurality of user groups includes…1 (Fig. 4, Cols. 11:1-12 & 7:66-8:21); and 
…2.
Sawhney doesn’t disclose
	1 …a first type of a plurality of types of users;
	2 classifying, based on the first type of user determined for the first user group, the second set of databases determined for the first user group as being of a first type of a plurality of types of databases.
Kolishchak, however, discloses
	1 …a first type of a plurality of types of users (¶ [0033], “Depending on the embodiment, standard behavior may be established on past computer activity executed by a computer user, a group of computer users, a computer program, a group of computer programs, a computer system, or a group of computer systems”);
Koottayi, however, discloses
	2 classifying, based on the first type of user determined for the first user group, the second set of databases determined for the first user group as being of a first type of a plurality of types of databases (¶ [0009], “Resources 125 to which access is provided, either locally or remotely, by a target system 130 may be of various types including a file, a web page, a document, web content, a computing resource, software products, applications (e.g., cloud-based applications, enterprise applications, or any other applications), cloud services, various types of data (e.g., networked files, directory information, databases, or the like), and other resources;” see Fig. 9, ¶ [0142], i.e., “FIG. 9 shows a flowchart 900 that illustrates a process for generating behavior models for a .
	Regarding the combination of Sawhney and Kolishchak, the rationale to combine is the same as provided for claim 12 (see § C).
	Regarding the combination of Sawhney-Kolishchak and Koottayi, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the user and database profiling system of Sawhney-Kolishchak to have included the consideration of the databases of Koottayi. One of ordinary skill in the art would have been motivated to incorporate the consideration of the databases by Koottayi because teaches that “In order to effectively manage user access to resources [, such as databases,] within an enterprise, the enterprise often has to monitor and track the users' access to information stored in multiple target systems of the enterprise,” see Koottayi ¶ [0004]. 
Regarding Claim 26
Sawhney discloses the non-transitory computer-readable storage medium of claim 13, and Sawhney further discloses
further comprises: 
determining, for a first user group of the plurality of user groups,…1 (Fig. 4, Cols. 11:1-12 & 7:66-8:21); and 
2 ….
Sawhney doesn’t disclose
	1 … that the second set of databases are of a first type of a plurality of types of databases;
	2 classifying, based on the first type of database determined for the first user group, an interactive user in the first user group as being one of a plurality of types of interactive users.
Koottayi, however, discloses
1 … that the second set of databases are of a first type of a plurality of types of databases (¶ [0009], “Resources 125 to which access is provided, either locally or remotely, by a target system 130 may be of various types including a file, a web page, a document, web content, a computing resource, software products, applications (e.g., cloud-based applications, enterprise applications, or any other applications), cloud services, various types of data (e.g., networked files, directory information, databases, or the like), and other resources;” see Fig. 9, ¶ [0142], i.e., “FIG. 9 shows a flowchart 900 that illustrates a process for generating behavior models for a user and determining whether an access request of a user to a target system is anomalous based on one or more of the behavior models,” where the distinguishing of access requests to databases within “flowchart 900” can similarly be employed within Sawhney; and see also Fig. 4 and ¶ [0115] that generally discloses clustering of different access requests involving different resources);
Kolishchak, however, discloses
	2 classifying, based on the first type of database determined for the first user group, an interactive user in the first user group as being one of a plurality of types of interactive users (¶ [0033], “Depending on the embodiment, standard behavior may be established on past computer activity executed by a computer user, a group of computer users, a computer program, a group of computer programs, a computer system, or a group of computer systems,” Kolishchak at least differentiates between interactive users and non-interactive uses, with such a grouping being capable of being employed by the clustering method of Sawhney and/or Koottayi).
	Regarding the combination of Sawhney and Kolishchak, the rationale to combine is the same as provided for claim 12 (see § C).
Regarding the combination of Sawhney-Kolishchak and Koottayi, the rationale to combine is the same as provided for claim 25.

Additional Prior Art of Record
	The Examiner makes of record US 10,887,330 to Christian that involves the use of clustering within a data exfiltration system.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any 
 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to D'ARCY WINSTON STRAUB whose telephone number is (303)297-4405.  The examiner can normally be reached on Monday-Friday 8:00-5:00 MT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ASHOKKUMAR B PATEL can be reached on (571)272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 



/D'Arcy Winston Straub/Examiner, Art Unit 2491                                                                                                                                                                                                        

/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491