Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
1.        Claims 1 - 20 are pending. Claims 1, 7, 13 are independent. File date is 7-17-2018.

Claim Rejections - 35 USC § 102  
2.        The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless -
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

3.        Claims 1 - 20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Kirti et al. (US PGPUB No. 20180375886).     	
 
Regarding Claims 1, 7, 13, Kirti discloses a method for anomaly detection in association with an enterprise environment and an apparatus and a computer program product in a non-transitory computer readable medium for use in first and second data processing systems for anomaly detection in association with an enterprise environment, comprising:
a)  providing first machine learning to train at least a first and a second analytic, the first analytic corresponding to a first use case, and the second analytic corresponding to a second use case distinct from the first use case; (Kirti ¶ 082, ll 1-14: learning system applies various machine learning algorithms to data collected by security monitoring and control system; information learned about data utilized by data analysis system to make determinations about user activities associated with using services (i.e. cloud based and non-cloud based services) provided by service provider; learn patterns of normal behavior for users associated with an organization or enterprise; ¶ 170, ll 1-13: used to train other machine learning algorithms to learn normal behavior for an organization’s users; (first, second machine learning algorithms or mechanisms))
b)  outputting anomaly information derived from the first machine learning, the anomaly information including data points detected as a result of applying the first and second analytics; (Kirti ¶ 075, ll 1-10: data analysis system conducts analysis on network data and activity data to perform operations such as anomaly detection; ¶ 139, ll 1-12: threat detection engine conducts anomaly detection to identify a threat; searching for statistical variations from established normal behavior) and
c)  providing second machine learning based on the anomaly information to capture a correlation among observed parameters in at least the first and second use cases; (Kirti ¶ 082, ll 1-14: learning system applies various machine learning algorithms to data collected by the security monitoring and control system; information learned about data utilized by data analysis system to make determinations about user activities using services provided; ¶ 170, ll 1-13: used to train other machine learning algorithms to learn normal behavior for an organization’s users; (first, second machine learning mechanisms))
d)  wherein the first machine learning takes place in an enterprise network, and the second machine learning takes place in a cloud computing environment distinct from the enterprise network. (Kirti ¶ 212, ll 1-4: determining security control for service provider; security control used to configure access to cloud services (i.e. cloud computing environment); ¶ 031, ll 1-16: enterprise applications integrate applications with organization’s identity management system and organization manages users (i.e. security attributes) associated with enterprise applications; within cloud services management of users handled by cloud service)

Furthermore, for Claim 7, Kirti discloses wherein hardware processors; computer memory holding computer program instructions executed by the hardware processors for anomaly detection in association with an enterprise environment, the computer program instructions configured to perform operations.   (Kirti ¶ 256, ll 1-12: processing units execute programs or code instructions; processing subsystem provides various functionalities)    

Furthermore, for Claim 13, Kirti discloses wherein the computer program product holding computer program instructions that, when executed by a respective one of the first and second data processing systems, are configured to perform operations. (Kirti ¶ 256, ll 1-12: processing units execute programs or code instructions; processing subsystem provides various functionalities)     

Regarding Claims 2, 8, 14, Kirti discloses the method as described in claim 1 and the apparatus as described in claim 7 and the computer program product as described in claim 13, wherein each of the first use cases uses a distinct training data set. (Kirti ¶ 051, ll 11-18: analysis performed by security monitoring and control system includes determining models of normal and/or abnormal behavior; ¶ 165, ll 1-8: analytics engine performs various other analytics (separate, distinct training) on activity data; used to build behavior profiles utilizing different machine learning techniques in order to generate predictions based upon patterns of suspicious activity)    

Regarding Claims 3, 9, 15, Kirti discloses the method as described in claim 1 and the apparatus as described in claim 7 and the computer program product as described in claim 13, wherein the training data set is time-series data. (Kirti ¶ 052, ll 11-18: time series analysis techniques used to build user behavior profiles utilizing machine learning algorithms; ¶ 165, ll 1-9: various types of algorithms used for analyzing collected data utilizing analysis techniques such as time series analysis)    

Regarding Claims 4, 10, Kirti discloses the method as described in claim 1 and the apparatus as described in claim 7 and the computer program product as described in claim 13, further including outputting configuration and training data from the enterprise network to the cloud computing environment. (Kirti ¶ 212, ll 1-4: determining security control for service provider; security control used to configure access to cloud service (i.e. cloud computing environment))    

Regarding Claims 5, 11, 17, Kirti discloses the method as described in claim 1 and the apparatus as described in claim 7 and the computer program product as described in claim 13, wherein the correlation is a multidimensional distance measure. (Kirti ¶ 148, ll 10-15: distance can be calculated using any of a variety of distance measurements and/or formulas; ¶ 150, ll 1-4: determine deviation of user behavior over different time periods using maximum distances)    

Regarding Claims 6, 12, 18, Kirti discloses the method as described in claim 1 and the apparatus as described in claim 7 and the computer program product as described in claim 13, further including taking an action with respect to detected network activity or user behavior based the captured correlation provided by the second machine learning. (Kirti ¶ 172, ll 1-10: analytics engine can include a recommendation engine that receives output of threat detection engine, behavioral analytics engine and other analytics; raise alerts, and make recommendations, automatically perform actions, provide visualizations in order to understand remediation of security risks)    

Regarding Claim 16, Kirti discloses the computer program product as described in claim 13 wherein the computer program instructions are further configured to output configuration and training data from the first data processing system to the second data processing system. (Kirti ¶ 212, ll 1-4: determining security control for service provider; security control used to configure access (i.e. configuration data) to cloud service (i.e. cloud computing environment))   

Regarding Claim 19, Kirti discloses a machine learning system for anomaly detection, comprising:
a)  a first machine learning system executing in a first operating environment, the first machine learning system training at least a first and a second analytic, the first analytic corresponding to a first use case, and the second analytic corresponding to a second use case distinct from the first use case; (Kirti ¶ 082, ll 1-14: learning system applies various machine learning algorithms to data collected by the security monitoring and control system; information learned about data utilized by data analysis system to make determinations about user activities associated with using services (cloud based and non-cloud based) provided by service provider; learn patterns of normal behavior for users associated with an organization; ¶ 170, ll 1-13: used to train other machine learning algorithms to learn normal behavior of an organization’s users; (first, second machine learning mechanisms)) and
b)  a second machine learning system executing in a second operating environment remote from the first machine learning system, the second machine learning system configured to capture a multi-dimensional distance measure correlation among observed parameters in at least the first and second use cases, the observed parameters being derived by the first machine learning system. (Kirti ¶ 212, ll 1-4: determining security controls for service provider; security controls used to configure access to cloud services (i.e. cloud computing environment); ¶ 031, ll 1-16: enterprise applications integrate applications with organization’s identity management system and organization manages users (security attributes) associated with enterprise applications; within cloud services management of users is handled by cloud service; ¶ 148, ll 10-15: distance can be calculated using any of a variety of distance measurements and/or formulas; ¶ 150, ll 1-4: determine deviation of user behavior over different time periods using maximum distances)

Regarding Claim 20, Kirti discloses the machine learning system as described in claim 19 wherein the first machine learning system executes as an application in a Security Event and Incident Management Platform (SIEM), and wherein the second machine learning system executes as an application in a cloud compute infrastructure with the second operating environment. (Kirti ¶ 042, ll 1-14: within security perimeter and network security systems such as Security Information and Event Management (SIEM) applications defend the devices in the enterprise network; ¶ 047, ll 1-2: cloud services authorized for use within organization; ¶ 212, ll 1-4: determining security control for service provider; security control used to configure access to cloud service (i.e. cloud computing environment))    

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kyung H Shin whose telephone number is (571)272-3920.  The examiner can normally be reached on M - F 12pm - 8pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal Dharia can be reached on (571) 272-3880.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/KYUNG H SHIN/
Primary Examiner, Art Unit 2443
March 24, 2021