DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of claims
The instant application, filed on May 5, 2018, has been examined on the merits.  Claims 1, 4, 8, 11, 15 and 18 are amended per Applicant’s amendment filed on March 1, 2021.  Claims 1-20 are pending.
Response to Arguments 
The objection to the specification is withdrawn in view of the correction made to the drawing of Fig. 5 submitted on March 1, 2021; see page 8, ¶ 2. 
The rejection of claim 4 under 35 U.S.C. 112(b) as indefinite is withdrawn in view of the amendment submitted on March 1, 2021; see page 8, ¶ 3.  
Applicant’s arguments with respect to the 103 rejection, see pages 8-12, filed on March 1, 2021, have been considered but are moot because a new ground of rejection is presented to address the amendments to the claims.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5-10, 12-17, and 19-21 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al. (US 9516053 B1, hereafter Muddu) in view of Iyer et al. (US 9836598 B2, hereafter Iyer).
Regarding claim 1 (currently amended), Muddu teaches a method of training and using a machine learning model to identify suspicious behavior in a network ([Abstract] A security platform employs a variety of techniques and mechanisms to detect security related anomalies and threats in a computer network environment; FIG. 20 is a flow diagram illustrating a method to execute a model training process thread. [Col 9, lines 1-6] employs a number of machine learning mechanisms to perform security analytics. More specifically, the security platform introduced here can perform user behavioral analytics (UBA), or more generally user/entity behavioral analytics (UEBA), to detect the security related anomalies and threats),
the machine learning model using training data that is based on data associated with a first set of users, comprising: ([Col 29, lines 57-59, Col 30, lines 1-6] The models (machine learning models) can be trained based on receiving of relevant events. [Col 11, lines 12-14] In this description the term “event data” refers to machine data related to activity on a network with respect to an entity of focus, such as one or more users.  Examiner remark: the first set of users includes all entities whose activities in the network are being monitored and analyzed.)
constructing a watch list comprising a second set of users ([Col 74, lines 38-43] Once the user reviews information about the suspicious device, the user can use a “watchlist” to “mark” the device (e.g., as suspicious). Once the device is put in the watchlist, that tracking information can stay with the device and be obtained upon accessing device information from any view.)  
as the machine learning model is being operated in an ingest mode against data being ingested for a first set of users; ([Col 22, lines 4-23] The data connectors 802 can implement various techniques to obtain machine data from the data sources (i.e., ingest mode). Depending on the data source, the data connectors 802 can adopt a pull mechanism, a push mechanism, or a hybrid mechanism. … the data connectors 802 can receive from the data source a notification of a new event (i.e., data associated with the first set of users), acknowledge the notification, and at a suitable time communicate with the data source to receive the event (i.e., ingesting data for the first set of users).)
upon a given occurrence, interrupting the ingest mode and ingesting data associated with the second set of users; ([Col 22, lines 4-23] The data connectors 802 can implement various techniques to obtain machine data from the data sources. Depending on the data source, the data connectors 802 can adopt a pull mechanism (i.e., respond to a request to ingest data), a push mechanism (i.e., request data ingestion), or a hybrid mechanism. [Col 74, lines 38-43] Once the device is put in the watchlist, that tracking information can stay with the device and be obtained upon accessing device information from any view. [Col 74, lines 8-12] network security monitoring can involve tracking network activity by users, devices, and applications (referred to collectively as “entities”) to identify and track anomalies and threats.)
refining the machine learning model based at least in part on the updated training data; and ([Col 29, lines 57-60] The models can be trained and, in some implementations, continually updated (i.e., refining the machine learning model) after their activation, by relevant events when the events are received.)
switching back to the ingest mode ([Col 22, lines 4-23] discloses pull and push data receiving modes (ingesting modes) to process entity events (data associated with the first and second sets of users))
and operating the refined machine learning model against data being ingested for the second set of users. ([Col 45, lines 54-60] At step 1902, the model preparation process thread selects a subset of event feature sets in the cache component 1512 for the model type. The model preparation process thread can select the subset from the most recent event feature sets (e.g., a real-time time slice) that are yet to be processed by the model execution engine 1808 or any other model preparation process threads (i.e., using the refined machine learning model on the newest events (second set of users)).)
Muddu doesn’t explicitly teach following data ingestion, pruning at least a portion of the ingested data, the portion corresponding to data for any user included in the first set of users but not included in the second set of users; 
Iyer, from an analogous endeavor, teaches following data ingestion, pruning at least a portion of the ingested data, the portion corresponding to data for any user included in the first 
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the teachings of Iyer into the teachings of Muddu to perform a more focused monitoring of entities in a watch list.  When an entity is included within a watch list (second set of users), the entity may be monitored more often or more thoroughly. Monitoring an entity more often may entail executing searches more often to assess the entity's activity (ingesting data associated with the second set of users, as taught by Iyer, [Col 12, lines 6-19]).  The combining of the teachings would have yielded predictable results to one of ordinary skill in the art. 
Regarding claims 8 and 15, they are rejected on the same rationale as claim 1.
Regarding claim 2, the combination of Muddu and Iyer teaches claim 1. 
Muddu doesn’t explicitly teach (original) the method as described in claim 1 wherein, following ingesting and pruning, additional data associated with the second set of users is ingested.  
Iyer teaches that, following ingesting and pruning, additional data associated with the second set of users is ingested. ([Abstract] An exemplary method may involve monitoring the activity of a subset of the set of entities (e.g., entities included in a watch list) by executing a search query against events indicating the activity of the subset of entities. … Executing the search query may produce search results that pertain to activity of a particular entity from the subset. The search results may be evaluated (i.e., data for the second set of users is ingested) based on a triggering 
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the teachings of Iyer into the teachings of Muddu to perform a more focused monitoring of entities in a watch list.  When an entity is included within a watch list (second set of users), the entity may be monitored more often or more thoroughly. Monitoring an entity more often may entail executing searches more often to assess the entity's activity (ingesting data associated with the second set of users, as taught by Iyer, [Col 12, lines 6-19]).  The combining of the teachings would have yielded predictable results to one of ordinary skill in the art. 
Regarding claims 9 and 16, they are rejected on the same rationale as claim 2.
Regarding claim 3 (original), the combination of Muddu and Iyer teaches claim 1. 
Muddu doesn’t explicitly teach the method as described in claim 1 wherein the second set of users includes users that have been found to have a highest moving average risk score for the machine learning model.  
Iyer teaches that the second set of users includes users that have been found to have a highest moving average risk score for the machine learning model. ([Col 12, lines 45-48] Collectively, the entity accounts and entity devices may represent the entity. [Col 21, lines 49-53] the risk scores may also be used to add an entity (i.e., second set of users) to a watch list. In one example, when the processing device is determining the statistical baseline it may identify one or more entities with activity that exceeds the normal activity and may associate a risk score to these entities. [Col 14, lines 3-8] In particular, entity activity monitoring component 450 may utilize watch list data 432, data received from statistical analysis component 440 and risk scoring rules the rolling window are removed from the statistical baseline. [Col 20, lines 39-43] The triggering condition may correspond to the statistical baseline when the triggering criteria are based on or determined in view of the statistical baseline. In one example, a value associated with the statistical baseline (e.g., median value, average value) may function as the threshold. [Col 13, lines 35-38] In some implementations, anomaly definition module 446 uses the statistical baseline for a triggering condition (e.g., any activity exceeding or not reaching the statistical baseline should be considered anomalous).  Examiner remark: statistical analysis of events (median and average) over a rolling window is a moving average.  Furthermore, removing events from the statistical baseline as the window rolls forward, and identifying the entities (second set of users) whose activity exceeds that baseline, amounts to selecting the highest moving (rolling) average.)
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the teaching of Iyer into the teachings of Muddu to identify users that exceed the baseline threshold, as taught by Iyer, [Col 13, lines 35-38].  The combining of the teachings would have yielded predictable results to one of ordinary skill in the art. 
Regarding claims 10 and 17, they are rejected on the same rationale as claim 3.
Regarding claim 5 (original), the combination of Muddu and Iyer teaches claim 1. 
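The following is an added illustration of the claimed workflow as recited in claims 1 and 3 above (ingest for all users, rank users by a moving-average risk score to form a watch list, and on a given occurrence prune the retained data to the watch-listed users, refine the model, and resume ingest against the second set of users). It is not code from the instant application, Muddu, or Iyer; the per-user z-score baseline standing in for the machine learning model, the window length, the watch list size, the `refresh()` trigger and the constructed event batches are all assumptions made for the example.

```python
"""Added illustration of the claimed watch-list ingest/prune/refine loop.
Not the applicant's, Muddu's or Iyer's code; model, window and events are assumed."""
from collections import defaultdict, deque
from statistics import mean, pstdev

WINDOW = 3       # assumed rolling-window length for the moving-average risk score
WATCH_SIZE = 2   # assumed number of users kept on the watch list (second set of users)


class BaselineModel:
    """Toy stand-in for the machine learning model: per-user mean/stdev of an
    activity metric, scored as a z-score distance from the user's own baseline."""

    def __init__(self):
        self.samples = defaultdict(list)

    def train(self, events):
        for user, value in events:
            self.samples[user].append(value)

    def score(self, user, value):
        hist = self.samples.get(user, [])
        if len(hist) < 2:          # no baseline yet: nothing to compare against
            return 0.0
        sd = pstdev(hist) or 1.0   # avoid division by zero on a flat baseline
        return abs(value - mean(hist)) / sd


class WatchListPipeline:
    def __init__(self):
        self.model = BaselineModel()
        self.ingested = []                                      # retained training data
        self.risk_history = defaultdict(lambda: deque(maxlen=WINDOW))  # rolling window
        self.watch_list = set()
        self.mode = "ingest"

    def ingest(self, events):
        """Ingest mode: score each event, retain data for every user (first set)."""
        for user, value in events:
            self.risk_history[user].append(self.model.score(user, value))
            self.ingested.append((user, value))
        self.model.train(events)

    def moving_average_risk(self):
        return {u: mean(h) for u, h in self.risk_history.items() if h}

    def build_watch_list(self):
        """Second set of users = those with the highest moving-average risk score."""
        ranked = sorted(self.moving_average_risk().items(), key=lambda kv: (-kv[1], kv[0]))
        self.watch_list = {u for u, _ in ranked[:WATCH_SIZE]}
        return self.watch_list

    def refresh(self):
        """Given occurrence: interrupt ingest, prune data for users in the first set
        but not the second, refine the model on what remains, switch back."""
        self.mode = "refresh"
        before = len(self.ingested)
        self.ingested = [(u, v) for u, v in self.ingested if u in self.watch_list]
        self.model = BaselineModel()
        self.model.train(self.ingested)
        self.mode = "ingest"
        return before - len(self.ingested)   # number of pruned events

    def score_watch_list(self, events):
        """Operate the refined model only against data for the second set of users."""
        return {u: round(self.model.score(u, v), 2) for u, v in events if u in self.watch_list}


def run_demo():
    """Constructed event batches (user, activity metric); returns the watch list,
    the pruned-event count and the refined model's scores for the watch list."""
    p = WatchListPipeline()
    p.ingest([("alice", 10), ("bob", 10), ("carol", 10),
              ("alice", 10), ("bob", 10), ("carol", 10)])   # baseline: all risk 0
    p.ingest([("alice", 10), ("bob", 50), ("carol", 20)])   # bob and carol deviate
    watch = p.build_watch_list()                            # {"bob", "carol"}
    pruned = p.refresh()                                    # alice's 3 events dropped
    scores = p.score_watch_list([("alice", 10), ("bob", 10), ("carol", 10)])
    return watch, pruned, scores


if __name__ == "__main__":
    print(run_demo())
```

The pipeline retains data for every user while in ingest mode, so the first set of users is always the full population; the watch list is derived from the rolling-window average of past scores rather than the latest score alone, which is what makes it a moving average in the sense of claim 3.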
Muddu teaches the method as described in claim 1 wherein the given occurrence is receipt of a request for an updated machine learning model. ([Col 18, lines 51-54] The security platform 300 can create a behavior baseline for any type of entity (for example, a user, a group of users, a device, a group of devices, an application, and/or a group of applications). Examiner remark: the entity managed by the security system is the first set of users, which contains all subsets of users/entities. [Col 1, lines 41-45] by searching for patterns of behavior that are abnormal or otherwise vary from the expected use pattern of a particular entity (i.e., a subset of the users), such as an organization or subset thereof, individual user, IP address, node or group of nodes in the network. Examiner remark: a particular entity is part of the whole entity/first set of users.)
Regarding claims 12 and 19, they are rejected on the same rationale as claim 5. 
Regarding claim 6 (original), the combination of Muddu and Iyer teaches claim 1. 
Muddu teaches the method as described in claim 1 wherein the first set of users includes all or a subset of the users in the network. ([Col 29, lines 18-23] As more events are received, the model (i.e., machine learning model) can become increasingly better trained (i.e., refined) about the probability of association between the user and the machine identifiers. In some embodiments, the identity resolution module 812 creates a probabilistic graph to record a probability of association for each user it is currently tracking. [Col 29, lines 53-57] As events (behavior associated with a user) related to the given user arrive, versions of a machine learning model are initiated, trained, activated, (optionally) continually updated, and finally expired.)
Regarding claims 13 and 20, they are rejected on the same rationale as claim 6. 
Regarding claim 7 (original), the combination of Muddu and Iyer teaches claim 1. 
Muddu teaches the method as described in claim 1 further including applying the refined machine learning model to enable identification and tracking of behavior associated with one or more users that have been determined to satisfy a given risk condition. ([Col 29, lines 18-23] As more events are received, the model (i.e., machine learning model) can become increasingly better trained (i.e., refined) about the probability of association between the user and the machine identifiers. In some embodiments, the identity resolution module 812 creates a probabilistic graph to record a probability of association for each user it is currently tracking. [Col 29, lines 53-57] As events (behavior associated with a user) related to the given user arrive, versions of a machine learning model are initiated, trained, activated, (optionally) continually updated, and finally expired.)
Regarding claims 14 and 21, they are rejected on the same rationale as claim 7.
Claims 4, 11, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al. (US 9516053 B1, hereafter Muddu) in view of Iyer et al. (US 9836598 B2, hereafter Iyer), and further in view of Faigon et al. (US 20170353477 A1, hereafter Faigon).
Regarding claim 4 (currently amended), the combination of Muddu and Iyer teaches claim 1. 
Muddu and Iyer don’t explicitly teach that the second set of users also includes one or more users that are newly active in the network. 
Faigon, from an analogous endeavor, teaches that the second set of users also includes one or more users that are newly active in the network. (Faigon [0029] when the disclosed machine learning based anomaly detection is applied to observe new users or devices, it detects patterns that are seen for the first time (a new IP address, a new application, a new account, etc.) (i.e., second set of users))
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the teaching of Faigon into the teachings of Muddu and Iyer to reduce false positives in a machine learning model, because new users that have not yet established enough behavior patterns are often flagged by the system, as taught by Faigon.  The combining of the teachings would have yielded predictable results to one of ordinary skill in the art. 
Regarding claims 11 and 18, they are rejected on the same rationale as claim 4. 

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
US 20160078361 A1 – Machine learning service optimization.
US 10917419 B2 - An anomaly detector monitors a stream of the current time-series data and identifies statistical outliers of the stream of the current time-series data.
US 20150127595 A1 - anomaly predictions by computing a running 

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SOLOMON AREGA whose telephone number is (571)272-0122. The examiner can normally be reached on Monday - Friday from 8:30 AM to 5:00 PM (EDT).
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild, can be reached at telephone number (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent 
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

/SOLOMON AREGA/Examiner, Art Unit 2431
/LYNN D FEILD/Supervisory Patent Examiner, Art Unit 2431