Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendments
Applicant's arguments for the amended claims 1 – 20, considered under 35 USC 112, 101 and 103 for patentability over the closest and analogous prior arts Gurkok et al (US Pub. #: 20180205748), hereafter Gur, and Honda et al (US Pub. #: 20150350193), hereafter Honda, have been fully considered and are persuasive.

Allowable Subject Matter
1.	Amended claims 1 – 20 are allowed in light of applicant’s arguments, approved examiner’s proposed amendments and in light of prior art(s) made of record. 

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.  Authorization for this examiner’s amendment was given in an interview with John Ogilvie (attorney) for filed amended claims on 05-06-2021:
1.            (currently amended) An intrusion detection system for a guarded computing system (GCS), the GCS having a plurality of user accounts which have respective user account identifiers, the intrusion detection system comprising:
a processor;

an access failure event set residing at least piecewise in the memory, the access failure event set including access failure events which represent failed attempts to use credentials to access user accounts; 
a bucket B configured to hold user account identifiers, B having a failure count range R which has at least one endpoint value; 
an attack window which specifies a time period; 
an alert threshold T which represents an amount of user accounts; 
a behavior analyzer which utilizes execution of the processor to analyze GCS access attempt behavior based on at least some of the access failure events by (a) inserting in B the identifiers of user accounts whose number of access failure events within the attack window time period is in the range R, (b) computing an extent E based on the number of user account identifiers in B, and (c) generating a spray attack alert when the computed extent E meets or exceeds the alert threshold T; and 
a plurality of N buckets B1..BN, the buckets B1..BN associated with respective failure count ranges R1..RN, wherein the ranges partition a numeric range from a lowest endpoint of R1 to a highest endpoint of RN, wherein the system also includes a plurality of alert thresholds T1..TN and a plurality of computed extents E1..EN corresponding to the buckets B1..BN, and wherein the behavior analyzer analyzes GCS access attempt behavior on a per-bucket basis with N being at least 2;

2.            (currently amended) The system of claim 1, wherein N is at least 3.
3.            (original) The system of claim 1, further characterized by at least one of the following characteristics:
the credentials comprise plaintext passwords, pass phrases, or PINs;
the credentials comprise hashes;
the credentials comprise digital certificates; or
the credentials comprise digital representations of biometric information.
4.            (original) The system of claim 1, further characterized by at least one of the following characteristics:
the user account identifiers identify accounts in a public cloud GCS;  
the user account identifiers identify accounts in a hybrid cloud GCS; or
the user account identifiers identify accounts in a network GCS which communicates with the internet via a security 
5.            (original) The system of claim 1, further comprising an excluder which excludes items by excluding events or user accounts or both, and wherein the behavior analyzer omits excluded items from the GCS access attempt behavior analysis.
6.            (original) The system of claim 5, wherein the excluder recognizes as excludable and then excludes at least one of the following items:
an access failure event which indicates that a formerly valid credential was used in a failed attempt to access a user account;
a user account identifier which identifies a user account whose formerly valid credential was used in a failed attempt to access the user account within the past K days, where K is in the range 1..30;
an access failure event which identifies a user account whose credential was changed within the past K days, where K is in the range 1..30;
a user account identifier which identifies a user account whose credential was changed within the past K days, where K is in the range 1..30.
7.            (original) The system of claim 1, further comprising a threshold tuner which initializes or changes the alert threshold T based on historic access failure data.
8.            (original) The system of claim 1, further comprising a breached account finder which finds a user account Z that has apparently been breached, based on the presence of the Z’s account identifier in the bucket when the extent E met or exceeded T, thereby generating the spray attack alert, and also based on failed access attempts against Z being followed by an access success event indicating successful access to Z.

locating a digital bucket B which is one of a plurality of N buckets B1..BN with N being at least 2;
associating a failure count range R with the bucket B, R having at least one endpoint value, the buckets B1..BN associated with respective failure count ranges R1..RN wherein the ranges partition a numeric range from a lowest endpoint of R1 to a highest endpoint of RN, and wherein R is one of the ranges R1..RN;
getting an alert threshold T which is one of a plurality of alert thresholds T1..TN, the alert threshold T representing 
reading access failure event data from an access failure event set, the access failure event set including access failure events which represent failed attempts to use credentials to access user accounts of the GCS;
inserting in B the identifiers of user accounts whose number of access failure events is in the range R;
computing an extent E which is one of a plurality of computed extents E1..EN corresponding to the buckets B1..BN, the extent E based on the number of user account identifiers in B; and 
generating a spray attack alert when the computed extent E meets or exceeds the alert threshold T;
analyzing GCS access attempt behavior on a per-bucket basis and generating the spray attack alert in response to detection of activity which is consistent with a credential spray attack against the GCS.
10.         (original) The process of claim 9, wherein getting the alert threshold T comprises automatically calculating T based on at least the following: an average AR of the number of user accounts whose number of access failure events is in the range R, and a standard deviation of the average AR.
11.         (original) The process of claim 10, wherein getting the alert threshold T comprises excluding from calculation of T an access attempt failure which is attributable to use of an obsolete user account credential.
12.         (original) The process of claim 10, wherein getting the alert threshold T comprises excluding from calculation of T a failed attempt to access a user account that underwent a credential change within K previous days, K in the range of 1 to 30.
13.         (original) The process of claim 10, wherein calculation of T is further based on creating at least a predetermined minimum difference between T and the average AR.
14.         (original) The process of claim 9, wherein the process detects a credential spray attack against the GCS, and the process enhances cybersecurity of the GCS by generating the spray attack alert in advance of at least one of the following responses to the detected credential spray attack:
disruption of the credential spray attack;
mitigation of harm from the credential spray attack;
identification of a source of the credential spray attack; or 

15.         (original) The process of claim 9, further comprising ascertaining an attack window time period, and wherein the inserting inserts in B the identifiers of user accounts whose number of access failure events within the attack window time period is in the range R.
16.         (currently amended) A non-transitory storage medium configured with code which upon execution by one or more processors performs an intrusion detection process for detecting credential spray attacks against a guarded computing system (GCS), the GCS having a plurality of user accounts which have respective user account identifiers, the intrusion detection process comprising:
locating a plurality of N digital buckets B1..BN, with N being at least 2;
associating respective failure count ranges R1..RN with the buckets B1..BN, wherein the ranges partition a numeric range from a lowest endpoint of R1 to a highest endpoint of RN;
getting respective alert thresholds T1..TN which each represent an amount of user accounts;
reading access failure event data from an access failure event set, the access failure event set including access failure events which represent failed attempts to use credentials to access user accounts of the GCS;
inserting in each bucket Bi of the buckets B1..BN the identifiers, if any, of user accounts whose number of access failure events is in the corresponding range Ri of the ranges R1..RN;
computing an extent Ei based on the number of user account identifiers in each respective non-empty bucket Bi; and 

whereby the intrusion detection process enhances cybersecurity of the GCS by analyzing GCS access attempt behavior on a per-bucket basis and generating the spray attack alert in response to a credential spray attack against the GCS.
17.         (original) The non-transitory storage medium of claim 16, wherein the range RN is an open-ended range with a fixed and bounded lower endpoint and an arbitrarily large upper endpoint.
18.         (original) The non-transitory storage medium of claim 16, wherein getting respective alert thresholds T1..TN comprises:
monitoring for at least H days attempts to use credentials to access user accounts of the GCS, where H is at least five;
calculating averages AR1..ARN of the number of user accounts whose number of access failure events is in the respective ranges R1..RN; and
calculating respective standard deviations STDV1..STDVN of the averages AR1..ARN. 
19.         (original) The non-transitory storage medium of claim 16, wherein getting respective alert thresholds T1..TN comprises at least one of the following: 
excluding from calculation of at least one Ti an access attempt failure which is attributable to use of an obsolete user account credential;
excluding from calculation of at least one Ti a failed attempt to access a user account that underwent a credential change within K previous days, K in the range of 1 to 45.
20.         (original) The non-transitory storage medium of claim 16, further comprising finding a user account Z that has apparently been breached, based on the presence of the user 
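The per-bucket detection the claims describe (buckets B1..BN with failure count ranges R1..RN, extents E1..EN compared against thresholds T1..TN tuned from historic averages and standard deviations, and an excluder for accounts with recently changed credentials), as an added Python example; this is not code from the application or the examiner, and the ranges, baseline extents, exclusion set and access failure events are constructed sample values.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Failure count ranges R1..RN partition [1, inf); RN is open-ended (claim 17):
# upper endpoint None means "arbitrarily large".
RANGES = [(1, 2), (3, 5), (6, None)]

def bucket_index(failures):
    """Index i of the range Ri containing this failure count; None for zero failures."""
    for i, (lo, hi) in enumerate(RANGES):
        if failures >= lo and (hi is None or failures <= hi):
            return i
    return None

def bucket_extents(events, window_start, window_end, excluded=frozenset()):
    """Insert each account identifier into bucket Bi by its failure count inside the
    attack window; return extents E1..EN. `excluded` feeds the excluder (claims 5, 6)."""
    counts = Counter(acct for ts, acct in events
                     if window_start <= ts < window_end and acct not in excluded)
    extents = [0] * len(RANGES)
    for n in counts.values():
        extents[bucket_index(n)] += 1
    return extents

def tune_thresholds(historic_extents, sigmas=3, min_gap=2):
    """T1..TN from historic per-bucket extents: average AR plus `sigmas` standard
    deviations, but at least `min_gap` above AR (claims 10, 13, 18)."""
    return [max(mean(col) + sigmas * pstdev(col), mean(col) + min_gap)
            for col in zip(*historic_extents)]

def spray_alerts(extents, thresholds):
    """Indices of buckets whose extent Ei meets or exceeds its threshold Ti."""
    return [i for i, (e, t) in enumerate(zip(extents, thresholds)) if e >= t]

# Constructed sample data: five days of baseline extents, then one attack window.
HISTORIC_EXTENTS = [[2, 1, 0], [3, 0, 0], [2, 1, 1], [1, 0, 0], [2, 0, 0]]
T0 = datetime(2021, 5, 6, 9, 0)
WINDOW_END = T0 + timedelta(hours=1)
FAILURES = ([(T0 + timedelta(minutes=m), f"user{m:02d}") for m in range(8)]  # spray: 1 failure each
            + [(T0 + timedelta(minutes=10 + k), "svc-build") for k in range(7)]  # one noisy account
            + [(T0 + timedelta(minutes=20 + k), "bob") for k in range(2)]  # credential changed recently
            + [(T0 + timedelta(hours=2), "user99")])  # outside the attack window
RECENTLY_CHANGED = frozenset({"bob"})  # excluder input (claim 6)

def demo():
    """Run the detector on the constructed window: returns (extents, thresholds, alerts)."""
    extents = bucket_extents(FAILURES, T0, WINDOW_END, RECENTLY_CHANGED)
    thresholds = tune_thresholds(HISTORIC_EXTENTS)
    return extents, thresholds, spray_alerts(extents, thresholds)  # -> [8, 0, 1], ..., [0]
```

Only the low-count bucket B1 alerts: eight accounts with one or two failures each is the spray signature, while the single account with seven failures lands in the open-ended bucket and stays below its threshold.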

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
As to independent claim 1, the prior art of reference Gurkok teaches [0013-14] a historical data set of log-in attempts over a historical period for the set of all users, presumed normal activity on average; the intrusion detection system (IDS) learns and clusters to identify unusual log-in attempts ([0034] into a hierarchy of time-interval bins...). Each stored login attempt is a tuple, such as user u, source s, destination d, day of week dy, hour of day hr, and status st. Source is the server from which the login attempt originated, destination is the target of the login attempted, and status is the success or failure of the login attempt; [0009] an outlier score is determined based on values associated with the destination score and the source given destination score of the number of failed login attempts [0011] for a number of users; [0053] a threshold is the magnitude or intensity that must be satisfied for a certain reaction, phenomenon, result, or condition to occur or be manifested; [0034] the IDS trains on historical data for the same time-interval bin in the same context. From such training, the IDS determines the previously noted average login unusualness score and number of attempted logins for different time horizons. The IDS scores a user's login activity for how unusual it is, in the past minute, in the past 5 minutes, in the past 30 minutes, etc.; [0032-33] the IDS determines scores, which are suitable aggregates of scores of individual logins. For each user u, and from the set of logins the user attempted on a day, the IDS derives two statistics, the average of the outlier scores of these logins and the number of logins; [0053-54] having determined the outlier score, an alert is outputted if the outlier score satisfies a 

Further, a second prior art of record, Honda, teaches [0072] an analysis setting DB holding at least a threshold of the correlation coefficient used to identify an attacked destination group (user accounts) and a time period of IDS log data; Fig. 5 indicates the number of attacks on a victim account at a given time; Fig. 7 shows a set of user accounts and corresponding identifiers.

None of the other prior arts of record, by themselves or in any combination, teach, anticipate or render obvious the claimed invention of the present application at or before the time it was filed.  The prior arts of record fail to teach the following: accounts with access failure events are divided into buckets B1..BN based on access failure count ranges R1..RN, each range having at least one endpoint value; the buckets have account involvement extents E1..EN, which are compared to thresholds T1..TN; an intrusion detection tool generates an alert when some Ei meets its Ti; the detection spots credential sprays; breached accounts are found; and the detection permits other responses, such as alerts.

Therefore, independent claim 1 and its corresponding dependent claims are allowed in light of applicant's arguments, approved examiner's amendments and prior arts of record. The same amendments and reasoning apply to independent claims 9 and 16 mutatis mutandis.  

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892 Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 7:45am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Taghi T. Arani, can be reached on 571-272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to 


/BADRINARAYANAN /Examiner, Art Unit 2438.