Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
The Amendment filed 05/18/2021 has been entered. Claims 1, 5, 7 and 16 have been amended.  Claims 1-20 are pending in this application.

Applicant's arguments with respect to claims 1, 5, 7 and 16 objection have been fully considered and persuasive. The objection has been withdrawn.


Allowable Subject Matter
Claims 1-20 are allowed.
The following is an examiner’s statement of reasons for allowance:

The closest prior arts made of records are, Muddu et al. (U.S. Pub. No. 2018/0367551 A1, referred to as Muddu), Ben Ezra et al. (U.S Pub No. 2018/0069876 A1, referred to as Ben) and Thampy (U.S Pub No. 2019/0068627 A1, referred to as Thampy).
Muddu discloses a method for determining a frequency of the particular group in a traffic, and identifying the particular group as an anomaly based on whether the frequency of the particular group satisfies a frequency criterion.
Ben discloses a method for a predictive detection of cyber-attacks are provided, by receiving security events, matching each received security event to a plurality of previously generated event sequences to result in at least one matched event sequence, comparing each of the at least one matched event sequence to a plurality of previously identified attack patterns to result in at least one matched attack pattern. For each matched attack pattern, computing a risk score potentially indicating a cyber-attack and causing execution of a mitigation action based on the risk score.

Thampy discloses methods for a cloud security system that learns patterns of user behavior and uses the patterns to detect anomalous behavior in a network, by obtaining activity data from a service provider system. The activity data describes actions performed during use of a cloud service over a period of time. A pattern corresponding to a series of actions performed over a subset of time can be identified. The pattern can be added a model associated with the cloud service. The model represents usage of the cloud service by the one or more users.

However, regarding claim 1, the prior art of Muddu, Ben and Thampy when taken in the context of the claim as a whole do not disclose nor suggest, “(b) heuristically extracting an ordered event sequence from the list of events as a user session candidate without reliance on user identity data, (c) producing a candidate vector by vectorizing the extracted ordered event 15sequence, (d) submitting the candidate vector to a trained machine learning model which computes an anomaly score for the candidate vector, wherein the machine learning model measures 

However, regarding claim 7, the prior art of Muddu, Ben and Thampy when taken in the context of the claim as a whole do not disclose nor suggest, “computing an anomaly score for the candidate vector, without relying on user identity information, using a machine learning model which was trained with previously vectorized event sequences which collectively represent a history of events in the guarded computing system”.

However, regarding claim 16, the prior art of Muddu, Ben and Thampy when taken in the context of the claim as a whole do not disclose nor suggest, “computing an anomaly score for the candidate vector, without relying on user identity information, using a machine learning model and also using vectorized event sequences which collectively represent a history of events in the guarded computing system”.

Claims 2-6 depend on claim 1, claims 8-15 depend on claim 7 and claims 17-20 depend on claim 16, and are of consequence allowed.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:  See PTO-892.  
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HASSAN SAADOUN whose telephone number is (571)272-8408.  The examiner can normally be reached on Mon-Fri 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/HASSAN SAADOUN/Examiner, Art Unit 2435