DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on March 29, 2021 has been entered.

Remarks
Pending claims for reconsideration are claims 1-10 and 12-21. Applicant has amended claims 1, 10, and 17; cancelled claim 11; and added new claim 21.

Response to Arguments
Applicant’s arguments filed on March 29, 2021 have been fully considered, but they are deemed moot in view of the new ground of rejection (see the 103 rejection below).

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and 

Claims 1, 3-4, 7-10, and 14-20 are rejected under the judicially created doctrine of obviousness-type double patenting as being unpatentable over claims 1, 4, 6, 8, 10, 12, 15, and 19 of U.S. Patent No. 9537880. Although the conflicting claims are not identical, they are not patentably distinct from each other because all the limitations of claims 1, 3-4, 7-10, and 14-20 of this instant application are found in claims 1, 4, 6, 8, 10, 12, 15, and 19 of Patent No. 9537880. Therefore, claims 1, 3-4, 7-10, and 14-20 of this instant application are anticipated by claims 1, 4, 6, 8, 10, 12, 15, and 19 of Patent 9537880, because all the limitations of the broader genus claims of this instant application are contained in the narrower species claims of Patent 9537880.

Application No. 16/186801
Patent No. 9537880
1. A computerized method implemented by one or more processors, the method comprising:

accessing, via one or more databases, information indicating a first plurality of user accounts exhibiting high-risk behavior, the high-risk behavior being determined based on network access logs generated in response to network actions associated with, at least, the first plurality of user accounts;

selecting, based on the accessed information, a particular user account of the first plurality of user accounts for detailed review;

and causing presentation, via a user device, of an interactive user interface, wherein the interactive user interface:

presents summary information associated with determined high-risk behavior of the particular user account, the summary information reflecting a plurality of measures associated with the high-risk behavior, wherein each measure is indicative of a type of user behavior associated with a risk of compromise, and

responds to user input directed to a particular selectable option of a plurality of selectable options, each selectable option being associated with presenting detailed information associated with a measure of the plurality of measures,

obtaining logs from at least one network, the network comprising:
a plurality of network accessible systems associated with the network, comprising one or more of: server systems; domain controllers; computers; laptops; checkout systems; point of sale systems; firewalls; and VPN servers; 
a plurality of computerized user devices configured to allow a plurality of users to access the network via the network accessible systems, each user having at least one user account associated with the network, the user account being associated with an IP address of at least one of the user devices; 
and a plurality of data storage devices for storing data generated by the network accessible systems, at least a portion of the data comprising the logs; 
wherein the logs are generated by the network accessible systems in response to network actions of the user accounts associated with the network, and the logs specifying information associated with network actions of user accounts that affect one or more network accessible systems or one or more user accounts;
 determining respective network actions of the user accounts based on the logs, wherein one or more determined network actions of a particular user account include transitions to one or more different user accounts, wherein at least one transition is associated with escalations of user privileges; 

maintaining, in one or more databases, information identifying the respective network actions of the user accounts; determining, for each of the user accounts, one or more user compromise scores associated with the user account based on the network actions maintained in the one or more databases, the user compromise scores measuring respective types of user behavior associated with a risk of compromise, 

wherein the user compromise scores include a user chaining score, and wherein determining the user chaining score for the particular user account is based on the different user accounts transitioned to, or accessed by, the particular user account, and wherein determining the user chaining score includes monitoring IP addresses specified in the logs; 
determining, based on the user compromise scores associated with each user account, a set of user accounts of the plurality of user accounts for review, 

the determined set of user accounts representing potential high-risk behavior such that the users associated with the user accounts are potential attackers of the network; 

providing, for presentation in an interactive user interface, information describing user accounts of the set of user accounts and respective user compromise scores associated with user accounts of the set of user accounts; and 


taking action to prevent an attack.

2. The computerized method of claim 1, wherein the user input directed to the particular selectable object triggers access to the one or more databases, and determination of detailed information associated with the type of the summary information.

3. (Original) The computerized method of claim 1, wherein the determined high-risk behavior of the particular user account comprises one or more of information indicating network accessible systems not normally used by the particular user account to access the one or more networks, likelihoods associated with a single user being able to access the particular user account from different locations within threshold periods of times, information associated with traversing the network accessible systems, or information indicating risks and/or abnormalities associated with geographic locations from which the particular user account was used.
6. The method of claim 1, further comprising: receiving, from a user device presenting the interactive user interface, a request to receive information describing the set of user accounts determined for review, the request identifying a particular time period; obtaining data describing network actions of each user account of the set of user accounts during the particular time period; and determining user compromise scores for each user account of the set of user accounts based on respective network actions of the user account during the particular time period.
4. The computerized method of claim 1, wherein the particular selectable option is associated with an investigation history, and wherein the interactive user interface presents detailed information comprising information describing one or more investigations into the particular user account.
10. The method of claim 9, wherein the anomaly score prioritizes user accounts to review, and wherein the interactive user interface orders the user accounts of the set of user accounts according to respective anomaly score.
5. The computerized method of claim 4, wherein the interactive user interface: enables, via user input, adjustment of a status associated with a judgement of an investigation into the particular user account, and provides selectable options to assign a reviewing user to review an investigation into the particular user account.

6. The computerized method of claim 1, wherein the particular selectable option is associated with user profile information of the particular user account, and wherein the interactive user interface presents user access rights associated with the particular user account, the user access rights comprising information obtained from one or more access control lists or group membership information.

7.  The computerized method of claim 1, wherein the particular selectable option is associated with access information related to user devices utilized to access the particular user account, and wherein the interactive user interface: presents a graphical depiction of one or more geographic regions from which the user devices were utilized, or presents a chart identifying respective measures of use associated with the user devices, the chart specifying a name associated with each user device and/or software information associated the user devices.
8. The method of claim 1, wherein a user compromise score of a first user account comprises one or more of: a host score associated with network accessible systems used, by the first user account, to access the one or more networks, an anomaly score associated with aggregate user behavior of the first user account, a speed score associated with a likelihood that a single user has accessed the first user account from disparate locations in a period of time, a location score associated with geographic locations from which the first user account was used, or a user chaining score associated with user accounts transitioned to from the user account.
9. The computerized method of claim 1, wherein the interactive user interface: presents a visual representation of a graph illustrating transitions from the particular user account to the subsequent user accounts, and transitions from the subsequent user accounts to additional subsequent user accounts, the graph comprising edges connecting nodes associated with user accounts, the edges representing transitions.
… wherein one or more determined network actions of a particular user account include transitions to one or more different user accounts, wherein at least one transition is associated with escalations of user privileges; maintaining, in one or more databases, information identifying the respective network actions of the user accounts; determining, for each of the user accounts, one or more user compromise scores associated with the user account based on the network actions maintained in the one or more databases, the user compromise scores measuring respective types of user behavior associated with a risk of compromise, wherein the user compromise scores include a user chaining score, and wherein determining the user chaining score for the particular user account is based on the different user accounts transitioned to…; (Part of claim 1)
10. A system comprising one or more processors and non-transitory computer storage media storing instructions that when executed by the one or more processors, cause the one or more processors to perform operations comprising:

accessing, via one or more databases, information indicating a first plurality of user accounts exhibiting high-risk behavior;

selecting, based on the accessed information, a particular user account of the first plurality of user accounts for detailed review; and
causing presentation, via a user device, of an interactive user interface, wherein the interactive user interface: presents summary information associated with determined high-risk behavior of the particular user account, the summary information reflecting a plurality of measures associated with the high-risk behavior, 

wherein each measure is indicative of a type of user behavior associated with a risk of compromise, and responds to user input directed to a particular selectable option of a plurality of selectable options, each selectable option being associated with presenting detailed information associated with a measure of the plurality of measures,

wherein in response to selection of a particular measure of the plurality of measures, the interactive user interface is updated to present a graphical representation associated with the particular measure.


obtaining logs from at least one network, the network comprising: a plurality of network accessible systems associated with the network, comprising one or more of: server systems; domain controllers; 
computers; laptops; checkout systems; point of sale systems; firewalls; and VPN servers; 
a plurality of computerized user devices configured to allow a plurality of users to access the network via the network accessible systems, each user having at least one user account associated with the network, the user account being associated with an IP address of at least one of the user devices; and 
a plurality of data storage devices for storing data generated by the network accessible systems, at least a portion of the data comprising the logs; 
wherein the logs are generated by the network accessible systems in response to network actions of the user accounts associated with the network, and the logs specifying information associated with network actions of user accounts that affect one or more network accessible systems or one or more user accounts; 
determining respective network actions of the user accounts based on the logs, wherein one or more determined network actions of a particular user account include transitions to one or more different user accounts, wherein at least one transition is associated with escalations of user privileges;

maintaining, in one or more databases, information identifying the respective network actions of the user accounts; determining, for each of the user accounts, one or more user compromise scores associated with the user account based on the network actions maintained in the one or more databases, 

the user compromise scores measuring respective types of user behavior associated with a risk of compromise, wherein the user compromise scores include a user chaining score, and 

wherein determining the user chaining score for the particular user account is based on the different user accounts transitioned to, or accessed by, the particular user account, and wherein determining the user chaining score includes monitoring IP addresses specified in the logs; 
determining, based on the user compromise scores associated with each user account, a set of user accounts of the plurality of user accounts for review, 
the determined set of user accounts representing potential high-risk behavior such that the users associated with the user accounts are potential attackers of the network;

providing, for presentation in an interactive user interface, information describing user accounts of the set of user accounts and respective user compromise scores associated with user accounts of the set of user accounts; and

taking action to prevent an attack.

(providing, for presentation in an interactive user interface, information describing user accounts of the set of user accounts and respective user compromise scores associated with user accounts of the set of user accounts; and) 
12.  The system of claim 10, wherein the particular selectable option is associated with an investigation history, and wherein the interactive user interface: enables, via user input, adjustment of a status associated with a judgement of an investigation into the particular user account, and provides selectable options to assign a reviewing user to review an investigation into the particular user account.

13. The system of claim 10, wherein the particular selectable option is associated with user profile information of the particular user account, and wherein the interactive user interface presents user access rights associated with the particular user account, the user access rights comprising information obtained from one or more access control lists or group membership information.

14. The system of claim 10, wherein the particular selectable option is associated with access information related to user devices utilized to access the particular user account, and wherein the interactive user interface: presents a graphical depiction of one or more geographic areas from which the user devices were utilized, or presents a chart identifying respective measures of use associated with the user devices, the chart specifying a name associated with each user device and/or software information associated the user devices.
19. The system of claim 12, wherein a user compromise score of a first user account comprises: a host score associated with network accessible systems used, by the first user account, to access the one or more networks, an anomaly score associated with aggregate user behavior of the first user account, a speed score associated with a likelihood that a single user has accessed the first user account from disparate locations in a period of time, a location score associated with geographic locations from which the first user account was used, or a user chaining score associated with user accounts transitioned to from the first user account.
15. The system of claim 10, wherein the particular selectable option is associated with user chaining, and wherein the interactive user interface: presents information identifying transitions initiating from the particular user account to one or more subsequent user accounts, the information identifying whether each transition is associated with escalated user privileges.
19. The system of claim 12, wherein a user compromise score of a first user account comprises: a host score associated with network accessible systems used, by the first user account, to access the one or more networks, an anomaly score associated with aggregate user behavior of the first user account, a speed score associated with a likelihood that a single user has accessed the first user account from disparate locations in a period of time, a location score associated with geographic locations from which the first user account was used, or a user chaining score associated with user accounts transitioned to from the first user account.
16. The system of claim 10, wherein the interactive user interface: presents a visual representation of a graph illustrating transitions from the particular user account to the subsequent user accounts, and transitions from the subsequent user accounts to additional subsequent user accounts, the graph comprising edges connecting nodes associated with user accounts, the edges representing transitions.
… maintaining, in one or more databases, information identifying the respective network actions of the user accounts; determining, for each of the user accounts, one or more user compromise scores associated with the user account based on the network actions maintained in the one or more databases, 
the user compromise scores measuring respective types of user behavior associated with a risk of compromise, wherein the user compromise scores include a user chaining score, and 
wherein determining the user chaining score for the particular user account is based on the different user accounts transitioned to, or accessed by, the particular user account, and wherein determining the user 

accessing, via one or more databases, information indicating a first plurality of user accounts exhibiting high-risk behavior;

selecting, based on the accessed information, a particular user account of the first plurality of user accounts for detailed review; and
causing presentation, via a user device, of an interactive user interface, wherein the interactive user interface: presents summary information associated with determined high-risk behavior of the particular user account, the summary information reflecting a plurality of measures associated with the high-risk behavior, wherein each measure is indicative of a type of user behavior associated with a risk of compromise, and 

responds to user input directed to a particular selectable option of a plurality of selectable options, each selectable option being associated with presenting detailed information associated with a measure of the plurality of measures,

wherein in response to selection of a particular measure of the plurality of measures, the interactive user interface is updated to present a graphical representation associated with the particular measure.


obtaining logs from at least one network, the network comprising: a plurality of network accessible systems associated with the network, comprising one or more of: server systems; domain controllers; 
computers; laptops; checkout systems; point of sale systems; firewalls; and VPN servers; 
a plurality of computerized user devices configured to allow a plurality of users to access the network via the network accessible systems, each user having at least one user account associated with the network, the user account being associated with an IP address of at least one of the user devices; and 
a plurality of data storage devices for storing data generated by the network accessible systems, at least a portion of the data comprising the logs; 
wherein the logs are generated by the network accessible systems in response to network actions of the user accounts associated with the network, and the logs specifying information associated with network actions of user accounts that affect one or more network accessible systems or one or more user accounts; 
determining respective network actions of the user accounts based on the logs, wherein one or more determined network actions of a particular user account include transitions to one or more different user accounts, wherein at least one transition is associated with escalations of user privileges;

maintaining, in one or more databases, information identifying the respective network actions of the user accounts; determining, for each of the user accounts, one or more user compromise scores associated with the user account based on the network actions maintained in the one or more databases, 

the user compromise scores measuring respective types of user behavior associated with a risk of compromise, wherein the user compromise scores include a user chaining score, and 

wherein determining the user chaining score for the particular user account is based on the different user accounts transitioned to, or accessed by, the particular user account, and wherein determining the user chaining score includes monitoring IP addresses specified in the logs; determining, based on the user compromise scores associated with each user account, a set of user accounts of the plurality of user accounts for review, 


the determined set of user accounts representing potential high-risk behavior such that the users associated with the user accounts are potential attackers of the network;

providing, for presentation in an interactive user interface, information describing user accounts of the set of user accounts and respective user compromise scores associated with user accounts of the set of user accounts; and

taking action to prevent an attack.

(providing, for presentation in an interactive user interface, information describing user accounts of the set of user accounts and respective user compromise scores associated with user accounts of the set of user accounts; and)

19. The system of claim 12, wherein a user compromise score of a first user account comprises: a host score associated with network accessible systems used, by the first user account, to access the one or more networks, an anomaly score associated with aggregate user behavior of the first user account, a speed score associated with a likelihood that a single user has accessed the first user account from disparate locations in a period of time, a location score associated with geographic locations from which the first user account was used, or a user chaining score associated with user accounts transitioned to from the first user account.
19. The computer storage media of claim 17, wherein the particular selectable option is associated with access information related to user devices utilized to access the particular user account, and wherein the 


… maintaining, in one or more databases, information identifying the respective network actions of the user accounts; determining, for each of the user accounts, one or more user compromise scores associated with the user account based on the network actions maintained in the one or more databases, 
the user compromise scores measuring respective types of user behavior associated with a risk of compromise, wherein the user compromise scores include a user chaining score, and 
wherein determining the user chaining score for the particular user account is based on the different user accounts transitioned to, or accessed by, the particular user account, and wherein determining the user chaining score includes monitoring IP addresses specified in the logs; determining, based on the user compromise scores associated with each user account, a set of user accounts of the plurality of user accounts for review, …; (Part of claim 12)


Claims 1, 4, 6, 8, 10, 12, 15, and 19 of Patent No. 9537880 contain every element of claims 1, 3-4, 7-10, and 14-20 of the instant application and thus anticipate the claims of the instant application. The claims of the instant application are therefore not patentably distinct from the earlier patent claims and as such are unpatentable under obviousness-type double patenting. A later application/patent claim is not patentably distinct from an earlier claim if the later claim is anticipated by the earlier claim.
“A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim.  In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting 
 Accordingly, absent a terminal disclaimer, claims 1, 3-4, 7-10, and 14-20 were properly rejected under the doctrine of obviousness-type double patenting.” (In re Goodman (CA FC) 29 USPQ2d 2010 (12/3/1993).


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-2, 4-5, 10, 12, 17, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Hawthorn et al. (U.S. Patent Application Publication No.: US 2015/0229664 A1 / or “Hawthorn” hereinafter) in view of Issacs et al. (U.S. Patent Application Publication No.: US 2016/0117403 A1 / or “Issacs” hereinafter).
Regarding claim 1, Hawthorn discloses “A computerized method implemented by one or more processors, the method comprising” (Para 0005: discloses methods and systems for assessing security of users in a computing network):
“accessing, via one or more databases, information indicating a first plurality of user accounts exhibiting high-risk behavior, the high-risk behavior being determined based on network access logs generated in response to network actions associated with, at least, the first plurality of user accounts” (Para 151-158: security agents collect user interaction data, i.e., “account exhibiting high risk behavior”, of different types, including live interaction data and previously collected information related to the user, such as the IP address of the device used by the user, the location of the device used by the user, etc.);
“selecting, based on the accessed information, a particular user account of the first plurality of user accounts for detailed review; and causing presentation, via a user device, of an interactive user interface, wherein the interactive user interface” (Para 168-169, 173-175, selecting collected user interaction data to calculate a risk score; and Para 0176, the risk scores are used to perform various actions. For example, “…risk assessment manager 110 may use a calculated risk scores to influence, guide, and/or determine a frequency and/or sophistication level of future security items 112 and/or training items 124”):
“presents summary information associated with determined high-risk behavior of the particular user account, the summary information reflecting a plurality of measures associated with the high-risk behavior, wherein each measure is indicative of a type of user behavior associated with a risk of compromise” (Para 0007: calculating and displaying a security score of a user, i.e., an “individual user”; Para 0065: providing detailed information of a user account, user status; Para 0060; 179-0180: summary information of a ,
“and responds to user input directed to a particular selectable option of a plurality of selectable options, each selectable option being associated with presenting detailed information associated with a measure of the plurality of measures” (Para 0188, provides detailed information of a security vulnerability of a user; See also Para 0060, 0066 and Fig. 3),
“wherein in response to selection of a particular measure of the plurality of measures, the interactive user interface is updated to present a graphical representation associated with the particular measure” (Para 0175, security scores of a user are updated; and Para 0187, a graphical interface is used to display a detailed timeline, i.e., a “particular measure”, of how a user's security score has changed over time),
	But Hawthorn fails to specifically disclose presenting a visual view of an entity’s information and visually adjusting a particular entity’s information.
However, Issacs discloses “and presents a triage status for the particular user account, the presented triage status being visually adjusted according to a review status of the particular user account” (Issacs, Para 29: a visual view of an entity’s information is generated; and Para 0045: “Any changes to the entities based on the filters can also be applied to the other entity visualizations…”).
It would have been obvious to an ordinary person skilled in the art before the effective filing date of the claimed invention to employ the teachings of presenting a visual view of an entity’s information and visually adjusting a particular entity’s information of Issacs to the system of Hawthorn to create a system where a user can perform entity triage by assigning status to and 

Regarding claim 2, in view of claim 1, Hawthorn discloses “wherein the user input directed to the particular selectable object triggers access to the one or more databases, and determination of detailed information associated with the type of the summary information” (Para 0007: access to databases storing detailed information such as risk scoring metrics, translation data; and Para 00064: summary of information).

Regarding claim 4, in view of claim 1, Hawthorn discloses “wherein the particular selectable option is associated with an investigation history, and wherein the interactive user interface presents detailed information comprising information describing one or more investigations into the particular user account” (Fig. 16: Interactive data; Para 179: providing detailed information of a user account, user status; Para 0060: “interactive user interface”; and Fig. 3 and Para 0062: details related to a security event).

Regarding claim 5, in view of claim 4, Hawthorn discloses “wherein the interactive user interface: enables, via user input, adjustment of a status associated with a judgement of an investigation into the particular user account, and provides selectable options to assign a reviewing user to review an investigation into the particular user account” (Para 0198, making adjustments to a user account).

Regarding claim 10, Hawthorn discloses “A system comprising one or more processors and non-transitory computer storage media storing instructions that when executed by the one or more processors, cause the one or more processors to perform operations comprising” (Para 0005: discloses methods and systems for assessing security of users in a computing network):
“accessing, via one or more databases, information indicating a first plurality of user accounts exhibiting high-risk behavior” (Para 151-158: security agents collect user interaction data, i.e., “account exhibiting high risk behavior”, of different types, including live interaction data and previously collected information related to the user, such as the IP address of the device used by the user, the location of the device used by the user, etc.);
“selecting, based on the accessed information, a particular user account of the first plurality of user accounts for detailed review; and causing presentation, via a user device, of an interactive user interface, wherein the interactive user interface” (Para 168-169, 173-175, selecting collected user interaction data to calculate a risk score; and Para 0176, the risk scores are used to perform various actions. For example, “…risk assessment manager 110 may use a calculated risk scores to influence, guide, and/or determine a frequency and/or sophistication level of future security items 112 and/or training items 124”):
“presents summary information associated with determined high-risk behavior of the particular user account, the summary information reflecting a plurality of measures associated with the high-risk behavior, wherein each measure is indicative of a type of user behavior associated with a risk of compromise” (Para 0007: calculating and displaying a security score of a user, i.e., an “individual user”; Para 0065: providing detailed information of a user account, user status; Para 0060; 179-0180: summary information of a ,
“and responds to user input directed to a particular selectable option of a plurality of selectable options, each selectable option being associated with presenting detailed information associated with a measure of the plurality of measures” (Para 0188, provides detailed information of a security vulnerability of a user; See also Para 0060, 0066 and Fig. 3),
“wherein in response to selection of a particular measure of the plurality of measures, the interactive user interface is updated to present a graphical representation associated with the particular measure” (Para 0175, security scores of a user are updated; and Para 0187, a graphical interface is used to display a detailed timeline, i.e., a “particular measure”, of how a user's security score has changed over time),
	But Hawthorn fails to specifically disclose presenting a visual view of an entity’s information and visually adjusting a particular entity’s information.
However, Issacs discloses “and presents a triage status for the particular user account, the presented triage status being visually adjusted according to a review status of the particular user account” (Issacs, Para 29: a visual view of an entity’s information is generated; and Para 0045: “Any changes to the entities based on the filters can also be applied to the other entity visualizations…”).
It would have been obvious to an ordinary person skilled in the art before the effective filing date of the claimed invention to employ the teachings of presenting a visual view of an entity’s information and visually adjusting a particular entity’s information of Issacs to the system of Hawthorn to create a system where a user can perform entity triage by assigning status to and 


Regarding claim 12, in view of claim 10, Hawthorn discloses “wherein the particular selectable option is associated with an investigation history, and wherein the interactive user interface: enables, via user input, adjustment of a status associated with a judgement of an investigation into the particular user account, and provides selectable options to assign a reviewing user to review an investigation into the particular user account” (Fig. 16: Interactive data; Para 179: providing detailed information of a user account, user status; Para 0060: “interactive user interface”; and Fig. 3 and Para 0062: details related to a security event).

Regarding claim 17, Hawthorn discloses “Non-transitory computer storage media storing instructions that when executed by a system of one or more processors, cause the system to perform operations comprising” (Para 0202, a system with processor, memory, and computer storage media):
“accessing, via one or more databases, information indicating a first plurality of user accounts exhibiting high-risk behavior; selecting, based on the accessed information, a particular user account of the first plurality of user accounts for detailed review” (Para 151-158: security agents collect user interaction data, i.e., “account exhibiting high risk behavior”, of different types, including live interaction data and previously collected information related to the user, such as the IP address of the device used by the user, the location of the device used by the user, etc.);
“and causing presentation, via a user device, of an interactive user interface, wherein the interactive user interface” (Para 168-169, 173-175, selecting collected user interaction data to calculate a risk score; and Para 0176, the risk scores are used to perform various actions. For example, “…risk assessment manager 110 may use a calculated risk scores to influence, guide, and/or determine a frequency and/or sophistication level of future security items 112 and/or training items 124”):
“presents summary information associated with determined high-risk behavior of the particular user account, the summary information reflecting a plurality of measures associated with the high-risk behavior, wherein each measure is indicative of a type of user behavior associated with a risk of compromise” (Para 0007: calculating and displaying a security score of a user, i.e., an “individual user”; Para 0065: providing detailed information of a user account, user status; Para 0060; 179-0180: summary information of a particular user is displayed in an interactive environment as a campaign summary; see also Fig. 18; and Para 188: selecting and presenting a user in a report),
“and responds to user input directed to a particular selectable option of a plurality of selectable options, each selectable option being associated with presenting detailed information associated with a measure of the plurality of measures” (Para 0188, provides detailed information of a security vulnerability of a user; See also Para 0060, 0066 and Fig. 3),
Application No.: 16/186,801 Filing Date: November 12, 2018
“wherein in response to selection of a particular measure of the plurality of measures, the interactive user interface is updated to present a graphical representation associated with the particular measure” (Para 0175, security scores of a user are updated; 
	But Hawthorn fails to specifically disclose presenting a visual view of an entity’s information and visually adjusting a particular entity’s information.
However, Issacs discloses “and presents a triage status for the particular user account, the presented triage status being visually adjusted to indicate a review status of the particular user account” (Issacs, Para 29: a visual view of an entity’s information is generated; and Para 0045: “Any changes to the entities based on the filters can also be applied to the other entity visualizations…”).
It would have been obvious to an ordinary person skilled in the art before the effective filing date of the claimed invention to employ the teachings of presenting a visual view of an entity’s information and visually adjusting a particular entity’s information of Issacs to the system of Hawthorn to create a system where a user can perform entity triage by assigning status to and the ordinary person skilled in the art would have been motivated to combine in order for a user to determine “… how she is progressing through the entities” (Issacs, Para 0033).
  
	Regarding claim 21, in view of claim 1, Hawthorn in view of Issacs disclose “wherein the triage status is presented in a particular color selected by a reviewing user from a plurality of colors, and wherein each color is indicative of a particular review status” (Issacs, Para 0033. “….each status is assigned a different color to distinguish between the different statuses and the color can be applied to the bar for that status”).



Claims 3 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Hawthorn in view of Issacs and in further view of Andrews et al. (U.S. Patent Application Publication No.: US 2016/0292599 A1 / or “Andrews” hereinafter).

Regarding claim 3, in view of claim 1, Hawthorn discloses “wherein the determined high-risk behavior of the particular user account comprises one or more of information indicating network accessible systems not normally used by the particular user account to access the one or more networks” (Para 0156, the type of information collected by the agent includes “..the location of the system; the network (e.g., work, home, hotel, etc.)”).
	Issacs discloses presenting a visual view of an entity’s information and visually adjusting a particular entity’s information (Para 0029, 0033).
	But Hawthorn and Issacs fail to specifically disclose determining that a user's access to network resources from different locations within a time period threshold suggests abnormal access.
However, Andrews discloses “likelihoods associated with a single user being able to access the particular user account from different locations within threshold periods of times, information associated with traversing the network accessible systems, or information indicating risks and/or abnormalities associated with geographic locations from which the particular user account was used” (Andrews, Para 41: user access data is collected to determine where the access was associated with risk because the location, distance, and time period threshold suggest that access by a single user is not permissible).
It would have been obvious to an ordinary person skilled in the art before the effective filing date of the claimed invention to employ the teachings of determining a user access to network resources from different locations within a time period threshold suggests abnormal 

Regarding claim 18, in view of claim 17, Hawthorn discloses “wherein the determined high-risk behavior of the particular user account comprises one or more of information indicating network accessible systems not normally used by the particular user account to access the one or more networks” (Para 0156, the type of information collected by the agent includes “..the location of the system; the network (e.g., work, home, hotel, etc.)”).
Issacs discloses presenting a visual view of an entity’s information and visually adjusting a particular entity’s information (Para 0029, 0033).
	But Hawthorn and Issacs fail to specifically disclose determining that a user's access to network resources from different locations within a time period threshold suggests abnormal access.
However, Andrews discloses “likelihoods associated with a single user being able to access the particular user account from different locations within threshold periods of times, information associated with traversing the network accessible systems, or information indicating risks and/or abnormalities associated with geographic locations from which the particular user account was used” (Andrews, Para 41: user access data is collected to determine where the access was associated with risk because the location, distance, and time period threshold suggest that access by a single user is not permissible).
It would have been obvious to an ordinary person skilled in the art before the effective filing date of the claimed invention to employ the teachings of determining a user access to network resources from different locations within a time period threshold suggests abnormal .
 

Claims 6-8, 13-15, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Hawthorn in view of Issacs and in further view of Patrick Crowley (U.S. Patent Application Publication No.: US 2014/0053265 A1 / or “Crowley” hereinafter).

	Regarding claim 6, in view of claim 1, Hawthorn discloses user profile generation and assessing a risk score (Para 173-176).
	Issacs discloses presenting a visual view of an entity’s information and visually adjusting a particular entity’s information (Para 0029, 0033).
	But Hawthorn and Issacs fail to specifically disclose a user access list.
However, Crowley discloses “wherein the particular selectable option is associated with user profile information of the particular user account, and wherein the interactive user interface presents user access rights associated with the particular user account, the user access rights comprising information obtained from one or more access control lists or group membership information” (Crowley, Para 66: discloses a watch list).
It would have been obvious to an ordinary person skilled in the art before the effective filing date of the claimed invention to employ the teachings of a watch list of Crowley to the system of Hawthorn and Issacs to create a system to utilize a watch list for user access and the 
	
	Regarding claim 7, in view of claim 1, Hawthorn discloses user interactive interfaces (Para 173-176), and geolocation (Para 0054).
	Issacs discloses presenting a visual view of an entity’s information and visually adjusting a particular entity’s information (Para 0029, 0033).
	But Hawthorn and Issacs fail to specifically disclose a device profile.
However, Crowley discloses “wherein the particular selectable option is associated with access information related to user devices utilized to access the particular user account, and wherein the interactive user interface: presents a graphical depiction of one or more geographic regions from which the user devices were utilized, or presents a chart identifying respective measures of use associated with the user devices, the chart specifying a name associated with each user device and/or software information associated the user devices” (Crowley, Para 0069: discloses device profile i.e., user association with a device).
It would have been obvious to an ordinary person skilled in the art before the effective filing date of the claimed invention to employ the teachings of a device profile of Crowley to the system of Hawthorn and Issacs to create a system to utilize a device profile for user access and the ordinary person skilled in the art would have been motivated to combine to enhance the security of the system (Crowley, Para 0066).
	
	Regarding claim 8, in view of claim 1, Hawthorn discloses user profile generation and assessing a risk score (Para 173-176).

	But Hawthorn and Issacs fail to specifically disclose a user account transition to another user account with escalated user privilege.
	However, Crowley discloses “wherein the particular selectable option is associated with user chaining, and wherein the interactive user interface: presents information identifying transitions initiating from the particular user account to one or more subsequent user accounts, the information identifying whether each transition is associated with escalated user privileges” (Crowley, Para 0066).
It would have been obvious to an ordinary person skilled in the art before the effective filing date of the claimed invention to employ the teachings of a user account transition to another user account with escalated user privilege of Crowley to the system of Hawthorn and Issacs to create a system to detect account transition with escalated privileges and provide countermeasures and the ordinary person skilled in the art would have been motivated to combine to enhance the security of the system (Crowley, Para 0066).

Regarding claim 13, in view of claim 10, Hawthorn in view of Issacs and in further view of Crowley disclose “wherein the particular selectable option is associated with user profile information of the particular user account, and wherein the interactive user interface presents user access rights associated with the particular user account, the user access rights comprising information obtained from one or more access control lists or group membership information” (See rejection of claim 6). 

	Regarding claim 14, in view of claim 10, Hawthorn in view of Issacs and in further view of Crowley disclose “wherein the particular selectable option is associated with access information related to user devices utilized to access the particular user account, and wherein the interactive user interface: presents a graphical depiction of one or more geographic areas from which the user devices were utilized, or presents a chart identifying respective measures of use associated with the user devices, the chart specifying a name associated with each user device and/or software information associated the user devices” (See rejection of claim 7).   

Regarding claim 15, in view of claim 10, Hawthorn in view of Issacs and in further view of Crowley disclose “wherein the particular selectable option is associated with user chaining, and wherein the interactive user interface: presents information identifying transitions initiating from the particular user account to one or more subsequent user accounts, the information identifying whether each transition is associated with escalated user privileges” (See rejection of claim 8).   

Regarding claim 19, in view of claim 17, Hawthorn in view of Issacs and in further view of Crowley disclose “wherein the particular selectable option is associated with access information related to user devices utilized to access the particular user account, and wherein the interactive user interface: presents a graphical depiction of one or more geographic areas from which the user devices were utilized, or presents a chart identifying respective measures of use associated with the user devices, the chart specifying a name associated with each user device and/or software information associated the user devices” (See rejection of claim 7).   



Claims 9 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Hawthorn in view of Issacs and in further view of Higbee et al. (US 9,325,730/ or “Higbee” hereinafter) and Puri et al (US 9,367,809/ or “Puri” hereinafter).

Regarding claim 9, in view of claim 1, Hawthorn discloses collecting user network interaction data to determine risk associated with them and presenting the data on an interactive interface (Hawthorn: Abstract and Para 151-158).
Issacs discloses presenting a visual view of an entity’s information and visually adjusting a particular entity’s information (Para 0029, 0033).
But Hawthorn and Issacs fail to explicitly state the user activity/event as being a user account login activity; or presents a visual representation of a graph illustrating transitions between user activity/events and transitions from the subsequent user activities/events to additional activities/events, the graph comprising edges connecting nodes associated with the activity/event, the edges representing transitions.

It would have been obvious at the time of applicant's effective filing date to utilize the teachings of Higbee for prompting the user for a login to another user account in a phishing attack, which, when modifying the system of Hawthorn and Issacs would result in a staged phishing attack which prompts the user to login to another user account. One of ordinary skill in the art would be motivated to modify the system of Hawthorn and Issacs with Higbee in the manner proffered, in order to probe all user behavior weaknesses during phishing attacks such as prompting for account login to various other accounts.
The combination of Hawthorn, Issacs and Higbee fail to disclose presents a visual representation of a graph illustrating transitions between user activity/events and transitions from the subsequent user activities/events to additional activities/events, the graph comprising edges connecting nodes associated with the activity/event, the edges representing transitions. 
However, Puri, discloses presents a visual representation of a graph illustrating transitions between user activity/events and transitions from the subsequent user activities/events to additional activities/events, the graph comprising edges connecting nodes associated with the activity/event, the edges representing transitions (Puri: Figs 2‐5; abstract).
It would have been obvious at the time of applicant's effective filing date to utilize the teachings of Puri for representing user events and the transitions between them via a graph with probability weights to identify anomalies, which, when modifying Hawthorn/Issacs/Higbee would result in analyzing a user's behavioral response to a staged phishing attack prompting a 
One of ordinary skill in the art would be motivated to modify Hawthorn/Issacs/Higbee with Puri in the manner proffered, in order to use known techniques for displaying directed graphs with state transitions visually for easy human legible consumption.

Regarding claim 10, in view of claim 10, Hawthorn/Issacs/Higbee and Puri disclose “wherein the interactive user interface: presents a visual representation of a graph illustrating transitions from the particular user account to the subsequent user accounts, and transitions from the subsequent user accounts to additional subsequent user accounts, the graph comprising edges connecting nodes associated with user accounts, the edges representing transitions” (See rejection of claim 9).


Relevant Prior Arts
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
James Albert Ionson (US 2014/00709471) discloses:
“…predicting and detecting security breaches is provided which yields cognitive inputs to a security management interface accessible by a human operator. The system utilizes symbolic cognitive architectures and inference processing algebras allowing the system to respond to open, incomplete, and/or unknown problem domains, offering flexibility in the case of unexpected changes in the security environment” (Abstract).
Gill et al. (U.S. Patent No.: US 10,21,138 B2) discloses rapid risk identification and visualization (Col 16:45-56).
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABDULLAH ALMAMUN whose telephone number is (571) 270-3392.  The examiner can normally be reached on 8 AM - 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ABDULLAH ALMAMUN/Examiner, Art Unit 2431                                                                                                                                                                                                        
/SAMSON B LEMMA/Primary Examiner, Art Unit 2498