DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Amendments
	This office action responds to the AFCP amendments filed on May 5, 2021 for application 16/254,520.  Claim 1 was amended via the AFCP filing, and claims 1 and 13 were further amended via an Examiner’s Amendment presented below.  Claims 1-26 remain pending in the application.
Response to Arguments
	The Applicant’s arguments filed on May 5, 2021 have been fully considered, and the following provides a summary of the points discussed during the AFCP interview of May 26, 2021 (see the attached interview summary).
	Regarding the Applicant’s response at pages 10-14 of the Remarks that concerns the rejection § 102 rejection of independent claim 1, the Applicant's arguments in conjunction with the claim amendment are persuasive, and the § 102 rejection is withdrawn.  The Examiner’s Amendment presented below for claim 1 cures an antecedent basis issue.  The Examiner’s Amendment presented below for claim 13 allows claim 13 to be allowable for the same reason as stated in Applicant’s arguments that relate to claim 1.  The arguments presented in the Remarks for dependent claims 2-12 and 14-26 are rendered moot by the amendments to independent claims 1 and 13.  The non-statutory double patenting rejection is withdrawn based upon the filing of a terminal disclaimer on May 27, 2021.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was discussed in an interview with Daniel Lee (Reg. No. 71,309) on May 26, 2021, and the final authorization was provided via voicemail on May 27, 2021.
The application has been amended as follows:
1. 	(Currently Amended) A non-transitory computer-readable storage medium having instructions which, when executed by one or more processors of a computer, cause the computer to implement a suspicious access detection module to perform operations to detect suspicious access requests seeking access to different ones of a plurality of data objects, the plurality of data objects being organized within a plurality of resource groups, the operations comprising: 
determining, based on a first access data describing a plurality of access 
requests sent on behalf of a plurality of users, the following: 
a first set of one or more accessed resource groups, for each respective 
one of the plurality of users, that identifies those of the plurality of resource groups that include those of the data objects to which access is sought by the access requests sent on behalf of the respective one of the users, 

first sets of accessed resource groups of the plurality of users, 
a second set of resource groups, for each respective one of the plurality of 
user groups, that identifies those of the plurality of resource groups in the first sets of accessed resource groups determined for the respective ones of the users in the respective one of the user groups, and 
for each of the plurality of user groups, which of the others of the plurality 
of user groups are considered nearby that user group based on a level of commonality between the second sets of resource groups determined for the respective ones of the user groups; 
determining, based on a second access data describing at least a first access 
request, that the first access request is suspicious, wherein the first access request seeks access to a first data object of the plurality of data objects and was issued on behalf of a first user of the plurality of users, wherein the first user is determined to belong to a first user group of the plurality of user groups, wherein the determining that the first access request is suspicious includes determining that the first data object is included in a first resource group of the plurality of resource groups and that the 2/16first resource group is not within the respective second sets of resource groups determined for the first user group and those of [[the]] other user groups determined to be nearby the first user group; and 
causing an alert to be generated responsive to the first access request being 

13. 	(Currently Amended) A non-transitory computer-readable storage medium having instructions which, when executed by one or more processors of a computer, cause the computer to implement a suspicious access detection module to perform operations to detect suspicious access requests that identify different ones of a plurality of database tables, the plurality of database tables being organized within a plurality of databases, the operations comprising: 
determining, based on a first access data describing a plurality of access 
requests sent on behalf of a plurality of users, the following: 
5/16a first set of one or more accessed databases, for each respective one of 
the plurality of users, that identifies those of the plurality of databases that include those of the database tables that were identified by those of the access requests sent on behalf of the respective one of the users, 
a plurality of user groups determined based on similarities between the 
first sets of accessed databases of the plurality of users, 
a second set of databases, for each respective one of the plurality of user 
groups, that identifies those of the plurality of databases in the first sets of accessed databases determined for the respective ones of the users in the respective one of the user groups, and 
for each of the plurality of user groups, which of the others of the plurality 

determining, based on a second access data describing at least a first access 
request, that the first access request is suspicious, wherein the first access request identifies a first database table of the plurality of database tables and was issued on behalf of a first user of the plurality of users, wherein the first user is determined to belong to a first user group of the plurality of user groups, wherein the determining that the first access request is suspicious includes determining that the first database table is included in a first database of the plurality of databases and that the first database is not within the respective second sets of databases determined for the first user group and those of [[the]] other user groups determined to be nearby the first user group; and 
causing an alert to be generated responsive to the first access request being 
determined to be suspicious.
Allowable Subject Matter
Claims 1-26 are allowed.
The following is the Examiner’s statement of reasons for allowance.  The closest prior art references identified by the Examiner are “Sawhney” (US 9,106,687), “Hartman” (US 7,690,037), “Kolishchak” (US 2012/0210388), “Koottayi” (US 2018/0288063), and “Christian” (US 10,887,330).  Sawhney discloses a method and system for profiling access requests made by users within user groups to files within Hartman discloses a method for detecting anomalous activities by employing clusters that possess a filtering threshold that specifies a time-based value or frequency in which clusters can be examined.  Kolishchak discloses a method and system for preventing or detecting data leakage that can involve automated users, processes, and/or applications.  Koottayi discloses a process for generating behavior models for a user and determining whether an access request of a user to a target system is anomalous based on one or more of the behavior models.  Christian discloses the use of clustering within a data exfiltration system.  
What is missing from the prior art is a memory device with the following characteristics.  The memory device possesses instructions which, when executed by one or more processors of a computer, cause the computer to implement a suspicious access detection module to perform operations to detect suspicious access requests that seek access to different ones of a plurality of data objects that are organized within a plurality of resource groups.  The operations comprise determining, based on a first access data describing a plurality of access requests sent on behalf of a plurality of users, the following: 1) a first set of one or more accessed resource groups, for each respective one of the plurality of users, that identifies those of the plurality of resource groups that include those of the data objects to which access is sought by the access requests sent on behalf of the respective one of the users, 2) a plurality of user groups determined based on similarities between the first sets of accessed resource groups of the plurality of users, 3) a second set of resource groups, for each respective one of the 
Accordingly, the prior art of record, when taken individually or in combination, fails to teach or suggest the subject matter recited in claims 1 and 13.  Therefore, claims 1 and 13 are deemed allowable over the prior art of record.  The dependent claims that further limit claims 1 and 13 are allowable by virtue of their dependency.

Conclusion	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to D'ARCY WINSTON STRAUB whose telephone number is (303)297-4405.  The examiner can normally be reached on Monday-Friday 9:00-5:00 Mountain Time.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ASHOKKUMAR B PATEL can be reached on (571)272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private 



/D'Arcy Winston Straub/Examiner, Art Unit 2491                                                                                                                                                                                                        
/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491