Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
The instant application having Application No. 16/383,335 is presented for examination by the examiner.  Claims 1, 14, and 22 are amended.  Claims 1-22 are pending.



Response to Arguments
Applicant’s arguments with respect to claim(s) 1, 14, and 22 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103

Claims 1-8, 11, 14-20 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over USP Application Publication 2016/0173509 to Ray et al hereinafter Ray in view of USP Application Publication 2020/0213341 to Wu et al., hereinafter Wu.


instrumenting a compute instance associated with the entity to report event vectors based on one or more events from one or more sensors associated with the compute instance (0067, 0080-0083 and 0160); 
receiving an event stream at the threat management facility, the event stream including a plurality of event vectors from the compute instance (0080 and 0108); 
calculating a risk score for the compute instance based on a distance between the entity model and one or more event vectors in the event stream (0100 and 0101); and 
selecting a remedial action for the compute instance when the risk score exceeds a threshold (0059 and 0102).

Ray is silent in explicitly teaching that the entity model is expressed as a multi-dimensional vector in the event vector space.  On the other hand, Wu teaches creating a model expressed as a multi-dimensional vector in the event vector space as a means to detect anomalies in computer data (0048-50 and 0061).  Wu also teaches that there are many different known algorithms for clustering in multi-dimensional space, with the idea that anomalies will be seen at greater distances from the normal events.  Ray 

As per claim 2, Ray teaches the threshold is algorithmically determined (0088-0090 and 0123).

As per claim 3, Ray teaches the threat management facility stores a plurality of entity models for a plurality of different entity types within the enterprise network (0064, 0079, and 0121).

As per claim 4, Ray teaches the event stream includes event vectors from a plurality of compute instances associated with the enterprise network (0059, 0079-0084).

As per claim 5, Ray teaches the event stream includes event vectors from two or more different entities associated with the compute instance (0059, 0079-0084). 
As per claim 6, Ray teaches code that performs the steps of monitoring the event stream and creating the entity model based on a baseline of event vectors for the entity in the event stream over an interval (0120-0125).

As per claim 8, Ray teaches instrumenting the compute instance includes configuring the compute instance to normalize at least one of the events from at least one of the sensors (0125-0128).
As per claim 11, Ray teaches instrumenting the compute instance includes prioritizing at least one of the events from at least one of the sensors (0075, 0092, and 0093).
As per claim 14, Ray teaches storing an entity model at a threat management facility for an enterprise network (Fig. 5, 522), the entity model characterizing expected events for an entity (0035 and 0106); instrumenting a compute instance in the enterprise network to detect one or more events and report a number of event vectors including the one or more events to the threat management facility (0067, 0080-0083 and 0160); receiving an event stream of the number of event vectors from the compute instance at the threat management facility (0080 and 0108); calculating a risk score for the compute instance based on a comparison of one or more of the number of event vectors in the event stream with the entity model for the entity (0100 and 0101); and selecting a remedial action for the compute instance based on the number of event vectors when the risk score for the entity exceeds a threshold (0059 and 0102).
Ray is silent in explicitly teaching that the score is based on a multi-dimensional vector space distance between the event vectors.  On the other hand, Wu teaches creating a model expressed as a multi-dimensional vector in the event vector space as 
As per claim 15, Ray teaches the threshold is algorithmically determined (0088-0090 and 0123).
As per claim 16, Ray teaches the threat management facility stores a plurality of entity models for a plurality of different entity types within the enterprise network (0064, 0079, and 0121).
As per claim 17, Ray teaches the event stream includes event vectors from a plurality of compute instances associated with the enterprise network (0059, 0079-0084).
As per claim 18, Ray teaches the event stream includes event vectors from two or more different entities associated with the compute instance (0059, 0079-0084). 
As per claim 19, Ray teaches the entity includes at least one of a domain controller, a physical device, a user, an operating system, and an application (0035 and 0106).


As per claim 22, Ray teaches a compute instance in an enterprise network, the compute instance configured to detect one or more events associated with the compute instance and report an event vector including the one or more events to a remote resource (0067, 0080-0083 and 0160); and a threat management facility, the threat management facility including a memory storing an entity model characterizing expected events for an entity [522], and the threat management facility (0067, 0080-0083 and 0160) configured to receive an event stream including the event vector (0080 and 0108), to calculate a risk score for the compute instance based on a comparison of the event vector with the entity model (0100 and 0101), and to select a remedial action for the compute instance based on the event vector when the risk score for the entity exceeds a threshold (0059 and 0102).
Ray is silent in explicitly teaching that the score is based on a multi-dimensional vector space distance between the event vectors.  On the other hand, Wu teaches creating a model expressed as a multi-dimensional vector in the event vector space as a means to detect anomalies in computer data (0048-50 and 0061).  Wu also teaches that there are many different known algorithms for clustering in multi-dimensional space, with the idea that anomalies will be seen at greater distances from the normal events.  Ray already teaches that the threat management system can learn about threats in one dimension and apply that knowledge in another dimension (0035).  The use of a multi-dimensional vector in the event vector space, as in Wu, is one obvious way to organize this.


Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Ray and Wu as applied to claim 14 and in view of USP Application Publication 2019/0068627 to Thampy.
As per claim 21, Ray and Wu are silent in explicitly teaching calculating the risk score includes evaluating a distance between one of the number of event vectors and the entity model using a k-nearest neighbor algorithm.  Thampy teaches evaluating a distance between one of the number of event vectors and the entity model using a k-nearest neighbor algorithm to find suspicious activities in the network (0270). Ray also looks for unusual activities by using a model.  The use of a k-nearest neighbor algorithm is known for modeling.  The system of Ray and Wu could have used this algorithm to detect drift from normal behavior.  The claim is obvious because one of ordinary skill in the art can substitute known methods which do not produce unpredictable results.   Substituting one modeling algorithm for another does not produce unpredictable results.

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Ray and Wu as applied to claim 1 and further in view of USP Application Publication  2015/0373043 to Wang et al hereinafter Wang.
As per claim 9, Ray and Wu are silent in explicitly teaching instrumenting the compute instance includes configuring the compute instance to tokenize at least one of .

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Ray and Wu as applied to claim 1 and further in view of USP Application Publication  2017/0085539 to Wishard.
As per claim 10, Ray and Wu are silent in explicitly teaching instrumenting the compute instance includes configuring the compute instance to encrypt at least one of the events from at least one of the sensors.  On the other hand, the sensor reports of Wishard are encrypted because they are sent to the management node (0010).  Encryption simply offers more security and prevents unauthorized access to the network's events.  Only the management facility of Ray need have access to the data in order to formulate its models.  The claim is obvious because one of ordinary skill in the art can combine known methods which do not produce unpredictable results.  Encrypting the data for safety does not yield any unpredictable result.

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Ray and Wu as applied to claim 1 and further in view of USP 8,769,676 to Kashyap.

As per claim 12, Ray and Wu are silent in explicitly teaching the distance is at least one of a Mahalanobis distance, a Euclidean distance, and a Minkowski distance.  Kashyap teaches the distance is at least one of a Mahalanobis distance, a Euclidean distance, and a Minkowski distance (col. 7, lines 31).  Ray also looks for unusual activities by using a model.  The system of Ray and Wu could have used this distance measure to detect drift from normal behavior.  The claim is obvious because one of ordinary skill in the art can substitute known methods which do not produce unpredictable results.  Substituting one modeling algorithm for another does not produce unpredictable results.


Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Ray and Wu as applied to claim 1 and further in view of USP Application Publication 2019/0068627 to Thampy.
As per claim 13, Ray and Wu are silent in explicitly teaching calculating the risk score includes evaluating a distance between one of the number of event vectors and the entity model using a k-nearest neighbor algorithm.  Thampy teaches evaluating a distance between one of the number of event vectors and the entity model using a k-nearest neighbor algorithm to find suspicious activities in the network (0270). Ray also looks for unusual activities by using a model.  The use of a k-nearest neighbor algorithm is known for modeling.  The system of Ray and Wu could have used this algorithm to .
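The claimed technique, as the rejections describe it, is a threat management facility holding an entity model built from a baseline of event vectors, scoring each incoming event vector by its distance from that model, and selecting a remedial action when the score exceeds a threshold (claims 1, 14 and 22), with the distance being Mahalanobis, Euclidean or Minkowski (claim 12) or evaluated with a k-nearest-neighbor algorithm (claims 13 and 21). The following is an added worked example written for this page; it is not code from the application, Ray, Wu, Kashyap or Thampy. The baseline event vectors, the four feature dimensions and the remedial action name are constructed for illustration, and the small ridge term added to the covariance diagonal is an assumption made here so the Mahalanobis distance stays defined when a baseline is short or its features are correlated.

```python
"""Distance-based risk scoring of event vectors against an entity model (added example)."""
import math
from dataclasses import dataclass
from typing import List, Optional, Sequence

Vector = Sequence[float]
Matrix = List[List[float]]

# Constructed baseline for one entity over an interval. Each event vector is
# (logins per hour, MB sent, distinct destinations, failed authentications).
BASELINE: List[Vector] = [
    (5, 12.0, 3, 0), (6, 10.5, 4, 1), (4, 11.0, 3, 0), (7, 13.5, 5, 1),
    (5, 12.5, 4, 0), (6, 11.5, 3, 1), (5, 10.0, 4, 0), (6, 12.0, 5, 1),
]


def euclidean(a: Vector, b: Vector) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def minkowski(a: Vector, b: Vector, p: float = 3.0) -> float:
    # p=1 gives the Manhattan distance, p=2 the Euclidean distance.
    return sum(abs(x - y) ** p for x, y in zip(a, b)) ** (1.0 / p)


def invert(m: Matrix) -> Matrix:
    """Gauss-Jordan inverse with partial pivoting; raises on a singular matrix."""
    n = len(m)
    a = [list(row) + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        if abs(a[pivot][col]) < 1e-12:
            raise ValueError("covariance matrix is singular")
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        a[col] = [v / p for v in a[col]]
        for r in range(n):
            if r != col and a[r][col] != 0.0:
                f = a[r][col]
                a[r] = [rv - f * cv for rv, cv in zip(a[r], a[col])]
    return [row[n:] for row in a]


def mean_vector(vs: Sequence[Vector]) -> List[float]:
    return [sum(col) / len(vs) for col in zip(*vs)]


def covariance(vs: Sequence[Vector], mu: Vector, ridge: float = 1e-6) -> Matrix:
    """Sample covariance; `ridge` (assumed here) keeps the matrix invertible."""
    n, d = len(vs), len(mu)
    cov = [[0.0] * d for _ in range(d)]
    for v in vs:
        diff = [x - m for x, m in zip(v, mu)]
        for i in range(d):
            for j in range(d):
                cov[i][j] += diff[i] * diff[j] / (n - 1)
    for i in range(d):
        cov[i][i] += ridge
    return cov


@dataclass
class EntityModel:
    """The entity model: baseline vectors plus their mean and inverse covariance."""
    baseline: List[Vector]
    mu: List[float]
    cov_inv: Matrix

    @classmethod
    def fit(cls, baseline: Sequence[Vector]) -> "EntityModel":
        mu = mean_vector(baseline)
        return cls(list(baseline), mu, invert(covariance(baseline, mu)))


def mahalanobis(x: Vector, model: EntityModel) -> float:
    d = [xi - mi for xi, mi in zip(x, model.mu)]
    q = sum(d[i] * model.cov_inv[i][j] * d[j] for i in range(len(d)) for j in range(len(d)))
    return math.sqrt(max(q, 0.0))


def knn_distance(x: Vector, model: EntityModel, k: int = 3) -> float:
    """Mean Euclidean distance from x to its k nearest baseline vectors."""
    dists = sorted(euclidean(x, b) for b in model.baseline)
    return sum(dists[:k]) / k


def risk_score(x: Vector, model: EntityModel, metric: str = "mahalanobis") -> float:
    if metric == "mahalanobis":
        return mahalanobis(x, model)
    if metric == "euclidean":
        return euclidean(x, model.mu)
    if metric == "minkowski":
        return minkowski(x, model.mu)
    if metric == "knn":
        return knn_distance(x, model)
    raise ValueError(f"unknown metric {metric!r}")


def select_remedial_action(score: float, threshold: float) -> Optional[str]:
    # Action name is a constructed placeholder for whatever the facility would do.
    return "isolate_and_alert" if score > threshold else None


if __name__ == "__main__":
    model = EntityModel.fit(BASELINE)
    for event in [(5, 12.0, 4, 0), (60, 900.0, 120, 40)]:
        for metric in ("euclidean", "minkowski", "mahalanobis", "knn"):
            s = risk_score(event, model, metric)
            print(f"{event} {metric:<12} score={s:10.3f} action={select_remedial_action(s, 5.0)}")
```

The Mahalanobis score rescales each deviation by the baseline's own spread, so a feature that normally varies widely (bytes sent) does not dominate a feature that is normally nearly constant (failed authentications) the way it would under the raw Euclidean distance; the threshold in `select_remedial_action` is therefore metric-specific and should be calibrated on the same baseline the model was fitted on.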

Conclusion
The following is a statement of reasons for the indication of allowable subject matter:  newly found prior art related to distance based clustering modeling has been included.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL R. VAUGHAN whose telephone number is (571)270-7316.  The examiner can normally be reached on Monday - Thursday, 7:30am - 5:00pm, EST. If attempts to reach the examiner by telephone are unsuccessful, the 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL R VAUGHAN/
Primary Examiner, Art Unit 2431