DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-20 are presented for examination.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 10/30/2019. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Kleiner (US pub, 2020/0034266) in view of Kirti (US, pub, 20180375886).
Referring to claim 1 & 17 Kleiner teaches a method for detecting usage anomalies in a multi-tenant cloud environment, the method comprising:
obtaining activity data from a service provider system (Fig. 1, [029], Storage system 100 obtains activity data read from storage system 108 (e.g. user data)), wherein the activity data describes actions performed during use of a cloud service ([032], cloud storage), wherein the actions are performed by one or more users associated with a tenant ([064], GUI 1408 is used for performing actions by one or more users), 
Kleiner teaches an invention that collects application level performance data and track performance of storage system ([040], [042]) but expressly lacks service provider system provides the tenant with a tenant account, and wherein the tenant account enables the one or more users to access the cloud service.
However, Kirti, an analogous art that teaches monitoring user and detecting anomalous activities in computing environment. Furthermore, Kirti teaches wherein the service provider system provides the tenant with a tenant account, and wherein the tenant account enables the one or more users to access the cloud service (see paragraph [008], actions can be performed by one or more users associated with a tenant, where the service provider system provides the tenant with a tenant account. The tenant account enables the one or more users to access the cloud service);
determining, from the activity data, actions performed by a particular user (see paragraph [008], determining, using the activity data, one or more risk scores for the one or more users); and
generating, using the actions, a directed graph, wherein each node in the directed graph represents an action performed by the particular user [196], Fig.5, generating a directed graph based on action performed by particular user, i.e. general user or privilege user), and wherein each connection between two nodes represents a sequence in performance of actions represented by the two nodes (see paragraphs [197]-[200], sequence between nodes of the graph represent performance of actions represented by two nodes).
It would have been obvious to an ordinary person skilled in the art at the time invention was made to modify Kleiner’s storage system to include cloud security management & control system as taught by Kirti, conducting network threat analysis for tenants of a cloud service provider detecting anomalous characteristics in the spatial data and predicting threat in order to optimally provide multiple different cost-effective services in a multi-tenant cloud enabled system increasing overall productivity 
Referring to claim 2, Kirti teaches the method of claim 1, further comprising: determining that an event in the activity data conflicts with a security control associated with the cloud service ([139], anomaly detection associated with a cloud security system);
determining that the event corresponds an event captured in the directed graph (see paragraph [067], event activity obtained by service provider); and
generating a recommendation that the security control be modified ([110], see security policy).
Referring to claim 3, Kirti teaches the method of claim 1, further comprising: determining that an event in the activity data violates a security policy (see paragraph [079], policy can define an action or set of actions that, when detected, constitute a security violation; 
determining that the event corresponds to an event captured in the directed graph (see paragraph [067], event activity obtained by service provider); and
generating a recommendation to modify the security policy (see paragraphs [117], [171], [172] recommended action is presented).
Referring to claim 4, Kirti teaches the method of claim 1, further comprising: obtaining additional activity data from the service provider system (see paragraph [077], the mapping generator 170 can obtain (additional) data from the interface 120 to perform security analysis); mapping actions performed by the particular user to the directed graph (see paragraph [092]);
determining, from the mapping, that the particular user performed actions that do not correspond to the graph (see paragraph [148], [148]); and
generating an alert that an anomaly has been detected (see paragraph [122], generating alerts when events or activities associated with the user's account or accounts deviate from the norm [119]).
Referring to claim 5, Kirti teaches the method of claim 1, wherein weights assigned to each node indicate a number of times the corresponding actions represented by the nodes were performed (see paragraph [143])
Referring to claim 6, Kirti teaches the method of claim 1, wherein a weight assigned to each connection between two nodes indicates a number of times a first action represented by a first node from the two nodes preceded a second action represented by a second node from the two nodes (see paragraph [209] - [210]).
Referring to claim 7, Kirti teaches the method of claim 1, wherein each node is associated with a set of contextual parameters that are associated with the action represented by the node ([184], contextual parameters).
Referring to claim 8, Kirti teaches the method of claim 1, further comprising: receiving input including a request to register the cloud service with the security management system (see paragraph [187], request for registering for a service).
Referring to claim 9, Kirti teaches the method of claim 8, further comprising: configuring a pre-determined set of security controls for the cloud service (see paragraph [093]).
Referring to claim 10, Kirti teaches the method of claim 9, further comprising: using the directed graph to adjust the set of security controls (see paragraph [059], security management and control system 102 can change security settings for a service provided by the service provider 110).
Referring to claim 11, Kirti teaches the method of claim 8, further comprising: configuring a pre-determined set of security policies for the tenant (see paragraphs [060], [92], 103]).
Referring to claim 12, Kirti teaches the method of claim 11, further comprising: using the directed graph to adjust the set of security policies (see paragraphs [163], security management and control system uses analytics engine to adjust policies).
Referring to claim 13, Kleiner teaches a system comprising: one or more processors; and one or more memory devices comprising instructions that, when executed by the one or more processors (paragraph [024], processor, item 105) cause the one or more processors to perform operations comprising:
user data)), wherein the activity data describes actions performed during use of a cloud service ([032], cloud storage), wherein the actions are performed by one or more users associated with a tenant ([064], GUI 1408 is used for performing actions by one or more users), 
Kleiner teaches an invention that collects application level performance data and track performance of storage system ([040], [042]) but expressly lacks service provider system provides the tenant with a tenant account, and wherein the tenant account enables the one or more users to access the cloud service.
However, Kirti, an analogous art that teaches monitoring user and detecting anomalous activities in computing environment. Furthermore, Kirti teaches wherein the service provider system provides the tenant with a tenant account, and wherein the tenant account enables the one or more users to access the cloud service; (see paragraph [008], actions can be performed by one or more users associated with a tenant, where the service provider system provides the tenant with a tenant account. The tenant account enables the one or more users to access the cloud service);

determining, from the activity data, actions performed by a particular user (see paragraph [008], determining, using the activity data, one or more risk scores for the one or more users); and
generating, using the actions, a directed graph, wherein each node in the directed graph represents an action performed by the particular user (see paragraph [196], Fig.5, generating a directed graph based on action performed by particular user, i.e. general user or privilege user), and wherein each connection between two nodes represents a sequence in performance of actions represented by the two nodes (see paragraphs [197]-[200], sequence between nodes of the graph represent performance of actions represented by two nodes).
It would have been obvious to an ordinary person skilled in the art at the time invention was made to modify Kleiner’s storage system to include cloud security management & control system as taught by Kirti, conducting network threat analysis for tenants of a cloud service provider detecting anomalous characteristics in the spatial data and predicting threat in order to optimally provide multiple different cost-effective services in a multi-tenant cloud enabled system increasing overall productivity. 
Referring to claim 14, Kirti teaches the system of claim 13, wherein weights assigned to each node indicate a number of times the corresponding actions represented by the nodes were performed (see paragraph [143]).
Referring to claim 15, Kirti teaches the system of claim 13, wherein a weight assigned to each connection between two nodes indicates a number of times a first action represented by a first node from the two nodes preceded a second action represented by a second node from the two nodes (see paragraph [209] - [210]).
Referring to claim 16, Kirti teaches the system of claim 13, wherein each node is associated with a set of contextual parameters that are associated with the action represented by the node ([184], contextual parameters).
Referring to claim 18, Kirti teaches the non-transitory computer-readable medium of claim 17, wherein weights assigned to each node indicate a number of times the corresponding actions represented by the nodes were performed (see paragraph [143]).
Referring to claim 19, Kirti teaches the non-transitory computer-readable medium of claim 17, wherein a weight assigned to each connection between two nodes indicates a number of times a first action represented by a first node from the two nodes preceded a second action represented by a second node from the two nodes (see paragraph [209] - [210]).
Referring to claim 20, Kirti teaches the non-transitory computer-readable medium of claim 17, wherein each node is associated with a set of contextual parameters that are associated with the action represented by the node ([184], contextual parameters).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The examiner also requests, when responding to this office action, support be shown for language added to any original claims on amendment and any new claims. That is, indicate support for newly added claim language by specifically pointing to page(s) and line no(s) in the specification and/or drawing figure(s). This will assist the examiner in prosecuting the application. Applicant is advised to clearly point out the patentable novelty which he or she thinks the claims present, in view of the state of the art disclosed by the references cited or the objections made. He or she must also show how the amendments avoid such references or objections See 37 CFR 1.111 (c).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFTAB N. KHAN whose telephone number is (571)270-5172.  The examiner can normally be reached on Monday-Friday 8AM-5PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Glenton Burgess can be reached on 571-272-3949.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/AFTAB N. KHAN/
Primary Examiner, Art Unit 2454