DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted 2/28/2019 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Objections
Claim 4 is objected to because of the following informalities:
Claim 4 should recite: “during a particular time period”.
Appropriate correction is required.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-16 are rejected under 35 U.S.C. 102(a)(1) and/or 102(a)(2) as being anticipated by Koottayi et al. (hereinafter, “Koottayi”), US 2018/0288063.
As per claim 1: Koottayi discloses: A method comprising: receiving, at a security computer system, a particular access indication of a particular access attempt to an electronic resource by a particular user (a resource may be requested and accessed by an application of a user, wherein the data from the access request is collected [Koottayi, ¶146]); responsive to the particular access indication, the security computer system accessing: a user behavior model based on previously-received indications of previous access attempts by a plurality of users for a plurality of electronic resources (one or more behavior models are selected for the user [Koottayi, ¶146]; the behavior models are generated from analyzing parameters of historical access request associated with a user or group of users [Koottayi, ¶¶113-115]), and a system access model based on access records and system characteristic data for one or more particular electronic resources (one or more models stored for the user are selected [Koottayi, ; processing, by the security computer system, the particular access indication through the user behavior model and the system access model (the collected data from the access request is analyzed against the selected behavior models [Koottayi, ¶147]); based on results of the processing, identifying, by the security computer system, one or more access anomalies related to the electronic resource (an overall deviation of the collected data from the models is used to determine whether the access request is anomalous [Koottayi, ¶147]); and based on identifying the one or more access anomalies, the security system using a mitigation model to implement one or more mitigation actions responsive to the one or more access anomalies (enforcement policies that manage anomalous access requests are dynamically generated through a machine learning component that modifies said policies with updated data [Koottayi, ¶¶75, 137-139]).

As per claim 2: Koottayi discloses all limitations of claim 1. Furthermore, Koottayi discloses: wherein the previously-received indications of previous access attempts include, for ones of the plurality of users (collecting data from a plurality of access requests over a period of time [Koottayi, ¶143]): a user identifier corresponding to a user account associated with the access attempt (user identity [Koottayi, ¶143]), a user level of access identifier associated with the user account, (user attributes and resource attributes, session information including access information [Koottayi, ¶143]) a device identifier corresponding to a particular device used to attempt access (IP address/hostname [Koottayi, ¶143]), a time period associated with the access attempt (timestamps [Koottayi, ¶143]), an access location associated with the access attempt (GPS location [Koottayi, ¶143]), and a result of the access attempt (server context, such as authorized, deny, etc. [Koottayi, ¶143]); wherein the user behavior model includes expected user access profiles for ones of the plurality of users based on the previously-received indications of access attempts (a behavior model is generated by classifying incoming real-time data and historical data of access requests associated with a user into one or more data clusters that depict typical context of access requests from that user [Koottayi, ¶145]); and wherein identifying one or more access anomalies is based on a comparison between the particular access indication to the expected user access profiles (using the behavior model(s) to determine how much deviation is present between the cluster and the data of an access request in question [Koottayi, ¶147]).

As per claim 3: Koottayi discloses all limitations of claim 1. Furthermore, Koottayi discloses: wherein the electronic resource includes a plurality of components (a resource is provided by a target system and may be various types including a file, web content, a computing resource, networked files, directory information, databases, or the like [Koottayi, ¶70]) and the access records include for particular ones of the plurality of components (data of the access requests are collected over a period of time [Koottayi, ¶143]): one or more indications of when a particular component was previously accessed (last access time [Koottayi, ¶143]), one or more indications of particular user accounts used to access the particular component one or more indications of access locations associated with previous access attempts (user and client context of the access request, such as user identity and GPS ; wherein the system access model includes expected system access profiles for ones of the plurality of components based on the access records (the collected data from the plurality of access requests are used to generate one or more behavior models associated with the user [Koottayi, ¶145]); and wherein identifying one or more access anomalies is based on a comparison between the particular access indication to the expected system access profiles (the behavior models are used to determine a deviation from baseline data [Koottayi, ¶145]).

As per claim 4: Koottayi discloses all limitations of claim 1. Furthermore, Koottayi discloses: wherein the user behavior model indicates that a particular user account associated with a particular user is expected to be used to access the electronic resource from a particular location during ad particular time period (a behavior model of a particular user generates one or more data clusters, which is used to determine how much a particular access request deviates from said clusters [Koottayi, ¶117]; the data clusters are a representation of data of past access requests by said user, wherein the data clusters are generated from machine learning techniques on data of access requests collected over a period of time; the collected data includes various information, including GPS location of a client, user identity, and timestamps [Koottayi, ¶¶143, 145]; thus, a deviation from the data clusters (e.g. historical data) would represent a deviation from “expected” context of a typical access request); wherein the system access model indicates that the particular user account is expected to be used to access particular components of the electronic resource (data of the access requests include resource context (e.g. resource URL, application domain, etc.) and corresponding user/client ; and where identifying one or more access anomalies includes: identifying a first anomaly when the particular user account is used to access the electronic resource at a different location than the particular location; and identifying a second anomaly when the particular user account is used to access different components of the electronic resource than the particular components (one or more behavior models based on the access request parameters disclosed in [Koottayi, ¶143] is used to determine deviations (e.g. “first/second anomaly”) from the data clusters generated from said behavior models [Koottayi, ¶147]).

As per claim 5: Koottayi discloses all limitations of claim 1. Furthermore, Koottayi discloses: wherein the one or more mitigation actions include one or more of granting partial access to the electronic resource, denying access to the electronic resource, requiring additional verification from the particular user, or transmitting an alert to an entity other than the particular user (when an anomaly is detected, a policy to block the user is instituted; the session can be maintained or dropped; the user may be challenged and validated [Koottayi, ¶110]; requesting second factor authorization/authentication; reporting alerts [Koottayi, ¶141]).

As per claim 6: Koottayi discloses all limitations of claim 1. Furthermore, Koottayi discloses: further comprising: subsequent to implementing the one or more mitigation actions, evaluating one or more results of the one or more mitigation actions; and based on results of the evaluating, updating the mitigation model (updating policies in real-time based 

As per claim 7: Koottayi discloses all limitations of claim 6. Furthermore, Koottayi discloses: wherein evaluating the one or more results of the one or more mitigation actions and updating the mitigation model is performed automatically by the security computer system without human intervention (updating the behavior models and policies in real-time [Koottayi, ¶95]).

As per claim 8: Koottayi discloses all limitations of claim 1. Furthermore, Koottayi discloses: wherein the user behavior model and system access model were created using one or more machine learning algorithms (generating the one or more behavior models using supervised or unsupervised machine learning techniques [Koottayi, ¶145]), and further comprising: updating at least one of the user behavior model or the system access model based on additional access attempt data for one or more of the plurality of electronic resources (updating the behavior models in real-time based on historical and real-time data [Koottayi, ¶95]).

As per claim 9: Koottayi discloses all limitations of claim 1. Furthermore, Koottayi discloses: wherein the security computer system comprises one or more computing devices of an entity, wherein the electronic resource is a resource connected to an intranet of the entity, and wherein the particular user is an employee or contractor of the entity (the resources 125 

As per claim 10: Claim 10 is different in overall scope from claim 1 but recites substantially similar subject matter as claim 1. Claim 10 is directed to a non-transitory, computer-readable medium storing instructions corresponding to the method of claim 1. Thus, the response provided above for claim 1 is equally applicable to claim 10.

As per claim 11: Koottayi discloses all limitations of claim 10. Furthermore, Koottayi discloses: wherein the operations further comprise: electronically receiving human feedback regarding a result of the implemented one or more mitigation actions, wherein the human feedback is not from the particular user (an administrator initially creates a default policy, or policies, in which machine learning aspects of threat detection/alerts are observed for some time; those alerts may be verified by the administrator (i.e. “human feedback”) to ensure the machine learning is not creating a high number of false positives [Koottayi, ¶94]); and updating the mitigation model based on the human feedback to make the mitigation model more likely or less likely to select the one or more mitigation actions for a future access attempt to the electronic resource that shares characteristics with the particular access attempt (the policies are dynamically created using machine learning capabilities and may be adjusted by the administrator [Koottayi, ¶¶93-94]).
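The two-model flow the examiner maps across claims 1-5 (a user behavior model, a system access model, anomaly identification and a mitigation model selecting one of the claim 5 actions), together with the feedback-driven update of the mitigation model in claims 6, 7 and 11, as an added Python illustration that is not code from the application, from Koottayi or from this Office action; the field names, time buckets and sample records are constructed.

```python
"""Illustrative two-model access anomaly check: a user behavior model (where
and when an account normally authenticates), a system access model (which
accounts normally touch each component) and a re-tunable mitigation model.
Field names, time buckets and the sample history below are constructed."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRecord:
    # Fields from claim 2 (access level and device id omitted) plus the component of claim 3.
    user: str        # user account
    hour: int        # hour of the attempt, 0-23
    location: str    # access location
    component: str   # part of the electronic resource touched
    result: str      # "allow" or "deny"

def time_period(hour):
    """Coarse time period the user behavior model keys on (constructed bucketing)."""
    return "business" if 8 <= hour < 19 else "off-hours"

def build_user_behavior_model(history):
    """Expected (location, time period) pairs per account, from allowed attempts."""
    model = defaultdict(set)
    for r in history:
        if r.result == "allow":
            model[r.user].add((r.location, time_period(r.hour)))
    return model

def build_system_access_model(history):
    """Expected accounts per component, from allowed attempts."""
    model = defaultdict(set)
    for r in history:
        if r.result == "allow":
            model[r.component].add(r.user)
    return model

def identify_anomalies(attempt, user_model, system_model):
    """Run one attempt through both models and return the anomaly labels raised."""
    anomalies = []
    expected = user_model.get(attempt.user, set())
    if attempt.location not in {loc for loc, _ in expected}:
        anomalies.append("unexpected_location")    # the "first anomaly" of claim 4
    elif (attempt.location, time_period(attempt.hour)) not in expected:
        anomalies.append("unexpected_time_period")
    if attempt.user not in system_model.get(attempt.component, set()):
        anomalies.append("unexpected_component")   # the "second anomaly" of claim 4
    return anomalies

# Mitigation model: anomaly count -> position on an ordered scale of the
# action types listed in claim 5. Kept as a mutable table so feedback can re-tune it.
ACTIONS = ["grant", "require_additional_verification",
           "grant_partial_and_alert", "deny_and_alert"]
DEFAULT_MODEL = {0: 0, 1: 1, 2: 2, 3: 3}

def select_mitigation(anomalies, model):
    return ACTIONS[model[min(len(anomalies), 3)]]

def update_mitigation_model(model, anomaly_count, false_positive):
    """Claims 6/11: feedback on a past action (e.g. an administrator marking it a
    false positive) moves the model one step toward a milder or stricter action."""
    step = -1 if false_positive else 1
    model[anomaly_count] = max(0, min(len(ACTIONS) - 1, model[anomaly_count] + step))
    return model

# Constructed history, including one denied attempt the models must not learn from.
HISTORY = [
    AccessRecord("alice", 9, "office-NYC", "payroll_db", "allow"),
    AccessRecord("alice", 14, "office-NYC", "hr_portal", "allow"),
    AccessRecord("bob", 10, "office-LON", "hr_portal", "allow"),
    AccessRecord("bob", 11, "office-LON", "payroll_db", "deny"),
]

def assess(attempt, history=HISTORY, model=DEFAULT_MODEL):
    um = build_user_behavior_model(history)
    sm = build_system_access_model(history)
    anomalies = identify_anomalies(attempt, um, sm)
    return anomalies, select_mitigation(anomalies, model)
```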

As per claim 12: Koottayi discloses all limitations of claim 10. Furthermore, Koottayi discloses: wherein the operations further comprise excluding data for a plurality of access attempts to an identified electronic resource when building at least one of the user behavior model or the system access model (a set of parameters associated with the data from the plurality of access requests is identified/defined to be monitored; a subset of said parameters may be monitored and provided to the behavior analytics engine to generate one or more behavior models [Koottayi, ¶¶144-145]).

As per claim 13: Claim 13 incorporates all limitations of claim 10 and is a non-transitory, computer-readable medium storing instructions corresponding to the method of claim 3. Therefore, the arguments set forth above with respect to claims 3 and 10 are equally applicable to claim 13 and rejected for the same reasons.

As per claim 14: Claim 14 incorporates all limitations of claim 10 and is a non-transitory, computer-readable medium storing instructions corresponding to the method of claim 5. Therefore, the arguments set forth above with respect to claims 5 and 10 are equally applicable to claim 14 and rejected for the same reasons.

As per claim 15: Koottayi discloses all limitations of claim 10. Furthermore, Koottayi discloses: wherein the electronic resource comprises at least one of a computer file, a relational database, an RFID operated device configured to provide physical access, a file directory, a software application executing locally on a computer system, or a network-based application configured to provide functionality to users via the Internet (resources include a file, cloud-based applications, enterprise applications, databases, cloud services, access to a meeting room using a badge (e.g. “RFID”), etc. [Koottayi, ¶70]).

As per claim 16: Claim 16 is different in overall scope from claim 1 but recites substantially similar subject matter as claim 1. Claim 16 is directed to a system comprising a memory storing instructions corresponding to the method of claim 1. Claim 16 further includes features for “building” the models. However, this feature is also taught in [Koottayi, ¶145], where the behavior models are generated (“building”) from collected data of access requests and machine learning techniques. Thus, the responses provided above for claim 1, and herein, are equally applicable to claim 16.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the 

Claims 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Koottayi in view of Anghel et al. (hereinafter, “Anghel”), US 2019/0188065.
As per claim 17: Koottayi discloses all limitations of claim 16. Koottayi does not fully disclose the features of claim 17. Koottayi does suggest using supervised or unsupervised machine learning techniques to generate the data clusters used for determining similarities (e.g. via computing distances between data points) [Koottayi, ¶145]. However, auto-encoders were known types of machine learning algorithms. For example, Anghel is directed to analogous art of detecting anomalies in a computer network [Anghel, Abstract]. Hence, Anghel discloses: wherein building the user behavior model comprises training an autoencoder to calculate a similarity of a given access attempt for a given electronic resource relative to other ones of the previous access attempts by the plurality of users for the first plurality of electronic resources (an auto-encoder neural network is used to model normal traffic behavior and produce an anomaly score [Anghel, ¶¶107-109]; the anomaly scores are normalized and classified as anomalies above a given threshold [Anghel, ¶113]).
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the machine learning technique implemented in Koottayi to utilize auto-encoders for detecting anomalies in a computer network. As disclosed in [Anghel, ¶107], the main advantage of an auto-encoder is that it uses neural networks, for which no assumptions on the distribution of the input data are necessary. Therefore, compared to clustering, auto-encoders do not depend on the notions of distance or density in the input data.

As per claim 18: Koottayi discloses all limitations of claim 16. Koottayi does not fully disclose the features of claim 18. However, the same reasoning for incorporating Anghel in claim 17 is also applicable in claim 18. Specifically, the term “artificial neural network”, or simply neural network as commonly known in the art, is a broader term that encompasses all types of neural networks. The auto-encoder in Anghel is a specific type of neural network. Thus, Koottayi in view of Anghel disclose: wherein building the system access model comprises training an artificial neural network to output a similarity score, using the system characteristic data and the access records, for a given access attempt for a given electronic resource, the similarity score being indicative of a similarity of the given access attempt for the given electronic resource to other ones of the previous access attempts by the plurality of users for the first plurality of electronic resources (an auto-encoder neural network is used to model normal traffic behavior and produce an anomaly score [Anghel, ¶¶107-109]; the anomaly scores are normalized and classified as anomalies above a given threshold [Anghel, ¶113]).

As per claim 19: Koottayi in view of Anghel disclose all limitations of claim 18. Furthermore, Koottayi in view of Anghel disclose: further comprising re-training the artificial neural network based on updated system characteristic data and updated access records corresponding to a third plurality of electronic resources (updating the model parameters [Anghel, ¶110]; additionally, [Koottayi, ¶145] also discloses updating the behavior model as additional access requests are received and the data collected).

As per claim 20: Koottayi in view of Anghel disclose all limitations of claim 18. Furthermore, Koottayi in view of Anghel disclose: wherein identifying the one or more access anomalies is based on the similarity score from the system access model being below a threshold (the anomaly scores are normalized and classified as anomalies above a given threshold [Anghel, ¶113]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 2010/0122120: Discloses modeling access requests into basic elements. The basic elements are compared to a bitmap table representing historical behavior information and determining if an anomalous request is present.
US 9,166,993: Discloses collecting file-activity data pertaining to file access activities in a network. A file access pattern is computed for each user and used to determine a first deviation. A second deviation is determined based on a peer history of other users.
US 2016/0142435: Discloses detecting anomalous behavior in data access events. The data of the network entities involved with an event is obtained and analyzed with a network behavior model to detect anomalous activities.
US 2016/0149941: Discloses combining structured and non-structured data to be utilized in detecting anomalous behavior. The structured data may include event logs and the non-structured data may include video logs.
US 2016/0197947: Discloses an anomaly behavior detection system for analyzing frequency of behaviors in the same access situation that have occurred during the entire access period and detecting an abnormal user behavior by analyzing a user behavior pattern during the entire access period.
US 2017/0126710: Discloses collecting a set of event parameters, such as contextual data related to an event, over a period of time to generate a baseline model. The baseline model is used for determining whether new events over an analyzed time period are anomalies via deviation scores.
US 2020/0274894: Discloses training a machine learning model for detecting anomalous access based on tuples that identify an actor, a resource, and a rating. The rating is assigned based on the number of access attempts over a period of time. A recommendation score is computed to determine what action is allowed.
D. Petrov and T. Znati, "Context-Aware Deep Learning-Driven Framework for Mitigation of Security Risks in BYOD-Enabled Environments," 2018 IEEE 4th International Conference on Collaboration and Internet Computing (CIC), 2018, pp. 166-175, doi: 10.1109/CIC.2018.00032. (Discloses leveraging artificial neural networks and decision tree machine learning techniques to identify any attempts for access to sensitive information by non-legitimate users.)

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT B LEUNG whose telephone number is (571)270-1453.  The examiner can normally be reached on Mon - Thurs: 10am-7pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG KIM can be reached on 571-272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ROBERT B LEUNG/ Primary Examiner, Art Unit 2494    6-30-2021