DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the Amendment filed on 04/26/2021.
In the instant Amendment, Claims 1, 3-4, 6-7, 11, 13-14, 16-17 and 21 have been amended. Claims 2, 5, 9, 12, 15 and 19 have been cancelled without prejudice. Claims 1, 11 and 21 are independent claims.  Claims 1, 3-4, 6-8, 10-11, 13-14, 16-18 and 20-21 have been examined and are pending.  This Action is made FINAL.

	
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 01/18/2021, 05/10/2021 and 07/08/2021 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.


Response to Arguments
Applicants’ arguments with respect to claims 1, 3-4, 6-8, 10-11, 13-14, 16-18 and 20-21 have been considered but are moot in view of the new ground(s) of rejection.  
The Examiner respectfully suggests that the claims be further amended and details in the specification be incorporated to distinguish the claimed invention over prior art of record.  Should the Applicant desire an interview to further clarify the claim interpretation/rejections, please contact the Examiner at (313) 446-6644 to schedule an interview.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have 


Claims 1, 11 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Krasser et al. (“Krasser,” US 20190026466, filed on 07/24/2017) in view of Wallace et al. (“Wallace,” US 20170237773, published on 08/17/2017).
Regarding Claim 1;

Krasser discloses a computer system comprising at least one hardware processor configured to (par 0299; a device comprising a processor; and a computer-readable medium, the computer-executable instructions upon execution by the processor configuring the device to perform operations):
select a client cluster from the plurality of client clusters (par 0030; cluster or computing devices can be deployed as a computing appliance operated by or on behalf of a particular user, group, or organization. For example, a corporation may deploy an appliance per office site, per division, or for the company as a whole; par 0059; cluster can be selected based on these characteristics and on the type of interaction)
in response to selecting the client cluster (par 0059; cluster can be selected based on these characteristics and on the type of interaction, e.g., ongoing streaming or intermittent request-response communications), 
train a behavior model to encode a collective behavior of members of the selected client cluster (par 0032; interact with cluster with discrete and/or ongoing transmissions of data to be used as input to a computational model or a technique of determining a computational model), 
 (par 0039; the computing devices can be configured to use the determined parameter values of trained CM; par 0032; a data source in a personal computing device can provide to cluster data of newly-installed executable files, after installation and before execution of those files. The data of newly installed executable files can include, e.g., identifiers and feature data such as that as described herein with respect to Table 1. This can provide improved accuracy of outputs of a computational model (CM); par 0034; computing devices operate CM(s) to determine a model output corresponding to a file on a user's computing device and transmit an indication of the model output [] A "trial" data stream refers to a data stream being tested against an existing broad model and local model(s) to determine whether that data stream is associated with malware); 
wherein the grouping is determined by analyzing a collection of events having occurred on members of the plurality of client systems to identify client systems having similar event profiles (par 0030; cluster or computing devices can be deployed as a computing appliance operated by or on behalf of a particular user, group, or organization. For example, a corporation may deploy an appliance per office site, per division, or for the company as a whole);
wherein the behavior model comprises an event encoder configured to receive a selected event of a sequence of events having occurred on members of the selected cluster and to determine an embedding vector of the selected event according to a position of the selected event within the sequence of events and further according to at least another event of the sequence of events (par 0032; a computing device can provide a feature vector of a sample and receive from cluster an indication of whether the sample is malware [] interact with cluster with discrete and/or ongoing transmissions of data to be used as input to a computational model or a technique of determining a computational model. A data source in a personal computing device can provide to cluster data of newly-installed executable files, e.g., feature vectors of those files; par 0196; performed one time or multiple times with respect to different feature vectors. A separate local model can be determined for each feature vector; par 0198; operation is performed multiple times for multiple first feature vectors to receive or otherwise provide a first group of feature vectors. The first group of feature vectors can include the first feature vector. Operations can be performed one or more times, e.g., once per first feature vector, to select or otherwise provide a second group of one or more second (clean) feature vectors and a third group of one or more third (dirty) feature vectors. The second group can include the second feature vector. The third group can include the third feature vector); and
wherein training the behavior model comprises (par 0039; the computing device(s) can be configured to use the determined parameter values of trained CM(s)): 
predicting yet another event of the sequence of events according to the embedding vector (par 0253; the operation module can operate the broad CM by processing the trial feature vector through one or more decision trees of the plurality of decision trees to provide one or more trial prediction values; par 0038; the training module can determine the CMs based at least in part on "hyperparameters," values governing the training [] the training data set can be used to update the CMs, and the validation data set can be used in determining whether the updated CMs meet training criteria or how the next update to the CMs should be performed), and 
adjusting a parameter of the event encoder according to the prediction (par 0038; the training data set can be used to update the CMs, and the validation data set can be used in determining whether the updated CMs meet training criteria or how the next update to the CMs should be performed; par 0079; the training module can update parameters of a neural network, or rebuild or update a decision forest, based at least in part on training feature vectors of the feature vector(s) representing the training data streams of the training set).
Krasser discloses all the limitations as recited above, but does not explicitly disclose in response to receiving a cluster membership indicator indicating a grouping of a plurality of client systems into a plurality of client clusters.
However, in an analogous art, Wallace discloses an attack-detection system/method using machine learning that includes:
in response to receiving a cluster membership indicator indicating a grouping of a plurality of client systems into a plurality of client clusters (Wallace: par 0096; fig. 11; data is received or collected that characterizes each of a plurality of canary requests across a plurality of computing nodes (e.g., mobile phones, tablets, laptops and other computing devices) in different environments; par 0098; the samples are grouped to form a plurality of clusters such that, for each cluster, the corresponding samples in such cluster are more similar (based on one or more of the associated attributes in the samples) to each other as compared to samples in other clusters).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Wallace with the method/system of Krasser to include, in response to receiving a cluster membership indicator indicating a grouping of a plurality of client systems into a plurality of client clusters, selecting a client cluster from the plurality of client clusters. One would have been motivated to do so in order that a plurality of samples characterizing the interception of data traffic are grouped into a plurality of clusters (Krasser: par 0022).

Regarding Claim 11;
This claim recites a method that performs the same steps as the system of Claim 1 and has limitations similar to those of Claim 1; it is therefore rejected with the same rationale applied against Claim 1.

Regarding Claim 21;
This claim recites a non-transitory computer-readable medium that performs the same steps as the system of Claim 1 and has limitations similar to those of Claim 1; it is therefore rejected with the same rationale applied against Claim 1.
Claims 3-4 and 13-14 are rejected under 35 U.S.C. 103 as being unpatentable over Krasser et al. (US 20190026466) in view of Wallace et al. (US 20170237773) and further in view of Hanis et al. (“Hanis,” US 20190340615, filed on 05/04/2018).

Regarding Claim 3;   
Krasser in combination with Wallace discloses the computer system of claim 1.
Krasser in combination with Wallace discloses all the limitations as recited above, but does not explicitly disclose wherein: the event sequence comprises a central event and an event context, the event context comprising a first subset of the events occurring prior to the central event and a second subset of events occurring later than the central event; the selected event is the central event; and the yet another event is a member of the event context.
However, in an analogous art, Hanis discloses a fraud-detection system/method based on event-sequence patterns that includes:
wherein: the event sequence comprises a central event and an event context, the event context comprising a first subset of the events occurring prior to the central event and a second subset of events occurring later than the central event (Hanis: par 0018; fig. 3; most of the statistical fraud detection techniques are built upon profile variables computed on historical data. These variables are usually measurement aggregated across certain periods of time, for example, the minimum/maximum/average of weekly transaction amounts, or the minimum/maximum/average of unique numbers of counterparties; par 0037; the transactions can be considered as different sequences of events, i.e., n-sequence of events, where n for this example can be any integer value); the selected event is the central event (Hanis: par 0044; fig. 6; vectors for the 1-event sequences, vectors for the 2-event sequences, and so on, up to the maximum sequence dictated by the number of total events in the associated Petri-net graph for a series of related events. The aggregator layer is based on any one of a number of potential aggregators, such as customer, account, location, etc. If for example the customer aggregator is selected for aggregator level, then the resulting application layer will include only those sequences that have the same customer value; par 0041; the second 2-event sequence includes events E2 and E3); and the yet another event is a member of the event context (Hanis: par 0044; fig. 6; vectors for the 1-event sequences, vectors for the 2-event sequences, and so on, up to the maximum sequence dictated by the number of total events in the associated Petri-net graph for a series of related events. The aggregator layer is based on any one of a number of potential aggregators, such as customer, account, location, etc. If for example the customer aggregator is selected for aggregator level, then the resulting application layer will include only those sequences that have the same customer value; par 0041; the second 2-event sequence includes events E2 and E3).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Hanis with the method/system of Krasser and Wallace to include wherein: the event sequence comprises a central event and an event context, the event context comprising a first subset of the events occurring prior to the central event and a second subset of events occurring later than the central event; the selected event is the central event; and the yet another event is a member of the event context. One would have been motivated to do so because, in Hanis, each pattern image begins with a Petri-net model for historical events, a state space representation is generated based on the Petri-net model, and an event pattern layer is established using event sequence vectors from the state space representation (Hanis: abstract).
 
Regarding Claim 4; 
Krasser in combination with Wallace discloses the computer system of claim 1.
Krasser in combination with Wallace discloses all the limitations as recited above, but does not explicitly disclose wherein: the event sequence comprises a central event and an event context, the event context comprising a first subset of the events occurring prior to the central event and a second subset of events occurring later than the central event; the selected event is a member of the event context; and the yet another event is the central event.
However, in an analogous art, Hanis discloses a fraud-detection system/method based on event-sequence patterns that includes:
wherein: the event sequence comprises a central event and an event context, the event context comprising a first subset of the events occurring prior to the central event and a second subset of events occurring later than the central event (Hanis: par 0018; fig. 3; most of the statistical fraud detection techniques are built upon profile variables computed on historical data. These variables are usually measurement aggregated across certain periods of time, for example, the minimum/maximum/average of weekly transaction amounts, or the minimum/maximum/average of unique numbers of counterparties; par 0037; the transactions can be considered as different sequences of events, i.e., n-sequence of events, where n for this example can be any integer value); the selected event is a member of the event context (Hanis: par 0044; fig. 6; vectors for the 1-event sequences, vectors for the 2-event sequences, and so on, up to the maximum sequence dictated by the number of total events in the associated Petri-net graph for a series of related events. The aggregator layer is based on any one of a number of potential aggregators, such as customer, account, location, etc. If for example the customer aggregator is selected for aggregator level, then the resulting application layer will include only those sequences that have the same customer value; par 0041; the first 2-event sequence includes events E1 and E2); and the yet another event is the central event (Hanis: par 0044; fig. 6; vectors for the 1-event sequences, vectors for the 2-event sequences, and so on, up to the maximum sequence dictated by the number of total events in the associated Petri-net graph for a series of related events. The aggregator layer is based on any one of a number of potential aggregators, such as customer, account, location, etc. If for example the customer aggregator is selected for aggregator level 72, then the resulting application layer 74 will include only those sequences that have the same customer value; par 0041; the first 2-event sequence includes events E1 and E2).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Hanis with the method/system of Krasser and Wallace to include wherein: the event sequence comprises a central event and an event context, the event context comprising a first subset of the events occurring prior to the central event and a second subset of events occurring later than the central event; the selected event is a member of the event context; and the yet another event is the central event. One would have been motivated to do so because, in Hanis, each pattern image begins with a Petri-net model for historical events, a state space representation is generated based on the Petri-net model, and an event pattern layer is established using event sequence vectors from the state space representation (Hanis: abstract).

Regarding Claim 13;
This claim recites a method that performs the same steps as the system of Claim 3 and has limitations similar to those of Claim 3; it is therefore rejected with the same rationale applied against Claim 3.



Regarding Claim 14;
This claim recites a method that performs the same steps as the system of Claim 4 and has limitations similar to those of Claim 4; it is therefore rejected with the same rationale applied against Claim 4.

Claims 6, 8, 10, 16, 18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Krasser et al. (US 20190026466) in view of Wallace et al. (US 20170237773) and further in view of Gil et al. ("Gil," US 20180004961, published on 01/04/2018).

Regarding Claim 6; 
Krasser in combination with Wallace discloses the computer system of claim 1.
Krasser in combination with Wallace discloses all the limitations as recited above, but does not explicitly disclose wherein: the event collection is divided into a plurality of event categories according to whether an event of the event collection occurs in a selected context of other events of the event collection; and an event profile of a selected client system is determined according to a count of events occurring on the selected client system and belonging to a selected category of the plurality of event categories.
However, in an analogous art, Gil discloses a system/method for detecting and assessing security risks that includes:
wherein: the event collection is divided into a plurality of event categories according to whether an event of the event collection occurs in a selected context of other events of the event collection (Gil: par 0006; the system calculates a risk assessment for the plurality of user events based at least in part on the comparison between the user events and the user's behavior model, wherein any one of certain anomalies between the user events and the user's behavior model increase the risk assessment); and an event profile of a selected client system is determined according to a count of events occurring on the selected client system and belonging to a selected category of the plurality of event categories (Gil: par 0035; the system may aggregate data from users that share a common characteristic (e.g., same role or department) and create a group behavior model. A user's behavior in a session may be compared to both the user's behavior model and the group's behavior model; par 0047; the system determines whether the event belongs to an existing, open session or whether the event is a new logon session. In one embodiment, the system maintains a session database, with an entry for each user logon session. When the system determines that a new logon session has started, it adds an entry to the session database for the session and adds information from the applicable event log to the session entry. If the system determines that an event belongs to an existing session, it will add information from the event log to the existing session).  
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Gil with the method/system of Krasser and Wallace to include wherein: the event collection is divided into a plurality of event categories according to whether an event of the event collection occurs in a selected context of other events of the event collection; and an event profile of a selected client system is determined according to a count of events occurring on the selected client system and belonging to a selected category of the plurality of event categories. One would have been motivated to do so in order to compare a plurality of user events during a period of time to the user's behavior model, including comparing a client device used, server(s) accessed, and any resources accessed to the user's behavior model (Gil: par 0005).

Regarding Claim 8;
Krasser in combination with Wallace and Gil discloses the computer system of claim 6.
Krasser further discloses wherein grouping the plurality of client systems into clusters comprises assigning client systems having similar event profiles to the same client cluster (par 0030; cluster or computing devices can be deployed as a computing appliance operated by or on behalf of a particular user, group, or organization. For example, a corporation may deploy an appliance per office site, per division, or for the company as a whole; par 0059; cluster can be selected based on these characteristics and on the type of interaction).
  
Regarding Claim 10;
Krasser in combination with Wallace discloses the computer system of claim 1.
Krasser in combination with Wallace discloses all the limitations as recited above, but does not explicitly disclose wherein the selected event comprises a launch of a selected process on a client system of the plurality of client systems.
However, in an analogous art, Gil discloses a system/method for detecting and assessing security risks that includes:
wherein the selected event comprises a launch of a selected process on a client system of the plurality of client systems (Gil: par 0005; a computer system builds behavior models for users in the network (one for each user) based on the users' interactions with the network, wherein a behavior model for a user indicates client device(s), server(s), and resources (e.g., applications, data) used by the user; par 0047; in evaluating an event log, the system determines whether the event belongs to an existing, open session or whether the event is a new logon session. In one embodiment, the system maintains a session database, with an entry for each user logon session. When the system determines that a new logon session has started, it adds an entry to the session database for the session and adds information from the applicable event log to the session entry. If the system determines that an event belongs to an existing session, it will add information from the event log to the existing session).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Gil with the method/system of Krasser and Wallace to include wherein the selected event comprises a launch of a selected process on a client system of the plurality of client systems. One would have been motivated to do so in order to compare a plurality of user events during a period of time to the user's behavior model, including comparing a client device used, server(s) accessed, and any resources accessed to the user's behavior model (Gil: par 0005).

Regarding Claim 16;
This claim recites a method that performs the same steps as the system of Claim 6 and has limitations similar to those of Claim 6; it is therefore rejected with the same rationale applied against Claim 6.


Regarding Claim 18;
This claim recites a method that performs the same steps as the system of Claim 8 and has limitations similar to those of Claim 8; it is therefore rejected with the same rationale applied against Claim 8.

Regarding Claim 20;
This claim recites a method that performs the same steps as the system of Claim 10 and has limitations similar to those of Claim 10; it is therefore rejected with the same rationale applied against Claim 10.

Claims 7 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Krasser et al. (US 20190026466) in view of Wallace et al. (US 20170237773) and Gil et al. (US 20180004961) and further in view of Reybok et al. (“Reybok,” US 20170171231, published on 06/15/2017).

Regarding Claim 7;
Krasser in combination with Wallace and Gil discloses the computer system of claim 6.
Gil further discloses each component determined according to a proportion of events belonging to each event category of the plurality of event categories (Gil: par 0047; evaluating an event log, the system determines whether the event belongs to an existing, open session or whether the event is a new logon session), the proportion calculated out of a total count of events of the event collection occurring on the selected client system (Gil: par 0011; calculating the risk assessment comprises associating a sub-total risk score with each of certain anomalies in the user events and aggregating all sub-total risk scores to calculate the risk assessment for the plurality of user events).     
Krasser in combination with Wallace and Gil discloses all the limitations as recited above, but does not explicitly disclose wherein the event profile of the selected client system comprises a plurality of components.
However, in an analogous art, Reybok discloses a network threat assessment system/method that includes:
wherein the event profile of the selected client system comprises a plurality of components (Reybok: par 0068; fig. 2; a small subset of events in the database, filtered according to profile information, can be searched for correlation; par 0073; the answers to which can be used to build profile information, for example, by specifying things like company type, company identity, network type, types of machines [] and many other types of information).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Reybok with the method/system of Krasser, Wallace and Gil to include wherein the event profile of the selected client system comprises a plurality of components. One would have been motivated to do so in order to receive, from the client network, a report of detected correlation between the indicator and security event data maintained by the client network, and to update the security event database responsive to the report of detected correlation (Reybok: abstract).
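The following is an added illustration, in Python, of how the claim limitations mapped above fit together as one working pipeline. It is not code from the present application nor from any of the cited references (Krasser, Wallace, Hanis, Gil or Reybok), and it is offered only to make the claimed steps concrete: event categories assigned according to the context in which an event occurs (claim 6); a per-client event profile whose components are the proportions of the client's events in each category, out of that client's total event count (claim 7); grouping of clients with similar profiles into clusters, the result being the cluster membership indicator (claims 1 and 8); and, for a selected cluster, an event encoder whose embedding vector depends on the event's position in the sequence and on other events in its window, trained by predicting yet another event from that embedding and adjusting the encoder's parameters according to the prediction (claim 1), either from the central event toward its context (claim 3, "skipgram" mode) or from a context member toward the central event (claim 4, "cbow" mode). The event names, the category rule, the window size, the sinusoidal position code, the greedy cosine-threshold clustering rule and the constructed telemetry are assumptions chosen for the example and are not taken from the application or the references.

```python
"""Added illustration of the claimed pipeline (claims 1, 3, 4, 6, 7, 8): not code from
the application or from Krasser, Wallace, Hanis, Gil or Reybok. Event names, category
rule, window size, position code and clustering threshold are assumptions."""
import math
import random
from collections import Counter

WINDOW = 2  # assumed context: WINDOW events before and after the central event
# Constructed sample telemetry: client id -> ordered event sequence.
SAMPLE_EVENTS = {
    "ws-01": ["auth:logon", "proc:word", "net:smtp", "proc:browser", "net:http", "auth:logoff"],
    "ws-02": ["auth:logon", "proc:browser", "net:http", "proc:word", "net:smtp", "auth:logoff"],
    "ws-03": ["auth:logon", "proc:word", "proc:browser", "net:http", "net:smtp", "auth:logoff"],
    "srv-01": ["net:http", "net:http", "proc:db", "net:http", "proc:db", "net:http"],
    "srv-02": ["proc:db", "net:http", "net:http", "proc:db", "net:http", "net:http"],
}

def categorize(seq, i):
    """Claim 6: category depends on context. Assumed rule: event kind (prefix) plus
    whether a logon occurred within the preceding WINDOW events."""
    prior = seq[max(0, i - WINDOW):i]
    return seq[i].split(":")[0] + ("|post-logon" if "auth:logon" in prior else "|other")

def event_profile(seq):
    """Claim 7: one component per category = proportion of the client's events in that
    category, out of the client's total event count."""
    counts = Counter(categorize(seq, i) for i in range(len(seq)))
    return {cat: n / len(seq) for cat, n in counts.items()}

def cosine(p, q):
    norm = lambda d: math.sqrt(sum(v * v for v in d.values()))
    return sum(v * q.get(k, 0.0) for k, v in p.items()) / (norm(p) * norm(q))

def cluster_clients(events, threshold=0.6):
    """Claim 8: clients with similar profiles share a cluster. Assumed rule: greedy
    assignment to the first cluster whose seed profile has cosine >= threshold.
    The member lists returned are the cluster membership indicator of claim 1."""
    clusters = []  # (seed profile, member ids)
    for cid in sorted(events):
        prof = event_profile(events[cid])
        for seed, members in clusters:
            if cosine(prof, seed) >= threshold:
                members.append(cid)
                break
        else:
            clusters.append((prof, [cid]))
    return [members for _, members in clusters]

class EventEncoder:
    """Claim 1 encoder: embedding of the selected event = its own vector + a fixed
    sinusoidal code of its position (assumption) + the mean vector of the other events
    in its window. A softmax over event types makes the prediction."""
    def __init__(self, vocab, dim=8, seed=0):
        rng = random.Random(seed)
        self.vocab, self.dim = {e: i for i, e in enumerate(sorted(vocab))}, dim
        init = lambda: [[rng.uniform(-0.1, 0.1) for _ in range(dim)] for _ in self.vocab]
        self.w_in, self.w_out = init(), init()

    def embed(self, seq, i, others):
        h = [w + math.sin(i / 10.0 ** (k / self.dim)) for k, w in enumerate(self.w_in[self.vocab[seq[i]]])]
        for j in others:
            for k, w in enumerate(self.w_in[self.vocab[seq[j]]]):
                h[k] += w / len(others)
        return h

    def predict(self, h):
        scores = [sum(a * b for a, b in zip(h, row)) for row in self.w_out]
        exps = [math.exp(s - max(scores)) for s in scores]
        return [e / sum(exps) for e in exps]

    def train_step(self, seq, i, others, target, lr=0.1):
        """Predict seq[target] from the embedding of seq[i], then adjust the encoder's
        parameters by the prediction error (claim 1). Returns the cross-entropy loss."""
        h, t = self.embed(seq, i, others), self.vocab[seq[target]]
        p = self.predict(h)
        err = [p[j] - (1.0 if j == t else 0.0) for j in range(len(p))]
        grad_h = [sum(err[j] * self.w_out[j][k] for j in range(len(p))) for k in range(self.dim)]
        for j in range(len(p)):
            for k in range(self.dim):
                self.w_out[j][k] -= lr * err[j] * h[k]
        for e, scale in [(seq[i], 1.0)] + [(seq[j], 1.0 / len(others)) for j in others]:
            for k in range(self.dim):
                self.w_in[self.vocab[e]][k] -= lr * scale * grad_h[k]
        return -math.log(p[t])

def training_pairs(seq, mode):
    """(selected, other context indices, predicted) triples. 'skipgram' = claim 3:
    selected is the central event, predicted is a context member. 'cbow' = claim 4:
    selected is a context member, predicted is the central event."""
    for c in range(len(seq)):
        ctx = [j for j in range(max(0, c - WINDOW), min(len(seq), c + WINDOW + 1)) if j != c]
        for j in ctx:
            rest = [k for k in ctx if k != j]
            yield (c, rest, j) if mode == "skipgram" else (j, rest, c)

def train_behavior_model(events, members, mode="skipgram", epochs=40, lr=0.1):
    """Claim 1: train one encoder on the selected cluster's pooled event sequences.
    Returns the encoder and the mean loss before and after training."""
    enc = EventEncoder({e for cid in members for e in events[cid]})
    data = [(events[cid], i, o, t) for cid in members for i, o, t in training_pairs(events[cid], mode)]
    loss = lambda: sum(-math.log(enc.predict(enc.embed(s, i, o))[enc.vocab[s[t]]]) for s, i, o, t in data) / len(data)
    before = loss()
    for _ in range(epochs):
        for s, i, o, t in data:
            enc.train_step(s, i, o, t, lr)
    return enc, before, loss()
```

Calling cluster_clients(SAMPLE_EVENTS) on the constructed telemetry separates the two server-like clients from the three workstation-like clients, because the servers never produce a "post-logon" category and are dominated by network events; train_behavior_model(SAMPLE_EVENTS, members, mode) then trains a separate encoder for whichever cluster is selected, and the mean cross-entropy it returns falls from roughly ln(number of event types) before training to a lower value afterwards in both the claim 3 and claim 4 directions. The category rule is deliberately context-dependent (the same "proc:word" event lands in a different category depending on whether a logon preceded it) so that the profile reflects sequence context rather than bare event counts, which is the distinction claim 6 draws.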




Regarding Claim 17;
This claim recites a method that performs the same steps as the system of Claim 7 and has limitations similar to those of Claim 7; it is therefore rejected with the same rationale applied against Claim 7.



Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHAO WANG whose telephone number is (313)446-6644.  The examiner can normally be reached on Monday-Friday 7:30-4:30PM EST.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham  can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/C.W./Examiner, Art Unit 2439  


/JAHANGIR KABIR/Primary Examiner, Art Unit 2439