Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


DETAILED ACTION
2.	This action is in response to the amendment filed July 20, 2021.

3.	New claim 21 has been added.  Claims 1-21 have been examined and are pending with this action.


Response to Arguments
4.	Applicant's arguments filed July 20, 2021 have been fully considered but they are not persuasive. The applicant seems to be arguing that because Pratt does not explicitly use the phrase, “the subset of the first set of source computers”, that such description is not taught.  The examiner disagrees.
First, it is noted that the detected anomalies/threats of Pratt are clearly anomalies/threats of a particular computer (see Pratt, Abstract, “security threats to a computer network” & [0004]: “In various public and private computer networks, users employ devices such as desktop computers, laptop computers, tablets, smart phones, browsers, etc. to interact with others through computers and servers that are coupled to the network”).  Therefore, when Pratt teaches detecting an anomaly or threat, the detection is made in association with a device.  Furthermore, Pratt teaches in paragraph [0074], “As a result, system 124 may determine, by using the received entity resolution data, the identity of certain entities associated with events without performing the identity resolution process. For example, based on behavioral analysis, system 122 can determine that there is a high probability that a particular use is associated with devices 1, 2, and 3. System 122 outputs this identity resolution information as a conclusion to rules-based network security system 124. The identity resolution information can be used with new incoming data at system 124 to, for example, associate certain users with other entities (e.g., devices, accounts, addresses, applications etc.) referenced in the event data. The events or anomalies output for display via GUI 162 can also be annotated based on the identity resolution data. The identity resolution data can provide the user 164 with additional information on which to base network security decisions and to develop additional anomaly detection rules” (emphasis added).  Clearly, such teachings support the notion that each item of information regarding an anomaly or a threat is associated with a computer device.
Secondly, since Pratt clearly teaches a subset of a first set from various sources (see Pratt, [0066]: “hundreds of millions of events including data from various data sources may be analyzed to yield 100 anomalies, which may be analyzed to yield 10 threat indicators associated with potential security threats, which may again be analyzed to yield one or two actual security threats”, emphasis added), the combined teachings of Pratt clearly teach “the subset of the first set of source computers”.
	To assert that Pratt does not at least suggest “the subset of the first set of source computers” is clearly erroneous and ignores the knowledge of one of ordinary skill in the art.  
Furthermore, the order of the types of suspicious behavior (login failures, new connections, series of consecutive connections, connections within a time frame, etc.) that make up the sets and subsets is subjective and does not patentably distinguish the invention.
	For the reasons above and the rejections set forth below, claims 1-21 have been rejected and remain pending.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

5.	Claims 1, 2, 6-8, 10-12, 16-18, 20, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Pratt et al. (US 2020/0296124) in view of Johnson (US 2009/0024549).
INDEPENDENT:
As per claim 1, Pratt teaches a method comprising: 
identifying, by an enforcement engine running on a network security device protecting a network including a plurality of computers, top users of a plurality of users of the network exhibiting a first suspicious behavior in a form of login failures by determining a first set of users of the plurality of users each having a number of login failure events during a given time duration that is greater than a first threshold value, wherein each user of the first set of users is associated with a source computer in a first set of source computers of the plurality of computers (see Pratt, Fig.1A; [0064]: “an "anomaly" is defined as a detected or identified variation from an expected pattern of activity on the part of an entity associated with an information technology environment, which may or may not constitute a threat. This entity activity that departs form expected patterns of activity can be referred to as "anomalous activity." For example, an anomaly may include an event or set of events of possible concern that may be actionable or warrant further investigation. Examples of anomalies include alarms, blacklisted applications/domains/IP addresses, domain name anomalies, excessive uploads or downloads, website attacks, land speed violations, machine generated beacons, login errors, multiple outgoing connections, unusual activity time/sequence/file access/network activity, etc”; and [0149]: “In certain embodiments, anomalies and threats are detected by comparing events against the baseline profile for an entity to which the event relates (e.g., a user, an application, a network node or group of nodes, a software system, data files, etc.). If the variation is more than insignificant, the threshold for which may be dynamically or statically defined, an anomaly may be considered to be detected”, emphasis added); 
identifying, by the enforcement engine, from the first set of source computers, a second set of source computers, representing a subset of the first set of source computers exhibiting a second suspicious behavior in a form of new computer connections by determining, during the time duration, those source computers in the first set of source computers that initiated a number of new connections that is greater than a second threshold value (see Pratt, Fig.1A; [0064]: “an "anomaly" is defined as a detected or identified variation from an expected pattern of activity on the part of an entity associated with an information technology environment, which may or may not constitute a threat. This entity activity that departs form expected patterns of activity can be referred to as "anomalous activity." For example, an anomaly may include an event or set of events of possible concern that may be actionable or warrant further investigation. Examples of anomalies include alarms, blacklisted applications/domains/IP addresses, domain name anomalies, excessive uploads or downloads, website attacks, land speed violations, machine generated beacons, login errors, multiple outgoing connections, unusual activity time/sequence/file access/network activity, etc”; [0066]: “As an example of scale, hundreds of millions of events including data from various data sources may be analyzed to yield 100 anomalies, which may be analyzed to yield 10 threat indicators associated with potential security threats, which may again be analyzed to yield one or two actual security threats”; and [0149]: “In certain embodiments, anomalies and threats are detected by comparing events against the baseline profile for an entity to which the event relates (e.g., a user, an application, a network node or group of nodes, a software system, data files, etc.). If the variation is more than insignificant, the threshold for which may be dynamically or statically defined, an anomaly may be considered to be detected”, emphasis added); and 
classifying, by the enforcement engine, a third set of source computers, representing a subset of the second set of source computers exhibiting a third suspicious behavior in a form of consecutive new computer connections, as compromised source computers, by identifying those source computers in the second set of source computers that attempted their respective new connections in a sequence that results in a measure computed based on the sequence that is greater than a third threshold value (see Pratt, [0066]: “As an example of scale, hundreds of millions of events including data from various data sources may be analyzed to yield 100 anomalies, which may be analyzed to yield 10 threat indicators associated with potential security threats, which may again be analyzed to yield one or two actual security threats”; [0149]: “In certain embodiments, anomalies and threats are detected by comparing events against the baseline profile for an entity to which the event relates (e.g., a user, an application, a network node or group of nodes, a software system, data files, etc.). If the variation is more than insignificant, the threshold for which may be dynamically or statically defined, an anomaly may be considered to be detected”; and [0289]: “As previously described, anomalous activity can be categorized. For example, alarms, blacklisted applications/domains/IP addresses, domain name anomalies, excessive uploads or downloads, website attacks, land speed violations, machine generated beacons, login errors, multiple outgoing connections, unusual activity time/sequence/file access/network activity, etc. As previously mentioned, when anomalies detected by a rules-based detection system are acquired by a machine-learning based network security system, an identifying tag can facilitate the proper processing of the rules-based detected anomaly with other corresponding machine-learning based anomalies of the same or similar type, to detect threat indicators and threats. Based on user input at option 3504 defining a category of the anomaly, any resulting anomaly detected using the specified rule and presented to the machine-learning based network security system can include a tag identifying that category of anomalous activity”, emphasis added).
Pratt does not explicitly teach that the measure is a Shannon entropy measure.
Johnson teaches a Shannon entropy measure (see Johnson, [0024]: “This allows Shannon and generalized (Renyi) entropy functions to be defined on the column and row probability distributions”; and [0029]: “The original argument by Shannon was that if the information of two independent systems is to be additive, and if the information is a function of the probability distribution, and since probabilities of independent systems is multiplicative, then it follows that information (or entropy) must be the log of a power of the probability”).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the system of Pratt in view of Johnson so that the measure is a Shannon entropy measure.  One would be motivated to do so because Johnson teaches in paragraph [0006], entropy functions “can be used to dynamically monitor networks relative to such normal metrical values thus identifying when the network statistically alters its intrinsic patterns of connectivity”.
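The three-stage funnel recited in claim 1 (a login-failure count above a first threshold, a new-connection count above a second threshold, then a Shannon entropy measure over the sequence of new connections above a third threshold) is easier to evaluate with a concrete run. The following is an added illustration written for this page; it is not code from the application, from Pratt or from Johnson. The authentication and connection records, the per-host baseline destination sets and the three thresholds are constructed, and computing the entropy over the distribution of destinations in a host's new-connection sequence is an assumption, since the claim only specifies that the measure is computed from that sequence.

```python
"""Three-stage suspicious-behaviour funnel with a Shannon entropy measure.

Constructed example for illustration; the events, baselines and thresholds
below are made up and do not come from any real system or from the cited art.
"""
from collections import Counter, defaultdict
from math import log2

# Constructed authentication events: (timestamp, user, source_host, outcome)
AUTH_EVENTS = [
    (100, "alice", "ws-01", "fail"), (101, "alice", "ws-01", "fail"),
    (102, "alice", "ws-01", "fail"), (103, "alice", "ws-01", "fail"),
    (104, "alice", "ws-01", "success"),
    (110, "bob", "ws-02", "fail"), (111, "bob", "ws-02", "fail"),
    (112, "bob", "ws-02", "fail"), (113, "bob", "ws-02", "fail"),
    (114, "bob", "ws-02", "fail"),
    (120, "carol", "ws-03", "fail"), (121, "carol", "ws-03", "success"),
    (130, "dave", "ws-04", "success"),
]

# Constructed connection events: (timestamp, source_host, destination_host)
CONN_EVENTS = [
    # ws-01: five new connections, all hammering one target (low entropy)
    (200, "ws-01", "srv-09"), (201, "ws-01", "srv-09"), (202, "ws-01", "srv-09"),
    (203, "ws-01", "srv-09"), (204, "ws-01", "srv-09"),
    # ws-02: five new connections sweeping distinct targets (high entropy)
    (210, "ws-02", "srv-11"), (211, "ws-02", "srv-12"), (212, "ws-02", "srv-13"),
    (213, "ws-02", "srv-14"), (214, "ws-02", "srv-15"),
    # ws-03: only baseline traffic
    (220, "ws-03", "srv-01"), (221, "ws-03", "srv-01"),
    # ws-04: sweeps too, but its user had no login failures, so never enters stage 1
    (230, "ws-04", "srv-21"), (231, "ws-04", "srv-22"), (232, "ws-04", "srv-23"),
]

# Assumption: destinations each host normally reaches, learned during a training span.
BASELINE = {"ws-01": {"srv-01"}, "ws-02": {"srv-01"},
            "ws-03": {"srv-01"}, "ws-04": {"srv-01"}}


def shannon_entropy(sequence):
    """Entropy in bits of the empirical distribution of items in the sequence."""
    counts = Counter(sequence)
    n = len(sequence)
    if n == 0:
        return 0.0
    return -sum((c / n) * log2(c / n) for c in counts.values())


def stage1_top_users(auth_events, window, t1):
    """Users with more than t1 login failures in the window, and their source hosts."""
    start, end = window
    failures = Counter()
    host_of = {}
    for ts, user, host, outcome in auth_events:
        if start <= ts < end and outcome == "fail":
            failures[user] += 1
            host_of[user] = host
    users = {u for u, c in failures.items() if c > t1}
    hosts = {host_of[u] for u in users}
    return users, hosts


def new_connection_sequences(conn_events, hosts, window, baseline):
    """Time-ordered destinations of connections not in the host's baseline."""
    start, end = window
    seqs = defaultdict(list)
    for ts, src, dst in sorted(conn_events):
        if src in hosts and start <= ts < end and dst not in baseline.get(src, set()):
            seqs[src].append(dst)
    return seqs


def stage2_new_connections(seqs, hosts, t2):
    """Hosts whose count of new connections exceeds the second threshold."""
    return {h for h in hosts if len(seqs[h]) > t2}


def stage3_compromised(seqs, hosts, t3):
    """Hosts whose new-connection sequence has entropy above the third threshold."""
    return {h for h in hosts if shannon_entropy(seqs[h]) > t3}


def run_funnel(auth_events, conn_events, baseline, window, t1, t2, t3):
    """Return (first, second, third) sets of source hosts for the given thresholds."""
    _, first = stage1_top_users(auth_events, window, t1)
    seqs = new_connection_sequences(conn_events, first, window, baseline)
    second = stage2_new_connections(seqs, first, t2)
    third = stage3_compromised(seqs, second, t3)
    return first, second, third


if __name__ == "__main__":
    first, second, third = run_funnel(AUTH_EVENTS, CONN_EVENTS, BASELINE,
                                      window=(0, 300), t1=3, t2=3, t3=1.5)
    print("first set (login failures):   ", sorted(first))
    print("second set (new connections): ", sorted(second))
    print("third set (compromised):      ", sorted(third))
```

With these constructed inputs ws-01 and ws-02 both pass the first two stages, but only ws-02 is classified as compromised: repeating one destination five times gives an entropy of zero, while five distinct destinations give log2(5) bits. The thresholds are hardcoded here; in the claimed system they are the values the enforcement engine derives from its training span.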

As per claim 11, Pratt teaches a non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of a network security device protecting a network including a plurality of computer systems (see Pratt, [0295]: “a computer program product which may include a non-transitory machine-readable medium having stored thereon instructions that may be used to program/configure a computer or other electronic device to perform some or all of the operations described above”), causes the one or more processors to perform a method comprising: 
identifying top users of a plurality of users of the network exhibiting a first suspicious behavior in a form of login failures by determining a first set of users of the plurality of users each having a number of login failure events during a given time duration that is greater than a first threshold value, wherein each user of the first set of users is associated with a source computer in a first set of source computers of the plurality of computers (see Pratt, Fig.1A; [0064]: “an "anomaly" is defined as a detected or identified variation from an expected pattern of activity on the part of an entity associated with an information technology environment, which may or may not constitute a threat. This entity activity that departs form expected patterns of activity can be referred to as "anomalous activity." For example, an anomaly may include an event or set of events of possible concern that may be actionable or warrant further investigation. Examples of anomalies include alarms, blacklisted applications/domains/IP addresses, domain name anomalies, excessive uploads or downloads, website attacks, land speed violations, machine generated beacons, login errors, multiple outgoing connections, unusual activity time/sequence/file access/network activity, etc”; and [0149]: “In certain embodiments, anomalies and threats are detected by comparing events against the baseline profile for an entity to which the event relates (e.g., a user, an application, a network node or group of nodes, a software system, data files, etc.). If the variation is more than insignificant, the threshold for which may be dynamically or statically defined, an anomaly may be considered to be detected”, emphasis added); 
identifying from the first set of source computers, a second set of source computers, representing a subset of the first set of source computers exhibiting a second suspicious behavior in a form of new computer connections by determining, during the time duration, those source computers in the first set of source computers that initiated a number of new connections that is greater than a second threshold value (see Pratt, Fig.1A; [0064]: “an "anomaly" is defined as a detected or identified variation from an expected pattern of activity on the part of an entity associated with an information technology environment, which may or may not constitute a threat. This entity activity that departs form expected patterns of activity can be referred to as "anomalous activity." For example, an anomaly may include an event or set of events of possible concern that may be actionable or warrant further investigation. Examples of anomalies include alarms, blacklisted applications/domains/IP addresses, domain name anomalies, excessive uploads or downloads, website attacks, land speed violations, machine generated beacons, login errors, multiple outgoing connections, unusual activity time/sequence/file access/network activity, etc”; [0066]: “As an example of scale, hundreds of millions of events including data from various data sources may be analyzed to yield 100 anomalies, which may be analyzed to yield 10 threat indicators associated with potential security threats, which may again be analyzed to yield one or two actual security threats”; and [0149]: “In certain embodiments, anomalies and threats are detected by comparing events against the baseline profile for an entity to which the event relates (e.g., a user, an application, a network node or group of nodes, a software system, data files, etc.). If the variation is more than insignificant, the threshold for which may be dynamically or statically defined, an anomaly may be considered to be detected”, emphasis added); and 
classifying a third set of source computers, representing a subset of the second set of source computers exhibiting a third suspicious behavior in a form of consecutive new computer connections, as compromised source computers, by identifying those source computers in the second set of source computers that attempted their respective new connections in a sequence that results in a measure computed based on the sequence that is greater than a third threshold value (see Pratt, [0066]: “As an example of scale, hundreds of millions of events including data from various data sources may be analyzed to yield 100 anomalies, which may be analyzed to yield 10 threat indicators associated with potential security threats, which may again be analyzed to yield one or two actual security threats”; [0149]: “In certain embodiments, anomalies and threats are detected by comparing events against the baseline profile for an entity to which the event relates (e.g., a user, an application, a network node or group of nodes, a software system, data files, etc.). If the variation is more than insignificant, the threshold for which may be dynamically or statically defined, an anomaly may be considered to be detected”; and [0289]: “As previously described, anomalous activity can be categorized. For example, alarms, blacklisted applications/domains/IP addresses, domain name anomalies, excessive uploads or downloads, website attacks, land speed violations, machine generated beacons, login errors, multiple outgoing connections, unusual activity time/sequence/file access/network activity, etc. As previously mentioned, when anomalies detected by a rules-based detection system are acquired by a machine-learning based network security system, an identifying tag can facilitate the proper processing of the rules-based detected anomaly with other corresponding machine-learning based anomalies of the same or similar type, to detect threat indicators and threats. Based on user input at option 3504 defining a category of the anomaly, any resulting anomaly detected using the specified rule and presented to the machine-learning based network security system can include a tag identifying that category of anomalous activity”, emphasis added).
Pratt does not explicitly teach that the measure is a Shannon entropy measure.
Johnson teaches a Shannon entropy measure (see Johnson, [0024]: “This allows Shannon and generalized (Renyi) entropy functions to be defined on the column and row probability distributions”; and [0029]: “The original argument by Shannon was that if the information of two independent systems is to be additive, and if the information is a function of the probability distribution, and since probabilities of independent systems is multiplicative, then it follows that information (or entropy) must be the log of a power of the probability”).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the system of Pratt in view of Johnson so that the measure is a Shannon entropy measure.  One would be motivated to do so because Johnson teaches in paragraph [0006], entropy functions “can be used to dynamically monitor networks relative to such normal metrical values thus identifying when the network statistically alters its intrinsic patterns of connectivity”.

As per claim 21, Pratt teaches a threat detection system, the system comprising: 
a network security device protecting a network including a plurality of computer systems (see Pratt, Abstract, “Techniques are described for processing anomalies detected using user-specified rules with anomalies detected using machine-learning based behavioral analysis models to identify threat indicators and security threats to a computer network. In an embodiment, anomalies are detected based on processing event data at a network security system that used rules-based anomaly detection”); 
a non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of the network security device, causes the one or more processors to perform a method (see Pratt, [0295]: “Embodiments of the techniques introduced here may be implemented, at least in part, by a computer program product which may include a non-transitory machine-readable medium having stored thereon instructions that may be used to program/configure a computer or other electronic device to perform some or all of the operations”) including: 
identifying top users of a plurality of users of the network exhibiting a first suspicious behavior in a form of login failures by determining a first set of users of the plurality of users each having a number of login failure events during a given time duration that is greater than a first threshold value, wherein each user of the first set of users is associated with a source computer in a first set of source computers of the plurality of computers (see Pratt, Fig.1A; [0064]: “an "anomaly" is defined as a detected or identified variation from an expected pattern of activity on the part of an entity associated with an information technology environment, which may or may not constitute a threat. This entity activity that departs form expected patterns of activity can be referred to as "anomalous activity." For example, an anomaly may include an event or set of events of possible concern that may be actionable or warrant further investigation. Examples of anomalies include alarms, blacklisted applications/domains/IP addresses, domain name anomalies, excessive uploads or downloads, website attacks, land speed violations, machine generated beacons, login errors, multiple outgoing connections, unusual activity time/sequence/file access/network activity, etc”; and [0149]: “In certain embodiments, anomalies and threats are detected by comparing events against the baseline profile for an entity to which the event relates (e.g., a user, an application, a network node or group of nodes, a software system, data files, etc.). If the variation is more than insignificant, the threshold for which may be dynamically or statically defined, an anomaly may be considered to be detected”, emphasis added); 
identifying from the first set of source computers, a second set of source computers, representing a subset of the first set of source computers exhibiting a second suspicious behavior in a form of new computer connections by determining, during the time duration, those source computers in the first set of source computers that initiated a number of new connections that is greater than a second threshold value (see Pratt, Fig.1A; [0064]: “an "anomaly" is defined as a detected or identified variation from an expected pattern of activity on the part of an entity associated with an information technology environment, which may or may not constitute a threat. This entity activity that departs form expected patterns of activity can be referred to as "anomalous activity." For example, an anomaly may include an event or set of events of possible concern that may be actionable or warrant further investigation. Examples of anomalies include alarms, blacklisted applications/domains/IP addresses, domain name anomalies, excessive uploads or downloads, website attacks, land speed violations, machine generated beacons, login errors, multiple outgoing connections, unusual activity time/sequence/file access/network activity, etc”; [0066]: “As an example of scale, hundreds of millions of events including data from various data sources may be analyzed to yield 100 anomalies, which may be analyzed to yield 10 threat indicators associated with potential security threats, which may again be analyzed to yield one or two actual security threats”; and [0149]: “In certain embodiments, anomalies and threats are detected by comparing events against the baseline profile for an entity to which the event relates (e.g., a user, an application, a network node or group of nodes, a software system, data files, etc.). If the variation is more than insignificant, the threshold for which may be dynamically or statically defined, an anomaly may be considered to be detected”, emphasis added); and 
classifying a third set of source computers, representing a subset of the second set of source computers exhibiting a third suspicious behavior in a form of consecutive new computer connections, as compromised source computers, by identifying those source computers in the second set of source computers that attempted their respective new connections in a sequence that results in a measure computed based on the sequence that is greater than a third threshold value (see Pratt, [0066]: “As an example of scale, hundreds of millions of events including data from various data sources may be analyzed to yield 100 anomalies, which may be analyzed to yield 10 threat indicators associated with potential security threats, which may again be analyzed to yield one or two actual security threats”; [0149]: “In certain embodiments, anomalies and threats are detected by comparing events against the baseline profile for an entity to which the event relates (e.g., a user, an application, a network node or group of nodes, a software system, data files, etc.). If the variation is more than insignificant, the threshold for which may be dynamically or statically defined, an anomaly may be considered to be detected”; and [0289]: “As previously described, anomalous activity can be categorized. For example, alarms, blacklisted applications/domains/IP addresses, domain name anomalies, excessive uploads or downloads, website attacks, land speed violations, machine generated beacons, login errors, multiple outgoing connections, unusual activity time/sequence/file access/network activity, etc. As previously mentioned, when anomalies detected by a rules-based detection system are acquired by a machine-learning based network security system, an identifying tag can facilitate the proper processing of the rules-based detected anomaly with other corresponding machine-learning based anomalies of the same or similar type, to detect threat indicators and threats. Based on user input at option 3504 defining a category of the anomaly, any resulting anomaly detected using the specified rule and presented to the machine-learning based network security system can include a tag identifying that category of anomalous activity”, emphasis added).
Pratt does not explicitly teach that the measure is a Shannon entropy measure.
Johnson teaches a Shannon entropy measure (see Johnson, [0024]: “This allows Shannon and generalized (Renyi) entropy functions to be defined on the column and row probability distributions”; and [0029]: “The original argument by Shannon was that if the information of two independent systems is to be additive, and if the information is a function of the probability distribution, and since probabilities of independent systems is multiplicative, then it follows that information (or entropy) must be the log of a power of the probability”).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the system of Pratt in view of Johnson so that the measure is a Shannon entropy measure.  One would be motivated to do so because Johnson teaches in paragraph [0006], entropy functions “can be used to dynamically monitor networks relative to such normal metrical values thus identifying when the network statistically alters its intrinsic patterns of connectivity”.

DEPENDENT:
As per claims 2 and 12, which respectively depend on claims 1 and 11, although Pratt further teaches a number of login failure events for at least one user of said first set of users, Pratt does not explicitly teach that the events follow any or a combination of a normal distribution or a Poisson distribution.
Johnson teaches a normal distribution (see Johnson, [0039]: “This provides three curves that can be monitored over time as well as watching the current row and column entropy spectra displayed overlaid upon the normal distribution for those circumstances”).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the system of Pratt in view of Johnson so that the events follow a normal distribution.  One would be motivated to do so because Johnson teaches in paragraph [0039] that, with such a distribution, “The location where anomalies are occurring in the network can be identified for example by clicking on the associated spectral curve anomaly area. The system can then find the node identification in the lookup table thus identifying the anomalous nodes and subnets”.
As per claims 7 and 17, which respectively depend on claims 1 and 11, Pratt further teaches wherein said enforcement engine is initially trained for a time span so as to understand normal user behavior in the network, based on which said first, second, and third threshold values are determined (see Pratt, [0189]: “More specifically, a machine learning model can have different phases, for example, a training phase (after initiation and before ready) and an active phase (after ready and before expiration). In a training phase of a machine learning model, if an event that is received involves both a user and a machine identifier (e.g., if the event data representing the event has both a user identifier and a machine identifier), then machine learning model that is employed by the identity resolution module 1112 can use this event to create or update the probability of association between the user and the machine identifier. For example, when an authentication event is received (e.g., when a user logs into a particular machine) and involves a user (e.g., identified by a user identifier such as a username) and a machine identifier, the model learns that the user is now associated with the machine identifier, at least for a period of time until the user logs out or times out from the particular machine”).
As per claims 8 and 18, which respectively depend on claims 7 and 17, Pratt further teaches wherein training of said enforcement engine is performed based on any or a combination of information obtained from login failure events and information obtained from login success events that occurred during said time span (see Pratt, [0189]: “More specifically, a machine learning model can have different phases, for example, a training phase (after initiation and before ready) and an active phase (after ready and before expiration). In a training phase of a machine learning model, if an event that is received involves both a user and a machine identifier (e.g., if the event data representing the event has both a user identifier and a machine identifier), then machine learning model that is employed by the identity resolution module 1112 can use this event to create or update the probability of association between the user and the machine identifier. For example, when an authentication event is received (e.g., when a user logs into a particular machine) and involves a user (e.g., identified by a user identifier such as a username) and a machine identifier, the model learns that the user is now associated with the machine identifier, at least for a period of time until the user logs out or times out from the particular machine”).
As per claims 10 and 20, which respectively depend on claims 1 and 11, Pratt further teaches wherein any or a combination of said first, second, and third threshold values are optimized using a learning sub-engine that is configured in or operatively coupled with said enforcement engine, said learning sub-engine being configured to learn from incorrect classification of source computers made by said enforcement engine in said third set of source computers (see Pratt, Fig.1B; and Abstract: “detected using machine-learning based behavioral analysis models to identify threat indicators and security threats to a computer network”).

6.	Claims 5 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Pratt et al. (US 2020/0296124) and Johnson (US 2009/0024549), and still further in view of Jin et al. (US 9,280,747).
As per claims 5 and 15, which respectively depend on claims 1 and 11, although Pratt further teaches wherein the number of new connections is evaluated based on a value such that if, for a given computer of the second set of source computers, the value is greater than the second threshold value, said given source computer is included as part of the second set of source computers (see claim 1 rejection above), Pratt does not explicitly teach that the value is a Jaccard index value.
(see Jin, Fig.5; and col.1, lines 59-62: “The program code can cause the processor to select a subset of the plurality of terms in the training data in which an associated Jaccard index value exceeds a threshold”).
The difference in the values lies only in nonfunctional descriptive material and is not functionally involved in the steps recited.  The threat events of Pratt will be evaluated regardless of which value is used.  Thus this descriptive material does not distinguish the claimed invention from the prior art in terms of patentability.
Therefore, it would have been obvious to a person of ordinary skill in the art at the time the invention was made to employ a Jaccard index value because such a value does not functionally change the steps of the invention claimed, because the subjective interpretation of the data does not patentably distinguish the claimed invention, and because Pratt teaches in paragraph [0125], “Machine learning models are employed to evaluate and analyze data in certain embodiments, that is not necessarily the case in every embodiment. In some cases, the security platform may also adapt more appropriately or more efficiently to the environment by using a combination of other suitable forms of analysis, including rule-based analysis, algorithm-based analysis, statistical analysis, etc”.


Allowable Subject Matter
7.	Claims 3, 4, 6, 9, 13, 14, 16, and 19 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is an examiner’s statement of reasons for allowance: 
The prior art of record does not disclose, teach, or suggest, either singly or in combination, the claimed limitation of “wherein said determining the first set of users of the plurality of users each having a number of login failure events during a given time duration . . .” as recited in dependent claims 3 and 13.
Dependent claims 4 and 14, which include additional limitations, respectively depend on claims 3 and 13, and are therefore allowable for the same reasons.
The prior art of record does not disclose, teach, or suggest, either singly or in combination, the claimed limitation of “wherein said classifying comprises: for each source computer in the second set of source computers: computing a total number of accesses to each destination computer of the plurality of computers in connection with the number of new connections; computing a probability of communication with said each destination computer; computing a normalized Shannon Entropy based on the total number of accesses and the probability of communication; and including the source computers in the third set of source computers when the normalized Shannon Entropy is greater than the third threshold value” as recited in dependent claims 6 and 16.
The prior art of record does not disclose, teach, or suggest, either singly or in combination, the claimed limitation of “wherein the information obtained is utilized to determine a mean and a standard deviation of login failure events for each tuple of a plurality of tuples including a particular user of the plurality of users and a particular source computer of the plurality of computers, and wherein the information obtained is used to determine, for each source computer of the plurality of computers those destination computers of the plurality of . . .” as recited in dependent claims 9 and 19.
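As an added illustration of the classifying step recited in claims 6 and 16 (example code written for this page, not code from the application or from Pratt, Johnson or Jin), the following computes, for each source computer in the second set, the total accesses per destination, the probability of communication with each destination, and a normalized Shannon entropy, and places the source in the third set when that entropy exceeds the third threshold value. The host names, access counts and threshold are constructed sample values; the normalization by log(k) over k contacted destinations, and the choice to score a source with fewer than two destinations as 0, are assumptions not stated in the claim.

```python
import math

# Constructed sample input: for each source computer in the "second set", the
# destination computers it opened new connections to during the time span,
# with the number of accesses to each. A source that spreads its new
# connections evenly over many hosts (src-B) is the pattern a defender would
# want surfaced; one dominated by a single destination (src-A) is not.
NEW_CONNECTIONS = {
    "src-A": {"dst-1": 40, "dst-2": 1},
    "src-B": {"dst-1": 5, "dst-2": 5, "dst-3": 5, "dst-4": 5},
    "src-C": {"dst-9": 12},   # only one destination: nothing to spread over
    "src-D": {},              # no new connections at all
}


def normalized_shannon_entropy(access_counts):
    """Entropy of a source's destination distribution, scaled to [0, 1].

    The probability of communication with destination d is n_d / N, where N is
    the total number of accesses. Dividing by log(k), k being the number of
    destinations actually contacted, makes sources that touched different
    numbers of hosts comparable. With fewer than two destinations log(k) is 0,
    so the score is defined as 0 (assumed here; the claim does not say).
    """
    counts = [n for n in access_counts.values() if n > 0]
    total = sum(counts)
    k = len(counts)
    if total == 0 or k < 2:
        return 0.0
    probs = [n / total for n in counts]
    entropy = -sum(p * math.log(p) for p in probs)
    return entropy / math.log(k)


def classify_third_set(second_set, third_threshold):
    """Sources whose normalized entropy exceeds the third threshold value."""
    return {
        src for src, counts in second_set.items()
        if normalized_shannon_entropy(counts) > third_threshold
    }


if __name__ == "__main__":
    for src, counts in NEW_CONNECTIONS.items():
        print(f"{src}: {normalized_shannon_entropy(counts):.3f}")
    # With a constructed threshold of 0.5 only src-B lands in the third set.
    print(classify_third_set(NEW_CONNECTIONS, third_threshold=0.5))
```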


Conclusion
8.	For the reasons above, claims 1, 2, 5, 7, 8, 10-12, 15, 17, 18, and 20 have been rejected and claims 3, 4, 6, 9, 13, 14, 16, and 19 have been objected to. Claims 1-20 remain pending.

9.	THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

10.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL Y WON whose telephone number is (571)272-3993.  The examiner can normally be reached on Wk.1: M-F: 8-5 PST & Wk.2: M-Th: 8-7 PST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  Please note, the examiner generally will not hold interviews after a Final Office Action has been issued.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava can be reached on 571-272-7304.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


MICHAEL YOUNG WON
Primary Patent Examiner
Art Unit 2449



/Michael Won/
Primary Examiner, Art Unit 2449
August 4, 2021