Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
1.	This action is responsive an original application filed on 25 June 2020 this application is a continuation of multiple applications 14/970,317, 15/224,443, 15/462,540, and 16/209,379 now patents 9,407,652, 9,628,500, 10,075,464 and 10,735,448 which claim the benefit of a provisional application with a filing date of 26 June 2015.
2.	Claims 1-17 are currently pending.  Claims 1, 9, and 17, are independent claims. 
3.	The IDS submitted on 28 January 2021 has been considered.
Double Patenting
4.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A statutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and  In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may 
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/forms/.
 The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. 
 An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, please refer to - http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp
 6.	Claims 1-17 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-15 of application 14/970,317 now patent 9,407,652, claims 1-20 of application 15/224,443 now patent 9,628,500, claims 1-20 of application 15/462,540 now patent 10,075,464, and claims 1-19 of 16/109,379 now patent 10,735,448.  Although the conflicting claims are not identical, they are not patentably distinct from each other because all the elements/features of claimed program that detects malicious access request exist in the patented applications in similar or different names, essentially 

PATENT 9,407,652
PRESENT APPLICATION 
CLAIM 1
CLAIM 1
An anomaly-detection computer system to identify when an user of a 
network is a malicious actor, the anomaly-detection computer system comprising: one or more computer readable storage devices configured to store one or more 
software modules including computer executable instructions;  and one or more 
hardware computer processors in communication with the one or more computer 
readable storage devices and configured to execute the one or more software 
modules in order to cause the computer system to: 

log, to the one or more computer readable storage devices, activity on the network by a plurality of  users, 


the activity comprising indications of port numbers associated with the activity on the network;  


calculate similarity scores by, in part, comparing port numbers associated with a first user of the plurality of users to port 
numbers associated with other users of the plurality of users, the similarity 
scores calculated based at least in part on the logged activity on the network;
  


sort the plurality of users into a plurality of cohorts based at least in part 
on which of the plurality of users have similarity scores that satisfy a 
similarity threshold;  

store data into a memory, the data identifying which of 
the plurality of users were sorted into the plurality of cohorts;  


detect a first port number indicated in a new network activity of the first user of the 
plurality of users, wherein the first user is associated with a first cohort of 
the plurality of cohorts;  and determine, based at least in part on a comparison performed by the one or more processors of the first port number to other port numbers associated with the first cohort, that the new network activity associated with the first user is anomalous

having program instructions embodied thereon;  and one or more processors 
configured to execute the program instructions to cause the computer system to: 










receive network activity information associated with a plurality of users, 



wherein the network activity information includes at least indications of 
resources accessed by the plurality of users;  determine, 

for each for the resources accessed, and based at least in part on the network activity 
information, respective scale factors;  calculate similarity scores for the plurality of users based at least in part on the network activity information and the relevant scale factors;  



 sort the plurality of users into a plurality 
of cohorts based at least in part on the similarity scores;  









receive new first network activity information associated with a first user of the plurality of 
users, wherein the first user is associated with a first cohort of the plurality of cohorts;  and determine, based at least in part on a comparison between at least a portion of the first network activity information and 
network activity information associated with the first cohort, that the first network activity information associated with the first user is anomalous


Claim Rejections - 35 USC § 101
7.	35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

8.	Claims 1-8 and 17 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  Independent claim 1 is directed to “A computer system compromising: one or more computer readable storage mediums” claims 1-8 are rejected under 101 because a computer readable medium can be interpreted as a signal or a computer program, which is non-statutory subject matter.  Independent claim 17 is directed to “A computer readable 
		In order to overcome the 101 rejection, the Examiner recommends that the language of the claim be modified to include "non-transitory" or "computer readable device".
Claim Rejections - 35 USC § 102
9.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

10.	Claims 1-2, 7-10, and 15-17, are rejected under 35 U.S.C. 102(a)(1) and (a)(2) as being anticipated by Basavapatna et al.  U.S. Patent Application Publication No. 2013/0097709 (hereinafter ‘709).
As to independent claim 9, “A computer-implemented method comprising: by one or more processors executing program instructions: receiving network activity information associated with a plurality of users, wherein the network activity information includes at least indications of resources accessed by the plurality of users” is taught in ‘709 Abstract, paragraph 28, note “Assessment records 268, including or based on data collected using event detection tools 208; security tools 246-266 can be associated with one or more users of enterprise system (i.e. plurality of users) … Further, in some implementations, user identifications (IDs) can be associated with device identifiers…and actions of a user can be identified based on an 
“determining, for each for the resources accessed, and based at least in part on the network activity information, respective scale factors;  calculating similarity scores for the plurality of users based at least in part on the network activity information and the relevant scale factors” is shown ‘709 paragraph 30, note “Further, a composite risk profile or score (e.g. calculated in connection with risk calculator 278) can be generated or calculated for based on an aggregation of use-or type-specific user profiles”;
“sorting the plurality of users into a plurality of cohorts based at least in part on the similarity scores” is disclosed in ‘709 Abstract, paragraphs 14-15;
“receiving new first network activity information associated with a first user of the plurality of users, wherein the first user is associated with a first cohort of the plurality of cohorts” is taught in ‘709 Abstract, paragraphs 12-15 and 36-37;
“and determining, based at least in part on a comparison between at least a portion of the first network activity information and network activity information associated with the first cohort, that the first network activity information associated with the first user is anomalous” is shown in ‘709 Abstract and paragraphs 12-15 note “risk event” is anomalous.
As to dependent claim 10, “The computer-implemented method of claim 9 further comprising: by the one or more processors executing program instructions: analyzing the network activity information to determine any distributed resources among the resources accessed by the plurality of users, wherein any multiple resources accessed that comprise a single distributed resources are considered a single resource accessed by the plurality of users for 
As to dependent claim 15, “The computer-implemented method of claim 9 further comprising: by the one or more processors executing program instructions: determining, based at least in part on a comparison between at least a portion of the first network activity information and previous network activity information associated with the first user, that the first network activity information associated with the first user is not anomalous” is taught in ‘709 paragraphs 12-15. 
As to dependent claim 16, “The computer-implemented method of claim 9, the plurality of users are sorted into the plurality of cohorts further based at least in part on user information associated with the users” is shown in ‘709 paragraphs 15, note “The particular behavioral profile can be group-based behavioral profile based on a plurality of inputs from a plurality of users in a group of users of the computing system, the plurality of inputs describing prior activities of the group of users in the computing system.  The group of users can be a business unit, users in a particular geographic location, users with a particular employment status, users in a particular department of an organization, a set of all identified users of the computing system, among other examples”.
	As to independent claim 1, this claim is directed to a computer system executing the method of claim 9; therefore it is rejected along similar rationale.
	As to dependent claims 2 and 7-8, these claims contain substantially similar subject matter as claims 10 and 15-16; therefore they are rejected along similar rationale.
	As to independent claim 17, this claim is directed to a computer readable medium executing the method of claim 9; therefore it is rejected along similar rationale.
Claim Rejections – 35 USC § 103
11.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

12.	Claims 3-5, 11-13, are rejected under 35 U.S.C. 103 as being unpatentable over Basavapatna et al.  U.S. Patent Application Publication No. 2013/0097709 (hereinafter ‘709) in view of Rodriguez U.S. Patent Application Publication No. 2012/0173710 (hereinafter ‘710). 
As to dependent claim 11, the following is not explicitly taught in ‘709: “The computer-implemented method of claim 9, wherein the respective scale factors comprise respective inverse user frequency scale factors” however ‘710 teaches data analysis server calculates deviation score using an inverse ratio in paragraph 58.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of a user behavior risk assessment taught in ‘709 to include a means to perform inverse scale factors.  One of ordinary skill in the art would have been motivated to perform such a modification because detecting anomalies and the causes of anomalies in network traffic may enable networks to function more efficiently see ‘710 paragraphs 3-7.
As to dependent claim 12, “The computer-implemented method of claim 11, wherein the respective inverse user frequency scale factors are calculated, for each respective resource 
As to dependent claim 13, “The computer-implemented method of claim 11, wherein the respective inverse user frequency scale factors are calculated, for each respective resource accessed, by dividing the number of users by the number of accesses, and taking the log of the result” is shown in ’710 paragraphs 9 and 56.
As to dependent claims 3-5 these claims contain substantially similar subject matter as claims 11-13 therefore they are rejected along similar subject matter.
13.	Claims 6 and 14, are rejected under 35 U.S.C. 103 as being unpatentable over Basavapatna et al.  U.S. Patent Application Publication No. 2013/0097709 (hereinafter ‘709) in view of Kim et al. U.S. Patent Application Publication No. 2007/0226803 (hereinafter ‘803).
As to dependent claim 14, “The computer-implemented method of claim 9, the similarity scores are calculated at least in part by determining at least one of: Jaccard similarity scores, or cosine similarity scores” however ‘803 teaches using Jaccard or cosine to calculate( i.e. generate) similarity value (i.e. score) to detect intrusions and risk grade in the Abstract, paragraph 32 and claim 4.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of a user behavior risk assessment taught in ‘709 to include a means to use Jaccard or cosine to calculate similarity scores.  One of ordinary skill in the art would have been motivated to perform such a modification because improvements are needed to detect intrusions see ‘803 paragraphs 8-11.
	As to dependent claim 6, this claim contains substantially similar as claim 14; therefore it is rejected along similar rationale.
Conclusion
14.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ellen Tran whose telephone number is (571) 272-3842.  The examiner can normally be reached from 7:30 am to 4:00 pm.
Examiner interviews are available via telephone and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
		If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeff Pwu can be reached at (571) 272-6798.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ELLEN TRAN/Primary Examiner, Art Unit 2433                                                                                                                                                                                                        24 August 2021