DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 03/29/2021 has been entered.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 03/29/2021, 06/15/2021, 06/30/2021, 08/03/2021, and 08/25/2021 were filed after the mailing date of the first action on the merits. The submissions are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.

The limitations directed towards extracting features from the plurality of events, constructing a distribution of the features from the plurality of events, the distribution of the features being constructed via a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window; analyzing the distribution of the features from the plurality of events, generating a risk score for the user based upon the analyzing; and, performing a risk assessment operation based upon the distribution of features from the plurality of events, the risk 
For example, but for the limitation reciting receiving a stream of data via a protected endpoint, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the plurality of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device, the protected endpoint providing a policy-based approach to network security, a security analytics system, the security analytics system executing on a hardware processor, and the protected endpoint communicating with the security analytics system via a network, the recitation of extracting features from the plurality of events, constructing a distribution of the features from the plurality of events, the 
The judicial exception is not integrated into a practical application by additional elements. In particular, claim 1 recites a computer-implementable method for constructing a distribution of interrelated event features, claim 7 recites a system comprising: a processor; a data bus coupled to the processor; and a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor, and claim 13 recites a non-transitory, computer-readable storage medium embodying computer program code, the computer program code comprising computer executable instructions, and claims 1, 7, and 13 recite receiving a stream of data via a protected endpoint, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the plurality of events 
These claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements, a computer-implementable method for constructing a distribution of interrelated event features as recited in claim 1, a system comprising: a processor; a data bus coupled to the processor; and a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor as recited in claim 7, a non-transitory, computer-readable storage medium embodying computer program code, the computer program code comprising computer executable instructions as recited in claim 13, and an electronic device, a computer system, a hardware processor, a security analytics system, and a network recited in claims 1, 7, and 13 are recited at a high level of generality to apply the exception using generic computer components.
Receiving a stream of data via a protected endpoint, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the plurality of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device, the protected endpoint providing a policy-based approach to network security, and the protected endpoint communicating with the security analytics system via a network is interpreted to be well understood, routine and conventional activity (Receiving or transmitting data over a network, Symantec (see MPEP 2106.05(d))). Mere instructions to apply an exception using generic computer components cannot provide an inventive concept.
To further elaborate, the additional limitation of receiving a stream of data via a protected endpoint, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the plurality of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device, the protected endpoint providing a policy-based approach to network security, a security analytics system, the security analytics system executing on a hardware processor, and the protected endpoint communicating with the security analytics system via a network, and the recitation of an electronic device, a computer system, a hardware processor, a security analytics system, and a network, wherein the computer system, in the context of the disclosure, is a generic computer used as a tool, does not impose a meaningful limit on the judicial exception and merely confines the claim to a particular technological environment or field of use. The claims are not patent eligible.
With respect to claims 2, 8, and 14, the limitations are directed towards enriching data associated with each of the plurality of events prior to extracting features from the plurality of events. These elements further elaborate the abstract idea, and the human mind, alone or with pen and paper, can enrich data associated with each of the plurality of events prior to extracting features from the plurality of events. Therefore, claims 2, 8, and 14 do not recite additional limitations which tie the abstract idea into a practical application and do not amount to significantly more than the identified judicial exception.

Versata Dev. Group, Inc. v. SAP Am., Inc. (see MPEP 2106.05(d))). Therefore, claims 3, 9, and 15 do not recite additional limitations which tie the abstract idea into a practical application and do not amount to significantly more than the identified judicial exception.
With respect to claims 4, 10, and 16, the limitations are directed towards labeling at least some of the plurality of events prior to extracting features from the plurality of events. These elements further elaborate the abstract idea, and the human mind, alone or with pen and paper, can label at least some of 
With respect to claims 5, 11, and 17, the limitations are directed towards the extracting features comprising performing transformation operations on certain features associated with an event to generate a smaller set of derived features. These elements further elaborate the abstract idea, and the human mind, alone or with pen and paper, can extract features by performing transformation operations on certain features associated with an event to generate a smaller set of derived features. Therefore, claims 5, 11, and 17 do not recite additional limitations which tie the abstract idea into a practical application and do not amount to significantly more than the identified judicial exception.
With respect to claims 6, 12, and 18, the limitations are directed towards processing a query relating to the plurality of events, the processing the query being performed via a streaming query framework. These additional limitations appear to be insignificant extra-solution activity and are interpreted to be well understood, routine and conventional (Receiving or transmitting data over a network, e.g., using the Internet to gather data, Symantec (see MPEP 2106.05(d))). Therefore, claims 6, 12, and 18 do not recite additional limitations which tie the abstract idea into a practical application and do not amount to significantly more than the identified judicial exception.
With respect to claim 19, the limitations are directed towards the computer executable instructions being deployable to a client system from a server system at a remote location. These elements further elaborate the abstract idea and merely confine the claim to a particular technological environment or field of use. Therefore, claim 19 does not recite additional limitations which tie the abstract idea into a practical application and does not amount to significantly more than the identified judicial exception.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 4-7, 10-13, and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Puri et al. (US Publication No.: US 20160371489 A1) hereinafter Puri, in view of Holeman et al. (U.S. Publication No.: US 20180191766 A1) hereinafter Holeman, in view of Hu et al. (U.S. Publication No.: US 20180204215 A1) hereinafter Hu, and further in view of Zimmermann et al. (U.S. Publication No.: US 20180027006 A1) hereinafter Zimmermann.
As to claim 1:
Puri discloses:
A computer-implementable method for constructing a distribution of interrelated event features [Paragraph 0118 methods, functions and other processes may be embodied as machine readable instructions stored on a computer readable medium, which may be non-transitory], comprising: 
extracting features from the plurality of events [Paragraph 0051 teaches that the incoming data 118 may be analyzed for anomalies by the data anomaly analyzer 116 using graph matching, pattern recognition, or other techniques, such as correlation algorithms, to extract anomalies and risks. Paragraph 0097 teaches that, in addition to mining, analytics may be performed on learned graphs to extract anomalous behaviors.];
analyzing the distribution of the features from the plurality of events [Paragraph 0098 and Figure 1 teach that anomalous behaviors may have a probability associated therewith. In this regard, the event cluster generator 108 may rank anomalous behaviors into five buckets/categories according to their probability (very-high, high, medium, low, and very-low). The five categories, along with the probability values, may serve to provide intuitive metrics. The discovered anomalies may be used for creation of a set of rules over which the data anomaly analyzer 116 will grade the data 118 that includes a stream of causally tagged event traces. Paragraph 0100 teaches that analyzing sets of behaviors as a whole and comparing them to the patterns that exist within a larger graph allows for the discovery of the persistent threats that are difficult to detect, and for discovering attack categories that take place. Paragraph 0102 and Figure 1 teach that the data anomaly analyzer 116 may compare graph patterns to one another. For example, for sets of agent behaviors that deviate from the norm or sets of activities that closely mimic known behaviors, the data anomaly analyzer 116 may grade how closely an event set converges or diverges from known information. Paragraph 0103, Figure 1, and Figure 4 teach that the data anomaly analyzer 116 may grade an incoming or emerging (in-flight) sequence of events against the probabilistic rankings of all known event walks that are contained within the master directed graph 104. The streaming detection measures the anomalousness of an incoming, potentially incomplete, in-flight walk of events compared against the probability density distribution of all known master walks from the master directed graph 104 or learned model of behavior (e.g., the real-time activity graph for the user-1 at 400).];

Puri discloses some of the limitations as set forth in claim 1 but does not appear to expressly disclose receiving a stream of data via a protected endpoint, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the plurality of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device, the protected endpoint providing a policy-based approach to network security, the protected endpoint communicating with the security analytics system via a network, constructing a distribution of the features from the plurality of events, the distribution of the features being constructed via a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window, generating a risk score for the user based upon the 
Holeman discloses:
receiving a stream of data via a protected endpoint, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the plurality of events corresponding to user actions [Paragraph 0053 teaches that user activity sensors 470 include computer program instructions that are executable to collect information relating to users of endpoint computer system 120. For example, in various embodiments, sensors 470 may indicate what users are currently logged in to endpoint computer system 120 and whether each login is local or remote. Sensors 470 may further indicate associated account attribution for observed network activity, such as identifying which logged-in users or accounts correspond to particular observed network activity. Paragraph 0054 teaches that sensors 470 may also collect information about the activities of users. For example, sensors 470 may collect information relating to user activity or inactivity, such as whether there is any input being supplied by the user (e.g., through user interface devices 370). Sensors 470 may also determine what user processes are in the foreground (e.g., the identity of the process associated with a currently active window, such as a word processing program to which the user is currently inputting text, as compared to other processes running in the background). Note: The cited sensors, as part of the endpoint computer system 120, collecting information about the activities of users is interpreted to read on the claimed identifying a plurality of events from the interactions by the user, at least some of the plurality of events corresponding to user actions.
The cited endpoint computer system 120 is interpreted to read on the claimed protected endpoint.], the protected endpoint comprising an endpoint device and an endpoint agent [Paragraph 0032 teaches that an endpoint analysis agent may be implemented on an endpoint computer system in a variety of ways, as illustrated by FIG. 2. Note: The examiner interprets the endpoint analysis agent implemented on an endpoint computer system as reading on the claimed protected endpoint comprising an endpoint device and an endpoint agent.], the endpoint agent executing on a hardware processor of the endpoint device [Paragraph 0033 teaches that in the depicted configuration (Figure 2), endpoint computer system 120 includes a hardware layer 240, which includes the actual underlying hardware of the system that supports process execution (e.g., processors, memory), and is discussed further with reference to FIG. 3. Endpoint computer system 120 further includes an operating system layer 220 that supports multiple system and application processes 212, including, in some embodiments, an endpoint analysis agent process.], the protected endpoint providing a policy-based approach to network security [Paragraph 0080 teaches that enterprise policy 606 is a set of criteria (e.g., rules) that define how a computer system is to be monitored at observation points 602 and/or define the control actions to be taken at control points 604 when particular events occur. As the name suggests, policy 606 may be tailored to the particular needs of a given enterprise based on the enterprise's risk sensitivity, asset valuations, overhead tolerance, service level objectives, and monitoring requirements. In various embodiments, policy 606 specifies criteria in terms of thresholds corresponding to the desired extent, degree, or granularity of observation point monitoring and thresholds for when determined control actions are to be taken.
Paragraph 0086 teaches network access restrictions to restrict or limit the network access capabilities of a system and/or user and/or application (e.g., adjusting an endpoint's 
the protected endpoint communicating with the security analytics system via a network [FIG. 3 shows a block diagram of a system 300 that includes an exemplary endpoint computer system. In this particular configuration, endpoint analysis agent 340 is implemented in software. Paragraph 0067 teaches that endpoint analysis agent 340 is operable to collect endpoint information, package that information (or a subset of that information) in one or more network flow data records, and send those records to network 110, where they may be received either by network flow analyzer 106 or by network flow collector 104, from which they may ultimately be forwarded to analyzer 106. Paragraph 0068 teaches that network flow analyzer 106 includes flow matching module 510, threat and anomaly detection module 520, and risk analysis module 530. Note: The endpoint computer system with an endpoint analysis agent 340 implemented in software, collecting endpoint information via the endpoint analysis agent 340 and sending those records to network 110 where they are received by network flow analyzer 106, is interpreted to read on the claimed protected endpoint communicating with the security analytics system via a network. The endpoint computer system with an endpoint analysis agent is interpreted to be the claimed protected endpoint, and the network flow analyzer is interpreted to be the claimed security analytics system. Network 110, used to send records from the endpoint computer system to the network flow analyzer, is interpreted to be the claimed network.]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teachings of the cited references and modify the invention as taught by Puri, by incorporating endpoint analysis agents running on a computer system to collect data associated with user activity, as taught by Holeman (Paragraph 0032, 0033, 0053, 0054, 0067, 0068, 

Puri and Holeman disclose some of the limitations as set forth in claim 1 but do not appear to expressly disclose constructing a distribution of the features from the plurality of events, the distribution of the features being constructed via a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window, generating a risk score for the user based upon the analyzing, and performing a risk assessment operation via a security analytics system based upon the distribution of features from the plurality of events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score.
Hu discloses:
constructing a distribution of the features from the plurality of events, the distribution of the features being constructed via a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window [Paragraph 0004 teaches once the data structure is generated, the data structure may be organized into clusters that represent legitimate 
Note: Access requests associated with data elements are interpreted to be the claimed plurality of events. Access requests, whether legitimate or fraudulent, placed into clusters are interpreted to read on the claimed constructing a distribution of the features from the plurality of events. The categorization module, configured to allow for categorization changes (updates) and to categorize the nodes/data elements into clusters, is interpreted to read on the claimed distribution of the features being constructed via a scoring container update operation. Categorization is interpreted to be the scoring container update operation, and legitimate clusters and fraudulent clusters are interpreted to be the claimed scoring containers, wherein the clusters are configured to have data elements that have scores, e.g., negative numbers showing a weakness of the data element being part of a valid request. These scores could contribute to determining whether a new authentication request is legitimate, e.g., if the new request included one or more data elements of a legitimate cluster and one or more data elements of a fraudulent cluster. The Degree of Affiliation, in the context of the cited art, is interpreted to be a score wherein the value of DoA could be positive or negative, similar to the cited score. The DoA/score representing a probability of a current request being affiliated with a legitimate cluster or fraudulent cluster is interpreted to read on the claimed a scoring container to provide an approximation of a ;
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teachings of the cited references and modify the invention as taught by Puri and Holeman, by incorporating clustering transactions into clusters utilizing a degree of affinity or score to show the probability of new transactions being categorized as either fraudulent or legitimate, as taught by Hu (Paragraph 0004, 0025, 0029, 0095, 0098, 0099, 0106, 0107, and 0141), because all three applications are directed to identifying threats to information security and storing information relating to those threats; incorporating clustering transactions into clusters utilizing a degree of affinity or score to show the probability of new transactions being categorized as either fraudulent or legitimate provides protection of other resources, e.g., of a same type. For instance, the same attackers might attack other resources, and a profile (via a cluster in the data structure) can allow a server of another party to detect fraudulent requests much quicker, as the proper knowledge of the received data structure can be leveraged (see Hu Paragraph 0090).

Puri, Holeman, and Hu disclose most of the limitations as set forth in claim 1 but do not appear to expressly disclose generating a risk score for the user based upon the analyzing, and performing a risk assessment operation via a security analytics system based upon the distribution of 
Zimmermann discloses:
generating a risk score for the user based upon the analyzing [Paragraph 0158 teaches that one may determine a user risk score based on user behaviors and present administrators with indications of the riskiest users and/or the riskiest activities being undertaken by users. Paragraph 0557 teaches that the machine learning engine 6510 may provide advanced analysis that adaptively learns, such as learning patterns in user behavior, entity behavior, and other factors to uncover pattern…. use the data collected from various platforms to profile an organization (and its users) based on behavior over a time period (such as a few months), to define a baseline profile for that organization and its users, using machine learning… involving a cluster of events (such as that mobile access is usually from home and laptop access is normally from the office), but a machine learning facility can provide an indicator of departure from a pattern, whatever it is. Paragraph 0558 teaches that a user or group trust score or risk score may be calculated based on the various capabilities described. Note: The examiner interprets analyzing events in a cluster as part of learning from user behavior to calculate a user risk score as reading on the claimed generating a risk score for the user based upon the analyzing.]; and
performing a risk assessment operation via a security analytics system based upon the distribution of features from the plurality of events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score [Paragraph 0007 teaches user behavior analysis (UBA). Paragraph 0011 teaches a cloud security fabric (CSF 100) that allows an enterprise to discover sensitive data, to apply policies and automation actions to data, users, and/or configurations, and make sure that regulated data is under compliance and that sensitive information is protected, so that the enterprise can enforce use policies around the data. Paragraph 0105 teaches there is value for the host or operator of the CSF 100 in the enterprise APIs 104 as well. 
Note: Security analytics services as part of the cloud security fabric (CSF) that provides user behavior analysis (UBA) in a cyber security use case to conduct a risk assessment, wherein the risk assessment reasonably involves user behaviors associated with a cluster of events used in determining a risk score that indicates the riskiest users and/or the riskiest activities being undertaken by users, read on the claimed performing a risk assessment operation via a security analytics system based upon the distribution of features from the plurality of events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score. The cloud security fabric that includes security analytics services is interpreted to be the claimed security analytics system. The cited risk assessment involving a risk score that indicates the riskiest users is interpreted to read on the claimed risk assessment operation. The cited cluster of events used in the user behavior analysis to determine the user risk score as part of the risk assessment is interpreted to read on the claimed performing a risk assessment operation via a security analytics system based upon the distribution of features from the plurality of events, the risk assessment operation taking into account the risk score. The CSF, including the security analytics service, deployed in part or in whole through a machine that executes computer software on a server, client, firewall, gateway, hub, router, or other such computer and/or networking hardware is interpreted to read on the claimed security analytics system executing on a hardware processor.]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teachings of the cited references and modify the invention as taught by Puri, Holeman, and Hu, by incorporating security analytics services as part of the cloud security fabric to provide risk assessments based on user risk scores and clustering, as taught by Zimmermann (Paragraph 0007, 0011, 0114, 0118, 0132, 0134, 0158, 0557, 0558, and 0599), because all 

As to claim 4:
Puri discloses:
The method of claim 1, further comprising: labeling at least some of the plurality of events prior to extracting features from the plurality of events [Paragraph 0104 teaches that any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets the agent originator information to be the claimed labeling at least some of the plurality of events.].

As to claim 5:
Puri discloses:
The method of claim 1, wherein: the extracting features comprises performing transformation operations on certain features associated with an event to generate a smaller set of derived features [Paragraph 0107 teaches referring to FIG. 5, with respect to the example of network security events disclosed herein, the apparatus 100 may be applied to three months (e.g., three petabyte) of security data to generate graphs with nodes representing the events, edges connecting events that are related to each other, the size representing the anomalousness (i.e., the very high probability of anomalousness events being displayed on the outer bounds as shown in FIG. 5 at 500, to the very-low probability of anomalousness events being displayed towards the middle), and different colors (e.g., red, yellow, orange, etc.) representing the probability of occurrence of the events. Further analysis may be performed by grouping events and providing mechanisms to navigate and visualize them according to their features. The examiner interprets using three months of data, grouping events, and sizing representing anomalousness to be the claimed transformation operations on certain features to generate a smaller set of derived features, wherein anomalousness is interpreted to be the claimed certain features.]

As to claim 6:
Puri discloses:
The method of claim 1, further comprising: processing a query relating to the plurality of events, the processing the query being performed via a streaming query framework [Paragraph 0056 teaches the LCA framework stack may include a plurality of layers for data collection (i.e., event collection and management), data ingestion (normalization, parsing, and storage), query processing, data filtering, data mining, data analytics, an API wrapper allowing for extensive use and interplay with other tools and visualization applications to complete all necessary analytics, and web services control.
The examiner interprets query processing and data ingestion to be the claimed processing a query relating to the plurality of events, wherein querying and data ingestion as part of the LCA framework stack is interpreted to be the claimed processing performed via a streaming query framework.]

As to claim 7:
Puri discloses:
A system comprising:  
a processor; a data bus coupled to the processor; and a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor [Paragraph 0118 teaches methods, functions and other processes may be embodied as machine readable instructions stored on a computer readable medium, which may be non-transitory (e.g., the memory 904 of FIG. 9, and the non-transitory computer readable medium 1102 of FIG. 11), such as hardware storage devices (e.g., RAM (random access memory), ROM (read only memory), EPROM (erasable, programmable ROM), EEPROM (electrically erasable, programmable ROM), hard drives, and flash memory). The memory 904 may include a RAM, where the machine readable instructions and data for the processor 902 may reside during runtime.] and configured for:
extracting features from the plurality of events [Paragraph 0051 teaches the incoming data 118 may be analyzed for anomalies by the data anomaly analyzer 116 using graph matching, pattern recognition, or other techniques, such as correlation algorithms, to extract anomalies and risks. Paragraph 0097 teaches that, in addition to mining, analytics may be performed on learned graphs to extract anomalous behaviors.];
analyzing the distribution of the features from the plurality of events [Paragraph 0098 and Figure 1 teach that anomalous behaviors may have a probability associated therewith. In this regard, the event cluster generator 108 may rank anomalous behaviors into five buckets/categories according to their probability (very-high, high, medium, low, and very-low). The five categories, along with the probability values, may serve to provide intuitive metrics. The discovered anomalies may be used for creation of a set of rules over which the data anomaly analyzer 116 will grade the data 118 that includes a stream of causally tagged event traces. Paragraph 0100 teaches that analyzing sets of behaviors as a whole and comparing to the patterns that exist within a larger graph allow for the discovery of the persistent threats that are difficult to detect, and for discovering attack categories that take place. Paragraph 0102 and Figure 1 teach the data anomaly analyzer 116 may compare graph patterns to one another. For example, for sets of agent behaviors that deviate from the norm or sets of activities that closely mimic 
The examiner interprets anomalous behaviors to be the claimed features, and the event cluster generator ranking anomalous behaviors into buckets to be the claimed distribution of features. The examiner interprets the rules, the analyzing of sets of behaviors as a whole and comparing them to the patterns that exist within a larger graph, and the data anomaly analyzer comparing graph patterns to one another, including against the probability density distribution of all known master walks from the master directed graph, to be the claimed analyzing the distribution of the features from the plurality of events.];

Puri discloses some of the limitations as set forth in claim 7 but does not appear to expressly disclose receiving a stream of data via a protected endpoint, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the plurality of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device, the protected endpoint providing a policy-based approach to network security, the protected endpoint communicating with the security analytics system via a network, constructing a distribution of the features from the plurality of events, the 
Holeman discloses:
receiving a stream of data via a protected endpoint, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the plurality of events corresponding to user actions [Paragraph 0053 teaches user activity sensors 470 include computer program instructions that are executable to collect information relating to users of endpoint computer system 120. For example, in various embodiments, sensors 470 may indicate what users are currently logged in to endpoint computer system 120 and whether each login is local or remote. Sensors 470 may further indicate associated account attribution for observed network activity such as identifying which logged-in users or accounts correspond to particular observed network activity. Paragraph 0054 teaches sensors 470 may also collect information about the activities of users. For example, sensors 470 may collect information relating to user activity or inactivity, such as whether there is any input being supplied by the user (e.g., …)], the protected endpoint comprising an endpoint device and an endpoint agent [Paragraph 0032 teaches an endpoint analysis agent may be implemented on an endpoint computer system in a variety of ways, as illustrated by FIG. 2. 
Note: The examiner interprets the endpoint analysis agent implemented on an endpoint computer system to read on the claimed protected endpoint comprising an endpoint device and an endpoint agent.], the endpoint agent executing on a hardware processor of the endpoint device [Paragraph 0033 teaches in the depicted configuration (Figure 2), endpoint computer system 120 includes a hardware layer 240, which includes the actual underlying hardware of the system that supports process execution (e.g., processors, memory), and is discussed further with reference to FIG. 3. Endpoint computer system 120 further includes an operating system layer 220 that supports multiple system and application processes 212, including, in some embodiments, an endpoint analysis agent process.], the protected endpoint providing a policy-based approach to network security [Paragraph 0080 teaches enterprise policy 606 is a set of criteria (e.g., rules) that define how a computer system is to be monitored at observation points 602 and/or define the control actions to be taken at control points 604 when particular events occur. As the name suggests, policy 606 may be tailored to the particular needs of a given enterprise based on the enterprise's risk sensitivity, asset valuations, overhead tolerance, service level objectives, and monitoring requirements. In various embodiments, policy 606 specifies criteria in terms of thresholds corresponding to the desired extent, degree, or granularity of observation point monitoring and thresholds for when determined control actions are to be taken. Paragraph 0086 teaches network access restrictions to restrict or limit the network access capabilities of a system and/or user and/or application (e.g., adjusting an endpoint's security policy pertaining to its firewall settings, DNS enforcement, etc.). Note: The enterprise policy and security policy utilizing computer system endpoints (protected endpoints) to control and observe data and data access is interpreted to read on the claimed protected endpoint providing a policy-based approach to network security.]
the protected endpoint communicating with the security analytics system via a network [Figure 3 shows a block diagram of a system 300 that includes an exemplary endpoint computer system. In this particular configuration, endpoint analysis agent 340 is implemented in software. Paragraph 0067 teaches endpoint analysis agent 340 is operable to collect endpoint information, package that information (or a subset of that information) in one or more network flow data records, and send those records to network 110, where it may be received either by network flow analyzer 106, or by network flow collector 104, where it may be ultimately forwarded to analyzer 106. Paragraph 0068 teaches network flow analyzer 106 includes flow matching module 510, threat and anomaly detection module 520, and risk analysis module 530. Note: The endpoint computer system with an endpoint analysis agent 340 implemented in software, collecting endpoint information via the endpoint analysis agent 340 and sending those records to network 110 where they are received by network flow analyzer 106, is interpreted to read on the claimed protected endpoint communicating with the security analytics system via a network. The endpoint computer system with an endpoint analysis agent is interpreted to be the 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teaching of the cited references and modify the invention as taught by Puri, by incorporating endpoint analysis agents running on a computer system to collect data associated with user activity, as taught by Holeman (Paragraph 0032, 0033, 0053, 0054, 0067, 0068, 0080, 0086, Figure 2, and Figure 3), because both applications are directed to identifying threats to information security and storing information relating to those threats; collecting endpoint information and using it to supplement network flow analysis has a number of potential benefits. Because a richer data set providing additional relevant context is being utilized, incidents of false positives for potential network security incidents may be reduced (see Holeman Paragraph 0027).

Puri and Holeman disclose some of the limitations as set forth in claim 7 but do not appear to expressly disclose constructing a distribution of the features from the plurality of events, the distribution of the features being constructed via a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window, generating a risk score for the user based upon the analyzing, and performing a risk assessment operation via a security analytics system based upon the distribution of features from the 
Hu discloses:
constructing a distribution of the features from the plurality of events, the distribution of the features being constructed via a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window [Paragraph 0004 teaches once the data structure is generated, the data structure may be organized into clusters that represent legitimate or potentially fraudulent authentication requests. Paragraph 0025 teaches a “cluster” of data elements (nodes) can refer to a collection of overlapped bindings or that overlap on certain data elements. Paragraph 0029 teaches the data structure can be generated from a plurality of authentication requests that are associated with a resource identifier (e.g., a user account of a computer resource). The data structure can be generated using data elements associated with access requests, where the data elements form nodes within the data structure. Sets of nodes within the data structure can be identified as belonging to certain clusters, e.g., each corresponding to a different legitimate or fraudulent actor. Paragraph 0095 teaches the strength of matching data elements can allow a new data element in a same request to be added to the baseline. For example, the strength scores can be added for each matching data element, and the total score can be required to be above a certain threshold before new data elements are added to a legitimate cluster, which may be the baseline or another cluster corresponding to a different legitimate user than the one who specified data elements at the time of creation/registration of the resource. Paragraph 0098 teaches clusters representing suspicious or fraudulent transactions may also be identified. For example, in FIG. 4, cluster 406(b) can be identified as fraudulent because only two transactions have been conducted, and the data elements 402 are not consistent with the data elements in baseline cluster 406(a). The categorization of fraudulent could 
Note: Access requests associated with data elements are interpreted to be the claimed plurality of events. Access requests, whether legitimate or fraudulent, placed into clusters are interpreted to read on the claimed constructing a distribution of the features from the plurality of events. The categorization module configured to allow for categorization changes (updates) and to categorize the nodes/data elements into clusters is interpreted to read on the claimed distribution of the features being constructed via a scoring container update operation. Categorization is interpreted to be the scoring container update operation, and legitimate clusters and fraudulent clusters are interpreted to be the ;
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teaching of the cited references and modify the invention as taught by Puri and Holeman, by incorporating clustering transactions into clusters utilizing a degree of affinity or score to show the probability of new transactions categorized as either fraudulent or legitimate, as taught by Hu (Paragraph 0004, 0025, 0029, 0095, 0098, 0099, 0106, 0107, and 0141), because all three applications are directed to identifying threats to information security and storing information relating to those threats; incorporating clustering transactions into clusters utilizing a degree of affinity or score to show the probability of new transactions categorized as either fraudulent or legitimate provides protection of other resources, e.g., of a same type. For instance, the same 

Puri, Holeman, and Hu disclose most of the limitations as set forth in claim 7 but do not appear to expressly disclose generating a risk score for the user based upon the analyzing, and performing a risk assessment operation via a security analytics system based upon the distribution of features from the plurality of events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score.
Zimmermann discloses:
generating a risk score for the user based upon the analyzing [Paragraph 0158 teaches one may determine a user risk score based on user behaviors and present administrators with indications of the riskiest users and/or the riskiest activities being undertaken by users. Paragraph 0557 teaches the machine learning engine 6510 may provide advanced analysis that adaptively learns, such as learning patterns in user behavior, entity behavior, and other factors to uncover pattern…. use the data collected from various platforms to profile an organization (and its users) based on behavior over a time period (such as a few months), to define a baseline profile for that organization and its users, using machine learning… involving a cluster of events (such as that mobile access is usually from home and laptop access is normally from the office), but a machine learning facility can provide an indicator of departure from a pattern, whatever it is. Paragraph 0558 teaches a user or group trust score or risk score may be calculated based on the various capabilities described. Note: The examiner interprets analyzing events in a cluster as part of learning from user behavior to calculate a user risk score to read on the claimed generating a risk score for the user based upon the analyzing.]; and 
performing a risk assessment operation via a security analytics system based upon the distribution of features from the plurality of events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score [Paragraph 0007 teaches user behavior analysis (UBA). Paragraph 0011 teaches a cloud security fabric (CSF 100) that allows an enterprise to discover sensitive data, to apply policies and automation actions to data, users, and/or configurations, and make sure that regulated data is under compliance and that sensitive information is protected, so that the enterprise can enforce use policies around the data. Paragraph 0105 teaches there is value for the host or operator of the CSF 100 in the enterprise APIs 104 as well. The host or operator can perform business automation functions, such as doing an automated security assessment report for an enterprise customer. Paragraph 0114 teaches connector APIs 108 may connect to CSF through connectors 144. The CSF 100 may host various security relevant services, including security analytics services 124 (which deliver insight relating to key cloud security risks and performance indicators) and configuration management services 134 (which allow the CSF 100 to take configuration information from various sources and configure various security related modules and services in the CSF 100 or in various platforms). Paragraph 0118 teaches referring to FIG. 3, the developer APIs 102 enable developers to access capabilities and services of the modules of the CSF 100 to enable various other solutions, such as SIEMs 304, DLPs 302, UBA solutions 310. Paragraph 0132 teaches there are a number of important cyber security use cases that may benefit from improved UBA solutions, where identification of a pattern of user or machine behavior allows identification of a threat. Paragraph 0134 teaches Important cyber security use cases and features may also include… risk assessment. 
Paragraph 0158 teaches one may determine a user risk score based on user behaviors and present administrators with indications of the riskiest users and/or the riskiest activities being undertaken by users. Paragraph 0557 teaches the machine learning engine 6510 may provide advanced analysis that adaptively learns, such as learning patterns in user behavior, entity behavior, and other factors to uncover pattern…. use the data collected from various platforms to profile an organization (and its users) based on behavior over a time period (such as a few months), to define a baseline profile for that organization and its users, using machine learning… involving a cluster of events (such as that mobile access is usually from home and laptop access is normally from the office), but a machine learning facility can provide an indicator of departure from a pattern, whatever it is. Paragraph 0558 teaches a user or group trust score or risk score may be calculated based on the various capabilities described.
Note: Security analytics services as part of the cloud security fabric (CSF) that provide user behavior analysis (UBA) in a cyber security use case to conduct a risk assessment, wherein the risk assessment reasonably involves user behaviors associated with a cluster of events used in determining a risk score that indicates the riskiest users and/or the riskiest activities being undertaken by users, read on the claimed performing a risk assessment operation via a security analytics system based upon the distribution of features from the plurality of events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score. The cloud security fabric that includes security analytics services is interpreted to be the claimed security analytics system. The cited risk assessment involving a risk score that indicates the riskiest users is interpreted to read on the claimed risk assessment operation. The cited cluster of events used in the user behavior analysis to determine the user risk score as part of the risk assessment is interpreted to read on the claimed performing a risk assessment operation via a security analytics system based upon the distribution of features from the plurality of events, the risk assessment operation taking into account the risk score. The CSF, including the security analytics service, deployed in part or in whole through a machine that executes computer software on a server, client, firewall, gateway, hub, router, or other such computer and/or networking hardware is interpreted to read on the claimed security analytics system executing on a hardware processor.]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teaching of the cited references and modify the invention as taught by Puri, Holeman, and Hu, by incorporating security analytics services as part of the cloud security fabric to provide risk assessments based on user risk scores and clustering, as taught by Zimmermann (Paragraph 0007, 0011, 0114, 0118, 0132, 0134, 0158, 0557, 0558, and 0599), because all four applications are directed to identifying threats to information security and storing information relating to those threats; incorporating security analytics services as part of the cloud security fabric to provide risk assessments based on user risk scores and clustering provides better threat indications, such as account compromise, which will make alert identification more effective, allowing the production of fewer, more relevant alerts (see Zimmermann Paragraph 0129).
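The pipeline that the claim 7 analysis above maps onto the references (label events, extract a reduced set of derived features, fold the features into a scoring container that approximates their probability distribution for a time window, score a user against that distribution, and bucket the result) can be made concrete with a short sketch. The following Python is an added illustration written for this page; it is not code from the application under examination or from Puri, Holeman, Hu or Zimmermann, and every name in it (ScoringContainer, label_event, extract_features, risk_score, risk_bucket, assess), the one-day window, the Laplace smoothing, the five bucket thresholds and the sample events are assumptions. It goes one step beyond the claim language by scoring the latest window against a baseline built from the earlier windows, which is the departure-from-baseline idea cited from Zimmermann Paragraph 0557, and it reuses the five probability buckets cited from Puri Paragraph 0098 for the final ranking.

```python
"""Windowed 'scoring container' illustration for user-behavior risk scoring.

Added example for this office action; it is not code from the application
under examination or from the cited references (Puri, Holeman, Hu, Zimmermann).
Every name here (ScoringContainer, label_event, extract_features, risk_score,
risk_bucket, assess), the window size, the smoothing and the bucket thresholds
are hypothetical, and the events below are constructed sample data.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed sample events: (timestamp, user, action, bytes).  Day 1 is
# routine business-hours activity; day 2 adds two off-hours bulk USB copies.
SAMPLE_EVENTS = [
    (datetime(2024, 3, 4, 9, 5, tzinfo=UTC), "alice", "file_read", 20_000),
    (datetime(2024, 3, 4, 9, 40, tzinfo=UTC), "bob", "file_read", 5_000),
    (datetime(2024, 3, 4, 10, 15, tzinfo=UTC), "alice", "email_send", 300_000),
    (datetime(2024, 3, 4, 11, 0, tzinfo=UTC), "bob", "file_read", 10_000),
    (datetime(2024, 3, 4, 14, 20, tzinfo=UTC), "alice", "file_read", 50_000),
    (datetime(2024, 3, 4, 15, 45, tzinfo=UTC), "bob", "email_send", 80_000),
    (datetime(2024, 3, 4, 16, 30, tzinfo=UTC), "alice", "file_read", 7_000),
    (datetime(2024, 3, 4, 16, 50, tzinfo=UTC), "mallory", "file_read", 12_000),
    (datetime(2024, 3, 5, 2, 10, tzinfo=UTC), "mallory", "usb_copy", 4_000_000),
    (datetime(2024, 3, 5, 2, 25, tzinfo=UTC), "mallory", "usb_copy", 2_500_000),
    (datetime(2024, 3, 5, 10, 5, tzinfo=UTC), "alice", "file_read", 9_000),
]

# Labels applied before feature extraction: raw actions -> coarse category.
ACTION_CATEGORY = {"file_read": "read", "email_send": "send", "usb_copy": "exfil"}


def label_event(event):
    """Labeling step: attach a category label to a raw event."""
    ts, user, action, nbytes = event
    return {"ts": ts, "user": user, "action": action, "bytes": nbytes,
            "category": ACTION_CATEGORY.get(action, "other")}


def extract_features(labeled):
    """Transform raw attributes into a smaller set of derived, low-cardinality features."""
    hour = labeled["ts"].hour
    return (
        ("category", labeled["category"]),
        ("hours", "business" if 9 <= hour < 18 else "off_hours"),
        ("size", "large" if labeled["bytes"] >= 1_000_000 else "small"),
    )


class ScoringContainer:
    """Per-window feature histograms approximating P(value | feature, window)."""

    def __init__(self, window: timedelta):
        self.window_seconds = int(window.total_seconds())
        # window key -> feature name -> Counter of observed values
        self.counts = defaultdict(lambda: defaultdict(Counter))
        self.vocab = defaultdict(set)  # feature name -> values seen in any window

    def window_key(self, ts):
        return int(ts.timestamp()) // self.window_seconds

    def update(self, ts, features):
        """Scoring container update operation: fold one event's features into its window."""
        key = self.window_key(ts)
        for name, value in features:
            self.counts[key][name][value] += 1
            self.vocab[name].add(value)

    def probability(self, name, value, windows, alpha=1.0):
        """Laplace-smoothed estimate of P(value | feature name) over the given windows."""
        count = sum(self.counts[w][name][value] for w in windows)
        total = sum(sum(self.counts[w][name].values()) for w in windows)
        return (count + alpha) / (total + alpha * len(self.vocab[name]))

    def windows_before(self, key):
        return [w for w in self.counts if w < key]


def risk_score(container, user, labeled_events, window_key):
    """Mean surprisal (bits) of the user's features in one window, measured
    against the baseline distribution built from all earlier windows."""
    baseline = container.windows_before(window_key)
    surprisals = []
    for ev in labeled_events:
        if ev["user"] != user or container.window_key(ev["ts"]) != window_key:
            continue
        for name, value in extract_features(ev):
            surprisals.append(-math.log2(container.probability(name, value, baseline)))
    return sum(surprisals) / len(surprisals) if surprisals else 0.0


# Five buckets in the style of Puri's very-high .. very-low ranking; thresholds are assumed.
RISK_BUCKETS = [(0.5, "very-low"), (1.0, "low"), (2.0, "medium"), (3.0, "high")]


def risk_bucket(score):
    for limit, label in RISK_BUCKETS:
        if score < limit:
            return label
    return "very-high"


def assess(events, window=timedelta(days=1)):
    """Whole pipeline; returns {user: (score, bucket)} for users active in the latest window."""
    labeled = [label_event(e) for e in events]
    container = ScoringContainer(window)
    for ev in labeled:
        container.update(ev["ts"], extract_features(ev))
    latest = max(container.window_key(ev["ts"]) for ev in labeled)
    users = sorted({ev["user"] for ev in labeled if container.window_key(ev["ts"]) == latest})
    result = {}
    for u in users:
        s = risk_score(container, u, labeled, latest)
        result[u] = (s, risk_bucket(s))
    return result


if __name__ == "__main__":
    ranked = sorted(assess(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1][0])
    for user, (score, bucket) in ranked:
        print(f"{user:8s} risk={score:.3f} bits  {bucket}")
```

Run as a script it prints one line per user active in the latest window, highest score first: mallory's two off-hours bulk copies land in the very-high bucket because none of the three feature values they produce (exfil, off_hours, large) was seen in the baseline window, while alice's business-hours read scores near zero. The caveat a practitioner would note is that a container keyed only on the current window cannot flag a user who is alone in that window, since every feature value they produce then has probability one; that is why the score here is taken against the earlier windows rather than the window being scored.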

As to claim 10:
Puri discloses:
The system of claim 7, wherein the instructions are further configured for: labeling at least some of the plurality of events prior to extracting features from the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets agent originator information to be the claimed labeling of at least some of the plurality of events.].

As to claim 11:
Puri discloses:
The system of claim 7, wherein: the extracting features comprises performing transformation operations on certain features associated with an event to generate a smaller set of derived features [Paragraph 0107 teaches referring to FIG. 5, with respect to the example of network security events disclosed herein, the apparatus 100 may be applied to three months (e.g., three petabyte) of security data to generate graphs with nodes representing the events, edges connecting events that are related to each other, the size representing the anomalousness (i.e., the very high probability of anomalousness events being displayed on the outer bounds as shown in FIG. 5 at 500, to the very-low probability of anomalousness events being displayed towards the middle), and different colors (e.g., red, yellow, orange, etc.) representing the probability of occurrence of the events. Further analysis may be performed by grouping events and providing mechanisms to navigate and visualize them according to their features. The examiner interprets using three months of data, grouping events, and sizing representing anomalousness to be the claimed transformation operations on certain features to generate a smaller set of derived features, wherein anomalousness is interpreted to be the claimed certain features.]

As to claim 12:
Puri discloses:
The system of claim 7, wherein: processing a query relating to the plurality of events, the processing the query being performed via a streaming query framework [Paragraph 0056 teaches the LCA framework stack may include a plurality of layers for data collection (i.e., event collection and management), data ingestion (normalization, parsing, and storage), query processing, data filtering, data mining, data analytics, an API wrapper allowing for extensive use and interplay with other tools and visualization applications to complete all necessary analytics, and web services control. The examiner interprets query processing and data ingestion to be the claimed processing a query relating to the plurality of events, wherein querying and data ingestion as part of the LCA framework stack is interpreted to be the claimed processing performed via a streaming query framework.]


As to claim 13:
Puri discloses:
A non-transitory, computer-readable storage medium embodying computer program code, the computer program code comprising computer executable instructions [Paragraph 0118 teaches methods, functions and other processes may be embodied as machine readable instructions stored on a computer readable medium, which may be non-transitory (e.g., the memory 904 of FIG. 9, and the non-transitory computer readable medium 1102 of FIG. 11), such as hardware storage devices (e.g., RAM (random access memory), ROM (read only memory), EPROM (erasable, programmable ROM), EEPROM (electrically erasable, programmable ROM), hard drives, and flash memory). The memory 904 may include a RAM, where the machine readable instructions and data for the processor 902 may reside during runtime.] configured for:
extracting features from the plurality of events [Paragraph 0051 teaches the incoming data 118 may be analyzed for anomalies by the data anomaly analyzer 116 using graph matching, pattern recognition, or other techniques, such as correlation algorithms, to extract anomalies and risks. Paragraph 0097 teaches that, in addition to mining, analytics may be performed on learned graphs to extract anomalous behaviors.];
analyzing the distribution of the features from the plurality of events [Paragraph 0098 and Figure 1 teach that anomalous behaviors may have a probability associated therewith. In this regard, the event cluster generator 108 may rank anomalous behaviors into five buckets/categories according to their probability (very-high, high, medium, low, and very-low). The five categories, along with the probability values, may serve to provide intuitive metrics. The discovered anomalies may be used for creation of a set of rules over which the data anomaly analyzer 116 will grade the data 118 that includes a stream of causally tagged event traces. Paragraph 0100 teaches that analyzing sets of behaviors as a whole and comparing to the patterns that exist within a larger graph allow for the discovery of the persistent threats that are difficult to detect, and for discovering attack categories that take place. Paragraph 0102 and Figure 1 teach the data anomaly analyzer 116 may compare graph patterns to one another. For example, for sets of agent behaviors that deviate from the norm or sets of activities that closely mimic 
The examiner interprets anomalous behaviors to be the claimed features, and the event cluster generator ranking anomalous behaviors into buckets to be the claimed distribution of features. The examiner interprets the rules, the analyzing of sets of behaviors as a whole and comparing them to the patterns that exist within a larger graph, and the data anomaly analyzer comparing graph patterns to one another, including against the probability density distribution of all known master walks from the master directed graph, to be the claimed analyzing the distribution of the features from the plurality of events.]; and 

Puri discloses some of the limitations as set forth in claim 13 but does not appear to expressly disclose receiving a stream of data via a protected endpoint, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being 
Holeman discloses:
receiving a stream of data via a protected endpoint, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the plurality of events corresponding to user actions [Paragraph 0053 teaches user activity sensors 470 include computer program instructions that are executable to collect information relating to users of endpoint computer system 120. For example, in various embodiments, sensors 470 may indicate what users are currently logged in to endpoint computer system 120 and whether each login is local or remote. Sensors 470 may further indicate associated account attribution for observed network activity such as identifying which logged-in users or accounts correspond to particular observed network activity. Paragraph 0054 teaches sensors 470 may also collect information about the activities of users. For example, sensors 470 may collect information relating to user activity or inactivity, such as whether there is any input being supplied by the user (e.g., …)], the protected endpoint comprising an endpoint device and an endpoint agent [Paragraph 0032 teaches an endpoint analysis agent may be implemented on an endpoint computer system in a variety of ways, as illustrated by FIG. 2. Note: The examiner interprets the endpoint analysis agent implemented on an endpoint computer system to read on the claimed protected endpoint comprising an endpoint device and an endpoint agent.], the endpoint agent executing on a hardware processor of the endpoint device [Paragraph 0033 teaches in the depicted configuration (Figure 2), endpoint computer system 120 includes a hardware layer 240, which includes the actual underlying hardware of the system that supports process execution (e.g., processors, memory), and is discussed further with reference to FIG. 3. Endpoint computer system 120 further includes an operating system layer 220 that supports multiple system and application processes 212, including, in some embodiments, an endpoint analysis agent process.], the protected endpoint providing a policy-based approach to network security [Paragraph 0080 teaches enterprise policy 606 is a set of criteria (e.g., rules) that define how a computer system is to be monitored at observation points 602 and/or define the control actions to be taken at control points 604 when particular events occur. As the name suggests, policy 606 may be tailored to the particular needs of a given enterprise based on the enterprise's risk sensitivity, asset valuations, overhead tolerance, service level objectives, and monitoring requirements. In various embodiments, policy 606 specifies criteria in terms of thresholds corresponding to the desired extent, degree, or granularity of observation point monitoring and thresholds for when determined control actions are to be taken. 
Paragraph 0086 teaches network access restrictions to restrict or limit the network access capabilities of a system and/or user and/or application (e.g., adjusting an endpoint's security policy pertaining to its firewall settings, DNS enforcement, etc.). Note: The enterprise policy and security policy utilizing computer system endpoints (protected endpoints) to control and observe data and data access is interpreted to read on the claimed protected endpoint providing a policy-based approach to network security.]
the protected endpoint communicating with the security analytics system via a network [Figure 3 shows a block diagram of a system 300 that includes an exemplary endpoint computer system. In this particular configuration, endpoint analysis agent 340 is implemented in software. Paragraph 0067 teaches endpoint analysis agent 340 is operable to collect endpoint information, package that information (or a subset of that information) in one or more network flow data records, and send those records to network 110, where it may be received either by network flow analyzer 106, or by network flow collector 104, where it may be ultimately forwarded to analyzer 106. Paragraph 0068 teaches network flow analyzer 106 includes flow matching module 510, threat and anomaly detection module 520, and risk analysis module 530. Note: The endpoint computer system with an endpoint analysis agent 340 implemented in software, collecting endpoint information via the endpoint analysis agent 340 and sending those records to network 110 where they are received by network flow analyzer 106, is interpreted to read on the claimed protected endpoint communicating with the security analytics system via a network. The endpoint computer system with an endpoint analysis agent is interpreted to be the 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teaching of the cited references and modify the invention as taught by Puri, by incorporating endpoint analysis agents running on a computer system to collect data associated with user activity, as taught by Holeman (Paragraph 0032, 0033, 0053, 0054, 0067, 0068, 0080, 0086, Figure 2, and Figure 3), because both applications are directed to identifying threats to information security and storing information relating to those threats; collecting endpoint information and using it to supplement network flow analysis has a number of potential benefits. Because a richer data set providing additional relevant context is being utilized, incidents of false positives for potential network security incidents may be reduced (see Holeman Paragraph 0027).

Puri and Holeman disclose some of the limitations as set forth in claim 13 but do not appear to expressly disclose constructing a distribution of the features from the plurality of events, the distribution of the features being constructed via a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability 
Hu discloses:
constructing a distribution of the features from the plurality of events, the distribution of the features being constructed via a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window [Paragraph 0004 teaches once the data structure is generated, the data structure may be organized into clusters that represent legitimate or potentially fraudulent authentication requests. Paragraph 0025 teaches a “cluster” of data elements (nodes) can refer to a collection of overlapped bindings or that overlap on certain data elements. Paragraph 0029 teaches the data structure can be generated from a plurality of authentication requests that are associated with a resource identifier (e.g., a user account of a computer resource). The data structure can be generated using data elements associated with access requests, where the data elements form nodes within the data structure. Sets of nodes within the data structure can be identified as belonging to certain clusters, e.g., each corresponding to a different legitimate or fraudulent actor. Paragraph 0095 teaches the strength of matching data elements can allow a new data element in a same request to be added to the baseline. For example, the strength scores can be added for each matching data element, and the total score can be required to be above a certain threshold before new data elements are added to a legitimate cluster, which may be the baseline or another cluster corresponding to a different legitimate user than the one who specified data elements at the time of creation/registration of the resource. Paragraph 0098 teaches clusters representing suspicious or fraudulent transactions may also be identified. For example, in FIG. 4, cluster 406(b) can be identified as fraudulent because only two transactions have been conducted, and the data elements 402 are not consistent with the data elements in baseline cluster 406(a). The categorization of fraudulent could 
;
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teaching of the cited references and modify the invention as 

Puri, Holeman, and Hu disclose most of the limitations as set forth in claim 13 but do not appear to expressly disclose generating a risk score for the user based upon the analyzing, and performing a risk assessment operation via a security analytics system based upon the distribution of features from the plurality of events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score.
Zimmermann discloses:
generating a risk score for the user based upon the analyzing [Paragraph 0158 teaches one may determine a user risk score based on user behaviors and present administrators with indications of the riskiest users and/or the riskiest activities being undertaken by users. Paragraph 0557 teaches the machine learning engine 6510 may provide advanced analysis that adaptively learns, such as learning patterns in user behavior, entity behavior, and other factors to uncover pattern…. use the data collected from various platforms to profile an organization (and its users) based on behavior over a time period (such as a few months), to define a baseline profile for that organization and its users, using machine ; and 
performing a risk assessment operation via a security analytics system based upon the distribution of features from the plurality of events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score [Paragraph 0007 teaches user behavior analysis (UBA). Paragraph 0011 teaches a cloud security fabric (CSF 100) that allows an enterprise to discover sensitive data, to apply policies and automation actions to data, users, and/or configurations, and make sure that regulated data is under compliance and that sensitive information is protected, so that the enterprise can enforce use policies around the data. Paragraph 0105 teaches there is value for the host or operator of the CSF 100 in the enterprise APIs 104 as well. The host or operator can perform business automation functions, such as doing an automated security assessment report for an enterprise customer. Paragraph 0114 teaches connector APIs 108 may connect to CSF through connectors 144. The CSF 100 may host various security relevant services, including security analytics services 124 (which deliver insight relating to key cloud security risks and performance indicators) and configuration management services 134 (which allow the CSF 100 to take configuration information from various sources and configure various security related modules and services in the CSF 100 or in various platforms). Paragraph 0118 teaches referring to FIG. 3, the developer APIs 102 enable developers to access capabilities and services of the modules of the CSF 100 to enable various other solutions, such as SIEMs 304, DLPs 302, UBA solutions 310. Paragraph 0132 teaches there are a number of important cyber security use cases that may benefit from improved UBA solutions, where 
Note: Security analytics services as part of the cloud security fabric (CSF) that provides user behavior analysis (UBA) in a cyber security use case to conduct a risk assessment, wherein the risk assessment reasonably involves user behaviors associated with a cluster of events used in determining a risk score that indicates riskiest users and/or the riskiest activities being undertaken by users reads on the claimed performing a risk assessment operation via a security analytics system based upon the distribution of features from the plurality of events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score. The cloud security fabric that includes security analytics services is interpreted to be the claimed security analytics system. The cited risk assessment involving a risk score that indicates the riskiest users is interpreted to read on 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teaching of the cited references and modify the invention as taught by Puri, Holeman, and Hu, by incorporating security analytics services as part of the cloud security fabric to provide risk assessments based on user risk scores and clustering, as taught by Zimmermann (Paragraph 0007, 0011, 0114, 0118, 0132, 0134, 0158, 0557, 0558, and 0599), because all four applications are directed to identifying threats to information security and storing information relating to those threats; incorporating security analytics services as part of the cloud security fabric to provide risk assessments based on user risk scores and clustering provides better threat indications, such as account compromise, which will make alert identification more effective, allowing the production of fewer, more relevant alerts (see Zimmermann Paragraph 0129).

As to claim 16:
Puri discloses:
The non-transitory, computer-readable storage medium of claim 13, wherein the computer executable instructions are further configured for: labeling at least some of the plurality of events prior to extracting features from the plurality of events [Paragraph 0104 teaches any incoming trace .

As to claim 17:
Puri discloses:
The non-transitory, computer-readable storage medium of claim 13, wherein: the extracting features comprises performing transformation operations on certain features associated with an event to generate a smaller set of derived features [Paragraph 0107 teaches referring to FIG. 5, with respect to the example of network security events disclosed herein, the apparatus 100 may be applied to three months (e.g., three petabyte) of security data to generate graphs with nodes representing the events, edges connecting events that are related to each other, the size representing the anomalousness (i.e., the very high probability of anomalousness events being displayed on the outer bounds as shown in FIG. 5 at 500, to the very-low probability of anomalousness events being displayed towards the middle), and different colors (e.g., red, yellow, orange, etc.) representing the probability of occurrence of the events. Further analysis may be performed by grouping events and providing mechanisms to navigate and visualize them according to their features. The examiner interprets using three months of use of data, grouping events, and sizing representing anomalousness to be the claimed transformation operations for smaller sets on certain features wherein anomalousness is interpreted to be the claimed certain features.]

As to claim 18:
Puri discloses:
The non-transitory, computer-readable storage medium of claim 13, wherein the computer executable instructions are further configured for: processing a query relating to the plurality of events, the processing the query being performed via a streaming query framework [Paragraph 0056 teaches the LCA framework stack may include a plurality of layers for data collection (i.e., event collection and management), data ingestion (normalization, parsing, and storage), query processing, data filtering, data mining, data analytics, an API wrapper allowing for extensive use and interplay with other tools and visualization applications to complete all necessary analytics, and web services control.
The examiner interprets query processing and data ingestion to be the claimed processing relating to the plurality of events wherein querying and data ingestion as part of the LCA framework stack is interpreted to be the claimed performed via a streaming query framework.]

Claims 2, 8, and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Puri et al. (US Publication No.: US 2016/0371489 A1) hereinafter Puri, in view of Holeman et al. (U.S. Publication No.: US 20180191766 A1) hereinafter Holeman, in view of Hu et al. (U.S. Publication No.: US 20180204215 A1) hereinafter Hu, in view of Zimmerman et al. (U.S. Publication No.: US 20180027006 A1) hereinafter Zimmermann, and further in view of Valentino et al. (US Publication 20130320212 A1) hereinafter Valentino.
As to claim 2:
Puri, Holeman, Hu, and Zimmerman disclose all of the limitations as set forth in claim 1 but do not appear to expressly disclose the method of claim 1, further comprising: enriching data associated with each of the plurality of events prior to extracting features from the plurality of events.
Valentino discloses:
The method of claim 1, further comprising: enriching data associated with each of the plurality of events prior to extracting features from the plurality of events [Paragraph 0123 and Figure 7 teaches a time stamp is generated 706 to record the time at which a measurement was taken. This measure correlates to the motion (e.g., point at which on-board MEMS accelerometer device is read 702) and position (e.g., the estimated position of the sensor 704) at the time the sensor was read. The time stamp readings 706 may then be exported or recorded to the data log. Thus, the exposure event is captured in the data record 708.
The examiner interprets generated time stamp to record the time at which a measurement was taken to be the claimed enriching data associated with each of the plurality of events. Time stamp readings are interpreted to be the claimed enriched data associated with the plurality of events and in view of Figure 7 item 706 occurring prior to Figure 7 item 708 the examiner interprets the generated time stamp occurring a step before capturing the event in the data record 708 to be the claimed prior to extracting features from the plurality of events.]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teaching of the cited references and modify the invention as taught by Puri, Holeman, Hu, and Zimmerman, by incorporating time stamp generation to record the time at which a measurement was taken, as taught by Valentino (Paragraph 0123), because all five applications are directed to event processing in technical environments; configuring the event detector to generate time stamps as a measurement or event from sensors enables the detection and analysis of exposure to a wide range of phenomena including, for example, radiological, chemical, biological and electromagnetic sources of exposure. The use of time, motion and position further enables the determination of whether a sensor was moving during an event and when and where the exposure occurred (see Valentino Paragraph 0106).

As to claim 8:
Puri, Holeman, Hu, and Zimmerman disclose all of the limitations as set forth in claim 7 but do not appear to expressly disclose the system of claim 7, wherein the instructions are further configured for: enriching data associated with each of the plurality of events prior to extracting features from the plurality of events.
Valentino discloses:
The system of claim 7, wherein the instructions are further configured for: enriching data associated with each of the plurality of events prior to extracting features from the plurality of events [Paragraph 0123 and Figure 7 teaches a time stamp is generated 706 to record the time at which a measurement was taken. This measure correlates to the motion (e.g., point at which on-board MEMS accelerometer device is read 702) and position (e.g., the estimated position of the sensor 704) at the time the sensor was read. The time stamp readings 706 may then be exported or recorded to the data log. Thus, the exposure event is captured in the data record 708.
The examiner interprets generated time stamp to record the time at which a measurement was taken to be the claimed enriching data associated with each of the plurality of events. Time stamp readings are interpreted to be the claimed enriched data associated with the plurality of events and in view of Figure 7 item 706 occurring prior to Figure 7 item 708 the examiner interprets the generated time stamp occurring a step before capturing the event in the data record 708 to be the claimed prior to extracting features from the plurality of events.]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teaching of the cited references and modify the invention as taught by Puri, Holeman, Hu, and Zimmerman, by incorporating time stamp generation to record the time at which a measurement was taken, as taught by Valentino (Paragraph 0123), because all five 

As to claim 14:
Puri, Holeman, Hu, and Zimmerman disclose all of the limitations as set forth in claim 7 but do not appear to expressly disclose the non-transitory, computer-readable storage medium of claim 13, wherein the computer executable instructions are further configured for: enriching data associated with each of the plurality of events prior to extracting features from the plurality of events.
Valentino discloses:
The non-transitory, computer-readable storage medium of claim 13, wherein the computer executable instructions are further configured for: enriching data associated with each of the plurality of events prior to extracting features from the plurality of events [Paragraph 0123 and Figure 7 teaches a time stamp is generated 706 to record the time at which a measurement was taken. This measure correlates to the motion (e.g., point at which on-board MEMS accelerometer device is read 702) and position (e.g., the estimated position of the sensor 704) at the time the sensor was read. The time stamp readings 706 may then be exported or recorded to the data log. Thus, the exposure event is captured in the data record 708.
The examiner interprets generated time stamp to record the time at which a measurement was taken to be the claimed enriching data associated with each of the plurality of events. Time stamp readings are interpreted to be the claimed enriched data associated with the plurality of events and in 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teaching of the cited references and modify the invention as taught by Puri and Drissel, by incorporating time stamp generation to record the time at which a measurement was taken, as taught by Valentino (Paragraph 0123), because all five applications are directed to event processing in technical environments; configuring the event detector to generate time stamps as a measurement or event from sensors enables the detection and analysis of exposure to a wide range of phenomena including, for example, radiological, chemical, biological and electromagnetic sources of exposure. The use of time, motion and position further enables the determination of whether a sensor was moving during an event and when and where the exposure occurred (see Valentino Paragraph 0106).

Claims 3, 9, 15, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Puri et al. (US Publication No.: US 20160371489 A1) hereinafter Puri, in view of Holeman et al. (U.S. Publication No.: US 20180191766 A1) hereinafter Holeman, in view of Hu et al. (U.S. Publication No.: US 20180204215 A1) hereinafter Hu, in view of Zimmerman et al. (U.S. Publication No.: US 20180027006 A1) hereinafter Zimmermann, in view of Valentino et al. (US Publication 20130320212 A1) hereinafter Valentino, and further in view of Cherubini et al. (U.S. Patent No.: US 10579281 B2) hereinafter Cherubini.
As to claim 3:
Puri discloses:
The method of claim 2, wherein:
the enriching data comprises at least one of validating event data associated with at least some of the plurality of events [Paragraph 0080 teaches tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns that suggest more complicated circumstances. An example may include validating security events against previously verified breaches of information in real time. Paragraph 0081 each record or event (in a file) may be consumed by the CEP 252 and is pre-processed (i.e., the data is enriched by adding to it or transforming it)], 
disclaiming certain event data associated with at least some of the plurality of events [Paragraph 0065 teaches as trace events are tagged and ingested, for example, by CEP, a model representing agent behaviors may be learned in real-time. Paragraph 0078 teaches referring to FIGS. 2A and 2B, with respect to real-time processing of a data stream, a message queue 250 may collect and organize events which are pulled by downstream subscribers, CEP 252 may be applied to evaluate events based on programmed or dynamic rules/algorithms to identify key information. Paragraph 0104 teaches incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). 
Tagging events by the CEP where tagging occurs on data deemed to be anomalous is interpreted to be the claimed disclaiming certain event data associated. The examiner also interprets data stream of events to be the claimed plurality of events.];   
performing an entity resolution operation on at least some of the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets tagging and associating data with relevant information such as the agent originator to be the claimed performing an entity resolution operation on at least some of the ;  
performing an attachment enrichment operation on data associated with at least some of the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets tagging to be the claimed attachment enrichment operation wherein tagging includes tags associated with all relevant information is interpreted to be the claimed data associated with at least some of the plurality of the events.]; and,  
performing a domain enrichment on at least some of the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets agent originator information to be the claimed domain enrichment wherein tagging and associating is interpreted to be the claimed enrichment process.]

Puri, Holeman, Hu, Zimmerman, and Valentino disclose all of the limitations of claims 1 and 2, and most of claim 3, but do not appear to expressly disclose deduplicating at least some of the plurality of events 
Cherubini discloses:
6deduplicating at least some of the plurality of events [Column 18 Lines 12-15 teach a storage capacity manager is introduced because of the finite capacity of the storage unit, and a foreseen large amount of data segments steadily created within a big data system. Column 23 Lines 31-37 and Figure 1 teach prior to being stored on the physical media corresponding to the selected storage tier 21, each data segment is presented to an encoder 23, which provides different levels of protection, for example 
The examiner interprets the UEP encoder deduplicated data to be stored and again routed for reclassification to element 11 of Figure 1. As part of reclassification, features are extracted from the data segments to determine the appropriate classification. Therefore deduplication occurs prior to feature extraction and is interpreted to be the claimed deduplicating at least some of the plurality of events.];
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teaching of the cited references and modify the invention as taught by Puri, Holeman, Hu, Zimmerman, and Valentino, by incorporating deduplication of the data segments, as taught by Cherubini (Column 23 Lines 31-37 and Figure 1), because all six applications are directed to event processing in technical environments; configuring the event detector to consider deduplication discards obsolete data segments and allows for judiciously increasing the storage system capacity of a storage unit (see Cherubini Column 18 Lines 15-18).

As to claim 9:
Puri discloses:
The system of claim 8, wherein:  
the enriching data comprises at least one of validating event data associated with at least some of the plurality of events [Paragraph 0080 teaches tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns that suggest more complicated circumstances. An example may include validating security events against previously verified breaches of information in real time. Paragraph 0081 each record or event (in a file) may be consumed by the CEP 252 and is pre-processed (i.e., the data is enriched by adding to it or transforming it)], 
disclaiming certain event data associated with at least some of the plurality of events [Paragraph 0065 teaches as trace events are tagged and ingested, for example, by CEP, a model representing agent behaviors may be learned in real-time. Paragraph 0078 teaches referring to FIGS. 2A and 2B, with respect to real-time processing of a data stream, a message queue 250 may collect and organize events which are pulled by downstream subscribers, CEP 252 may be applied to evaluate events based on programmed or dynamic rules/algorithms to identify key information. Paragraph 0104 teaches incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). 
Tagging events by the CEP where tagging occurs on data deemed to be anomalous is interpreted to be the claimed disclaiming certain event data associated. The examiner also interprets data stream of events to be the claimed plurality of events.];   
performing an entity resolution operation on at least some of the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets tagging and associating data with relevant information such as the agent originator to be the claimed performing an entity resolution operation on at least some of the plurality of events wherein the agent originator is interpreted to be the entity outputted from the entity resolution (similar to name or domain name resolution in networking).];  
performing an attachment enrichment operation on data associated with at least some of the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets tagging to be the claimed attachment enrichment operation wherein tagging includes tags associated with all relevant information is interpreted to be the claimed data associated with at least some of the plurality of the events.]; and,  
performing a domain enrichment on at least some of the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets agent originator information to be the claimed domain enrichment wherein tagging and associating is interpreted to be the claimed enrichment process.]

Puri, Holeman, Hu, Zimmerman, and Valentino disclose all of the limitations of claims 7 and 8, and most of claim 9, but do not appear to expressly disclose deduplicating at least some of the plurality of events 
Cherubini discloses:
6deduplicating at least some of the plurality of events [Column 18 Lines 12-15 teach a storage capacity manager is introduced because of the finite capacity of the storage unit, and a foreseen large amount of data segments steadily created within a big data system. Column 23 Lines 31-37 and Figure 1 teach prior to being stored on the physical media corresponding to the selected storage tier 21, each data segment is presented to an encoder 23, which provides different levels of protection, for example using unequal error protection (UEP), depending on the relevance class information. In an embodiment, compression and/or deduplication of the data segments may be considered in addition to UEP.
The examiner interprets the UEP encoder deduplicated data to be stored and again routed for reclassification to element 11 of Figure 1. As part of reclassification, features are extracted from the data segments to determine the appropriate classification. Therefore deduplication occurs prior to feature extraction and is interpreted to be the claimed deduplicating at least some of the plurality of events.];
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teaching of the cited references and modify the invention as taught by Puri, Holeman, Hu, Zimmerman, and Valentino, by incorporating deduplication of the data 

As to claim 15:
Puri discloses:
The non-transitory, computer-readable storage medium of claim 14, wherein:  
the enriching data comprises at least one of validating event data associated with at least some of the plurality of events [Paragraph 0080 teaches tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns that suggest more complicated circumstances. An example may include validating security events against previously verified breaches of information in real time. Paragraph 0081 each record or event (in a file) may be consumed by the CEP 252 and is pre-processed (i.e., the data is enriched by adding to it or transforming it)], 
disclaiming certain event data associated with at least some of the plurality of events [Paragraph 0065 teaches as trace events are tagged and ingested, for example, by CEP, a model representing agent behaviors may be learned in real-time. Paragraph 0078 teaches referring to FIGS. 2A and 2B, with respect to real-time processing of a data stream, a message queue 250 may collect and organize events which are pulled by downstream subscribers, CEP 252 may be applied to evaluate events based on programmed or dynamic rules/algorithms to identify key information. Paragraph 0104 teaches incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). 
;   
performing an entity resolution operation on at least some of the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets tagging and associating data with relevant information such as the agent originator to be the claimed performing an entity resolution operation on at least some of the plurality of events wherein the agent originator is interpreted to be the entity outputted from the entity resolution (similar to name or domain name resolution in networking).];  
performing an attachment enrichment operation on data associated with at least some of the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets tagging to be the claimed attachment enrichment operation wherein tagging includes tags associated with all relevant information is interpreted to be the claimed data associated with at least some of the plurality of the events.]; and,  
performing a domain enrichment on at least some of the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets agent originator information to be the claimed domain enrichment wherein tagging and associating is interpreted to be the claimed enrichment process.]

Cherubini discloses:
6deduplicating at least some of the plurality of events [Column 18 Lines 12-15 teach a storage capacity manager is introduced because of the finite capacity of the storage unit, and a foreseen large amount of data segments steadily created within a big data system. Column 23 Lines 31-37 and Figure 1 teach prior to being stored on the physical media corresponding to the selected storage tier 21, each data segment is presented to an encoder 23, which provides different levels of protection, for example using unequal error protection (UEP), depending on the relevance class information. In an embodiment, compression and/or deduplication of the data segments may be considered in addition to UEP.
The examiner interprets the UEP encoder deduplicated data to be stored and again routed for reclassification to element 11 of Figure 1. As part of reclassification, features are extracted from the data segments to determine the appropriate classification. Therefore deduplication occurs prior to feature extraction and is interpreted to be the claimed deduplicating at least some of the plurality of events.];
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teaching of the cited references and modify the invention as taught by Puri, Holeman, Hu, Zimmerman, and Valentino, by incorporating deduplication of the data segments, as taught by Cherubini (Column 23 Lines 31-37 and Figure 1), because all six applications are directed to event processing in technical environments; configuring the event detector to consider deduplication discards obsolete data segments and allows for judiciously increasing the storage system capacity of a storage unit (see Cherubini Column 18 Lines 15-18).

As to claim 19:

Cherubini discloses:
The non-transitory, computer-readable storage medium of claim 13, wherein the computer executable instructions are deployable to a client system from a server system at a remote location [Column 27 Lines 33-37 teach the computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. 
The examiner interprets computer readable program instructions to be the claimed computer executable instructions. Instructions executed entirely or partially on the remote computer or server are interpreted to be the claimed deployable to a client system from a server system at a remote location.]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teaching of the cited references and modify the invention as taught by Puri, Holeman, Hu, and Zimmerman, by incorporating computer readable program instructions to execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server, as taught by Cherubini (Column 27 Lines 33-37), because all five applications are directed to event processing in technical environments; configuring the event detector to use computer readable program instructions to execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server achieves performance, reliability, 

As to claim 20:
Puri, Holeman, Hu, and Zimmerman disclose all of the limitations of claim 13 but do not appear to expressly disclose the non-transitory, computer-readable storage medium of claim 13, wherein the computer executable instructions are provided by a service provider to a user on an on-demand basis.
Cherubini discloses:
The non-transitory, computer-readable storage medium of claim 13, wherein the computer executable instructions are provided by a service provider to a user on an on-demand basis [Column 27 Lines 33-43 teach the computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. Remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
The examiner interprets the internet service provider providing internet for computer readable program instructions to be the claimed computer executable instructions provided by a service provider. The user’s computer in receipt of the computer readable program instructions via the internet service provider is interpreted to be the claimed provided to a user on an on-demand basis.]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teaching of the cited references and modify the invention as taught by Puri, Holeman, Hu, and Zimmerman, by incorporating an internet service provider providing internet for computer readable program instructions, as taught by Cherubini (Column 27 Lines 33-43), 

Response to Arguments
The following is in response to Applicant’s arguments filed on March 29, 2021. 
Applicant’s arguments regarding claim rejections based on 35 U.S.C. 103 have been fully and respectfully considered, but are moot in view of the new grounds of rejection necessitated by the amendments.

Regarding the Office Action rejection of claims 1-20 under 35 U.S.C. 101, the applicant presents the following arguments in the March 29, 2021 remarks pages 8 and 9.
It is respectfully submitted that the claims do not recite matter that falls within the mental processes grouping of abstract ideas set forth in the Revised Patent Subject Matter Eligibility Guidance effective January 7, 2019 (Revised Guidelines). It is respectfully submitted that the claims, especially as amended, are not directed to something that could be practically, reasonably performed in the human mind. Specifically, the claims do not per se recite mathematical concepts, methods of organizing human activity or mental processes. Accordingly, the claims should not be treated as reciting an abstract idea and are patent eligible…. Additionally, the claims are directed to a practical application. More specifically, the claims are generally directed to the practical application of performing a risk assessment operation via a security analytics system executing on a hardware processor… the claims should not be treated as reciting an abstract idea and are patent eligible.

Examiner respectfully presents the following response to Applicant’s amendments and remarks:
Applicant’s arguments have been fully considered but they are not persuasive. The examiner’s interpretation of the claims as reciting an abstract idea, in view of the amendments and the applicant’s argument, is maintained. But for the limitation reciting receiving a stream of data via a protected endpoint, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the plurality of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device, the protected endpoint providing a policy-based approach to network security, a security analytics system, the security analytics system executing on a hardware processor, and the protected endpoint communicating with the security analytics system via a network, the recitation of extracting features from the plurality of events, constructing a distribution of the features from the plurality of events, the distribution of the features being constructed via a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window; analyzing the distribution of the features from the plurality of events, generating a risk score for the user based upon the analyzing; and, performing a risk assessment operation based upon the distribution of features from the plurality of events, the risk assessment operation taking into account the risk score, in the context of this claim, encompasses a user mentally constructing a distribution of features from
The examiner’s interpretation of the judicial exception, as recited in claims 1, 7 and 13, is not integrated into a practical application by additional elements and the additional elements included in claims 1, 7, and 13 are not sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements, a computer-implementable method for constructing a distribution of interrelated event features as recited in claim 1, a system comprising: a processor; a data bus coupled to the processor; and a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor as recited in claim 7, a non-transitory, computer-readable storage medium embodying computer program code, the computer program code comprising computer executable instructions as recited in claim 13, and an electronic device, a computer system, a hardware processor, a security analytics system, and a network recited in claims 1, 7, and 13 are recited at a high level of generality to apply the exception using generic computer components. Receiving a stream of data via a protected endpoint, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the plurality of events corresponding to user actions, the protected endpoint comprising an endpoint device and an Symantec (see MPEP 2106.05(d))).
Mere instructions to apply an exception using generic computer components cannot provide an inventive concept. To further elaborate, the additional limitation of receiving a stream of data via a protected endpoint, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the plurality of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device, the protected endpoint providing a policy-based approach to network security, a security analytics system, the security analytics system executing on a hardware processor, and the protected endpoint communicating with the security analytics system via a network and the recitation of an electronic device, a computer system, a hardware processor, a security analytics system, and a network, wherein the computer system, in the context of the disclosure, is a generic computer used as a tool, does not impose a meaningful limit on the judicial exception and it

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EARL ELIAS whose telephone number is (571)272-9762.  The examiner can normally be reached on Monday - Friday (IFP).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Usmaan Saeed can be reached on 571-272-4046.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/USMAAN SAEED/Supervisory Patent Examiner, Art Unit 2169