Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority
This application claims the benefit of and priority to U.S. Provisional Patent Application Ser. No. 62/732,470 filed on Sep. 17, 2018 and entitled “SUPERVISED LEARNING SYSTEM FOR IDENTITY COMPROMISE RISK COMPUTATION,” which application is expressly incorporated herein by reference in its entirety.
DETAILED ACTION
This office action is in response to an amendment application filed on 07/16/2021. In the amendment, applicant has amended claims 1, 4, 9, 11 and 15-16. Claim 8 has been cancelled. Claims 2-3, 5-7, 10 and 12-14 remain original. No new claim has been added.
For this office action, claims 1-7 and 9-16 have been received for consideration and have been examined. 
Response to Arguments
Claim Objections
	Applicant’s amendments to claims 4 and 11 have been reviewed by the examiner and appear to overcome the claim objections. Therefore, examiner has withdrawn these objections.
Claim Rejections under 35 U.S.C. § 101
	Applicant’s amendments to independent claims have been reviewed by the examiner and incorporation of the limitations from claim 8 has changed the scope of the independent 1, 15 and 16 and now these claims do not contain abstract idea. Therefore examiner has withdrawn this rejection. 
Claim Rejections under 35 U.S.C. § 103
Applicant’s arguments, filed 07/16/2021, with respect to the rejections of claims 1-16 under 35 U.S.C. § 103 have been fully considered and are persuasive. Examiner agrees that primary reference of Abrams does not explicitly disclose using multiple machine learning tool to generate quantified risk level and user identity risk score. Hence, examiner has relied upon Lin reference (US20200028862A1) in this rejection which discloses implementing multiple/tiered machine learning tools that is used to detect abnormalities in network activities or other user behavior patterns in an enterprise and generate an event and correlated score in relation to the user behavior (See Abstract & [0079-0080]).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the 

Claims 1-7 and 9-16 are rejected under 35 U.S.C. 103 as being unpatentable over Abrams et al., (US20150339477A1) in view of Lin et al.,(US20200028862A1) and further in view of Grajek et al., (US20180069867A1).
Regarding claim 1, Abrams discloses:
	A computing system comprising:
one or more processors; and one or more computer-readable media having stored thereon instructions that are executable by the one or more processors to configure the computer system to implement a method of improving precision and recall utility for user identity risk scores that are utilized in providing computer security, including instructions that are executable to configure the computer system to implement the method by at least:
accessing stored sign-in data (i.e. historical authentication data) for each sign-in event in a set of sign-in events (i.e. log in events) corresponding to a first user, the sign-in data being stored for a predetermined period of time (i.e. historical authentication data), the set of sign-in events comprising one or more sign-in event that each corresponds to a sign-in attempt by the first user (See FIG. 1; Step 104 [0020] An embodiment of risk assessment is illustrated by an exemplary method 100 of FIG. 1. At 102, the method starts. At 104, historical authentication data may be evaluated (e.g., given user consent) to identify a set of authentication context properties associated with user authentication sessions; Also see FIG. 2A; [0030-0031] for example types of log in events which will be evaluated);
from the stored sign-in data, and based on risk profiles associated with the stored sign-in data, identifying a set of sign-in detectors (i.e. set of authentication context properties and/or the set of malicious account context properties) for each sign-in event in the set of sign-in events corresponding to the first user, the set of sign-in detectors comprising one or more sign-in detector that each identifies at least a feature or an attribute that is detected for a corresponding sign-in event (See FIG. 1; See Step 106;  [0020] identification of a set of malicious account context properties associated with compromised user accounts and/or compromised user authentication events; Examiner interprets ‘set of  sign-in detectors’ as listed authentication context in [0020]; [0021] In an example, various compromise detection algorithms, such as a compromised email account detection algorithm, a compromised social network account detection algorithm, a malware detection algorithm, etc., may collect the compromised user account data, such as by acting upon at least some of the aforementioned telemetry);
generating a quantified risk level (generating indication of whether compromised or safe) [for the] set of sign-in detectors by applying a machine learning tool to the set of sign-in detectors, the machine learning tool quantifying a relative risk level associated with each sign-in detector of the set of sign-in detectors ([0020] At 104, historical authentication data may be evaluated (e.g., given user consent) to identify a set of authentication context properties associated with user authentication sessions; See FIG. 1; Step 110; [0025] provides for generating indication of whether context properties including non-event information is indicative of user account being “compromised” or “safe”);
generating a quantified risk level (generating indication of whether compromised or safe) [for the] set of sign-ins by applying the machine learning tool to the quantified risk level set of sign-in detectors to quantify a relative risk level associated with each sign-in event in the [0022] At 108, the set of authentication context properties and/or the set of malicious account context properties may be annotated to create an annotated context properties training set See FIG. 1; Step 110; [0025]-[0026] provides for generating indication of whether account events including sign-on events are indicative of user account being “compromised” or “safe”);
generating a first user identity risk score (i.e. risk analysis metric) by applying the machine learning tool to the quantified risk level set of sign-ins that were generated by applying the second machine learning tool to the quantified risk level set of sign-in detectors, the third machine learning tool quantifying a relative risk level associated with the first user (See FIG. 1; Step 114; [0026] provides for generating a risk metric for a user based on sign in events and context properties of user as per trained model … At 114, a current user context property of the current user may be evaluated using the risk assessment model to generate a risk analysis metric (e.g., a value corresponding to a potential risk/amount of maliciousness or non-maliciousness and/or a confidence of such an assessment)).
Abrams discloses single using machine learning model to quantify risk level and generating user identity risk score. However Lin reference discloses using multiple/tiered machine learning tools that is used to detect abnormalities in network activities or other user behavior patterns in an enterprise and generate an event and correlated score in relation to the user behavior using tiered machine learning tools.
Therefore, Abrams explicitly fails to disclose:
A tiered machine learning framework used to detect abnormalities in network activities or other user behavior patterns; iteratively and dynamically updating the first user identity risk score or generating a new first user identity risk score by reapplying the third machine learning tool to the quantified risk level set of sign-ins detecting a user request from the first user corresponding to a new sign-in event having no stored sign-in event data or an existing sign-in event having stored sign-in event data; identifying the new first user identity risk score corresponding to the first user; and in response to determining the new first user identity risk score exceeds a predetermined threshold, triggering a remedial action to the user request, or alternatively, in response to determining the new first user identity risk score falls below a predetermined threshold, granting the user request.
However, Lin discloses:
a tiered machine learning framework used to detect abnormalities in network activities or other user behavior patterns ([0006] this disclosure provides for a “tiered” (or “distributed”) machine learning-based infrastructure or framework that is used to detect abnormalities in network activities or other user behavior patterns in an enterprise. In general, the distributed nature of the approach is realized by providing a first (or “local”) machine learning (ML) tier that is configured to execute within an enterprise network environment itself and that provides machine learning to learn statistics for a set of use cases locally, and to alert deviations (e.g., to security analysts) from the learned distributions; [0077] the distributed nature of the approach is realized by providing “first” and “second” machine learning-based tiers that cooperate to provide an integrated, distributed ML framework; Also see [0079-0080]).

The motivation to include Tiered Machine Learning System for Anomaly Detection is to detect network threat data and network attacks more quickly and accurately (See Lin: [0003]).
The combination of Abrams and Lin fails to disclose:
	iteratively and dynamically updating the first user identity risk score or generating a new first user identity risk score by reapplying the third machine learning tool to the quantified risk level set of sign-ins detecting a user request from the first user corresponding to a new sign-in event having no stored sign-in event data or an existing sign-in event having stored sign-in event data; identifying the new first user identity risk score corresponding to the first user; and in response to determining the new first user identity risk score exceeds a predetermined threshold, triggering a remedial action to the user request, or alternatively, in response to determining the new first user identity risk score falls below a predetermined threshold, granting the user request.
However, Grajek discloses:
iteratively and dynamically updating (i.e. adjusting and updating of ID confidence score) the first user identity risk score or generating a new first user identity risk score by reapplying the third machine learning tool to the quantified risk level set of sign-ins (Fig 1, 160 through 190 back to 150; See [0039] the ID confidence score can be adjusted based on comparison of evaluated behavioral biometrics with the behavioral biometric model; Also see [0040] The ID confidence score can also be augmented by information related to the user's conduct … A machine learning model can be created for each individual user that identifies the user by the specific actions and commands … If the conduct of the user is anomalous to the user conduct represented by the conduct model, then the user's ID confidence score can be adjusted by lowering of the score);
detecting a user request from the first user corresponding to a new sign-in event having no stored sign-in event data or an existing sign-in event having stored sign-in event data (Abrams: [0036] for user requesting to create account/logging in; Grajek: [0021] for user requesting access to IT resource and logging in);
identifying the new first user identity risk score corresponding to the user (Abrams: [0036] for creating metric for new user based on their context properties; Grajek: [0061] for updating old score/creating new score); and
in response to determining the new first user identity risk score exceeds a predetermined threshold, triggering a remedial action to the user request (Abrams: [0037] prompting user with authentication challenge; Grajek: [0059]).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Abrams and Lin references and have a system which continuously updates the user’s risk analysis score as more sign-in and context information becomes available, as disclosed by Grajek.
The motivation to have a system which continuously updates the users’ risk analysis metric is that the score will be up-to-date and be based on all current information, and avoid the score becoming inaccurate for further user risk analysis (See Grajek: [0021]
Regarding claim 2, the combination of Abrams, Lin and Grajek discloses:
The computer system of claim 1, wherein the second machine learning tool and the third machine learning tool are incorporated into a single machine learning algorithm (Abrams: See [0005]).
Regarding claim 3, the combination of Abrams, Lin and Grajek discloses:
The computer system of claim 1, wherein the method includes generating the new first user identity risk score after generating the first user identity risk score and prior to detecting any new sign-in event associated with the first user (Grajek: [0077]; See also Fig 1, steps 160 through 190).
Regarding claim 4, the combination of Abrams, Lin and Grajek discloses:
The computer system of claim 1, wherein the method further comprises:
detecting the new sign-in event for the first user, wherein new sign-in event data for the new sign-in event is added to the stored sign-in event data; and based on the new sign-in event, identifying a new set of sign-in detectors, which is subsequently used to generate a new quantified risk level set of sign-in detectors through application of the first machine learning tool, and which is further used to generate a new quantified risk level set of sign-ins through application of the second machine learning tool, and which is even further used to generate the new first user identity risk score by applying the third machine learning tool (Abrams: FIG. 3A; [0036]-[0037]; see also Grajek [0054]-[0055] for continually updating data stored).
Regarding claim 5, the combination of Abrams, Lin and Grajek discloses:
Abrams: Fig 2A and 2B and associated text provides for continually updating the machine learning models;  See also Fig 3B, 334 and Fig 4B, 434;  See also par [0029] for changing other user scores after updating model;  Garjek: [0061] & [0067]).
Regarding claim 6, the combination of Abrams, Lin and Grajek discloses:
The computer system of claim 1, wherein the method further includes generating the new first user identity risk score by modifying the quantified risk level set of sign-ins by reapplying the second machine learning tool to the quantified risk level set of sign-in detectors prior to reapplying the third machine learning tool (Garjek: [0061] & [0067]).
Regarding claim 7, the combination of Abrams, Lin and Grajek discloses:
The computer system of claim 1, wherein the method further includes generating the new first user identity risk score by modifying the quantified risk level set of sign-in detectors by reapplying the first machine learning tool to the set of sign-in detectors prior to reapplying the second machine learning tool (Garjek: [0061] & [0067]
Regarding claim 9, the combination of Abrams, Lin and Grajek discloses:
The computer system of claim 1, wherein the method includes determining the new first user identity risk score exceeds the predetermined threshold and wherein the remedial action comprises requesting the first user provide supplemental authentication or verification information (Abrams: See FIG. 3B, 4B; [0037], [0039]).
Regarding claim 10, the combination of Abrams, Lin and Grajek discloses:
The computer system of claim 9, wherein the method includes determining the new first user identity risk score exceeds the predetermined threshold and wherein the remedial action comprises denying the user request (Grajek: See FIG. 5; [0059], [0077]).
Regarding claim 11, the combination of Abrams, Lin and Grajek discloses:
The computer system of claim 9, wherein the method includes determining the new first user identity risk score falls below the predetermined threshold, but wherein the first user identity risk score exceeded the predetermined threshold (Grajek: [0059]-[0062] for removing access after it was previously granted or forcing re-authentication after modifying score to drop score due to anomalous activity).
Regarding claim 12, the combination of Abrams, Lin and Grajek discloses:
The computer system of claim 9, wherein the method includes generating the first user identity risk score by applying a third machine learning tool to the quantified risk level set of sign-ins in combination with other third-party data to quantify a relative risk level associated with the first user (Abrams: [0026]).
Regarding claim 13, the combination of Abrams, Lin and Grajek discloses:
Abrams: FIG. 4B; [0039]).
Regarding claim 14, the combination of Abrams, Lin and Grajek discloses:
The computer system of claim 9, wherein the method includes generating the first user identity risk score by applying a third machine learning tool to the quantified risk level set of sign-ins in combination with supplemental user behavior analysis data to quantify a relative risk level associated with the first user, the supplemental user behavior analysis data being obtained by the computer system in response to determining that a quantified risk level of a sign-in event in the quantified risk level set of sign-ins exceeds a predetermined threshold (Abrams: FIG. 4B; [0039]).
Regarding claim 15, Abrams discloses:
A computer implemented method of improving precision and recall utility for user identity risk scores that are utilized in providing computer security, the method being performed by a computer system implementing at least: 
accessing stored sign-in data (i.e. historical authentication data) for each sign-in event in a set of sign-in events (i.e. log in events) corresponding to a first user, the sign-in data being stored for a predetermined period of time (i.e. historical authentication data), the set of sign-in See FIG. 1; Step 104 [0020] An embodiment of risk assessment is illustrated by an exemplary method 100 of FIG. 1. At 102, the method starts. At 104, historical authentication data may be evaluated (e.g., given user consent) to identify a set of authentication context properties associated with user authentication sessions; Also see FIG. 2A; [0030-0031] for example types of log in events which will be evaluated);
from the stored sign-in data, and based on risk profiles associated with the stored sign-in data, identifying a set of sign-in detectors (i.e. set of authentication context properties and/or the set of malicious account context properties) for each sign-in event in the set of sign-in events corresponding to the first user, the set of sign-in detectors comprising one or more sign-in detector that each identifies at least a feature or an attribute that is detected for a corresponding sign-in event (See FIG. 1; See Step 106;  [0020] identification of a set of malicious account context properties associated with compromised user accounts and/or compromised user authentication events; Examiner interprets ‘set of  sign-in detectors’ as listed authentication context in [0020]; [0021] In an example, various compromise detection algorithms, such as a compromised email account detection algorithm, a compromised social network account detection algorithm, a malware detection algorithm, etc., may collect the compromised user account data, such as by acting upon at least some of the aforementioned telemetry);
generating a quantified risk level (generating indication of whether compromised or safe) [for the] set of sign-in detectors by applying a machine learning tool to the set of sign-in detectors, the machine learning tool quantifying a relative risk level associated with each sign-in [0020] At 104, historical authentication data may be evaluated (e.g., given user consent) to identify a set of authentication context properties associated with user authentication sessions; See FIG. 1; Step 110; [0025] provides for generating indication of whether context properties including non-event information is indicative of user account being “compromised” or “safe”);
generating a quantified risk level (generating indication of whether compromised or safe) [for the] set of sign-ins by applying the machine learning tool to the quantified risk level set of sign-in detectors to quantify a relative risk level associated with each sign-in event in the set of sign-in events ([0022] At 108, the set of authentication context properties and/or the set of malicious account context properties may be annotated to create an annotated context properties training set See FIG. 1; Step 110; [0025]-[0026] provides for generating indication of whether account events including sign-on events are indicative of user account being “compromised” or “safe”);
generating a first user identity risk score (i.e. risk analysis metric) by applying the machine learning tool to the quantified risk level set of sign-ins that were generated by applying the machine learning tool to the quantified risk level set of sign-in detectors, the third machine learning tool quantifying a relative risk level associated with the first user (See FIG. 1; Step 114; [0026] provides for generating a risk metric for a user based on sign in events and context properties of user as per trained model … At 114, a current user context property of the current user may be evaluated using the risk assessment model to generate a risk analysis metric (e.g., a value corresponding to a potential risk/amount of maliciousness or non-maliciousness and/or a confidence of such an assessment)).
Abrams fails to disclose:
	A tiered machine learning framework used to detect abnormalities in network activities or other user behavior patterns; iteratively and dynamically updating the first user identity risk score or generating a new first user identity risk score by reapplying the third machine learning tool to the quantified risk level set of sign-ins detecting a user request from the first user corresponding to a new sign-in event having no stored sign-in event data or an existing sign-in event having stored sign-in event data; identifying the new first user identity risk score corresponding to the first user; and in response to determining the new first user identity risk score exceeds a predetermined threshold, triggering a remedial action to the user request, or alternatively, in response to determining the new first user identity risk score falls below a predetermined threshold, granting the user request.
However, Lin discloses:
a tiered machine learning framework used to detect abnormalities in network activities or other user behavior patterns ([0006] this disclosure provides for a “tiered” (or “distributed”) machine learning-based infrastructure or framework that is used to detect abnormalities in network activities or other user behavior patterns in an enterprise. In general, the distributed nature of the approach is realized by providing a first (or “local”) machine learning (ML) tier that is configured to execute within an enterprise network environment itself and that provides machine learning to learn statistics for a set of use cases locally, and to alert deviations (e.g., to security analysts) from the learned distributions; [0077] the distributed nature of the approach is realized by providing “first” and “second” machine learning-based tiers that cooperate to provide an integrated, distributed ML framework).
It would have been obvious to one of the ordinary skilled in the art before the effective filing date of the claimed invention to modify the Abrams teachings and include Tiered Machine Learning System for Anomaly Detection, as disclosed by Lin.
The motivation to include Tiered Machine Learning System for Anomaly Detection is to detect network threat data and network attacks more quickly and accurately (See Lin: [0003]).
The combination of Abrams and Lin fails to disclose:
	iteratively and dynamically updating the first user identity risk score or generating a new first user identity risk score by reapplying the third machine learning tool to the quantified risk level set of sign-ins detecting a user request from the first user corresponding to a new sign-in event having no stored sign-in event data or an existing sign-in event having stored sign-in event data; identifying the new first user identity risk score corresponding to the first user; and in response to determining the new first user identity risk score exceeds a predetermined threshold, triggering a remedial action to the user request, or alternatively, in response to determining the new first user identity risk score falls below a predetermined threshold, granting the user request.
However, Grajek discloses:
iteratively and dynamically updating (i.e. adjusting and updating of ID confidence score) the first user identity risk score or generating a new first user identity risk score by Fig 1, 160 through 190 back to 150; See [0039] the ID confidence score can be adjusted based on comparison of evaluated behavioral biometrics with the behavioral biometric model; Also see [0040] The ID confidence score can also be augmented by information related to the user's conduct … A machine learning model can be created for each individual user that identifies the user by the specific actions and commands … If the conduct of the user is anomalous to the user conduct represented by the conduct model, then the user's ID confidence score can be adjusted by lowering of the score);
detecting a user request from the first user corresponding to a new sign-in event having no stored sign-in event data or an existing sign-in event having stored sign-in event data (Abrams: [0036] for user requesting to create account/logging in; Grajek: [0021] for user requesting access to IT resource and logging in);
identifying the new first user identity risk score corresponding to the user (Abrams: [0036] for creating metric for new user based on their context properties; Grajek: [0061] for updating old score/creating new score); and
in response to determining the new first user identity risk score exceeds a predetermined threshold, triggering a remedial action to the user request (Abrams: [0037] prompting user with authentication challenge; Grajek: [0059]).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Abrams and Lin references and have a system which continuously updates the user’s risk analysis score as more sign-in and context information becomes available, as disclosed by Grajek.
See Grajek: [0021]). 
Regarding claim 16, Abrams discloses:
	One or more hardware storage device comprising stored computer- executable instructions that are executable by one or more processors of a computer system to cause the computer system to implement a method of improving precision and recall utility for user identity risk scores that are utilized in providing computer security, and for at least causing the computer system to implement at least:
accessing stored sign-in data (i.e. historical authentication data) for each sign-in event in a set of sign-in events (i.e. log in events) corresponding to a first user, the sign-in data being stored for a predetermined period of time (i.e. historical authentication data), the set of sign-in events comprising one or more sign-in event that each corresponds to a sign-in attempt by the first user (See FIG. 1; Step 104 [0020] An embodiment of risk assessment is illustrated by an exemplary method 100 of FIG. 1. At 102, the method starts. At 104, historical authentication data may be evaluated (e.g., given user consent) to identify a set of authentication context properties associated with user authentication sessions; Also see FIG. 2A; [0030-0031] for example types of log in events which will be evaluated);
from the stored sign-in data, and based on risk profiles associated with the stored sign-in data, identifying a set of sign-in detectors (i.e. set of authentication context properties and/or the set of malicious account context properties) for each sign-in event in the set of See FIG. 1; See Step 106;  [0020] identification of a set of malicious account context properties associated with compromised user accounts and/or compromised user authentication events; Examiner interprets ‘set of  sign-in detectors’ as listed authentication context in [0020]; [0021] In an example, various compromise detection algorithms, such as a compromised email account detection algorithm, a compromised social network account detection algorithm, a malware detection algorithm, etc., may collect the compromised user account data, such as by acting upon at least some of the aforementioned telemetry);
generating a quantified risk level (generating indication of whether compromised or safe) [for the] set of sign-in detectors by applying a machine learning tool to the set of sign-in detectors, the machine learning tool quantifying a relative risk level associated with each sign-in detector of the set of sign-in detectors ([0020] At 104, historical authentication data may be evaluated (e.g., given user consent) to identify a set of authentication context properties associated with user authentication sessions; See FIG. 1; Step 110; [0025] provides for generating indication of whether context properties including non-event information is indicative of user account being “compromised” or “safe”);
generating a quantified risk level (generating indication of whether compromised or safe) [for the] set of sign-ins by applying the machine learning tool to the quantified risk level set of sign-in detectors to quantify a relative risk level associated with each sign-in event in the set of sign-in events ([0022] At 108, the set of authentication context properties and/or the set of malicious account context properties may be annotated to create an annotated context properties training set See FIG. 1; Step 110; [0025]-[0026] provides for generating indication of whether account events including sign-on events are indicative of user account being “compromised” or “safe”);
generating a first user identity risk score (i.e. risk analysis metric) by applying the machine learning tool to the quantified risk level set of sign-ins that were generated by applying the second machine learning tool to the quantified risk level set of sign-in detectors, the third machine learning tool quantifying a relative risk level associated with the first user (See FIG. 1; Step 114; [0026] provides for generating a risk metric for a user based on sign in events and context properties of user as per trained model … At 114, a current user context property of the current user may be evaluated using the risk assessment model to generate a risk analysis metric (e.g., a value corresponding to a potential risk/amount of maliciousness or non-maliciousness and/or a confidence of such an assessment)).
Abrams fails to disclose:
	A tiered machine learning framework used to detect abnormalities in network activities or other user behavior patterns; iteratively and dynamically updating the first user identity risk score or generating a new first user identity risk score by reapplying the third machine learning tool to the quantified risk level set of sign-ins detecting a user request from the first user corresponding to a new sign-in event having no stored sign-in event data or an existing sign-in event having stored sign-in event data; identifying the new first user identity risk score corresponding to the first user; and in response to determining the new first user identity risk 
However, Lin discloses:
a tiered machine learning framework used to detect abnormalities in network activities or other user behavior patterns ([0006] this disclosure provides for a “tiered” (or “distributed”) machine learning-based infrastructure or framework that is used to detect abnormalities in network activities or other user behavior patterns in an enterprise. In general, the distributed nature of the approach is realized by providing a first (or “local”) machine learning (ML) tier that is configured to execute within an enterprise network environment itself and that provides machine learning to learn statistics for a set of use cases locally, and to alert deviations (e.g., to security analysts) from the learned distributions; [0077] the distributed nature of the approach is realized by providing “first” and “second” machine learning-based tiers that cooperate to provide an integrated, distributed ML framework).
It would have been obvious to one of the ordinary skilled in the art before the effective filing date of the claimed invention to modify the Abrams teachings and include Tiered Machine Learning System for Anomaly Detection, as disclosed by Lin.
The motivation to include Tiered Machine Learning System for Anomaly Detection is to detect network threat data and network attacks more quickly and accurately (See Lin: [0003]).
The combination of Abrams and Lin fails to disclose:

However, Grajek discloses:
iteratively and dynamically updating (i.e. adjusting and updating of ID confidence score) the first user identity risk score or generating a new first user identity risk score by reapplying the third machine learning tool to the quantified risk level set of sign-ins (Fig 1, 160 through 190 back to 150; See [0039] the ID confidence score can be adjusted based on comparison of evaluated behavioral biometrics with the behavioral biometric model; Also see [0040] The ID confidence score can also be augmented by information related to the user's conduct … A machine learning model can be created for each individual user that identifies the user by the specific actions and commands … If the conduct of the user is anomalous to the user conduct represented by the conduct model, then the user's ID confidence score can be adjusted by lowering of the score);
Grajek: [0021] for user requesting access to IT resource and logging in);
identifying the new first user identity risk score corresponding to the user (Abrams: [0036] for creating metric for new user based on their context properties; Grajek: [0061] for updating old score/creating new score); and
in response to determining the new first user identity risk score exceeds a predetermined threshold, triggering a remedial action to the user request (Abrams: [0037] prompting user with authentication challenge; Grajek: [0059]).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Abrams and Lin references and have a system which continuously updates the user’s risk analysis score as more sign-in and context information becomes available, as disclosed by Grajek.
The motivation to have a system which continuously updates the users’ risk analysis metric is that the score will be up-to-date and be based on all current information, and avoid the score becoming inaccurate for further user risk analysis (See Grajek: [0021]). 




Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.






/S.M.A./Patent Examiner, Art Unit 2432                                                                                                                                                                                                        
/SYED A ZAIDI/Primary Examiner, Art Unit 2432