DETAILED ACTION
This non-final action is in response to the application filed 03 May 2019. Claims 1-20 are pending, of which claims 1, 14 and 18 are independent claims.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 03 May 2019 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.  
Claims 1-13 are directed to a process.
Claims 14-17 are directed to a manufacture.
Claims 18-20 are directed to a machine.
Accordingly, the claims are directed to one of the statutory categories of invention (Step 1: Yes).
The claims recite the following limitations which have been identified as reciting mental processes:
1. 
obtaining, based on a plurality of events associated with changes in one or more of a computer registry and a computer process, a plurality of baseline models comprising (i) a user context that represents normal behavior for at least a first subset of features associated with the plurality of events with respect to a given one of a plurality of users, (ii) at least one inverse context that represents normal behavior for at least one of the features with respect to a particular value of one or more features in the first subset, and (iii) a global context representing a behavior of the features across the plurality of the users; 
detecting at least one new event attributable to the given user; 
calculating a score for the at least one new event based at least in part on a comparison of the at least one new event to one or more of the baseline models; 
determining that the at least one new event is an anomaly in response to the score satisfying a threshold; and 
initiating one or more remedial actions responsive to the determining, 
2. 
determining the one or more of the events that are attributable to the given user based on at least one identifier of the given user.
4. 

7. 
calculating a user context score for the at least one new event indicative of a deviation of the at least one new event from the user context for the given user; 
calculating an inverse context score for the at least one new event indicative of a deviation of the at least one new event from the at least one inverse context; and 
calculating a global context score for the at least one new event indicative of a deviation of the at least one new event from the global context.
14. 
to obtain, based on a plurality of events associated with changes in one or more of a computer registry and a computer process, a plurality of baseline models comprising (i) a user context that represents normal behavior for at least a first subset of features associated with the plurality of events with respect to a given one of a plurality of users, (ii) at least one inverse context that represents normal behavior for at least one of the features with respect to a particular value of one or more features in the first subset, and (iii) a global context representing a behavior of the features across the plurality of the users; 
to detect at least one new event attributable to the given user; 
to calculate a score for the at least one new event based at least in part on a comparison of the at least one new event to one or more of the baseline models; 

to initiate one or more remedial actions responsive to the determining.
15. 
determining the one or more of the events that are attributable to the given user based on at least one identifier of the given user.
17. 
to assign each of the plurality of events to one of a set of categories based on one or more predefined rules, wherein each category corresponds to at least one type of threat that is attributable to a given event.
18. 
to obtain, based on a plurality of events associated with changes in one or more of a computer registry and a computer process, a plurality of baseline models comprising (i) a user context that represents normal behavior for at least a first subset of features associated with the plurality of events with respect to a given one of a plurality of users, (ii) at least one inverse context that represents normal behavior for at least one of the features with respect to a particular value of one or more features in the first subset, and (iii) a global context representing a behavior of the features across the plurality of the users; 
to detect at least one new event attributable to the given user; 
to calculate a score for the at least one new event based at least in part on a comparison of the at least one new event to one or more of the baseline models; 

to initiate one or more remedial actions responsive to the determining.
19. 
determining the one or more of the events that are attributable to the given user based on at least one identifier of the given user.
These are mental processes because they can be performed in the human mind. For instance, a human could perform in the mind the steps of obtaining a plurality of baseline models (e.g., by reading the models), detecting at least one new event attributable to the given user (e.g., by observing the new event), calculating a score, etc. (Step 2A Prong One: Yes).
The claims recite the following limitations which have been identified as additional elements:
1. A computer-implemented method comprising steps of: 
wherein the method is performed by at least one processing device comprising a processor coupled to a memory.
2. The computer-implemented method of claim 1, wherein said obtaining comprises: 
3. The computer-implemented method of claim 1, comprising: 
providing an indication of one or more of: the score of the at least one new event and one or more devices associated with the at least one new event to a graphical user interface.
4. The computer-implemented method of claim 1, comprising: 

enriching one or more of the plurality events by at least one of clustering and tagging the one or more of the plurality of events.
6. The computer-implemented method of claim 1, comprising: 
normalizing the features for the plurality of events and the at least one new event.
7. The computer-implemented method of claim 1, wherein said calculating comprises one or more of: 
8. The computer-implemented method of claim 7, wherein the score for the at least one new event is based at least in part on the user context score, the inverse context score and the global context score.
9. The computer-implemented method of claim 1, wherein each of at least a subset of the plurality of baseline models corresponds to at least one of: 
an authentication schema, for a given time period, comprising a set of features associated with one or more of: logon times, logon attempts, computers accessed and domains accessed; 
a file access schema, for a given time period, comprising a set of features associated with one or more of: logon times, folders accessed, files moved, files deleted, file access times, file access rights, domains accessed; and 
an active directory schema, for a given time period, comprising a set of features associated with one or more of: password changes, active directory changes, privileged group memberships, and account management changes.

11. The computer-implemented method of claim 1, wherein the threshold is based at least in part on historical activity of the given user.
12. The computer-implemented method of claim 1, comprising: updating at least a portion of the plurality of baseline models based on the at least one new event.
13. The computer-implemented method of claim 1, wherein the plurality of events and the at least one new event are received from software agents executing on one or more endpoints of a network.
14. A non-transitory processor-readable storage medium having stored therein program code of one or more software programs, wherein the program code when executed by at least one processing device causes the at least one processing device: 
15. The non-transitory processor-readable storage medium of claim 14, wherein said obtaining comprises
16. The non-transitory processor-readable storage medium of claim 14, wherein the program code when executed by at least one processing device further causes the at least one processing device: 
to provide an indication of one or more of: the score of the at least one new event and one or more devices associated with the at least one new event to a graphical user interface.
17. The non-transitory processor-readable storage medium of claim 14, wherein the program code when executed by at least one processing device further causes the at least one processing device: 

at least one processing device comprising a processor coupled to a memory; 
the at least one processing device being configured: 
19. The apparatus of claim 18, wherein said obtaining comprises
20. The apparatus of claim 18, wherein the at least one processing device is further configured to provide an indication of one or more of: the score of the at least one new event and one or more devices associated with the at least one new event to a graphical user interface.
The above-identified claim limitations have been identified as a general purpose machine merely implementing the abstract idea within a computer environment. See MPEP 2106.05(b)(I). When taken individually or viewed as an ordered combination, the claims as a whole do not appear to be integrated into a practical application (Step 2A Prong Two: No).
The same additional elements are likewise a general purpose machine merely implementing the abstract idea within a computer environment, see MPEP 2106.05(b)(I), and, when taken individually or viewed as an ordered combination, the claims as a whole do not appear to amount to significantly more than the abstract idea (Step 2B: No).
Based on the above rationale, the claims have been deemed to be directed to ineligible subject matter under 35 U.S.C. 101.
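As an illustration added by the editor, and not part of this Office action, the application, or any cited reference, the following Python sketches how the claim 1 limitations quoted above (user context, inverse context and global context baseline models; a score from comparison against them; an anomaly determination against a threshold; a remedial action) together with the per-context scores of claim 7, the user-history threshold of claim 11 and the model update of claim 12 could be realized over constructed registry-change events. The feature names, the surprisal scoring, the aggregation weights, the mean-plus-two-standard-deviations threshold, the sample users, hosts and keys, and the remedial actions are assumptions of the example, not disclosures of the application.

```python
"""Three-context anomaly scoring over registry-change events (added example).

Each context is a smoothed frequency model; scores are surprisal values
(-log2 of the smoothed probability), so larger means rarer.
"""
from __future__ import annotations

import math
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass

FEATURES = ("hour", "host", "target")                     # assumed "first subset of features"
WEIGHTS = {"user": 0.5, "inverse": 0.3, "global": 0.2}    # assumed aggregation weights

# Constructed sample data (not from the application or any cited reference).
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SPOOLER = r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler"
EDITOR = r"HKCU\Software\Editor"
ENV = r"HKCU\Environment"


def ev(user: str, hour: str, host: str, target: str) -> dict:
    """One registry-change event as an endpoint agent might report it."""
    return {"user": user, "hour": hour, "host": host, "target": target}


BASELINE_EVENTS = [
    ev("alice", "business", "ws-alice", EDITOR), ev("alice", "business", "ws-alice", EDITOR),
    ev("alice", "business", "ws-alice", ENV),    ev("alice", "business", "ws-alice", EDITOR),
    ev("alice", "business", "ws-alice", ENV),    ev("alice", "business", "ws-alice", EDITOR),
    ev("bob", "business", "ws-bob", RUN),        ev("bob", "business", "ws-bob", SPOOLER),
    ev("bob", "offhours", "srv-1", SPOOLER),     ev("bob", "business", "ws-bob", RUN),
    ev("bob", "business", "srv-1", RUN),         ev("bob", "offhours", "ws-bob", SPOOLER),
]


class Distribution:
    """Frequency model of one feature; Laplace smoothing keeps mass for unseen values."""

    def __init__(self, alpha: float = 1.0) -> None:
        self.counts: Counter = Counter()
        self.alpha = alpha

    def add(self, value: str) -> None:
        self.counts[value] += 1

    def surprisal(self, value: str) -> float:
        total = sum(self.counts.values())
        p = (self.counts[value] + self.alpha) / (total + self.alpha * (len(self.counts) + 1))
        return -math.log2(p)


class BaselineModels:
    """User context per user, inverse context per target value, one global context."""

    def __init__(self, events: list[dict]) -> None:
        self.user_ctx: dict = defaultdict(lambda: {f: Distribution() for f in FEATURES})
        self.inverse_ctx: dict = {}               # target -> which users normally change it
        self.global_ctx = {f: Distribution() for f in FEATURES}
        self.history: dict = defaultdict(list)    # per-user events, for the threshold
        for e in events:
            self.update(e)

    def update(self, e: dict) -> None:
        """Fold an event into every context (the same path refreshes models later)."""
        for f in FEATURES:
            self.user_ctx[e["user"]][f].add(e[f])
            self.global_ctx[f].add(e[f])
        self.inverse_ctx.setdefault(e["target"], Distribution()).add(e["user"])
        self.history[e["user"]].append(e)


@dataclass(frozen=True)
class Score:
    user: float      # deviation from the user's own normal
    inverse: float   # how unusual this user is for this target
    global_: float   # deviation from behavior across all users

    @property
    def aggregate(self) -> float:
        return (WEIGHTS["user"] * self.user + WEIGHTS["inverse"] * self.inverse
                + WEIGHTS["global"] * self.global_)


def score_event(models: BaselineModels, e: dict) -> Score:
    u = models.user_ctx[e["user"]]
    user = sum(u[f].surprisal(e[f]) for f in FEATURES) / len(FEATURES)
    # A never-seen target has no inverse context (an empty model scores 0), so the
    # user and global scores must carry the signal in that case.
    inverse = models.inverse_ctx.get(e["target"], Distribution()).surprisal(e["user"])
    glob = sum(models.global_ctx[f].surprisal(e[f]) for f in FEATURES) / len(FEATURES)
    return Score(user, inverse, glob)


def user_threshold(models: BaselineModels, user: str, k: float = 2.0) -> float:
    """Threshold from the user's historical activity: mean + k * stdev of past scores."""
    past = [score_event(models, e).aggregate for e in models.history[user]]
    if len(past) < 2:
        return math.inf   # cold start: no usable history, so never alert on this user
    return statistics.fmean(past) + k * statistics.pstdev(past)


def remediate(e: dict) -> list[str]:
    """Hypothetical remedial actions; autorun-key changes get the strongest response."""
    actions = ["alert_soc"]
    if e["target"] == RUN:
        actions += ["snapshot_registry_key", f"isolate_host:{e['host']}"]
    return actions


def detect(models: BaselineModels, e: dict) -> tuple[Score, float, bool, list[str]]:
    """Score a new event, compare against the user's threshold, and act if anomalous."""
    s = score_event(models, e)
    thr = user_threshold(models, e["user"])
    is_anomaly = s.aggregate > thr
    return s, thr, is_anomaly, remediate(e) if is_anomaly else []


if __name__ == "__main__":
    models = BaselineModels(BASELINE_EVENTS)
    for new in (ev("alice", "business", "ws-alice", EDITOR), ev("alice", "offhours", "srv-1", RUN)):
        s, thr, flag, actions = detect(models, new)
        print(f"{new['target']:<55} agg={s.aggregate:.2f} thr={thr:.2f} anomaly={flag} {actions}")
```

Run as written, alice editing her own HKCU key during business hours scores well under her threshold, while an off-hours change to the HKLM Run key from srv-1 scores far above it and triggers the remediation list. Two points the three contexts make visible: the inverse context flags that alice has never been among the users who change the Run key, and the global score is lower than the user score because bob's normal activity already includes off-hours changes on srv-1, so the global context tempers a purely per-user verdict. Two caveats for practice: a user with fewer than two historical events gets no threshold and therefore no alert (cold start), and a never-seen target yields no inverse-context information, so a deployment needs a fallback for both.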



Claim Rejections - 35 USC § 103

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-3, 7-10, 12-16 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over De Levie et al. (US 2017/0126710 A1, published May 4, 2017) in view of Jin et al. (US 11,055,405 B1, filed Apr. 30, 2019).
As per claim 1, De Levie discloses a computer-implemented method (De Levie par. 17, computerized method is disclosed for recursively detecting anomalies) comprising steps of: 
obtaining, based on a plurality of events associated with changes in one or more of a computer registry and a computer process, a plurality of baseline models (De Levie Fig. 1B, Constructing Statistical Baseline Models Of The Baseline Time Period, Each Statistical Baseline Model Representing A Subset Of Selected Parameters Of The Received Events at 120; De Levie par. 68, The anomaly detection system 1000 may receive, e.g. via the communication channel 1015 and/or from the storage unit 1010, event input data including events and related event parameters from one or more sources, e.g. predetermined data structures such as log repositories, log files or database records that provide events details) comprising (i) a user context that represents normal behavior for at least a first subset of features associated with the plurality of events with respect to a given one of a plurality of users (De Levie par. 45, from a model that includes the exit time of employees from a certain office, it may be 
detecting at least one new event attributable to the given user (De Levie Fig. 1B, Receiving New Events That Occurred During An Analyzed Time Period at 130; De Levie par. 42, event parameters may include one or more of the following parameters: an event time-stamp indicating time and date of issuing the ticket, a location where the traffic ticket was issued, and an entity associated with an event (e.g. a name and/or an identification number of a person)); 
calculating a score for the at least one new event based at least in part on a comparison of the at least one new event to one or more of the baseline models (De Levie Fig. 1B, Comparing Parameters Of The New Events Or New Event Deviations To The Statistical Baseline Model In Order To Identify Event Deviations, Detecting Event Deviations For The Analyzed Time Period And Generating A Deviation Score For Each Detected Event Deviation at 140-160),

De Levie does not explicitly disclose:
determining that the at least one new event is an anomaly in response to the score satisfying a threshold; and 
initiating one or more remedial actions responsive to the determining.
Jin teaches:
determining that the at least one new event is an anomaly in response to the score satisfying a threshold (Jin Fig. 15, Issue An Alert Identifying The Event As An Anomaly At 1510 When Aggregate Score Satisfying Anomaly Score Threshold At 1508); and 
initiating one or more remedial actions responsive to the determining (Jin 46:12, the system may take action to mitigate the security threat).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify the method of De Levie with the teaching of Jin for determining that the at least one new event is an anomaly in response to the score satisfying a threshold; and initiating one or more remedial actions responsive to the 

As per claim 2, De Levie-Jin discloses the computer-implemented method of claim 1. De Levie also discloses wherein said obtaining comprises: 
determining the one or more of the events that are attributable to the given user based on at least one identifier of the given user (De Levie Fig. 1B, Comparing Parameters Of The New Events Or New Event Deviations To The Statistical Baseline Model In Order To Identify Event Deviations at 140; De Levie par. 42, event parameters may include one or more of the following parameters: an event time-stamp indicating time and date of issuing the ticket, a location where the traffic ticket was issued, and an entity associated with an event (e.g. a name and/or an identification number of a person)).

As per claim 3, De Levie-Jin discloses the computer-implemented method of claim 1. De Levie also discloses:
providing an indication of one or more of: the score of the at least one new event and one or more devices associated with the at least one new event to a graphical user interface (De Levie par. 112, Processing unit 1020 may be configured to display the anomaly alert, on a provided viewer application or graphic user interface… The alert may include, e.g., the aggregated anomaly values calculated for a specified timeframe and a specific entity).


the user context for the given user (De Levie par. 45, from a model that includes the exit time of employees from a certain office, it may be determined that an exit time value between 17:00 and 19:00 is 'normal office exit time' behavior for a certain person); 
the at least one inverse context (De Levie par. 48, when behavior patterns in a firm include not arriving to the office during weekends, an event which includes entrance of an employee to the office during a weekend may be determined as a deviation from the expected behavior patterns); and 
the global context (De Levie par. 90, an employee may log into his computer each night during a specified week, and an event deviation baseline model may indicate that many other employees logged into their computers during nights of the same week).
De Levie does not explicitly disclose wherein said calculating comprises one or more of: 
calculating a user context score for the at least one new event indicative of a deviation of the at least one new event from the user context for the given user; 
calculating an inverse context score for the at least one new event indicative of a deviation of the at least one new event from the at least one inverse context; and 
calculating a global context score for the at least one new event indicative of a deviation of the at least one new event from the global context.
Jin teaches:

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of De Levie with the teaching of Jin so that said calculating comprises one or more of: calculating a user context score for the at least one new event indicative of a deviation of the at least one new event from the user context for the given user; calculating an inverse context score for the at least one new event indicative of a deviation of the at least one new event from the at least one inverse context; and calculating a global context score for the at least one new event indicative of a deviation of the at least one new event from the global context. One of ordinary skill in the art would have been motivated because it offers the advantage of identifying anomalies.

As per claim 8, De Levie-Jin discloses the computer-implemented method of claim 7. De Levie-Jin also discloses wherein the score for the at least one new event is based at least in part on the user context score, the inverse context score and the global context score (Jin Fig. 15, Determine An Aggregate Score For The Event Based On The Multiple Scores For The Event at 1506).
The same rationale as in claim 7 applies.

As per claim 9, De Levie-Jin discloses the computer-implemented method of claim 1. De Levie also discloses: wherein each of at least a subset of the plurality of baseline models corresponds to at least one of: 

a file access schema, for a given time period, comprising a set of features associated with one or more of: logon times, folders accessed, files moved, files deleted, file access times, file access rights, domains accessed; and 
an active directory schema, for a given time period, comprising a set of features associated with one or more of: password changes, active directory changes, privileged group memberships, and account management changes.

As per claim 10, De Levie-Jin discloses the computer-implemented method of claim 1. De Levie also discloses: wherein each of at least a subset of the plurality of baseline models reflects a single behavior (De Levie Fig. 1B, Constructing Statistical Baseline Models Of The Baseline Time Period, Each Statistical Baseline Model Representing A Subset Of Selected Parameters Of The Received Events at 120; De Levie par. 41, an event parameter may include an activity that was performed or occurred during the event, e.g. 'logging in to a computer', 'initiating a telephone call', changing a document, downloading a file, querying a data repository, etc.).

As per claim 12, De Levie-Jin discloses the computer-implemented method of claim 1. De Levie also discloses: updating at least a portion of the plurality of baseline models based on the at least one new event (De Levie par. 45, A baseline model may be updated when necessary to reflect an updated behavior of the model parameters in light of new events that occurred).

As per claim 13, De Levie-Jin discloses the computer-implemented method of claim 1. De Levie also discloses: wherein the plurality of events and the at least one new event are received from software agents executing on one or more endpoints of a network (De Levie par. 45, receiving a plurality of events from the event database 1040… The events that are received from external event or log repositories may be stored in event database 1040, and may be accessed by the processing unit 1020 via communication channel 1015 in order to construct statistical baseline models; De Levie par. 123, new events that occurred after the baseline time period, that may be continuously obtained from a log repository by processing unit 1020. New events may be received, for example, in a streaming process from an event logging database, or in a batch, e.g. log file that is generated by an event logging system).

Claims 14-16 are medium claims corresponding to the method claims 1-3; thus claims 14-16 are analyzed and rejected accordingly.



Claims 4 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over De Levie et al. (US 2017/0126710 A1, published May 4, 2017) in view of Jin et al. (US 11,055,405 B1, filed Apr. 30, 2019) and Arzi et al. (US 2017/0171229 A1, published Jun. 15, 2017).
As per claim 4, De Levie-Jin discloses the computer-implemented method of claim 1. De Levie-Jin does not explicitly disclose:
assigning each of the plurality of events to one of a set of categories based on one or more predefined rules, wherein each category corresponds to at least one type of threat that is attributable to a given event.
Arzi teaches:
assigning each of the plurality of events to one of a set of categories based on one or more predefined rules (Arzi par. 78, the domain reputation module 134b, which may also link to a reputation service, is able to classify all events executed on the user computer 120 into six categories: 1) suspicious events, 2) damage events, 3) network events, 4) file creates/deletes/modify, 5) hooks or code injections, 6) registry events), wherein each category corresponds to at least one type of threat that is attributable to a given event (see Arzi par. 183-295: e.g., Arzi par. 224, Large Registry Writes: A process wrote a large amount of data into the registry. Malware might use the registry to store executable code. This behavior is used by 'fileless' malware which attempts to avoid detection and removal; Arzi par. 233, Mass IP Access: A process has attempted to 
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of De Levie with the teaching of Arzi for assigning each of the plurality of events to one of a set of categories based on one or more predefined rules, wherein each category corresponds to at least one type of threat that is attributable to a given event. One of ordinary skill in the art would have been motivated because it offers the advantage of providing a description of event types to aid analysis.

Claim 17 is a medium claim corresponding to method claim 4; thus claim 17 is analyzed and rejected accordingly.

Claims 5-6 are rejected under 35 U.S.C. 103 as being unpatentable over De Levie et al. (US 2017/0126710 A1, published May 4, 2017) in view of Jin et al. (US 11,055,405 B1, filed Apr. 30, 2019) and Du et al. (US 2020/0120122 A1, provisional filed Oct. 15, 2018).
As per claim 5, De Levie-Jin discloses the computer-implemented method of claim 1. De Levie-Jin does not explicitly disclose:
enriching one or more of the plurality events by at least one of clustering and tagging the one or more of the plurality of events.
Du teaches:

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of De Levie with the teaching of Du for enriching one or more of the plurality of events by at least one of clustering and tagging the one or more of the plurality of events. One of ordinary skill in the art would have been motivated because it offers the advantage of aiding event analysis to assess potential threats.

As per claim 6, De Levie-Jin discloses the computer-implemented method of claim 1. De Levie discloses the plurality of events (De Levie par. 68, The anomaly detection system 1000 may receive, e.g. via the communication channel 1015 and/or from the storage unit 1010, event input data including events and related event parameters from one or more sources) and the at least one new event (De Levie Fig. 1B, Receiving New Events That Occurred During An Analyzed Time Period at 130).
De Levie-Jin does not explicitly disclose:
normalizing the features for the plurality of events and the at least one new event.
Du teaches:
normalizing the features for events (Du par. 59, The extracted signal features, which can be characterized as aggregated, normalized, enriched, or otherwise transformed events).


Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over De Levie et al. (US 2017/0126710 A1, published May 4, 2017) in view of Jin et al. (US 11,055,405 B1, filed Apr. 30, 2019) and Bedhapudi et al. (US 2019/0108340 A1, published Apr. 11, 2019).
As per claim 11, De Levie-Jin discloses the computer-implemented method of claim 1. De Levie-Jin does not explicitly disclose:
wherein the threshold is based at least in part on historical activity of the given user.
Bedhapudi teaches:
the threshold is based at least in part on historical activity of the given user (Bedhapudi par. 311, One or more thresholds described herein may be machine- or user-specific such that the thresholds are based on the historical I/O activity for the specific user).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of De Levie with the teaching of Bedhapudi for the threshold is based at least in part on historical activity of the given 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20210286874 A1; Frequent Pattern Based Anomaly Event Detection
A method is disclosed that includes receiving, at a computing device, an event log including multiple events. The method further includes determining an aggregate score for the event and issuing an alert identifying the event as an anomaly based on the aggregate score exceeding the anomaly score threshold.
US 20170083815 A1; Current Behavior Evaluation With Multiple Process Models
The disclosure generally relates to the field of data processing, and more particularly to identifying anomalous behaviors of actors in data processing systems.
US 8756684 B2; System And Method For Network Security Including Detection Of Attacks Through Partner Websites
The present invention relates to computer network systems and methods for detecting and defending against attacks on websites, including attacks through third-party websites.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHANG DO whose telephone number is (571)270-7837. The examiner can normally be reached Monday-Friday 8:00 - 5:00 EST.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SALEH NAJJAR can be reached on (571)272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/KHANG DO/Primary Examiner, Art Unit 2492