DETAILED ACTION
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This Office Action is in response to the amendment filed on 8/10/2021.
Claims 1-21 are pending for consideration.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 8/10/2021 has been entered.

EXAMINER'S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner’s amendment was given in an interview with David H. Judson on 11/8/2021.

Claims 1, 7-8, 14-15 and 21 have been amended as follows: 

Claim 1:
A method of training and using a machine learning model to identify suspicious behavior in a network, the machine learning model using training data that is based on data associated with a first set of users, comprising:
constructing a watch list comprising a second set of users as the machine learning model is being operating in an ingest mode against data being ingested for a first set of users; 
upon a given occurrence, interrupting the ingest mode and ingesting data associated with the second set of users; 
following data ingestion associated with the second set of users, pruning at least a portion of the ingested data to generate updated training data, the portion corresponding to data for any user included in the first set of users but not included in the second set of users; 

switching back to the ingest mode and operating the refined machine learning model against data being ingested for the second set of users to enable identification and tracking of the suspicious behavior.  

Claim 7:
The method as described in claim 1 wherein the refined machine learning model is applied to enable identification and tracking of the suspicious behavior associated with one or more users in the first set of users that have been determined to satisfy a given risk condition.   

Claim 8:
An apparatus, comprising:
a processor; 
computer memory holding computer program instructions executed by the processor to train and use a machine learning model to identify suspicious behavior in a network, the machine learning model using training data that is based on data associated with a first set of users, the computer program instructions comprising program code configured to:
construct a watch list comprising a second set of users as the machine learning model is being operating in an ingest mode against data being ingested for a first set of users; 

following data ingestion associated with the second set of users, prune at least a portion of the ingested data to generate updated training data, the portion corresponding to data for any user included in the first set of users but not included in the second set of users; 
refine the machine learning model based at least in part on the updated training data; and
switch back to the ingest mode and operate the refined machine learning model against data being ingested for the second set of users to enable identification and tracking of the suspicious behavior.

Claim 14:
The apparatus as described in claim 8 wherein is applied to enable identification and tracking of the suspicious behavior associated with one or more users in the first set of users that have been determined to satisfy a given risk condition.   

Claim 15:
A computer program product in a non-transitory computer readable medium for use in a data processing system to train and use a machine learning model to identify suspicious behavior in a network, the machine learning model using training data that is based on data associated with a first set of users, the computer program product 
construct a watch list comprising a second set of users as the machine learning model is being operating in an ingest mode against data being ingested for a first set of users; 
upon a given occurrence, interrupt the ingest mode and ingest data associated with the second set of users; 
following data ingestion associated with the second set of users, prune at least a portion of the ingested data to generate updated training data, the portion corresponding to data for any user included in the first set of users but not included in the second set of users; 
refine the machine learning model based at least in part on the updated training data; and
switch back to the ingest mode and operate the refined machine learning model against data being ingested for the second set of users to enable identification and tracking of the suspicious behavior.

Claim 21:
The computer program product as described in claim 15 wherein is applied to enable identification and tracking of the suspicious behavior associated with one or more users in the first set of users that have been determined to satisfy a given risk condition.    

Response to Arguments
Applicant’s arguments, filed on 8/10/2021, with respect to claims 1-21 have been fully considered and are persuasive.  The 103 rejection of claims 1-21 has been withdrawn. 

Allowable Subject Matter
Claims 1-21 are allowed.
The following is an examiner’s statement of reasons for allowance: 
Independent Claims 1, 8 and 15 are allowed for the reasons argued by Applicants on pages 7-11 of the Remarks filed on 8/10/2021, which are persuasive.
Although the prior art of record Muddu (US 9516053) discloses "a security platform employs a variety techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known", Lyer (US 9836598) discloses “an exemplary method may involve monitoring the activity of a subset of the set of entities (e.g., entities included in a watch list) by executing a search query against events indicating the activity of the subset of entities. The events may be associated with timestamps and may include machine data. Executing the search query may produce search results that pertain to activity of a particular entity from the subset. The search results may be evaluated based on a FAIGON (US20170353477) discloses “constructing activity models on per-tenant and per-user basis using an online streaming machine learner that transforms an unsupervised learning problem into a supervised learning problem by fixing a target label and learning a regressor without a constant or intercept”, 
neither Muddu, Lyer and FAIGON nor the prior art of record teaches, individually or in combination, the limitations listed below as recited in applicants' independent Claims: 
Claim 1: A method of training and using a machine learning model to identify suspicious behavior in a network, the machine learning model using training data that is based on data associated with a first set of users, comprising:
constructing a watch list comprising a second set of users as the machine learning model is being operating in an ingest mode against data being ingested for a first set of users; 
upon a given occurrence, interrupting the ingest mode and ingesting data associated with the second set of users; 
following data ingestion associated with the second set of users, pruning at least a portion of the ingested data to generate updated training data, the portion corresponding to data for any user included in the first set of users but not included in the second set of users; 

switching back to the ingest mode and operating the refined machine learning model against data being ingested for the second set of users to enable identification and tracking of the suspicious behavior.  
Claim 8: An apparatus, comprising:
a processor; 
computer memory holding computer program instructions executed by the processor to train and use a machine learning model to identify suspicious behavior in a network, the machine learning model using training data that is based on data associated with a first set of users, the computer program instructions comprising program code configured to:
construct a watch list comprising a second set of users as the machine learning model is being operating in an ingest mode against data being ingested for a first set of users; 
upon a given occurrence, interrupt the ingest mode and ingest data associated with the second set of users; 
following data ingestion associated with the second set of users, prune at least a portion of the ingested data to generate updated training data, the portion corresponding to data for any user included in the first set of users but not included in the second set of users; 
refine the machine learning model based at least in part on the updated training data; and

Claim 15: A computer program product in a non-transitory computer readable medium for use in a data processing system to train and use a machine learning model to identify suspicious behavior in a network, the machine learning model using training data that is based on data associated with a first set of users, the computer program product holding computer program instructions that, when executed by the data processing system, are configured to:
construct a watch list comprising a second set of users as the machine learning model is being operating in an ingest mode against data being ingested for a first set of users; 
upon a given occurrence, interrupt the ingest mode and ingest data associated with the second set of users; 
following data ingestion associated with the second set of users, prune at least a portion of the ingested data to generate updated training data, the portion corresponding to data for any user included in the first set of users but not included in the second set of users; 
refine the machine learning model based at least in part on the updated training data; and
switch back to the ingest mode and operate the refined machine learning model against data being ingested for the second set of users to enable identification and tracking of the suspicious behavior.
The closest prior art made of record and cited consisted of the following references. 
Thampy (US 11165800) discloses “a cloud security system that learns patterns of user behavior and uses the patterns to detect anomalous behavior in a network”. 
Cervantez (US 10979461) discloses “data security may be automatically evaluated and adjusted using machine learning and/or satisfiability modulo theories (SMT). In various examples, a machine learning model(s) may be trained using training data that includes samples of customer data labeled with different types of data corresponding to different sensitivity levels of the samples of the customer data. Once trained, this trained machine learning model(s) can be used to classify data that is, or is requested to be, stored in a storage container”.
Sharma (US 9544327) discloses “a cloud-based static analysis security tool accessible by a set of application development environments is augmented to provide for anonymous knowledge sharing to facilitate reducing security vulnerabilities. To the end, a crowdsourcing platform and social network are associated with the application development environments. Access to the social network platform by users of the application development environments is enabled. The anonymous access enables users to post messages without exposing sensitive data associated with a particular application development environment. As the static analysis security tool is used, a knowledgebase of information regarding identified security findings, fix priorities, and so forth, is continuously updated. Social network content (e.g., in the form of analytics, workflow recommendations, and the like) is then published from the knowledgebase to provide users with security knowledge generated by the tool from the set of application development environments”.
However, the prior art of record, taken by itself or in any combination, does not anticipate or make obvious the invention of the present application and in particular the claim features listed above.
Claims 2-7, 9-14 and 16-21 depend upon respective independent claims above and are therefore allowed by virtue of their dependencies.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRANG T DOAN whose telephone number is (571)272-0740. The examiner can normally be reached Monday-Friday 7-4 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D Feild can be reached on (571)272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/TRANG T DOAN/Primary Examiner, Art Unit 2431