DETAILED ACTION
This is a non-final office action in response to applicant’s communication filed on 2/14/2020.
Claims 1-20 are pending and being considered.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Priority
Applicant’s claim for the benefit of a prior-filed application (No. 62/964,372, filed on 1/22/2020) under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. 
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 12/7/2020, 6/4/2021, 8/18/2021, 9/16/2021 have been considered. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, initialed and dated copies of Applicant’s IDS forms 1449 filed as stated above are attached to the instant Office Action.
Claim Objections
Claims 1-2, 7-8, 13-14 are objected to because of the following informalities:  
Claim 1 lines 10-11, "the entity behavior catalog" may read "the entity behavior catalog data".
Similarly for claim 7 lines 16-17 and claim 13 lines 11-12.
Claim 1 line 8, similarly claim 7 line 14, claim 13 line 9, “... from the electronic data source” may read “... from the electronically-observable data source” or more appropriate form.

Claim 2 line 2, similarly claim 8 line 2, claim 14 line 2, “… and an non-user …” may read “… and a non-user …”.
Claim 7 line 7, “… comprising instructions executable by the processor” is suggested to read “… comprising instructions executed by the processor”.
Appropriate correction is required.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are provisionally rejected on the ground of nonstatutory double patenting as being anticipated by claims 1-20 of copending Application No. 16/791,461 (hereinafter, “ ‘461”). Claims 1-20 are also provisionally rejected on the ground of nonstatutory double patenting as being anticipated by claims 21-40 of copending Application No. 17/226,717 (hereinafter, “ ’717”). 

Independent claims 1, 7, 13 are respectively rejected by claims 21, 27, 33 of ‘717. Although the claims at issue are not identical, they are not patentably distinct from each other. All the claim limitations recited in the instant application are encompassed/anticipated by the co-pending ‘717 claims (as seen in the table below).
Dependent claims 2-6, 8-12, and 14-20 are also rejected by the corresponding claims of ‘461 and ‘717, respectively, as shown in the table below.
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.
Instant Application 16/791,449 | Copending Application 16/791,461 | Copending Application 17/226,717

Instant Application 16/791,449: Claim 1 (similarly claim 7, 13).
A computer-implementable method for performing a security operation, comprising:
monitoring an entity, the monitoring observing at least one electronically-observable data source;
deriving an observable based upon the monitoring of the
identifying a security related activity of the entity, the security related activity being based upon the observable derived from the electronic data source, the security related activity being of analytic utility;
converting the security related activity to entity behavior catalog data, the entity behavior catalog providing an inventory of entity behaviors;
accessing an entity behavior catalog based upon the entity behavior catalog data; and
performing a security operation via a security system, the security operation using the entity behavior catalog data stored within the entity behavior catalog based upon the security related activity.

Copending Application 16/791,461: Claim 1 (Claim 7, Claim 13).
A computer-implementable method for performing a security operation, comprising:
monitoring an entity, the monitoring observing at least one electronically-observable data source;
deriving an observable based upon the monitoring of the electronically-observable data source;
identifying a security related activity of the entity, the security related activity being based upon the observable derived from the electronic data source, the security related activity being of analytic utility;
converting the security related activity to entity behavior catalog data, the entity behavior catalog providing an inventory of entity behaviors;
accessing an entity behavior catalog based upon the entity behavior catalog data;
inferring a security vulnerability scenario from the observable derived based upon the monitoring; and
performing a security operation via a security system, the security operation using the security vulnerability scenario and the entity behavior catalog data stored within the entity behavior catalog based upon the security related activity.

Copending Application 17/226,717: Claim 21 (claim 27, claim 33).
A computer-implementable method for performing a security operation, comprising:
monitoring an entity, the monitoring observing at least one electronically-observable data source;
deriving an observable based upon the monitoring of the electronically-observable data source;
identifying a security related activity of the entity, the security related activity being based upon the observable derived from the electronic data source, the security related activity being of analytic utility;
converting the security related activity to entity behavior catalog data, the entity behavior catalog providing an inventory of entity behaviors;
accessing an entity behavior catalog based upon the entity behavior catalog data, the accessing being managed by an entity behavior catalog access management module; and
performing a security operation via a security system, the security operation using the entity behavior catalog data stored within the entity behavior catalog based upon the security related activity.

Instant Application 16/791,449: Claim 2 (similarly claim 8, claim 14).
The method of claim 1, wherein: the entity behaviors comprise at least one of a user entity behavior and an non-user entity behavior.

Copending Application 16/791,461: Claim 2 (similarly claim 8, claim 14).
The method of claim 1, wherein: the entity behaviors comprise at least one of a user entity behavior and a non-user entity behavior.

Copending Application 17/226,717: Claim 22 (similarly claim 28, claim 34).
The method of claim 21, wherein: the entity behaviors comprise at least one of a user entity behavior and a non-user entity behavior.

Instant Application 16/791,449: Claim 3 (similarly claim 9, claim 15).
The method of claim 2, wherein: an entity behavior has an associated attribute, the associated attribute comprising at least one of a user entity attribute associated with the user entity behavior and a non-user entity attribute associated with the non-user entity behavior.

Copending Application 16/791,461: Claim 3 (similarly claim 9, claim 15).
The method of claim 2, wherein: an entity behavior has an associated attribute, the associated attribute comprising at least one of a user entity attribute associated with the user entity behavior and a non-user entity attribute associated with the non-user entity behavior.

Copending Application 17/226,717: Claim 23 (similarly claim 29, claim 35).
The method of claim 22, wherein: an entity behavior has an associated attribute, the associated attribute comprising at least one of a user entity attribute associated with the user entity behavior and a non-user entity attribute associated with the non-user entity behavior.

Instant Application 16/791,449: Claim 4 (similarly claim 10, claim 16).
The method of claim 1, wherein: the entity behavior catalog comprises an entity behavior catalog repository, the entity behavior catalog repository comprising at least one of a security vulnerability scenarios repository, a risk use cases repository, an entity behavior profiles repository, an entity attributes repository, an entity behaviors repository, an activities repository and an observables repository.

Copending Application 16/791,461: Claim 4 (similarly claim 10, claim 16).
The method of claim 1, wherein: the entity behavior catalog comprises an entity behavior catalog repository, the entity behavior catalog repository comprising at least one of a security vulnerability scenarios repository, a risk use cases repository, an entity behavior profiles repository, an entity attributes repository, an entity behaviors repository, an activities repository and an observables repository.

Copending Application 17/226,717: Claim 24 (similarly claim 30, claim 36).
The method of claim 21, wherein: the entity behavior catalog comprises an entity behavior catalog repository, the entity behavior catalog repository comprising at least one of a security vulnerability scenarios repository, a risk use cases repository, an entity behavior profiles repository, an entity attributes repository, an entity behaviors repository, an activities repository and an observables repository.

Instant Application 16/791,449: Claim 5 (similarly claim 11, claim 17).
The method of claim 1, wherein: the security operation uses the entity behavior catalog to determine whether an event is of analytic utility.

Copending Application 16/791,461: Claim 5 (similarly claim 11, claim 17).
The method of claim 1, wherein: the anomaly detection operation uses the entity behavior catalog to determine whether an event is of analytic utility.

Copending Application 17/226,717: Claim 25 (similarly claim 31, claim 37).
The method of claim 21, wherein: the security operation uses the entity behavior catalog to determine whether an event is of analytic utility.

Instant Application 16/791,449: Claim 6 (similarly claim 12, claim 18).
The method of claim 5, wherein: the security system comprises an analytic detection module, the analytic detection module determining whether the event is of analytic utility.

Copending Application 16/791,461: Claim 6 (similarly claim 12, claim 18).
The method of claim 5, wherein: the security analytics system comprises an analytic detection module, the analytic detection module determining whether the event is of analytic utility.

Copending Application 17/226,717: Claim 26 (similarly claim 32, claim 38).
The method of claim 25, wherein: the security system comprises an analytic detection module, the analytic detection module determining whether the event is of analytic utility.

Instant Application 16/791,449: Claim 19.
The non-transitory, computer-readable storage medium of claim 13, wherein: the computer executable instructions are deployable to a client system from a server system at a remote location.

Copending Application 16/791,461: Claim 19.
The non-transitory, computer-readable storage medium of claim 13, wherein: the computer executable instructions are deployable to a client system from a server system at a remote location.

Copending Application 17/226,717: Claim 39.
The non-transitory, computer-readable storage medium of claim 33, wherein: the computer executable instructions are deployable to a client system from a server system at a remote location.

Instant Application 16/791,449: Claim 20.
The non-transitory, computer-readable storage medium of claim 13, wherein: the computer executable instructions are provided by a service provider to a user on an on-demand basis.

Copending Application 16/791,461: Claim 20.
The non-transitory, computer-readable storage medium of claim 13, wherein: the computer executable instructions are provided by a service provider to a user on an on-demand basis.

Copending Application 17/226,717: Claim 40.
The non-transitory, computer-readable storage medium of claim 33, wherein: the computer executable instructions are provided by a service provider to a user on an on-demand basis.


Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-5, 7-11, 13-17 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Myneni et al (US20210006542A1, hereinafter, "Myneni").
Regarding claim 1, Myneni teaches:
A computer-implementable method for performing a security operation, comprising:
monitoring an entity, the monitoring observing at least one electronically-observable data source (Myneni, [0018] Event logger 106 (i.e. electronically-observable data source) can provide functionality for components (e.g., directory manager 102, host machines 108) in datacenter 100 to log or otherwise record user activity in the datacenter as events 162. And referring to Fig. 2 and [0025] At operation 202, datacenter 100 can detect (i.e. monitoring) computer-related actions performed by a user (i.e. entity)…);
deriving an observable based upon the monitoring of the electronically-observable data source (Myneni, [0025] Events 162 (i.e. observable) can be reported by any component in the datacenter. For example, directory manager 102 can log events such as creation/deletion of users);
identifying a security related activity of the entity, the security related activity being based upon the observable derived from the electronic data source, the security related activity being of analytic utility (Myneni, [0025] Events 162 can be reported by any component in the datacenter. For example, directory manager 102 can log events such as creation/deletion of users, groups, etc. Users' computer-related actions can include failed login attempts, accessing files, accessing servers in the enterprise, accessing the network, installing software, executing processes (i.e. security related activity). And [0027] event logger can record each event 162 in a suitable log file such as an event log (not shown).  Such information can analyzed and monitored to assess network security (i.e. being of analytic utility));
converting the security related activity to entity behavior catalog data, the entity behavior catalog providing an inventory of entity behaviors (Myneni, [0026] At operation 204, datacenter 100 can log the user's computer-related actions. Referring to FIG. 1, …, the user's actions can be reported to event logger 106 (i.e. inventory of behavior catalog) as events 162. And [0028] At operation 206, datacenter 100 can compute or update the user's behavior-based risk score based on the logged events). Examiner notes converting is interpreted as logging and updating;
accessing an entity behavior catalog based upon the entity behavior catalog data (Myneni, [0048] At operation 604, rule builder 148 can access the user's behavior-based risk score that corresponds to the type of event in the received logged event. Examiner notes rule builder is building rules based on logged event data in order to regulate the user’s computer-related actions. It is obvious the rule builder needs to access the logged event data, i.e. entity behavior catalog data);
and performing a security operation via a security system, the security operation using the entity behavior catalog data stored within the entity behavior catalog based upon the security related activity (Myneni, [0030] At operation 210, datacenter 100 can regulate the user's computer-related actions according the behavior-based firewall rules associated with the user. Also [0057] At operation 610, rule builder 148 can insert the generated behavior-based firewall rule into firewall table 142.  When the firewall table is subsequently distributed (pushed) to host machines 108 and installed in their respective firewall engines 186, the user's actions can be regulated according to the behavior-based firewall rule).

Regarding claim 7, Myneni teaches:
A system comprising: a processor; a data bus coupled to the processor; and a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor (Myneni, See Fig. 7 Processor(s), Storage Subsystem and Bus Subsystem, and [0064] Memory subsystem 708 includes a number of memories including main random access memory (RAM) 718 for storage of instructions) and configured for: performing steps substantially similar to the method steps of claim 1 therefore is rejected with same rationale set forth as rejection of claim 1 above.

Regarding claim 13, Myneni teaches:
A non-transitory, computer-readable storage medium embodying computer program code, the computer program code comprising computer executable instructions (Myneni, [0064] Memory subsystem 708 includes a number of memories including main random access memory (RAM) 718 for storage of instructions) configured for: performing steps substantially 

Regarding claim 2, similarly claim 8, claim 14, Myneni further teaches:
The method of claim 1, the system of claim 7, the non-transitory, computer-readable storage medium of claim 13, wherein: the entity behaviors comprise at least one of a user entity behavior and an non-user entity behavior (Myneni, [0026] for example, the client can include information that identifies the user who performed the computer-related action and information about the action itself. For example, if the action is a failed login attempt, the thin client can report the username (i.e. user entity behavior) that was used and where the login was attempted from (e.g., host machine, laptop, etc.) (i.e. non-user entity behavior)).

Regarding claim 3, similarly claim 9, claim 15, Myneni further teaches:
The method of claim 2, the system of claim 8, the non-transitory, computer-readable storage medium of claim 14, wherein: an entity behavior has an associated attribute, the associated attribute comprising at least one of a user entity attribute associated with the user entity behavior and a non-user entity attribute associated with the non-user entity behavior (Myneni, [0026] … If the action is accessing a file or a server, the thin client can report the location/ name of the file or server being accessed along with attributes of the file or server (e.g., required access level, protections, etc.)).

Regarding claim 4, similarly claim 10, claim 16, Myneni further teaches:
(Myneni, Fig. 5 shows score table which can be interpreted as risk use cases repository).  

Regarding claim 5, similarly claim 11, claim 17, Myneni further teaches:
The method of claim 1, the system of claim 7, the non-transitory, computer-readable storage medium of claim 13, wherein: the security operation uses the entity behavior catalog to determine whether an event is of analytic utility (Myneni, [0027] The event logger can record each event 162 in a suitable log file such as an event log (not shown). Such information can analyzed and monitored to assess network security. An event log can capture many different types of information; for example, an event log can capture all logon sessions to a network, along with account lockouts, failed password attempts, etc. An event log can also record different types of application events, such as application errors, closures or other related events (i.e. analytic utility)).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 6, 12, 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Myneni et al (US20210006542A1, hereinafter, "Myneni"), in view of Stockdale et al (US20200244673A1-IDS provided by applicant, hereinafter, “Stockdale”).
Regarding claim 6, similarly claim 12, claim 18, Myneni teaches:
The method of claim 5, the system of claim 11, the non-transitory, computer-readable storage medium of claim 17,

wherein: the security system comprises an analytic detection module, the analytic detection module determining whether the event is of analytic utility (Stockdale, discloses anomaly detector detecting a cyber-attack, see [Abstract]. And referring to Fig. 1 Cyber Threat Module (i.e. analytic detection module). And [0009] FIG. 1 illustrates a block diagram of an embodiment of a cyber threat defense system with a cyber threat module that references machine-learning models to identify cyber threats by identifying deviations from normal behavior).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Stockdale in the method of monitoring user actions with behavior-based security of Myneni by using cyber threat module as analytic detection in the cyber threat defense system for anomaly detection. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify malicious activity distributed across multiple devices in the network for anomaly detection (Stockdale, [Abstract]).

Regarding claim 19, Myneni teaches:
The non-transitory, computer-readable storage medium of claim 13, 
While Myneni does not explicitly teach but in the same field of endeavor Stockdale teaches:
(Stockdale, [0032] The cyber threat defense system 100 may protect against cyber security threats from an e-mail system or other communication system, as well as its network. The network may be …, a Cloud environment (i.e. remote). Examiner notes in a cloud environment, the server and client system may be remote from each other). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Stockdale in the method of monitoring user actions with behavior-based security of Myneni by using cyber threat module as analytic detection in the cyber threat defense system in a cloud based network for anomaly detection. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify malicious activity distributed across multiple devices in the cloud based network for anomaly detection (Stockdale, [Abstract]).

Regarding claim 20, Myneni-Stockdale combination further teaches: 
The non-transitory, computer-readable storage medium of claim 13, 
While Myneni does not explicitly teach but in the same field of endeavor Stockdale teaches:
wherein: the computer executable instructions are provided by a service provider to a user on an on-demand basis (Stockdale, [0186] A cloud provider platform (i.e. service provider) may include one or more of the server computing systems. And [0187] Cloud-based remote access can be coded to utilize a protocol, such as Hypertext Transfer Protocol ("HTTP"), to engage in a request (i.e. on-demand) and response cycle with an application on a client computing system such as a web-browser application resident on the client computing system).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Stockdale in the method of monitoring user actions with behavior-based security of Myneni by using cyber threat module as analytic detection in the cyber threat defense system in a cloud based network for anomaly detection. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify malicious activity distributed across multiple devices in the cloud based network for anomaly detection (Stockdale, [Abstract]).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but have not been relied upon for this office action:
Petersen et al (US20200125725A1). Discloses utilities for data network monitoring for identification of security threats related to identity such as user with log message data.
Thomas et al (US20190190929A1). Discloses enterprise monitored for indications of malicious activity.
Moyle et al (US20130097701A1). Discloses method for identifying detection of a particular activity performed by a particular user using computing device.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/Examiner, Art Unit 2436


/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436