DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 13 and 20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
The phrase “near-real time relative to…” in claims 13 and 20 is a relative term which renders the claim indefinite. The phrase “near-real time relative to…” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Johnson et al. (hereinafter, “Johnson”), US 2020/0280573 in view of Saxena et al. (hereinafter, “Saxena”), US 2019/0327271.
As per claim 1: Johnson discloses: A method, comprising: receiving, by a device, log data identifying access of user devices (data sources 202 include any number of data repositories, including system access logs [Johnson, ¶0026]; an enterprise defense cybersecurity system (EDCS) receives the data from normalization module 206, which operates on data from a data ingestion queue 204 and the data sources 202 [Johnson, ¶0025-0027; Fig. 2]; access attempts can be performed locally or remotely via a cloud [Johnson, ¶0039]); aggregating, by the device, the log data to generate aggregated log data identifying (system profiles are built from access records and system characteristics data for one or more particular electronic resources [Johnson, ¶0044]; access records are collected over a period of time [Johnson, ¶0079]); training, by the device, one or more machine learning models, with the aggregated log data, to generate one or more trained machine learning models (for any particular electronic resource, corresponding data (e.g. access attempt data, access records, system characteristic data) may be used in building a system access model [Johnson, ¶0052]; system access models include expected system access profiles [Johnson, ¶0048]); receiving, by the device, particular log data identifying access of a particular user device, of the user devices (the EDCS receives a particular access indication of a particular access attempt to an electronic resource by a particular user from the data sources 202 [Johnson, ¶0035; Fig. 3(310)]), (the EDCS processes the particular access indication through the system access model [Johnson, ¶0053; Fig. 3(330)]; the EDCS then identifies one or more access anomalies related to the electronic resource in the attempt [Johnson, ¶0056; Fig. 3(340)]); and performing, by the device, one or more actions based on identifying the anomaly (the EDCS uses a mitigation model to implement one or more mitigation actions [Johnson, ¶0058; Fig. 3(350)]).
Johnson further suggests a wide variety of what the electronic resources may include, such as a particular hardware and/or software component [Johnson, ¶0036]. However, Johnson does not specify the electronic resources as “containers” (the strikethrough limitations). 
Thus, it would have been obvious to a person having ordinary skill in the art before the claimed invention was effectively filed to include application containers as an electronic resource requiring protection in Johnson. The type of electronic resource would have been a design choice based on what type of system was being developed. Containers were a common form of software at the time, and it would have been advantageous to have a system that protects them as resources. As discussed in [Saxena, ¶0079], containers have the advantages of using fewer resources and being executed in a sandbox.

As per claim 2: Johnson in view of Saxena disclose all limitations of claim 1. Furthermore, Johnson in view of Saxena disclose: wherein the log data include data identifying one or more of: times of day associated with the user devices accessing the cloud-based network (access attempts may have specific time or time period [Johnson, ¶0043]), activities of the user devices while accessing the cloud-based network (system access records include particular devices and interactions via a network [Johnson, ¶0047]), network addresses of the user devices associated with the containers (IP address of an access attempt [Johnson, ¶0043]), hardware utilized by the containers (system characteristics include hardware [Johnson, ¶0049]), or actions performed by the user devices within the containers (actions associated with a particular user [Johnson, ¶0047]).

As per claim 3: Johnson in view of Saxena disclose all limitations of claim 1. Furthermore, Johnson in view of Saxena disclose: wherein each of the container profiles includes data identifying one or more of (system profiles are built from access records and system characteristics data for one or more particular electronic resources [Johnson, ¶0044]; electronic resources would include containers as discussed with Saxena earlier in claim 1): a container identifier for each of the containers (a particular electronic resource [Johnson, ¶0052]), a timestamp associated with the container identifier (time periods of access attempts [Johnson, ¶0043, 0046]), a geographical location associated with each of the containers (network location, including physical location data [Johnson, ¶0049]), network addresses allocated to one or more of the user devices associated with each of the containers (IP address of access attempts [Johnson, ¶0043]), or one or more of the user devices associated with each of the containers (access records include one or more indications of particular user accounts used to access the particular component of an electronic resource [Johnson, ¶0048]).

As per claim 4: Johnson in view of Saxena disclose all limitations of claim 1. Furthermore, Johnson in view of Saxena disclose: wherein performing the one or more actions comprises one or more of: causing the particular user device to be blocked from further access to the cloud-based network and the particular container (implementing IP-blocking [Johnson, ¶0030]); generating an alert identifying the particular user device associated with the anomaly (generate an alert for human review [Johnson, ¶0030]); or modifying a security policy to address the anomaly (implementing a traffic throttling scheme, increase logging for a particular system or group of systems [Johnson, ¶0030]).

As per claim 5: Johnson in view of Saxena disclose all limitations of claim 1. Furthermore, Johnson in view of Saxena disclose: wherein performing the one or more actions comprises one or more of: quarantining access of the particular user device to the cloud-based network and the particular container, for further evaluation (suspend access to an electronic resource [Johnson, ¶0030]; mitigation actions may be evaluated automatically for updating a mitigation model [Johnson, ¶0062]); generating a new security policy to address the anomaly (refining mitigation actions using machine learning techniques [Johnson, ¶0032]); or retraining the one or more machine learning models based on the anomaly (updating the mitigation model based on detection and confirmation of an anomaly [Johnson, ¶0060]).

As per claim 6: Johnson in view of Saxena disclose all limitations of claim 1. Johnson does not disclose: wherein the one or more machine learning models include one or more classification tree machine learning models. However, Saxena discloses supervised learning using a decision tree for creating a model for identifying anomalies [Saxena, ¶0266].
Thus, it would have been obvious to a person having ordinary skill in the art before the claimed invention was effectively filed to implement decision tree machine learning techniques in training the models in Johnson. According to [Johnson, ¶0081], the models may be trained using various machine learning techniques, where one embodiment discloses using autoencoders to build the models [Johnson, ¶0081]. Decision trees were a well-known and 

As per claim 7: Johnson in view of Saxena disclose all limitations of claim 1. Furthermore, Johnson in view of Saxena disclose: wherein the anomaly includes information indicating that the particular user device is accessing the cloud-based network and the particular container from a network address not associated with the particular user device (in a given example in [Johnson, ¶0063], a particular user account associated with a particular user is expected to be used to access a particular electronic resource, wherein the electronic resource is expecting this particular user account to be used (herein, the electronic resource would be containers as discussed with Saxena in claim 1); each particular device used in access attempts is identified via an IP address [Johnson, ¶0043]; therefore, an access attempt by an unexpected user device to said electronic resource would be identified as an anomaly).

As per claim 8: Claim 8 is different in overall scope from claims 1, 4, and 5 but recites substantially similar subject matter as claims 1, 4, and 5. Claim 8 is directed to a device corresponding to the method of claims 1, 4, and 5. Thus, the response provided above for claims 1, 4, and 5 is equally applicable to claim 8.

As per claim 9: Johnson in view of Saxena disclose all limitations of claim 8. Furthermore, Johnson in view of Saxena disclose: wherein the anomaly includes information indicating that the particular user device is accessing the cloud-based network and the particular container from a network address not within a network address range associated with the particular user device (in the given example of [Johnson, ¶0063], an IP address that is outside of a geographic area (e.g. the United States), may indicate an anomalous access attempt to an electronic resource).

As per claim 10: Johnson in view of Saxena disclose all limitations of claim 8. Furthermore, Johnson in view of Saxena disclose: wherein the one or more processors are further configured to: store the log data, the aggregated log data, and information identifying the anomaly in a data structure (normalizing data into a uniform style [Johnson, ¶0026]).

As per claim 11: Johnson in view of Saxena disclose all limitations of claim 8. Furthermore, Johnson in view of Saxena disclose: wherein the one or more processors, when performing the one or more actions, are configured to: cause a remediation plan, addressing the anomaly, to be implemented in the cloud-based network and the particular container (mitigation actions include suspending access to an electronic resource, implement an IP-blocking scheme, and increase logging [Johnson, ¶0030]).

As per claim 12: Johnson in view of Saxena disclose all limitations of claim 8. Furthermore, Johnson in view of Saxena disclose: wherein the one or more processors, when aggregating the log data to generate the aggregated log data, are configured to: utilize a time aggregation technique or a spatial aggregation technique to aggregate the log data and generate the aggregated log data (collecting information about access records over a period of time (“time aggregation”) [Johnson, ¶0079]; system access model is based on access records and system characteristics (that are collected, or “spatial aggregation” for a particular electronic resource) for one or more particular electronic resources [Johnson, ¶0044]).
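The pipeline mapped above in claims 1, 9 and 12 (aggregate access logs per user device and container, treat a new access from a network address outside the device's associated range as an anomaly, then pick a mitigation action as in claim 4), as an added illustration that is not part of this Office Action, Johnson or Saxena. The log line format, the grouping of addresses into /24 networks, the hour-of-day bucketing and the action names are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample access log lines: "<ISO timestamp> <user device> <container id> <source IP>".
# These are made up for the example and are not from the Office Action or the cited references.
SAMPLE_LOG = """\
2022-01-10T09:02:11 dev-A ctr-1 10.0.1.21
2022-01-10T09:45:03 dev-A ctr-1 10.0.1.22
2022-01-10T10:30:44 dev-A ctr-1 10.0.1.23
2022-01-11T11:12:09 dev-A ctr-1 10.0.1.21
2022-01-11T09:40:57 dev-B ctr-1 10.0.2.15
2022-01-11T10:05:30 dev-B ctr-2 10.0.2.15
""".splitlines()

def parse_line(line):
    """Split one access log line into its timestamp, device, container and source address."""
    ts, device, container, ip = line.split()
    return {"ts": datetime.fromisoformat(ts), "device": device,
            "container": container, "ip": ipaddress.ip_address(ip)}

def aggregate(lines):
    """Build a profile per (device, container) pair from the log lines.

    Time aggregation: the hours of day at which access was observed.
    Spatial aggregation: the /24 networks the device's source addresses fall into
    (assumed granularity; a real deployment would take ranges from inventory data).
    """
    profiles = defaultdict(lambda: {"hours": set(), "networks": set()})
    for line in lines:
        rec = parse_line(line)
        prof = profiles[(rec["device"], rec["container"])]
        prof["hours"].add(rec["ts"].hour)
        prof["networks"].add(ipaddress.ip_network(f"{rec['ip']}/24", strict=False))
    return profiles

def find_anomalies(profiles, line):
    """Check one new log line against its profile; return the reasons it is anomalous (empty if none)."""
    rec = parse_line(line)
    prof = profiles.get((rec["device"], rec["container"]))
    if prof is None:
        return ["device has no access history for this container"]
    reasons = []
    if not any(rec["ip"] in net for net in prof["networks"]):
        reasons.append("network address outside range associated with device")
    if rec["ts"].hour not in prof["hours"]:
        reasons.append("time of day not previously observed")
    return reasons

def choose_action(reasons):
    """Map anomaly reasons to a mitigation action: block the device, raise an alert, or allow."""
    if "network address outside range associated with device" in reasons:
        return "block"
    return "alert" if reasons else "allow"

if __name__ == "__main__":
    profiles = aggregate(SAMPLE_LOG)
    for event in ("2022-01-12T10:00:00 dev-A ctr-1 203.0.113.7",
                  "2022-01-12T10:15:00 dev-A ctr-1 10.0.1.30"):
        reasons = find_anomalies(profiles, event)
        print(event, "->", choose_action(reasons), reasons)
```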

As per claim 13: Johnson in view of Saxena disclose all limitations of claim 8. Furthermore, Johnson in view of Saxena disclose: wherein the anomaly is identified in near-real time relative to receiving the particular log data (processing a particular access indication through the models to produce how anomalous a particular access attempt is [Johnson, ¶0053-0056]).

As per claim 14: Johnson in view of Saxena disclose all limitations of claim 8. Furthermore, Johnson in view of Saxena disclose: wherein the one or more processors, when performing the one or more actions, are configured to: provide, for display, a notification identifying the anomaly (providing a notification, such as an email, of a detected anomaly [Johnson, ¶0060]).

As per claim 15: Claim 15 is different in overall scope from claims 1 and 3 but recites substantially similar subject matter as claims 1 and 3. Claim 15 is directed to a non-transitory computer-readable medium corresponding to the method of claims 1 and 3. Thus, the response provided above for claims 1 and 3 is equally applicable to claim 15.

As per claim 16: Claim 16 incorporates all limitations of claim 15 and is a non-transitory computer-readable medium corresponding to the method of claim 4. Therefore, the arguments set forth above with respect to claims 4 and 15 are equally applicable to claim 16, which is rejected for the same reasons.

As per claim 17: Claim 17 incorporates all limitations of claim 15 and is a non-transitory computer-readable medium corresponding to the method of claim 5. Therefore, the arguments set forth above with respect to claims 5 and 15 are equally applicable to claim 17, which is rejected for the same reasons.

As per claim 18: Johnson in view of Saxena disclose all limitations of claim 15. Furthermore, Johnson in view of Saxena disclose: wherein the anomaly includes information indicating that the particular user device is accessing the cloud-based network and the particular container from a network address not within a network address range associated with the particular user device (in the given example of [Johnson, ¶0063], an IP address that is outside of a geographic area (e.g. the United States), may indicate an anomalous access attempt to an electronic resource).

As per claim 19: Johnson in view of Saxena disclose all limitations of claim 15. Furthermore, Johnson in view of Saxena disclose: wherein the instructions further comprise: one or more instructions that, when executed by the one or more processors, cause the one or more processors to: store the log data, the aggregated log data, and information identifying the anomaly in a data structure (normalizing data into a uniform style [Johnson, ¶0026]).

As per claim 20: Johnson in view of Saxena disclose all limitations of claim 15. Furthermore, Johnson in view of Saxena disclose: wherein the anomaly is identified in near-real time relative to receiving the particular log data (processing a particular access indication through the models to produce how anomalous a particular access attempt is [Johnson, ¶0053-0056]).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 8,601,531: Discloses detecting normal and abnormal access patterns of data system resources based on a variety of identification factors. These factors include an identity of the requestor, location of the requestor, the type of resource being accessed, and a time of the access. See col. 5, lines 8-38.
US 2018/0293377: Discloses generating a prediction model for suspicious behavior using user data that is information of a user who accesses data, document data that is information of the data itself, and an access log. See ¶0140.
US 2020/0296117: Discloses generating a resource behavior profile for a resource being monitored. The profile is compared to recorded resource behavior 
US 10,853,350: Discloses determining a data access pattern for a data object, such that the pattern may be used to determine anomalous attempts to access the data object.  See col. 4, line 54 – col. 5, line 13.
M. Tharshini, M. Ragavinodini and R. Senthilkumar, "Access Log Anomaly Detection," 2017 Ninth International Conference on Advanced Computing (ICoAC), 2017, pp. 375-381, doi: 10.1109/ICoAC.2017.8441194. (Discloses analyzing stored access logs and detecting anomalous events. Both static and dynamic logs are used. See Abstract.)
Du, Min, et al. "Deeplog: Anomaly detection and diagnosis from system logs through deep learning." Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 2017. (Discloses a deep neural network model to automatically learn log patterns and detect anomalies when log patterns deviate from the normal model. See Abstract.)

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT B LEUNG whose telephone number is (571)270-1453. The examiner can normally be reached Mon - Thurs: 10am-7pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG KIM can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/ROBERT B LEUNG/Primary Examiner, Art Unit 2494    1-13-2022