Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 12/28/2021. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Response to Arguments
Claims 1-20 are pending.
Applicant presents the following arguments in the November 02, 2021 amendment.
Applicant's arguments with respect to claims 1, 8 and 15 have been considered but are moot because the arguments do not apply to any of the references being used in the current rejection. 
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 8 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Sol et al. (US 2016/0019387 A1, hereinafter Sol) in view of Love et al. (US 9,836,183 B1, hereinafter Love) and in view of Apostolopoulos (US 2018/0219888 A1, hereinafter Apostolopoulos). 
Regarding independent claim(s) 1, Sol discloses a method comprising: performing, by one or more computer processors executing processor readable instructions, operations comprising: extracting features from time-series user behavioral data; applying a machine-learning clustering algorithm to the extracted features to generate a time series of user clusters associated by the time-series user behavioral data (Sol discloses a behavior change detection system collects behavior from a service, such as an on line service, and detects behavior changes, either permanent or transient, in the service. Machine learning hierarchical (agglomerative) clustering techniques are utilized to compute deviations between clustered data sets representing an "answer" that the service presents to a series of requests. Operational scalability issues are addressed by using the computed volatility of the events in a time series as input for a classifier. During a learning process (i.e., the machine learning process), the system identifies relevant features that are affected by security incidents, which is generate a time series of user clusters associated by the time-series user behavioral data. A behavior is a cluster of clusters, computed using the hierarchical clustering algorithm (e.g., agglomerative approach), using data collected for an object feature in specific context over a period of time. The behavioral change is quantified using a value between O and 1. Quantification of the behavioral change in this manner enables classification of behavioral changes over time. This process produces a time series with user volatility and operational volatility data (generate a time series of user clusters associated by the time-series behavioral data). A change in one thing results in a similar or opposite change in the other thing, (see Sol: Para. 0028-0030, 0070-0075 and 0090-0100). To scale complex behavior models to the high volume and variety of data present on line, it is important to efficiently distribute learning of models. The abnormal user behavior in this most cases the actual theft of information is preceded by abnormal (though possibly permitted) behavior of the user, i.e. the user even before the theft of information begins to take actions that are not typical for his previous activity both according to the set of performed operations and to the content of the processed information. This reads on the claim concept of extracting features from time-series user behavioral data; applying a machine-learning clustering algorithm to the extracted features to generate a time series of user clusters associated by the time-series behavioral data. Device 1000 includes one or more processors 1010 (e.g., any of microprocessors, controllers, and the like) which process various computer executable or readable instructions to control the operation of device, (see Sol: Para. 0136-0153). This reads on the claim concept of performing, by one or more computer processors executing processor readable instructions, operations comprising). 
However, Sol does not appears to specifically disclose creating a graph data structure for a graph comprising user nodes, cluster nodes, and user-attribute nodes, each user node representing a uniquely identified user entity, each cluster node representing one of the user clusters 'within the time series of user clusters, and each user-attribute node comprising static identifying information associated with one or more of the user entities. 
In the same field of endeavor, Love discloses creating a graph data structure for a graph comprising user nodes, cluster nodes, and user-attribute nodes, each user node representing a uniquely identified user entity, each cluster node representing one of the user clusters 'within the time series of user clusters, and each user-attribute node comprising static identifying information associated with one or more of the user entities (Love discloses a graph data structure that provides both relatively fine grained context to the information presented, in some cases with node-specific graphical elements, (see Love: Col. 3 Line 1-67, Col. 4 Line 1-67, Col. 6 line 1-67 and Col. 17 line 1-67). This reads on the claim concept of creating a graph data structure for a graph comprising user nodes, cluster nodes, and user-attribute nodes. Each of the vectors and create a graph of reachable vectors, where nodes on the graph are identified in response to non-core corresponding vectors being within a threshold distance of a core vector in the graph, and in response to core vector in the graph being reachable by other core vectors in the graph, (see Love: Col. 17 line 1-67). A corresponding graph may be constructed, with documents, paragraphs, entities, sentiments, or terms as nodes, and weighted edges indicating relationships, like similarity, relatedness, species-genus relationships, synonym relationships, possession relationships, relationships in which one node acts on another node, relationships in which one node is an attribute of another, (see Love: Col. 16 line 1-67). The clustered graph may include a relatively large number of nodes, each node corresponding to some entity, document, or other item, (see Love: Col. 5 line 1-67, Col. 10 line 1-67, Col. 14 line 1-67 and Col. 32 line 1-67). This reads on the claim concept of each user node representing a uniquely identified user entity, each cluster node representing one of the user clusters within the time series of user clusters. Sending each node a subset of documents, while other tasks may be assigned to nodes by topic (e.g., sending each node a subset of topics). In some cases, the number of nodes may be relatively large, e.g., exceeding 10, or 100 nodes. Sending instructions to the distributed data, rather than moving data between computing devices where instructions are static, is expected to yield faster results for particularly large data sets, (see Sol: Col. 22 line 1-67). This reads on the claim concept of each user-attribute node comprising static identifying information associated with one or more of the user entities). 
Accordingly, it would have been obvious to a person of ordinarily skill in the art before the effective filing date of the claimed invention to modify the Abnormal User Behavior of Sol in order to have incorporated the a graph data structure, as disclosed by Love, since both of these mechanisms are directed to actual theft of information is preceded by abnormal (though possibly permitted) behavior of the user, i.e. the user even before the theft of information begins to take actions that are not typical for his previous activity both according to the set of performed operations and to the content of the processed information. Also, the very stage of data breach preparation during which abnormal behavior of the user is observed usually takes quite a long time, up to several months. The purpose of internal intrusions is usually to gain access to textual information (financial reports, contracts, technical documentation, e-mail, etc.). Therefore, the key moment is to detect abnormal behavior of users during working process with data. Abnormal behavior may indicate that the user is not the one on behalf of whom he authorized (user authentication task), or the user is interested in corporate documents that are not related to his current work activity. After getting access to the desired information, the "Data hiding" phase begins. At this stage, the main goal of the insider is to test the existing information security systems of the company and find the optimal way to safely exfilter the received information. To find deviations from the user's reference profile in such data as Employee Movement History (GPS), typed text, the resulting text the k method of the nearest neighbors is used. You can reduce the data analysis load as well as bring down the number of iterations in training applying this method. During training this method only stores training data. Classification is performed when new untagged data is obtained at the input of the method. In this case, the data received from the user is checked and it starts process of finding if it belongs to a specific users' group or user. A Graph is a non-linear data structure consisting of nodes and edges. The nodes are sometimes also referred to as vertices and the edges are lines or arcs that connect any two nodes in the graph. Graphs are used to solve many real-life problems. Graphs are used to represent networks. The networks may include paths in a city or telephone network or circuit network. Graphs are also used in social networks like linked In, Facebook. For example, in Facebook, each person is represented with a vertex (or node). Each node is a structure and contains information like person id, name, gender, locale etc. A graph is a pictorial representation of a set of objects where some pairs of objects are connected by links. The interconnected objects are represented by points termed as vertices, and the links that connect the vertices are called edges. Incorporating the teachings of Love into Sol would produce clustered graph, the clustered graph having three or more clusters, each cluster having a plurality of nodes of the graph, the nodes being connected in pairs by one or more respective edges, as disclosed by Love, (see Abstract). 
However, Sol and Love do not appears to specifically disclose the graph comprising edges between the user nodes and the user-attribute nodes and between the user nodes and the cluster nodes; processing the graph data structure with a graph algorithm to identify one or more groups of similar user nodes based on identifying a highly connected subgraph, indicating a similarity between the user nodes, the user-attribute nodes and the cluster nodes associated with the one or more groups of similar user nodes; and  providing an output based on the identified one or more groups of similar user nodes, wherein the output comprises an indication that a plurality of user nodes of the one or more groups of similar user nodes correspond to a same user. 
In the same field of endeavor, Apostolopulos discloses the graph comprising edges between the user nodes and the user-attribute nodes and between the user nodes and the cluster nodes; processing the graph data structure with a graph algorithm to identify one or more groups of similar user nodes based on identifying a highly connected subgraph, indicating a similarity between the user nodes (Apostolopulos discloses a graph-based network security analytic framework to combine multiple sources of information and security knowledge in order to detect risky behaviors and potential threats. a graph can be built with links between the time units. The links can also receive scoring based on a number of factors. A graph in the context of this description includes a number of nodes and edges. Each node in the relationship graph represents one of the entities involved in the event, and each edge represents a relationship between two of the entities. Entity is a thing, person, place, unit, object or any item about which the data should be captured and stored in the form of properties and tables (Entity property is an attribute). Any event involves at least two entities with some relationship between them (e.g., a device and a user who accesses the device) and therefore can be represented as an event-specific relationship graph. Also, identifiable relationships can include a relationship between entities of the same type (e.g., two users) or entities of different types (e.g., user and device). For example, a portion of the configuration file can specify, for the relationship graph generator 710, that an edge is to be created from an entity "srcUser'' to another entity "sourceIP," with a relationship that corresponds to an event category to which the event belongs, such as "uses." The relationship graph 802 also includes edges that link the nodes representing entities. The identified relationships between the entities are the edges in the graph 802. The relationship graph 802 can be stored in known data structures (e.g., an array) suitable for representing graphs that have nodes and edges. The distributed computation system 920 can be implemented on the same computer cluster as the distributed file system 914. A computation worker can be considered a "processing node" of the computing cluster of the distributed computation system 920. The nodes in the anomaly graph are assigned to a number of groups. Each group corresponds to a time unit and includes the nodes associated with activities that occurred in the time unit (performing a clustering (e.g., k-means) on the groups. The relationship graphs (e.g., event-specific graphs or the composite relationship graph), each link that connects between the groups represents a relationship between the nodes in those groups as established by an activity recorded in the batch of events. The merge can combine similar nodes and edges into the same record, and in some embodiments, can increase the weight of the merged entity nodes. An undirected graph is a subgraph in which any two vertices (e.g., nodes) are connected to each other by links. The connected components may be formed by performing computation on the graph using known algorithms, (see Apostolopulos: Para. 0037-0040, 0126, 0135-0145, 0158-0164, 0165-0180, 0227-0240 and FIG. 23). This reads on the claim concepts of the graph comprising edges between the user nodes and the user-attribute nodes and between the user nodes and the cluster nodes; processing the graph data structure with a graph algorithm to identify one or more groups of similar user nodes based on identifying a highly connected subgraph, indicating a similarity between the user nodes),     
the user-attribute nodes and the cluster nodes associated with the one or more groups of similar user nodes; and providing an output based on the identified one or more groups of similar user nodes, wherein the output comprises an indication that a plurality of user nodes of the one or more groups of similar user nodes correspond to a same user (Apostolopulos discloses a graph in the context of this description includes a number of nodes and edges. Each node in the relationship graph represents one of the entities involved in the event, and each edge represents a relationship between two of the entities. Entity is a thing, person, place, unit, object or any item about which the data should be captured and stored in the form of properties and tables (Entity property is an attribute/ include event data that has more attributes). The relationship graph 802 also includes edges that link the nodes representing entities. The identified relationships between the entities are the edges in the graph 802. The relationship graph 802 can be stored in known data structures (e.g., an array) suitable for representing graphs that have nodes and edges. The distributed computation system 920 can be implemented on the same computer cluster as the distributed file system 914. A computation worker can be considered a "processing node" of the computing cluster of the distributed computation system 920. The nodes in the anomaly graph are assigned to a number of groups. Each group corresponds to a time unit and includes the nodes associated with activities that occurred in the time unit (performing a clustering (e.g., k-means) on the groups. The relationship graphs (e.g., event-specific graphs or the composite relationship graph), each link that connects between the groups represents a relationship between the nodes in those groups as established by an activity recorded in the batch of events. The merge can combine similar nodes and edges into the same record, and in some embodiments, can increase the weight of the merged entity nodes. The method condenses network activities that are of the same type and associated with the same user into a single entry of combined network activity. Also, identifiable relationships can include a relationship between entities of the same type (e.g., two users) or entities of different types (e.g., user and device). The event-specific relationship graph includes a number of nodes and at least one edge interconnecting nodes. The nodes represent the entities involved in the event. Each edge represents an interaction between a pair of the entities. The output of the machine learning layer 510 includes anomalies, threat indicators, and/or threats. This output may be analyzed by the various applications such as a threat detection application 516, a security analytics application 518 or other applications 520. The output of the job processing cluster is received back into the security platform for further analysis, (see Apostolopulos: Para. 0037-0040, 0110-0126, 0135-0145, 0158-0164, 0165-0180, 0189-0204, 0227-0240 and FIG. 23). This reads on the claim concepts of the user-attribute nodes and the cluster nodes associated with the one or more groups of similar user nodes; and providing an output based on the identified one or more groups of similar user nodes, wherein the output comprises an indication that a plurality of user nodes of the one or more groups of similar user nodes correspond to a same user).  
Accordingly, it would have been obvious to a person of ordinarily skill in the art before the effective filing date of the claimed invention to modify the Abnormal User Behavior using a graph data structure of Sol and Love in order to have incorporated the processing graph data, as disclosed by Apostolopulos, since both of these mechanisms are directed to a Graph is a data structure consisting of nodes and edges. The nodes are sometimes also referred to as vertices and the edges are lines or arcs that connect any two nodes in the graph. Graphs are used to solve many real-life problems. Graphs are used to represent networks. For example, in Facebook, each person is represented with a vertex (or node). Each node is a structure and contains information like person id, name, gender, locale etc. Graphs are ideal for cases where you're working with things that connect to other things. Two distinct forms of clustering can be performed on graph data. Vertex clustering seeks to cluster the nodes of the graph into groups of densely connected regions based on either edge weights or edge distances. The second form of graph clustering treats the graphs as the objects to be clustered and clusters these objects on the basis of similarity. Detecting graph elements with “similar” properties is of great importance, especially in large networks, where it is crucial to identify specific patterns or structures quickly. The process of grouping together elements/entities that appear based on some similarity measure to be closer to each other (than from the remaining elements) is called cluster analysis. The graph structure, or on the location of the nodes, or other characteristics, e.g., specific properties of the graph elements. Nodes that based on this similarity value are considered to be similar are grouped into the so-called clusters. In other words, each cluster contains elements that share common properties and characteristics. The collection of all the clusters composes a clustering. Edge Between clustering detects clusters in a graph network by progressively removing the edge with the highest between centrality from the graph. Between centrality measures how often a node/edge lies on the shortest path between each pair of nodes in the diagram. The method stops when there are no more edges to remove or if the algorithm has reached the requested maximum number of clusters. The resulting clustering is one that achieved the best quality during the process. The graph into k clusters based on the location of the nodes such that their distance from the cluster’s mean (centroid) is minimum. The distance is defined using various metrics as euclidean distance, euclidean-squared distance, manhattan distance, or Chebyshev distance. Users can also implement a Voronoi diagram to visualize the result of this algorithm. A Voronoi diagram is a partitioning of the plane that contains n points (called sites or generators) into convex polygon regions such that each such region contains exactly one of these points, and each point of the polygon is closer to the generator point that from any other point. Graph Clustering is the process of grouping the nodes of the graph into clusters, taking into account the edge structure of the graph in such a way that there are several edges within each cluster and very few between clusters. Graph Clustering intends to partition the nodes in the graph into disjoint groups. The clusters are just the connected components of the graph. (A connected component is a maximal connected piece of the graph.) There are easy algorithms to find the connected components in a graph. Incorporating the teachings of Apostolopoulos into Sol and Love would produce a graph can be built with links between the time units. The links can also receive scoring based on a number of factors. The resulting graph can be compared with known security knowledge for adjustments. Threats can be detected based on the adjusted risk score for a component (i.e., a group of linked entities) as well as a number of other factors, disclosed by Apostolopoulos, (see Abstract).             
Regarding independent claim(s) 8, Sol discloses system comprising: one or more hardware processors; and one or more computer-readable media storing instructions that cause the one or more hardware processors to perform operations comprising: extracting features from time-series user behavioral data; applying a machine-learning clustering algorithm to the extracted features to generate a time series of user clusters associated by the time-series user behavioral data (Sol discloses a behavior change detection system collects behavior from a service, such as an on line service, and detects behavior changes, either permanent or transient, in the service. Machine learning hierarchical (agglomerative) clustering techniques are utilized to compute deviations between clustered data sets representing an "answer" that the service presents to a series of requests. Operational scalability issues are addressed by using the computed volatility of the events in a time series as input for a classifier. During a learning process (i.e., the machine learning process), the system identifies relevant features that are affected by security incidents, which is generate a time series of user clusters associated by the time-series behavioral data. A behavior is a cluster of clusters, computed using the hierarchical clustering algorithm (e.g., agglomerative approach), using data collected for an object feature in specific context over a period of time. The behavioral change is quantified using a value between O and 1. Quantification of the behavioral change in this manner enables classification of behavioral changes over time. This process produces a time series with user volatility and operational volatility data (generate a time series of user clusters associated by the time-series behavioral data). A change in one thing results in a similar or opposite change in the other thing, (see Sol: Para. 0028- 0030, 0070-0075 and 0090-0100). To scale complex behavior models to the high volume and variety of data present on line, it is important to efficiently distribute learning of models. The abnormal user behavior in this most cases the actual theft of information is preceded by abnormal {though possibly permitted) behavior of the user, i.e. the user even before the theft of information begins to take actions that are not typical for his previous activity both according to the set of performed operations and to the content of the processed information. This reads on the claim concept of extracting features from time-series user behavioral data; applying a machine-learning clustering algorithm to the extracted features to generate a time series of user clusters associated by the time-series behavioral data. Device 1000 includes one or more processors 1010 {e.g., any of microprocessors, controllers, and the like) which process various computer-executable or readable instructions to control the operation of device, {see Sol: Para. 0136-0153). A central processor, main processor or just processor, is the electronic circuitry that executes instructions comprising a computer program. This reads on the claim concept of performing, by one or more computer processors executing processor-readable instructions, operations comprising); 
However, Sol does not appears to specifically disclose creating a graph data structure for a graph comprising user nodes, cluster nodes, and user-attribute nodes, each user node representing a uniquely identified user entity, each cluster node representing one of the user clusters 'within the time series of user clusters, and each user-attribute node comprising static identifying information associated with one or more of the user entities.
In the same field of endeavor, Love discloses creating a graph data structure for a graph comprising user nodes, cluster nodes, and user-attribute nodes, each user node representing a uniquely identified user entity, each cluster node representing one of the user clusters 'within the time series of user clusters, and each user-attribute node comprising static identifying information associated with one or more of the user entities (Love discloses a graph data structure that provides both relatively fine grained context to the information presented, in some cases with node-specific graphical elements, (see Love: Col. 3 Line 1-67, Col. 4 Line 1-67, Col. 6 line 1-67 and Col. 17 line 1-67). This reads on the claim concept of creating a graph data structure for a graph comprising user nodes, cluster nodes, and user-attribute nodes. Each of the vectors and create a graph of reachable vectors, where nodes on the graph are identified in response to non-core corresponding vectors being within a threshold distance of a core vector in the graph, and in response to core vector in the graph being reachable by other core vectors in the graph, (see Love: Col. 17 line 1-67). A corresponding graph may be constructed, with documents, paragraphs, entities, sentiments, or terms as nodes, and weighted edges indicating relationships, like similarity, relatedness, species-genus relationships, synonym relationships, possession relationships, relationships in which one node acts on another node, relationships in which one node is an attribute of another, (see Love: Col. 16 line 1-67). The clustered graph may include a relatively large number of nodes, each node corresponding to some entity, document, or other item, (see Love: Col. 5 line 1-67, Col. 10 line 1-67, Col. 14 line 1-67 and Col. 32 line 1-67). This reads on the claim concept of each user node representing a uniquely identified user entity, each cluster node representing one of the user clusters within the time series of user clusters. Sending each node a subset of documents, while other tasks may be assigned to nodes by topic {e.g., sending each node a subset of topics). In some cases, the number of nodes may be relatively large, e.g., exceeding 10, or 100 nodes. Sending instructions to the distributed data, rather than moving data between computing devices where instructions are static, is expected to yield faster results for particularly large data sets, (see Sol: Col. 22 line 1-67). This reads on the claim concept of each user-attribute node comprising static identifying information associated with one or more of the user entities), 
Accordingly, it would have been obvious to a person of ordinarily skill in the art before the effective filing date of the claimed invention to modify the Abnormal User Behavior of Sol in order to have incorporated the a graph data structure, as disclosed by Love, since both of these mechanisms are directed to actual theft of information is preceded by abnormal (though possibly permitted) behavior of the user, i.e. the user even before the theft of information begins to take actions that are not typical for his previous activity both according to the set of performed operations and to the content of the processed information. Also, the very stage of data breach preparation during which abnormal behavior of the user is observed usually takes quite a long time, up to several months. The purpose of internal intrusions is usually to gain access to textual information (financial reports, contracts, technical documentation, e-mail, etc.). Therefore, the key moment is to detect abnormal behavior of users during working process with data. Abnormal behavior may indicate that the user is not the one on behalf of whom he authorized (user authentication task), or the user is interested in corporate documents that are not related to his current work activity. After getting access to the desired information, the "Data hiding" phase begins. At this stage, the main goal of the insider is to test the existing information security systems of the company and find the optimal way to safely exfilter the received information. To find deviations from the user's reference profile in such data as Employee Movement History (GPS), typed text, the resulting text the k method of the nearest neighbors is used. You can reduce the data analysis load as well as bring down the number of iterations in training applying this method. During training this method only stores training data. Classification is performed when new untagged data is obtained at the input of the method. In this case, the data received from the user is checked and it starts process of finding if it belongs to a specific users' group or user. A Graph is a non-linear data structure consisting of nodes and edges. The nodes are sometimes also referred to as vertices and the edges are lines or arcs that connect any two nodes in the graph. Graphs are used to solve many real-life problems. Graphs are used to represent networks. The networks may include paths in a city or telephone network or circuit network. Graphs are also used in social networks like linked In, Facebook. For example, in Facebook, each person is represented with a vertex (or node). Each node is a structure and contains information like person id, name, gender, locale etc. A graph is a pictorial representation of a set of objects where some pairs of objects are connected by links. The interconnected objects are represented by points termed as vertices, and the links that connect the vertices are called edges. Incorporating the teachings of Love into Sol would produce clustered graph, the clustered graph having three or more clusters, each cluster having a plurality of nodes of the graph, the nodes being connected in pairs by one or more respective edges, as disclosed by Love, (see Abstract).
However, Sol and Love do not appears to specifically disclose the graph comprising edges between the user nodes and the user-attribute nodes and between the user nodes and the cluster nodes; processing the graph data structure with a graph algorithm to identify one or more groups of similar user nodes based on identifying a highly connected subgraph, indicating a similarity between the user nodes, the user-attribute nodes and the cluster nodes associated with the one or more groups of similar user nodes; and providing an output based on the identified one or more groups of similar user nodes, wherein the output comprises an indication that a plurality of user nodes of the one or more groups of similar user nodes correspond to a same user. 
  In the same field of endeavor, Apostolopoulos discloses the graph comprising edges between the user nodes and the user-attribute nodes and between the user nodes and the cluster nodes; processing the graph data structure with a graph algorithm to identify one or more groups of similar user nodes based on identifying a highly connected subgraph, indicating a similarity between the user nodes (Apostolopulos discloses a graph-based network security analytic framework to combine multiple sources of information and security knowledge in order to detect risky behaviors and potential threats. a graph can be built with links between the time units. The links can also receive scoring based on a number of factors. A graph in the context of this description includes a number of nodes and edges. Each node in the relationship graph represents one of the entities involved in the event, and each edge represents a relationship between two of the entities. Entity is a thing, person, place, unit, object or any item about which the data should be captured and stored in the form of properties and tables (Entity property is an attribute). Any event involves at least two entities with some relationship between them (e.g., a device and a user who accesses the device) and therefore can be represented as an event-specific relationship graph. Also, identifiable relationships can include a relationship between entities of the same type (e.g., two users) or entities of different types (e.g., user and device). For example, a portion of the configuration file can specify, for the relationship graph generator 710, that an edge is to be created from an entity "srcUser'' to another entity "sourceIP," with a relationship that corresponds to an event category to which the event belongs, such as "uses." The relationship graph 802 also includes edges that link the nodes representing entities. The identified relationships between the entities are the edges in the graph 802. The relationship graph 802 can be stored in known data structures (e.g., an array) suitable for representing graphs that have nodes and edges. The distributed computation system 920 can be implemented on the same computer cluster as the distributed file system 914. A computation worker can be considered a "processing node" of the computing cluster of the distributed computation system 920. The nodes in the anomaly graph are assigned to a number of groups. Each group corresponds to a time unit and includes the nodes associated with activities that occurred in the time unit (performing a clustering (e.g., k-means) on the groups. The relationship graphs (e.g., event-specific graphs or the composite relationship graph), each link that connects between the groups represents a relationship between the nodes in those groups as established by an activity recorded in the batch of events. The merge can combine similar nodes and edges into the same record, and in some embodiments, can increase the weight of the merged entity nodes. An undirected graph is a subgraph in which any two vertices (e.g., nodes) are connected to each other by links. The connected components may be formed by performing computation on the graph using known algorithms, (see Apostolopulos: Para. 0037-0040, 0126, 0135-0145, 0158-0164, 0165-0180, 0227-0240 and FIG. 23). This reads on the claim concepts of the graph comprising edges between the user nodes and the user-attribute nodes and between the user nodes and the cluster nodes; processing the graph data structure with a graph algorithm to identify one or more groups of similar user nodes based on identifying a highly connected subgraph, indicating a similarity between the user nodes),  
the user-attribute nodes and the cluster nodes associated with the one or more groups of similar user nodes; and providing an output based on the identified one or more groups of similar user nodes, wherein the output comprises an indication that a plurality of user nodes of the one or more groups of similar user nodes correspond to a same user (Apostolopoulos discloses a graph in the context of this description includes a number of nodes and edges. Each node in the relationship graph represents one of the entities involved in the event, and each edge represents a relationship between two of the entities. Entity is a thing, person, place, unit, object or any item about which the data should be captured and stored in the form of properties and tables (Entity property is an attribute/ include event data that has more attributes). The relationship graph 802 also includes edges that link the nodes representing entities. The identified relationships between the entities are the edges in the graph 802. The relationship graph 802 can be stored in known data structures (e.g., an array) suitable for representing graphs that have nodes and edges. The distributed computation system 920 can be implemented on the same computer cluster as the distributed file system 914. A computation worker can be considered a "processing node" of the computing cluster of the distributed computation system 920. The nodes in the anomaly graph are assigned to a number of groups. Each group corresponds to a time unit and includes the nodes associated with activities that occurred in the time unit (performing a clustering (e.g., k-means) on the groups. The relationship graphs (e.g., event-specific graphs or the composite relationship graph), each link that connects between the groups represents a relationship between the nodes in those groups as established by an activity recorded in the batch of events. The merge can combine similar nodes and edges into the same record, and in some embodiments, can increase the weight of the merged entity nodes. The method condenses network activities that are of the same type and associated with the same user into a single entry of combined network activity. Also, identifiable relationships can include a relationship between entities of the same type (e.g., two users) or entities of different types (e.g., user and device). The event-specific relationship graph includes a number of nodes and at least one edge interconnecting nodes. The nodes represent the entities involved in the event. Each edge represents an interaction between a pair of the entities. The output of the machine learning layer 510 includes anomalies, threat indicators, and/or threats. This output may be analyzed by the various applications such as a threat detection application 516, a security analytics application 518 or other applications 520. The output of the job processing cluster is received back into the security platform for further analysis, (see Apostolopulos: Para. 0037-0040, 0110-0126, 0135-0145, 0158-0164, 0165-0180, 0189-0204, 0227-0240 and FIG. 23). This reads on the claim concepts of the user-attribute nodes and the cluster nodes associated with the one or more groups of similar user nodes; and providing an output based on the identified one or more groups of similar user nodes, wherein the output comprises an indication that a plurality of user nodes of the one or more groups of similar user nodes correspond to a same user). 
Accordingly, it would have been obvious to a person of ordinarily skill in the art before the effective filing date of the claimed invention to modify the Abnormal User Behavior using a graph data structure of Sol and Love in order to have incorporated the processing graph data, as disclosed by Apostolopulos, since both of these mechanisms are directed to a Graph is a data structure consisting of nodes and edges. The nodes are sometimes also referred to as vertices and the edges are lines or arcs that connect any two nodes in the graph. Graphs are used to solve many real-life problems. Graphs are used to represent networks. For example, in Facebook, each person is represented with a vertex (or node). Each node is a structure and contains information like person id, name, gender, locale etc. Graphs are ideal for cases where you're working with things that connect to other things. Two distinct forms of clustering can be performed on graph data. Vertex clustering seeks to cluster the nodes of the graph into groups of densely connected regions based on either edge weights or edge distances. The second form of graph clustering treats the graphs as the objects to be clustered and clusters these objects on the basis of similarity. Detecting graph elements with “similar” properties is of great importance, especially in large networks, where it is crucial to identify specific patterns or structures quickly. The process of grouping together elements/entities that appear based on some similarity measure to be closer to each other (than from the remaining elements) is called cluster analysis. The graph structure, or on the location of the nodes, or other characteristics, e.g., specific properties of the graph elements. Nodes that based on this similarity value are considered to be similar are grouped into the so-called clusters. In other words, each cluster contains elements that share common properties and characteristics. The collection of all the clusters composes a clustering. Edge Between clustering detects clusters in a graph network by progressively removing the edge with the highest between centrality from the graph. Between centrality measures how often a node/edge lies on the shortest path between each pair of nodes in the diagram. The method stops when there are no more edges to remove or if the algorithm has reached the requested maximum number of clusters. The resulting clustering is one that achieved the best quality during the process. The graph into k clusters based on the location of the nodes such that their distance from the cluster’s mean (centroid) is minimum. The distance is defined using various metrics as euclidean distance, euclidean-squared distance, manhattan distance, or Chebyshev distance. Users can also implement a Voronoi diagram to visualize the result of this algorithm. A Voronoi diagram is a partitioning of the plane that contains n points (called sites or generators) into convex polygon regions such that each such region contains exactly one of these points, and each point of the polygon is closer to the generator point that from any other point. Graph Clustering is the process of grouping the nodes of the graph into clusters, taking into account the edge structure of the graph in such a way that there are several edges within each cluster and very few between clusters. Graph Clustering intends to partition the nodes in the graph into disjoint groups. The clusters are just the connected components of the graph. (A connected component is a maximal connected piece of the graph.) There are easy algorithms to find the connected components in a graph. Incorporating the teachings of Apostolopoulos into Sol and Love would produce a graph can be built with links between the time units. The links can also receive scoring based on a number of factors. The resulting graph can be compared with known security knowledge for adjustments. Threats can be detected based on the adjusted risk score for a component (i.e., a group of linked entities) as well as a number of other factors, disclosed by Apostolopoulos, (see Abstract).       
Regarding independent claim(s) 15, Sol discloses one or more non-transitory computer readable media storing instruction which, when executed by one or more hardware processors of a machine, cause the machine to perform operations comprising: extracting features from time-series user behavioral data; applying a machine-learning clustering algorithm to the extracted features to generate a time series of user clusters associated by the time-series user behavioral data (Sol discloses a behavior change detection system collects behavior from a service, such as an on line service, and detects behavior changes, either permanent or transient, in the service. Machine learning hierarchical (agglomerative) clustering techniques are utilized to compute deviations between clustered data sets representing an "answer" that the service presents to a series of requests. Operational scalability issues are addressed by using the computed volatility of the events in a time series as input for a classifier. During a learning process (i.e., the machine learning process), the system identifies relevant features that are affected by security incidents, which is generate a time series of user clusters associated by the time-series behavioral data. A behavior is a cluster of clusters, computed using the hierarchical clustering algorithm (e.g., agglomerative approach), using data collected for an object feature in specific context over a period of time. The behavioral change is quantified using a value between O and 1. Quantification of the behavioral change in this manner enables classification of behavioral changes over time. This process produces a time series with user volatility and operational volatility data (generate a time series of user clusters associated by the time-series behavioral data). A change in one thing results in a similar or opposite change in the other thing, (see Sol: Para. 0028- 0030, 0070-0075 and 0090-0100). To scale complex behavior models to the high volume and variety of data present on line, it is important to efficiently distribute learning of models. The abnormal user behavior in this most cases the actual theft of information is preceded by abnormal {though possibly permitted) behavior of the user, i.e. the user even before the theft of information begins to take actions that are not typical for his previous activity both according to the set of performed operations and to the content of the processed information. This reads on the claim concept of extracting features from time-series user behavioral data; applying a machine-learning clustering algorithm to the extracted features to generate a time series of user clusters associated by the time-series behavioral data. Device 1000 includes one or more processors 1010 (e.g., any of microprocessors, controllers, and the like) which process various computer-executable or readable instructions to control the operation of device, (see Sol: Para. 0136-0153). This reads on the claim concept of performing, by one or more computer processors executing processor-readable instructions, operations comprising);
However, Sol does not appears to specifically disclose creating a graph data structure for a graph comprising user nodes, cluster nodes, and user-attribute nodes, each user node representing a uniquely identified user entity, each cluster node representing one of the user clusters 'within the time series of user clusters, and each user-attribute node comprising static identifying information associated with one or more of the user entities.
In the same field of endeavor, Love discloses creating a graph data structure for a graph comprising user nodes, cluster nodes, and user-attribute nodes, each user node representing a uniquely identified user entity, each cluster node representing one of the user clusters 'within the time series of user clusters, and each user-attribute node comprising static identifying information associated with one or more of the user entities (Love discloses a graph data structure that provides both relatively fine grained context to the information presented, in some cases with node-specific graphical elements, (see Love: Col. 3 Line 1-67, Col. 4 Line 1-67, Col. 6 line 1-67 and Col. 17 line 1-67). This reads on the claim concept of creating a graph data structure for a graph comprising user nodes, cluster nodes, and user-attribute nodes. Each of the vectors and create a graph of reachable vectors, where nodes on the graph are identified in response to non-core corresponding vectors being within a threshold distance of a core vector in the graph, and in response to core vector in the graph being reachable by other core vectors in the graph, (see Love: Col. 17 line 1-67). A corresponding graph may be constructed, with documents, paragraphs, entities, sentiments, or terms as nodes, and weighted edges indicating relationships, like similarity, relatedness, species-genus relationships, synonym relationships, possession relationships, relationships in which one node acts on another node, relationships in which one node is an attribute of another, (see Love: Col. 16 line 1-67). The clustered graph may include a relatively large number of nodes, each node corresponding to some entity, document, or other item, (see Love: Col. 5 line 1-67, Col. 10 line 1-67, Col. 14 line 1-67 and Col. 32 line 1-67). This reads on the claim concept of each user node representing a uniquely identified user entity, each cluster node representing one of the user clusters within the time series of user clusters. Sending each node a subset of documents, while other tasks may be assigned to nodes by topic (e.g., sending each node a subset of topics). In some cases, the number of nodes may be relatively large, e.g., exceeding 10, or 100 nodes. Sending instructions to the distributed data, rather than moving data between computing devices where instructions are static, is expected to yield faster results for particularly large data sets, (see Sol: Col. 22 line 1-67). This reads on the claim concept of each user-attribute node comprising static identifying information associated with one or more of the user entities), 
Accordingly, it would have been obvious to a person of ordinarily skill in the art before the effective filing date of the claimed invention to modify the Abnormal User Behavior of Sol in order to have incorporated the a graph data structure, as disclosed by Love, since both of these mechanisms are directed to actual theft of information is preceded by abnormal (though possibly permitted) behavior of the user, i.e. the user even before the theft of information begins to take actions that are not typical for his previous activity both according to the set of performed operations and to the content of the processed information. Also, the very stage of data breach preparation during which abnormal behavior of the user is observed usually takes quite a long time, up to several months. The purpose of internal intrusions is usually to gain access to textual information (financial reports, contracts, technical documentation, e-mail, etc.). Therefore, the key moment is to detect abnormal behavior of users during working process with data. Abnormal behavior may indicate that the user is not the one on behalf of whom he authorized (user authentication task), or the user is interested in corporate documents that are not related to his current work activity. After getting access to the desired information, the "Data hiding" phase begins. At this stage, the main goal of the insider is to test the existing information security systems of the company and find the optimal way to safely exfilter the received information. To find deviations from the user's reference profile in such data as Employee Movement History (GPS), typed text, the resulting text the k method of the nearest neighbors is used. You can reduce the data analysis load as well as bring down the number of iterations in training applying this method. During training this method only stores training data. Classification is performed when new untagged data is obtained at the input of the method. In this case, the data received from the user is checked and it starts process of finding if it belongs to a specific users' group or user. A Graph is a non-linear data structure consisting of nodes and edges. The nodes are sometimes also referred to as vertices and the edges are lines or arcs that connect any two nodes in the graph. Graphs are used to solve many real-life problems. Graphs are used to represent networks. The networks may include paths in a city or telephone network or circuit network. Graphs are also used in social networks like linked In, Facebook. For example, in Facebook, each person is represented with a vertex (or node). Each node is a structure and contains information like person id, name, gender, locale etc. A graph is a pictorial representation of a set of objects where some pairs of objects are connected by links. The interconnected objects are represented by points termed as vertices, and the links that connect the vertices are called edges. Incorporating the teachings of Love into Sol would produce clustered graph, the clustered graph having three or more clusters, each cluster having a plurality of nodes of the graph, the nodes being connected in pairs by one or more respective edges, as disclosed by Love, (see Abstract).
However, Sol and Love do not appears to specifically disclose the graph comprising edges between the user nodes and the user-attribute nodes and between the user nodes and the cluster nodes; processing the graph data structure with a graph algorithm to identify one or more groups of similar user nodes based on identifying a highly connected subgraph, indicating a similarity between the user nodes, the user-attribute nodes and the cluster nodes associated with the one or more groups of similar user nodes; and providing an output based on the identified one or more groups of similar user nodes, wherein the output comprises an indication that a plurality of user nodes of the one or more groups of similar user nodes correspond to a same user. 
 In the same field of endeavor, Apostolopoulos discloses the graph comprising edges between the user nodes and the user-attribute nodes and between the user nodes and the cluster nodes; processing the graph data structure with a graph algorithm to identify one or more groups of similar user nodes based on identifying a highly connected subgraph, indicating a similarity between the user nodes (Apostolopulos discloses a graph-based network security analytic framework to combine multiple sources of information and security knowledge in order to detect risky behaviors and potential threats. a graph can be built with links between the time units. The links can also receive scoring based on a number of factors. A graph in the context of this description includes a number of nodes and edges. Each node in the relationship graph represents one of the entities involved in the event, and each edge represents a relationship between two of the entities. Entity is a thing, person, place, unit, object or any item about which the data should be captured and stored in the form of properties and tables (Entity property is an attribute). Any event involves at least two entities with some relationship between them (e.g., a device and a user who accesses the device) and therefore can be represented as an event-specific relationship graph. Also, identifiable relationships can include a relationship between entities of the same type (e.g., two users) or entities of different types (e.g., user and device). For example, a portion of the configuration file can specify, for the relationship graph generator 710, that an edge is to be created from an entity "srcUser'' to another entity "sourceIP," with a relationship that corresponds to an event category to which the event belongs, such as "uses." The relationship graph 802 also includes edges that link the nodes representing entities. The identified relationships between the entities are the edges in the graph 802. The relationship graph 802 can be stored in known data structures (e.g., an array) suitable for representing graphs that have nodes and edges. The distributed computation system 920 can be implemented on the same computer cluster as the distributed file system 914. A computation worker can be considered a "processing node" of the computing cluster of the distributed computation system 920. The nodes in the anomaly graph are assigned to a number of groups. Each group corresponds to a time unit and includes the nodes associated with activities that occurred in the time unit (performing a clustering (e.g., k-means) on the groups. The relationship graphs (e.g., event-specific graphs or the composite relationship graph), each link that connects between the groups represents a relationship between the nodes in those groups as established by an activity recorded in the batch of events. The merge can combine similar nodes and edges into the same record, and in some embodiments, can increase the weight of the merged entity nodes. An undirected graph is a subgraph in which any two vertices (e.g., nodes) are connected to each other by links. The connected components may be formed by performing computation on the graph using known algorithms, (see Apostolopulos: Para. 0037-0040, 0126, 0135-0145, 0158-0164, 0165-0180, 0227-0240 and FIG. 23). This reads on the claim concepts of the graph comprising edges between the user nodes and the user-attribute nodes and between the user nodes and the cluster nodes; processing the graph data structure with a graph algorithm to identify one or more groups of similar user nodes based on identifying a highly connected subgraph, indicating a similarity between the user nodes), 
 the user-attribute nodes and the cluster nodes associated with the one or more groups of similar user nodes; and providing an output based on the identified one or more groups of similar user nodes, wherein the output comprises an indication that a plurality of user nodes of the one or more groups of similar user nodes correspond to a same user (Apostolopoulos discloses a graph in the context of this description includes a number of nodes and edges. Each node in the relationship graph represents one of the entities involved in the event, and each edge represents a relationship between two of the entities. Entity is a thing, person, place, unit, object or any item about which the data should be captured and stored in the form of properties and tables (Entity property is an attribute/ include event data that has more attributes). The relationship graph 802 also includes edges that link the nodes representing entities. The identified relationships between the entities are the edges in the graph 802. The relationship graph 802 can be stored in known data structures (e.g., an array) suitable for representing graphs that have nodes and edges. The distributed computation system 920 can be implemented on the same computer cluster as the distributed file system 914. A computation worker can be considered a "processing node" of the computing cluster of the distributed computation system 920. The nodes in the anomaly graph are assigned to a number of groups. Each group corresponds to a time unit and includes the nodes associated with activities that occurred in the time unit (performing a clustering (e.g., k-means) on the groups. The relationship graphs (e.g., event-specific graphs or the composite relationship graph), each link that connects between the groups represents a relationship between the nodes in those groups as established by an activity recorded in the batch of events. The merge can combine similar nodes and edges into the same record, and in some embodiments, can increase the weight of the merged entity nodes. The method condenses network activities that are of the same type and associated with the same user into a single entry of combined network activity. Also, identifiable relationships can include a relationship between entities of the same type (e.g., two users) or entities of different types (e.g., user and device). The event-specific relationship graph includes a number of nodes and at least one edge interconnecting nodes. The nodes represent the entities involved in the event. Each edge represents an interaction between a pair of the entities. The output of the machine learning layer 510 includes anomalies, threat indicators, and/or threats. This output may be analyzed by the various applications such as a threat detection application 516, a security analytics application 518 or other applications 520. The output of the job processing cluster is received back into the security platform for further analysis, (see Apostolopulos: Para. 0037-0040, 0110-0126, 0135-0145, 0158-0164, 0165-0180, 0189-0204, 0227-0240 and FIG. 23). This reads on the claim concepts of the user-attribute nodes and the cluster nodes associated with the one or more groups of similar user nodes; and providing an output based on the identified one or more groups of similar user nodes, wherein the output comprises an indication that a plurality of user nodes of the one or more groups of similar user nodes correspond to a same user). 
Accordingly, it would have been obvious to a person of ordinarily skill in the art before the effective filing date of the claimed invention to modify the Abnormal User Behavior using a graph data structure of Sol and Love in order to have incorporated the processing graph data, as disclosed by Apostolopulos, since both of these mechanisms are directed to a Graph is a data structure consisting of nodes and edges. The nodes are sometimes also referred to as vertices and the edges are lines or arcs that connect any two nodes in the graph. Graphs are used to solve many real-life problems. Graphs are used to represent networks. For example, in Facebook, each person is represented with a vertex (or node). Each node is a structure and contains information like person id, name, gender, locale etc. Graphs are ideal for cases where you're working with things that connect to other things. Two distinct forms of clustering can be performed on graph data. Vertex clustering seeks to cluster the nodes of the graph into groups of densely connected regions based on either edge weights or edge distances. The second form of graph clustering treats the graphs as the objects to be clustered and clusters these objects on the basis of similarity. Detecting graph elements with “similar” properties is of great importance, especially in large networks, where it is crucial to identify specific patterns or structures quickly. The process of grouping together elements/entities that appear based on some similarity measure to be closer to each other (than from the remaining elements) is called cluster analysis. The graph structure, or on the location of the nodes, or other characteristics, e.g., specific properties of the graph elements. Nodes that based on this similarity value are considered to be similar are grouped into the so-called clusters. In other words, each cluster contains elements that share common properties and characteristics. The collection of all the clusters composes a clustering. Edge Between clustering detects clusters in a graph network by progressively removing the edge with the highest between centrality from the graph. Between centrality measures how often a node/edge lies on the shortest path between each pair of nodes in the diagram. The method stops when there are no more edges to remove or if the algorithm has reached the requested maximum number of clusters. The resulting clustering is one that achieved the best quality during the process. The graph into k clusters based on the location of the nodes such that their distance from the cluster’s mean (centroid) is minimum. The distance is defined using various metrics as euclidean distance, euclidean-squared distance, manhattan distance, or Chebyshev distance. Users can also implement a Voronoi diagram to visualize the result of this algorithm. A Voronoi diagram is a partitioning of the plane that contains n points (called sites or generators) into convex polygon regions such that each such region contains exactly one of these points, and each point of the polygon is closer to the generator point that from any other point. Graph Clustering is the process of grouping the nodes of the graph into clusters, taking into account the edge structure of the graph in such a way that there are several edges within each cluster and very few between clusters. Graph Clustering intends to partition the nodes in the graph into disjoint groups. The clusters are just the connected components of the graph. (A connected component is a maximal connected piece of the graph.) There are easy algorithms to find the connected components in a graph. Incorporating the teachings of Apostolopoulos into Sol and Love would produce a graph can be built with links between the time units. The links can also receive scoring based on a number of factors. The resulting graph can be compared with known security knowledge for adjustments. Threats can be detected based on the adjusted risk score for a component (i.e., a group of linked entities) as well as a number of other factors, disclosed by Apostolopoulos, (see Abstract).
Claims 2, 9 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Sol et al. (US 2016/0019387 A1, hereinafter Sol) in view of Love et al. (US 9,836,183 B1, hereinafter Love) in view of Apostolopoulos (US 2018/0219888 A1, hereinafter Apostolopoulos) and in view of Baluja et al. (US 9,031,951 B1, hereinafter Baluja). 
Regarding dependent claim(s) 2, the combination of Sol, Love and Apostolopoulos discloses the method as in claim 1. However, the combination of Sol, Love and Apostolopoulos do not appear to specifically disclose wherein providing the output comprises displaying the identified one or more groups of similar user nodes, the operations further comprising receiving feedback indicating whether two user nodes within a same identified group of similar user nodes correspond a same user.  
In the same field of endeavor, Baluja discloses wherein providing the output comprises displaying the identified one or more groups of similar user nodes, the operations further comprising receiving feedback indicating whether two user nodes within a same identified group of similar user nodes correspond a same user (Baluja discloses associate user nodes with the labels and determine that a user is similar or dissimilar to another user in the social network, (see Baluja: Col. 6 line 1-67, Col. 7 line 1-67 and Col. 8 line 1-67). This reads on the claim concept of providing the output comprises displaying the identified one or more groups of similar user nodes. Feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); an input from the user can be received in any form, including acoustic, speech, or tactile input. A user identifies with one group more than another group. In this case, the weights on the edges may be greater for preferred groups, such as groups that include frequent content postings from the user, (see Baluja: Col. 23 line 1-67 and Col. 24 line 1-67). 
Accordingly, it would have been obvious to a person of ordinarily skill in the art before the effective filing date of the claimed invention to modify the Abnormal User Behavior using a graph data to structure identify the groups of similar user nodes between nodes are edges user nodes of Sol, Love and Apostolopoulos in order to have incorporated receiving feedback indicating, as disclosed by Baluja, since both of these mechanisms are directed the group nodes provide the ability to create fan-out/fan-in style static and dynamic aggregation scenarios that are stateless and highly performant without requiring an queue manager to be available for the integration server. The Group gather node is responsible for attempting to reconcile incoming messages as replies to groups, or storing unknown messages for reconcilement with groups that may still be in construction. The Group gather and Group complete nodes are together somewhat analogous to the node, however those group nodes are in separate threads and transactions. Machine learning algorithms scan each comment that you feed them for overall sentiment and themes that they organize using tags. These tags have two functional purposes: routing comments to relevant stakeholders and creating structure for qualitative data to be analyzed quantitatively. There exists a large body of work on the problem of learning from human trainers, and specifically on learning from trainer feedback. The goal of this work is to characterize the different strategies followed by human trainers when teaching virtual agents, and to build learning algorithms that take those strategies into account. A model of how feedback is provided under different strategies, and use this model both to classify strategies seen in practice, and to build inference algorithms to learn behaviors from such feedback. One way to reduce human involvement is to train an evaluator to predict these ratings. That evaluator can be used to train the underlying question answering system. Rather than eliciting training data in every case or in a random subset of cases, we would like to focus our attention on the cases that are most likely to be informative, utilizing human input as effectively as possible. This is a standard research problem in machine learning. A lot of labelled and unlabeled data, in addition to information from human feedback. Efficient algorithms will have to combine these data sources. Incorporating the teachings of Baluja into Sol, Love and Apostolopoulos would produce associating nodes in a graph representing the social network, where the users are represented by user nodes in the graph, and determining that a user is similar or dissimilar to another user in the social network, as disclosed by Baluja, (see Abstract).
Regarding claim 9, (draw system): claim 9 is system claim respectively that correspond to method of claim 2. Therefore, 9 is rejected for at least the same reasons as the method 2. 
Regarding claim 16, (draw computer readable media): claim 16 is computer readable media claim respectively that correspond to method of claim 2. Therefore, 16 is rejected for at least the same reasons as the method 2. 
Claims 3, 4, 10, 11 and 17are rejected under 35 U.S.C. 103 as being unpatentable over Sol et al. (US 2016/0019387 A1, hereinafter Sol) in view of Love et al. (US 9,836,183 B1, hereinafter Love) in view of Apostolopoulos (US 2018/0219888 A1, hereinafter Apostolopoulos) in view of Baluja et al. (US 9,031,951 B1, hereinafter Baluja) and in view of Fogel (US 2006/0036560 A1, hereinafter Fogel). 
Regarding dependent claim(s) 3, the combination of Sol, Love, Apostolopoulos and Baluja discloses the method as in claim 2. However, the combination of Sol, Love, Apostolopoulos and Baluja do not appear to specifically disclose the operations further comprising adjusting the graph algorithm based on the feedback. 
In the same field of endeavor, Fogel discloses the operations further comprising adjusting the graph algorithm based on the feedback (Fogel discloses a behavioral rule could assign a high level of risk of fraud to a credit card transaction, if the credit card used for the transaction has been reported lost. The sequence 400 may also include operation 416, which comprises adjusting at least one of the behavioral operators based on the feedback received regarding the outputted results. A tree is an undirected graph in which any two vertices are connected by exactly one path, or equivalently a connected acyclic undirected graph, (see Fogel: Para. 0047, 0049 and 0063). This reads on the claim concept of the operations further comprising adjusting the graph algorithm based on the feedback).
 Accordingly, it would have been obvious to a person of ordinarily skill in the art before the effective filing date of the claimed invention to modify the Abnormal User Behavior using a graph data structure to identify the groups of similar user nodes between nodes are edges user nodes and receiving feedback indicating of Sol, Love, Apostolopoulos and Baluja in order to have incorporated adjusting the graph algorithm based on the feedback, as disclosed by Fogel, since both of these mechanisms are directed the main advantage machine learning has over any of the traditional data science techniques is the fact that at its core resides the algorithm. These are the directions a computer uses to find a model that fits the data as well as possible. The difference between machine learning and traditional data science methods is that we do not give the computer instructions on how to find the model; it takes the algorithm and uses its directions to learn on its own how to find said model. Unlike in traditional data science, machine learning needs little human involvement. A machine learning algorithm is like a trial and- error process, but the special thing about it is that each consecutive trial is at least as good as the previous one. But bear in mind that in order to learn well, the machine has to go through hundreds of thousands of trial-and-errors, with the frequency of errors decreasing throughout. A machine learning technique called Graph-Based Induction efficiently extracts typical patterns from graph-structured data by stepwise pair expansion (pairwise chunking). It is very efficient because of its greedy search. Meanwhile, a decision tree is an effective means of data classification from which rules that are easy to understand can be obtained. Extract all the pairs consisting of connected two nodes in the graph. Select all the typical pairs based on the typicality criterion from among the pairs extracted, rank them according to the criterion and register them as typical patterns. If either or both nodes of the selected pairs have already been rewritten (chunked), they are restored to the original patterns before registration. Replace the selected pair in with one node and assign a new label to it. Rewrite the graph by replacing all the occurrences of the selected pair with a node with the newly assigned label. Graph- Based assigns a new label for each newly chunked pair. Because it recursively chunks pairs, it happens that the new pairs that have different labels because of different chunking history happen to be the same pattern (subgraph). A decision tree for graph-structured data by defining attributes and attribute values a pattern/subgraph in graph-structured data and existence/non-existence of the pattern in a graph. Since the value for an attribute is either yes (the classifying pattern exists) or no (the classifying pattern does not exist), data (graphs) are divided into two groups, namely, the one with the pattern and the other without the pattern. Incorporating the teachings of Fogel into Sol, Love, Apostolopoulos and Baluja would produce adjusting at least one parameter based on the feedback received concerning system performance, wherein the at least one parameter is a parameter of a machine learning method, as disclosed by Fogel, (see Abstract). 
Regarding claim 10, (draw system): claim 10 is system claim respectively that correspond to method of claim 3. Therefore, 10 is rejected for at least the same reasons as the method 3. 
Regarding dependent claim(s) 4, the combination of Sol, Love, Apostolopoulos and Baluja discloses the method as in claim 2. However, the combination of Sol, Love, Apostolopoulos and Baluja do not appear to specifically disclose the operations further comprising adjusting the machine-learning clustering algorithm based on the feedback. 
In the same field of endeavor, Fogel discloses the operations further comprising adjusting the machine-learning clustering algorithm based on the feedback (Fogel discloses a behavioral rule could assign a high level of risk of fraud to a credit card transaction, if the credit card used for the transaction has been reported lost. The sequence 400 may also include operation 416, which comprises adjusting at least one of the behavioral operators based on the feedback received regarding the outputted results. A tree is an undirected graph in which any two vertices are connected by exactly one path, or equivalently a connected acyclic undirected graph. Algorithm is used for clustering data, based on clustering performance, the user 302 may desire to revise the number of clusters from, for example, two to three or more, or from four to three or less, (see Fogel: Para. 0027, 0047, 0049, 0051 0054 and 0063). This reads on the claim concept of the operations further comprising adjusting the machine-learning clustering algorithm based on the feedback).
	Accordingly, it would have been obvious to a person of ordinarily skill in the art before the effective filing date of the claimed invention to modify the Abnormal User Behavior using a graph data structure to identify the groups of similar user nodes between nodes are edges user nodes and receiving feedback indicating of Sol, Love, Apostolopoulos and Baluja in order to have incorporated adjusting the graph algorithm based on the feedback, as disclosed by Fogel, since both of these mechanisms are directed the main advantage machine learning has over any of the traditional data science techniques is the fact that at its core resides the algorithm. These are the directions a computer uses to find a model that fits the data as well as possible. The difference between machine learning and traditional data science methods is that we do not give the computer instructions on how to find the model; it takes the algorithm and uses its directions to learn on its own how to find said model. Unlike in traditional data science, machine learning needs little human involvement. A machine learning algorithm is like a trial and- error process, but the special thing about it is that each consecutive trial is at least as good as the previous one. But bear in mind that in order to learn well, the machine has to go through hundreds of thousands of trial-and-errors, with the frequency of errors decreasing throughout. A machine learning technique called Graph-Based Induction efficiently extracts typical patterns from graph-structured data by stepwise pair expansion (pairwise chunking). It is very efficient because of its greedy search. Meanwhile, a decision tree is an effective means of data classification from which rules that are easy to understand can be obtained. Extract all the pairs consisting of connected two nodes in the graph. Select all the typical pairs based on the typicality criterion from among the pairs extracted, rank them according to the criterion and register them as typical patterns. If either or both nodes of the selected pairs have already been rewritten (chunked), they are restored to the original patterns before registration. Replace the selected pair in with one node and assign a new label to it. Rewrite the graph by replacing all the occurrences of the selected pair with a node with the newly assigned label. Graph- Based assigns a new label for each newly chunked pair. Because it recursively chunks pairs, it happens that the new pairs that have different labels because of different chunking history happen to be the same pattern (subgraph). A decision tree for graph-structured data by defining attributes and attribute values a pattern/subgraph in graph-structured data and existence/non-existence of the pattern in a graph. Since the value for an attribute is either yes (the classifying pattern exists) or no (the classifying pattern does not exist), data (graphs) are divided into two groups, namely, the one with the pattern and the other without the pattern. Incorporating the teachings of Fogel into Sol, Love, Apostolopoulos and Baluja would produce adjusting at least one parameter based on the feedback received concerning system performance, wherein the at least one parameter is a parameter of a machine learning method, as disclosed by Fogel, (see Abstract).
	Regarding claim 11, (draw system): claim 11 is system claim respectively that correspond to method of claim 4. Therefore, 11 is rejected for at least the same reasons as the method 4. 
	Regarding claim 17, (draw computer readable media): claim 17 is computer readable media claim respectively that correspond to method of claim 4. Therefore, 17 is rejected for at least the same reasons as the method 4.  
Claims 5, 6, 12, 13, 18 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Sol et al. (US 2016/0019387 A1, hereinafter Sol) in view of Love et al. (US 9,836,183 B1, hereinafter Love) in view of Apostolopoulos (US 2018/0219888 A1, hereinafter Apostolopoulos) and in view of Neumann (US 10,728,263 B1, hereinafter Neumann). 
Regarding dependent claim(s) 5, the combination of Sol, Love and Apostolopoulos discloses the method as in claim 1. However, the combination of Sol, Love and Apostolopoulos do not appear to specifically disclose the operations further comprising analyzing user behavioral data associated with user nodes within one of the identified one or more groups of similar user nodes to detect an abnormal behavioral pattern, the output comprising an indication of the abnormal behavioral pattern. 
In the same field of endeavor, Neumann discloses the operations further comprising analyzing user behavioral data associated with user nodes within one of the identified one or more groups of similar user nodes to detect an abnormal behavioral pattern, the output comprising an indication of the abnormal behavioral pattern (Neumann discloses the behavior correlation module may determine that the behavioral characteristics appear to exhibit a high correlation with respect to a specific behavior pattern but may be missing one or more behavioral characteristics identified in the pattern, (see Neumann: Col. 9 line 1-67 and Col. 10 line 1-67). The data source 106 stores behavioral characteristics correlated behavioral characteristics (fragments) 118, behavioral correlation profiles 120, information profiles regarding previously identified attacks. The behavioral correlation profiles 120 contain information to map (associate) event data from the event logs into behavioral characteristics 116, which may be viewed as mapping lower order activities from the event logs into higher order behaviors, (see Neumann: Col. 12 line 1-67 and Col. 16 line 1-67). This reads on the claim concept of analyzing user behavioral data associated with user nodes within one of the identified one or more groups of similar user nodes to detect an abnormal behavioral pattern. Provide a reduction of false attack indications (e.g., false negatives) or missed attacks by finding correlations with previously unknown attack profiles that are variations or partial matches to known attacks, {see Neumann: Col. 10 line 1-67 and Col. 19 line 1-67). This reads on the claim concept of the output comprising an indication of the abnormal behavioral pattern). 
Accordingly, it would have been obvious to a person of ordinarily skill in the art before the effective filing date of the claimed invention to modify the Abnormal User Behavior using a graph data to structure identify the groups of similar user nodes between nodes are edges user nodes of Sol, Love and Apostolopoulos in order to have incorporated the user node associated with one or more groups of user node to identified an abnormal behavioral pattern, as disclosed by Neumann, since both of these mechanisms are directed data objects are often related to each other and exhibit dependencies. In fact, most relational data can be thought of as inter-dependent, which necessitates to account for related objects in finding anomalies. Graphs naturally represent the inter-dependencies by the introduction of links (or edges) between the related objects. The multiple paths lying between these related objects effectively capture their long-range correlations. The nature of anomalies could exhibit themselves as relational. Correlation is a term that is a measure of the strength of a linear relationship between two quantitative variables (e.g., height, weight). This post will define positive and negative correlations. Anomaly Detection is a technique used to identify unusual events or patterns that do not conform to expected behavior. Those identified are often referred to as anomalies or outliers. Using the capability of machine learning, anomaly detection has practical applications and benefits in different areas of business operations. Any nefarious activity that can damage an information system can be broadly classified as an intrusion. Anomaly detection can be effective in both detecting and solving intrusions of any kind. Common data-centric intrusions include cyberattacks, data breaches, or even data defects. Another benefit of anomaly detection using machine learning is in the domain of gathering and analyzing mobile sensor data. The growing adoption of loT devices and the reduced costs of data capture through mobile sensors is definitely driving this trend. Be it a mobile app or a network failure, a sudden degradation in performance can affect any business. Statistical Process Control (or SPC) is a quality standard that is common in the manufacturing process. Anomaly detection is deployed to check if any data falls outside the control limits and to determine the root cause. In short, anomaly detection in SPC can be used to detect any product variation or any issue occurring in the manufacturing process that needs to be immediately resolved. Incorporating the teachings of Neumann into Sol, Love and Apostolopoulos would produce an analytics-based security monitoring system adapted to detect a plurality of behavioral characteristics from behavioral data, each representing an action conducted in a computing environment, as disclosed by Neumann, (see Abstract).  
Regarding claim 12, (draw system): claim 12 is system claim respectively that correspond to method of claim 5. Therefore, 12 is rejected for at least the same reasons as the method 5.
Regarding claim 18, (draw computer readable media): claim 18 is computer readable media claim respectively that correspond to method of claim 5. Therefore, 18 is rejected for at least the same reasons as the method 5. 
Regarding dependent claim(s) 6, the combination of Sol, Love and Apostolopoulos discloses the method as in claim 1. However, the combination of Sol, Love and Apostolopoulos do not appear to specifically disclose the operations further comprising detecting one or more user nodes isolated from the identified one or more groups of similar user nodes, the output comprising an indication of the one or more isolated user nodes.  
In the same field of endeavor, Neumann discloses the operations further comprising detecting one or more user nodes isolated from the identified one or more groups of similar user nodes, the output comprising an indication of the one or more isolated user nodes (Neumann discloses the behavior correlation module may determine that the behavioral characteristics appear to exhibit a high correlation with respect to a specific behavior pattern but may be missing one or more behavioral characteristics identified in the pattern, (see Neumann: Col. 9 line 1-67 and Col. 10 line 1- 67). The behavioral correlation module 218 receiving these two behavioral characteristics may correlate the unusual (isolated) port activity and the unusual (isolated) beaconing activity into a behavioral fragment based on their "relatedness" as indicated by a behavioral correlation profile, (see Neumann: Col. 17 line 1-67, Col. 18 line 1-67 and Col. 20 line 1-67). This reads on the claim concept of the operations further comprising detecting one or more user nodes isolated from the identified one or more groups of similar user nodes. May trace the origin of any computing nodes associated with the attack and halt operation of those computing nodes and/or any connections formed with these computing nodes to other nodes in the computing environment until the attack has been resolved, (see Neumann: Col. 15 line 1-67 and Col. 26 line 1-67). This reads on the claim concept of the output comprising an indication of the one or more isolated user nodes).  
Regarding claim 13, (draw system): claim 13 is system claim respectively that correspond to method of claim 6. Therefore, 13 is rejected for at least the same reasons as the method 6.  
Regarding dependent claim(s) 19, the combination of Sol, Love and Apostolopoulos discloses the one or more non-transitory computer-readable media as in claim 15. However, the combination of Sol, Love and Apostolopoulos do not appear to specifically disclose the operations further comprising detecting one or more user nodes isolated from the identified one or more groups of similar user nodes, the output comprising an indication of the one or more isolated user nodes. 
In the same field of endeavor, Neumann discloses the operations further comprising detecting one or more user nodes isolated from the identified one or more groups of similar user nodes, the output comprising an indication of the one or more isolated user nodes (Neumann discloses the behavior correlation module may determine that the behavioral characteristics appear to exhibit a high correlation with respect to a specific behavior pattern but may be missing one or more behavioral characteristics identified in the pattern, (see Neumann: Col. 9 line 1-67 and Col. 10 line 1- 67). The behavioral correlation module 218 receiving these two behavioral characteristics may correlate the unusual (isolated) port activity and the unusual (isolated) beaconing activity into a behavioral fragment based on their "relatedness" as indicated by a behavioral correlation profile, (see Neumann: Col. 17 line 1-67, Col. 18 line 1-67 and Col. 20 line 1-67). This reads on the claim concept of the operations further comprising detecting one or more user nodes isolated from the identified one or more groups of similar user nodes. May trace the origin of any computing nodes associated with the attack and halt operation of those computing nodes and/or any connections formed with these computing nodes to other nodes in the computing environment until the attack has been resolved, (see Neumann: Col. 15 line 1-67 and Col. 26 line 1-67). The computer readable medium includes volatile media, nonvolatile media, removable media, non-removable media, and/or another available medium, (see Neumann: Col. 13 line 1-67 and Col. 14 line 1-67). This reads on the claim concept of the operations further comprising detecting one or more user nodes isolated from the identified one or more groups of similar user nodes, the output comprising an indication of the one or more isolated user nodes).
Accordingly, it would have been obvious to a person of ordinarily skill in the art before the effective filing date of the claimed invention to modify the Abnormal User Behavior using a graph data to structure identify the groups of similar user nodes between nodes are edges user nodes of Sol, Love and Apostolopoulos in order to have incorporated the user node associated with one or more groups of user node to identified an abnormal behavioral pattern, as disclosed by Neumann, since both of these mechanisms are directed data objects are often related to each other and exhibit dependencies. In fact, most relational data can be thought of as inter-dependent, which necessitates to account for related objects in finding anomalies. Graphs naturally represent the inter-dependencies by the introduction of links (or edges) between the related objects. The multiple paths lying between these related objects effectively capture their long-range correlations. The nature of anomalies could exhibit themselves as relational. Correlation is a term that is a measure of the strength of a linear relationship between two quantitative variables (e.g., height, weight). This post will define positive and negative correlations. Anomaly Detection is a technique used to identify unusual events or patterns that do not conform to expected behavior. Those identified are often referred to as anomalies or outliers. Using the capability of machine learning, anomaly detection has practical applications and benefits in different areas of business operations. Any nefarious activity that can damage an information system can be broadly classified as an intrusion. Anomaly detection can be effective in both detecting and solving intrusions of any kind. Common data-centric intrusions include cyberattacks, data breaches, or even data defects. Another benefit of anomaly detection using machine learning is in the domain of gathering and analyzing mobile sensor data. The growing adoption of loT devices and the reduced costs of data capture through mobile sensors is definitely driving this trend. Be it a mobile app or a network failure, a sudden degradation in performance can affect any business. Statistical Process Control (or SPC) is a quality standard that is common in the manufacturing process. Anomaly detection is deployed to check if any data falls outside the control limits and to determine the root cause. In short, anomaly detection in SPC can be used to detect any product variation or any issue occurring in the manufacturing process that needs to be immediately resolved. Incorporating the teachings of Neumann into Sol, Love and Apostolopoulos would produce an analytics-based security monitoring system adapted to detect a plurality of behavioral characteristics from behavioral data, each representing an action conducted in a computing environment, as disclosed by Neumann, (see Abstract).  
Claims 7, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Sol et al. (US 2016/0019387 A1, hereinafter Sol) in view of Love et al. (US 9,836,183 B1, hereinafter Love) in view of Apostolopoulos (US 2018/0219888 A1, hereinafter Apostolopoulos) and in view of Apostolopoulos (US 10,205,735 B1, hereinafter Apostolopoulos). 
Regarding dependent claim(s) 7, the combination of Sol, Love and Apostolopoulos discloses the method as in claim 1. However, the combination of Sol, Love and Apostolopoulos do not appear to specifically disclose the operations further comprising merging the user entities represented by the user nodes within a group of similar user nodes. 
In the same field of endeavor, Apostolopoulos discloses the operations further comprising merging the user entities represented by the user nodes within a group of similar user nodes (Apostolopoulos discloses patterns of behavior that are abnormal or otherwise vary from the expected use pattern of a particular entity, such as an organization or subset thereof, individual user, IP address, node or group of nodes in the network. The merge can combine similar nodes and edges into the same record, and in some embodiments, can increase the weight of the merged entity nodes, (see Apostolopoulos: Col. 9 line 1-67, Col. 25 line 1-67 and Col. 37 line 1-67). This reads on the claim concept of the operations further comprising merging the user entities represented by the user nodes within a group of similar user nodes). 
Accordingly, it would have been obvious to a person of ordinarily skill in the art before the effective filing date of the claimed invention to modify the Abnormal User Behavior using a graph data to structure identify the groups of similar user nodes between nodes are edges user nodes of Sol, Love and Apostolopoulos in order to have incorporated the node merge within the similar group of user nodes, as disclosed by Apostolopoulos, since both of these mechanisms are directed much value can be obtained from merging multiple files of data to get clearer, more comprehensive pictures of prospects, customers, and business opportunities. Data points that are spread across multiple sources are a classic example where the whole is greater than the sum of the parts, if only the data could be combined. Achieving this can unleash a large number of possibilities to use the newly merged data in all kinds of scenarios, including analytics, machine learning, and other forms of data analysis. Matching data across tables or merging files can be a challenge, especially if the only overlapping field is a textual field such as "company name", where the same data could be represented countless ways. Inconsistently represented data, quite common, makes the ability match data using SQL queries or simple merge logic very difficult. Match rates will typically be very low. This stands in the way of aggregating data from multiple sources. A similarity-driven cluster merging method is proposed for unsuper-vised fuzzy clustering. The cluster merging method is used to resolve the problem of cluster validation. Starting with an over specified number of clusters in the data, pairs of similar clusters are merged based on the proposed similarity-driven cluster merging criterion. The similarity between clusters is calculated by a fuzzy cluster similarity matrix, while an adaptive threshold is used for merging. Analyzing the community structures in networks can facilitate the recognition of the characteristics of networks and make prediction further about the functional properties of the corresponding systems. That is to say, community detection provides us with an effective means for studying the functional properties of networks via dipping into structural characteristics, which really make sense in practical applications. The hierarchical clustering methods reveal multilevel community structures either in divisive ways or in agglomerative approaches or in hybrid ways; e.g., GN algorithm detects communities by repeatedly removing the edge with the largest between ness from the networks, its output is a dendrogram representing the nested hierarchy of possible community structures of the network, and the level corresponding to the largest value of a measure, modularity, is taken as the final result. Fast algorithm takes each node in the network as a community first and then repeatedly merges two of them into one. The modularity optimization-based algorithms detect community structures from networks by utilizing the physical meaning of modularity the higher the value of modularity, the better the community structure and taking the modularity as the objective to optimize. Merge sort is a sorting technique based on divide and conquer technique. With worst-case time complexity being O (n log n), it is one of the most respected algorithms. Merge sort first divides the array into equal halves and then combines them in a sorted manner. Incorporating the teachings of Apostolopoulos into Sol, Love and Apostolopoulos would produce a graph can be built with links between the time units. The links can also receive scoring based on a number of factors, as disclosed by Apostolopoulos, (see Abstract). 
Regarding claim 14, (draw system): claim 14 is system claim respectively that correspond to method of claim 7. Therefore, 14 is rejected for at least the same reasons as the method 7. 
Regarding dependent claim(s) 20, the combination of Sol, Love and Apostolopoulos discloses the one or more non-transitory computer-readable media as in claim 15. However, the combination of Sol, Love and Apostolopoulos do not appear to specifically disclose the operations further comprising merging the user entities represented by the user nodes within a group of similar user nodes. 
In the same field of endeavor, Apostolopoulos discloses the operations further comprising merging the user entities represented by the user nodes within a group of similar user nodes (Apostolopoulos discloses patterns of behavior that are abnormal or otherwise vary from the expected use pattern of a particular entity, such as an organization or subset thereof, individual user, IP address, node or group of nodes in the network. The merge can combine similar nodes and edges into the same record, and in some embodiments, can increase the weight of the merged entity nodes, (see Apostolopoulos: Col. 9 line 1-67, Col. 25 line 1-67 and Col. 37 line 1-67). Including various machine-readable storage media, may be used for storing and executing program instructions, (see Apostolopoulos: Col. 48 line 1-67). This reads on the claim concept of the operations further comprising merging the user entities represented by the user nodes within a group of similar user nodes).   
Accordingly, it would have been obvious to a person of ordinarily skill in the art before the effective filing date of the claimed invention to modify the Abnormal User Behavior using a graph data to structure identify the groups of similar user nodes between nodes are edges user nodes of Sol, Love and Apostolopoulos in order to have incorporated the node merge within the similar group of user nodes, as disclosed by Apostolopoulos, since both of these mechanisms are directed much value can be obtained from merging multiple files of data to get clearer, more comprehensive pictures of prospects, customers, and business opportunities. Data points that are spread across multiple sources are a classic example where the whole is greater than the sum of the parts, if only the data could be combined. Achieving this can unleash a large number of possibilities to use the newly merged data in all kinds of scenarios, including analytics, machine learning, and other forms of data analysis. Matching data across tables or merging files can be a challenge, especially if the only overlapping field is a textual field such as "company name", where the same data could be represented countless ways. Inconsistently represented data, quite common, makes the ability match data using SQL queries or simple merge logic very difficult. Match rates will typically be very low. This stands in the way of aggregating data from multiple sources. A similarity-driven cluster merging method is proposed for unsuper-vised fuzzy clustering. The cluster merging method is used to resolve the problem of cluster validation. Starting with an over specified number of clusters in the data, pairs of similar clusters are merged based on the proposed similarity-driven cluster merging criterion. The similarity between clusters is calculated by a fuzzy cluster similarity matrix, while an adaptive threshold is used for merging. Analyzing the community structures in networks can facilitate the recognition of the characteristics of networks and make prediction further about the functional properties of the corresponding systems. That is to say, community detection provides us with an effective means for studying the functional properties of networks via dipping into structural characteristics, which really make sense in practical applications. The hierarchical clustering methods reveal multilevel community structures either in divisive ways or in agglomerative approaches or in hybrid ways; e.g., GN algorithm detects communities by repeatedly removing the edge with the largest between ness from the networks, its output is a dendrogram representing the nested hierarchy of possible community structures of the network, and the level corresponding to the largest value of a measure, modularity, is taken as the final result. Fast algorithm takes each node in the network as a community first and then repeatedly merges two of them into one. The modularity optimization-based algorithms detect community structures from networks by utilizing the physical meaning of modularity the higher the value of modularity, the better the community structure and taking the modularity as the objective to optimize. Merge sort is a sorting technique based on divide and conquer technique. With worst-case time complexity being O (n log n), it is one of the most respected algorithms. Merge sort first divides the array into equal halves and then combines them in a sorted manner. Incorporating the teachings of Apostolopoulos into Sol, Love and Apostolopoulos would produce a graph can be built with links between the time units. The links can also receive scoring based on a number of factors, as disclosed by Apostolopoulos, (see Abstract). 
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
                                                               Contact Information 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to YOHANES Demiss KELEMEWORK whose telephone number is (571)272-8772. The examiner can normally be reached Monday-Friday 8:00 am-5:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashish Thomas can be reached on 571-272-0631. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/YOHANES D KELEMEWORK/               Examiner, Art Unit 2164                                                                                                                                                                                         
/ASHISH THOMAS/               Supervisory Patent Examiner, Art Unit 2164