Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 11-22-2021 has been entered.

Response to Amendments
The amended claims 1-6, 8-14, 16-19 and 21-23 were considered under 35 USC 112, 101 and 103 for patentability over closest and analogous prior arts Rathod et al (US 20160241576), hereafter Rath and Bernstein et al (US 20160142435), hereafter Bern have been fully considered and are persuasive. Claim(s) 7, 15 and 20 is/are cancelled.

Allowable Subject Matter
1.	Amended claims 1-6, 8-14, 16-19 and 21-23 are allowed in light of applicant’s arguments, approved examiner’s proposed amendments and in light of prior art(s) made of record. 

Examiner’s Amendment

1.	(Currently Amended) A method, comprising:
computing, by a storage system, [[an]]one or more access rates of a set of entities for each user of a plurality of users, wherein the one or more access rates refers to data operations for the set of entities stored by the storage system;
normalizing, by the storage system, the one or more access rates of the first set of entities for a first subset of the plurality of users by dividing a respective user’s access rate by a total access rate of a community, the respective user being part of first subset belonging to the community, and the one or more normalized access rates including a first normalized access rate for a first user of the first subset; 
determining, by the storage system, that the first normalized access rate satisfies a threshold
detecting, by the storage system, a first anomaly in response to determining that the first normalized access rate satisfies the threshold;
detecting, by the storage system, a second anomaly based on a total number of active users after resolution of the community in relation to a number of active users of a previous historical snapshot of the community; and
restricting, by the storage system, access by the first user to the set of entities in response to detecting the first and second anomalies.

(Currently Amended) The method of claim 1, wherein the community is based on access to the set of entities by the first subset of the plurality of users.

3.	(Previously Presented) The method of claim 1, wherein the second anomaly is based on a size of the community.

determining, by the storage system, that a user membership of the community is a third anomaly based on a first total number of communities after resolution of the community in relation to a second total number of communities of the previous historical snapshot of the community.
5.	(Currently Amended) The method of claim 1, further comprising:
detecting, by the storage system, a third anomaly in response to access rates for a second subset of the plurality of users that satisfies a second threshold, wherein the second subset is not part of the community. 
6.	(Currently Amended) The method of claim 1, wherein the one or more access rates for the first subset are determined with respect to a sliding time period. 
	7.	(Cancelled) 
8.	(Previously Presented) The method of claim 1, further comprising:
transmitting a message to an administrator in response to detecting the first anomaly, the message specifying the first user’s entity access patterns associated with the first anomaly. 
9.	(Currently Amended) A non-transitory machine-readable medium having stored thereon instructions for performing a method, comprising machine executable code which when executed by at least one machine, causes the machine to:
	compute, by a storage system, [[an]]one or more access rates of a set of entities for each user of a plurality of users, wherein the one or more access rates refers to data operations for the set of entities stored by the storage system; 
normalize, by the storage system, the one or more access rates of the set of entities for a first subset of the plurality of users by dividing a respective user’s access rate by a total access rate of a community, the respective user being part of first subset belonging to the community, and the one or more normalized access rates including a first normalized access rate for a first user of the first subset; 
determine, by the storage system, that the first normalized access rate satisfies a threshold 

detect, by the storage system, a second anomaly based on a change in a size of the community; and
restrict, by the storage system, access by the first user to the set of entities in response to detecting the first and second anomalies.

10.	(Currently Amended) The non-transitory machine-readable medium of claim 9, wherein the community is based on access to the set of entities by the first subset of the plurality of users.

11.	(Previously Presented) The non-transitory machine-readable medium of claim 9, wherein the second anomaly is based on a total number of active users after resolution of the community in relation to a number of active users of a previous historical snapshot of the community.

12.	(Previously Presented) The non-transitory machine-readable medium of claim 9, further comprising machine executable code which causes the machine to:
determine that a user membership of the community is a third anomaly based on a first total number of communities after resolution of the community in relation to a second total number of communities of a previous historical snapshot of the community.
13.	(Currently Amended) The non-transitory machine-readable medium of claim 9, further comprising machine executable code which causes the machine to:
detect a third anomaly in response to access rates for a second subset of the plurality of users satisfies a second threshold, wherein the second subset is not part of any community. 
14.	(Currently Amended) The non-transitory machine-readable medium of claim 9, wherein the one or more access rates for the first subset are determined with respect to a sliding time period.
15.	(Cancelled) 
first subset includes the plurality of users.
17.	(Currently Amended) A computing device comprising:
	a memory containing a machine-readable medium comprising machine executable code having stored thereon instructions for performing a method of forming communities; and
a processor coupled to the memory, the processor configured to execute the machine executable code to:
compute, by a storage system, [[an]]one or more access rates of a set of entities for each user of a plurality of users, wherein the one or more access rates refers to data operations for the set of entities stored by the storage system; 
normalize, by the storage system, the one or more access rates of the set of entities for a first subset of the plurality of users by dividing a respective user’s access rate by a total rate of a community, the respective user being part of first subset belonging to the community, and the one or more normalized access rates including a first normalized access rate for a first user of the first subset; 
determine, by the storage system, that the first normalized access rate satisfies a first threshold
detect, by the storage system, a first anomaly in response to the determination that the first normalized access rate satisfies the first threshold;
determine, by the storage system, that a change in a size of the community satisfies a second threshold;
detect, by the storage system, a second anomaly in response to the determination that the change satisfies the second threshold; and
restrict, by the storage system, access by the first user to the set of entities in response to detecting the first and second anomalies.
18.	(Currently Amended) The computing device of claim 17, wherein the community is based on access to the set of entities by the first subset of the plurality of users.
one or more access rates for the first subset are determined with respect to a sliding time period.
20.	(Cancelled) 
21.	(New) The method of claim 5, further comprising:
restricting access by a second user of the second subset in response to detecting the third anomaly. 
22.	(New) The non-transitory machine-readable medium of claim 13, further comprising machine executable code which causes the machine to:
restrict access by a second user of the second subset in response to detecting the third anomaly. 
23.	(New) The computing device of claim 17, wherein the processor is configured to execute the machine executable code to:
	detect a third anomaly in response to access rates for a second subset of the plurality of users satisfies a second threshold, wherein the second subset is not part of any community; and
restrict access by a second user of the second subset in response to detection of the third anomaly.

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
As to the independent claim 1, the prior art of reference Rath teaches [0006] Metrics associated with accesses to a service are collected and include activities associated with a user, [0032] performed by storage device, [0045] the user profile is continuously built based on contextual information associated with every visit of all users in the system; [0041, 53] metrics include values (like min, max, mean, variance and median values) of one or more of: number of hits, unique URI's visited etc... the distribution of accesses for the current metric is compared to a 

Further, a second prior art of record Bern teaches [0017] calculating a confidence score for each respective diversity value ([0045] diversity value represents the extent of relationship between entities and entity types (set of users) involved in the data access event), based on a number of activities of a combination of certain network entities in the respective group and [0173] detecting an anomaly in comparison to a threshold and based on [0108-145] entity subgroups relationships and [0045, 94, 158-159] a network behavior model comprises updated historical snapshot of normal behavior and relationships of network entities; [0074] abnormal activities are prevented based on the detection of [0091-94] number of data access events and relationships between entities which take part in the activities.

None of the other prior arts of record teach by themselves or in any combination, would have anticipated nor render obvious by combination the claimed invention of the present application at or before the time it was filed.  The prior arts of record fail to teach: computing an access rate of a set of entities for each user of a plurality of users. Further, normalizing the access rates for a 

Therefore, independent claim 1 and their corresponding dependent claims are allowed in light of applicant’s arguments, approved examiner’s amendments and prior arts of record. The same amendments and reasoning are applicable to independent claim(s) 10 and 16 mutatis mutandis.  Claim(s) 7, 15 and 20 is/are cancelled.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892 Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 7:45am-5pm (EST). Examiner interviews are 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/BADRINARAYANAN /Examiner, Art Unit 2496.