DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Drawings
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they include the following reference character(s) not mentioned in the description: 330.  Corrected drawing sheets in compliance with 37 CFR 1.121(d), or amendment to the specification to add the reference character(s) in the description in compliance with 37 CFR 1.121(b) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-9, 11-17 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Bowditch (U.S. 20200358819A1) in view of Rausch et al. (U.S. 10552739), hereinafter Rausch, and Williams et al. (U.S. 20150254555A1), hereinafter Williams. 

obtaining a training dataset during a training mode, wherein the training dataset includes counts of actions performed by users while operating applications in the computer system (Bowditch: Fig. 1 and [0023] provide for the training dataset including actions performed by users);   
obtaining a surveillance dataset during a surveillance mode, wherein the surveillance dataset includes counts of actions performed by users while operating applications in the computer system (Bowditch: Fig. 1, [0013] [0023] provide for the receiving request representing the surveillance dataset including counts of actions performed by the users);
 using the trained models to detect anomalous actions in the surveillance dataset (Bowditch: Fig. 1 and [0023] provide for detecting anomalies in the surveillance dataset using the trained models); and 
when an anomalous action is detected, triggering an alert (Bowditch: Fig. 1 and [0023] provide for generating an alert when an anomalous action is detected).
Bowditch does not teach about using the training dataset to produce corresponding per-action datasets. However, Rausch teaches this limitation (Rausch: Col. 8 Lines 20-25 provide for per-action based datasets).
Bowditch and Rausch are both considered to be analogous to the claimed invention because they are in the same field of machine learning with training datasets. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the 
Rausch further teaches about cleansing the training dataset based on counts of actions in the per-action datasets to produce a cleansed training dataset (Rausch: Col. 43 Lines 9-19 provide for cleansing the training dataset which can be based on counts of actions in the dataset).
Bowditch and Rausch do not teach about using the cleansed training dataset to produce corresponding per-user datasets and training per-user models based on the per-user datasets to detect anomalous actions of users. However, Williams teaches this limitation (Williams: [0214] and [0215] provide for per-user datasets and training per-user models based on the per-user datasets for anomaly detection).
Bowditch, Rausch and Williams are all considered to be analogous to the claimed invention because they are in the same field of machine learning with training datasets. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified the Bowditch/Rausch method to incorporate the teachings of Williams and provide cleansing of the training dataset to produce corresponding per-user datasets and training per-user models based on the per-user datasets to detect anomalous actions of users. Doing so would aid in detecting anomalies accurately for each user, as the anomaly detection is customized to a user’s historical behavior patterns and as behavior varies widely from user to user.
Claim 9 recites the same limitation as claim 1 for a non-transitory computer-readable storage medium storing instruction and is thereby rejected under the same rationale. 

Regarding claim 3, Bowditch further teaches the method of claim 1, wherein when an anomalous action is detected, the method further comprises performing a remedial action, which can include one or more of the following: informing a system administrator about the anomaly and providing contextual information; scheduling execution of diagnostics and/or security scanning applications for affected parts of the computer system; suspending associated users and/or applications; and enforcing multi-factor authentication for associated users and/or applications (Bowditch: [0023] provides for the remedial action when an anomalous action is detected, including generating an alert, alarm, etc. to the user, the user's employer, and/or to another suitable entity, such as a Managed Security Service Provider (“MSSP”), security researcher, etc., that the request is malicious, and/or can block or prevent further interaction with the requestor/threat actor, e.g., a webpage, domain, server, etc.).
Claim 11 recites the same limitation as claim 3 for a non-transitory computer-readable storage medium storing instruction and is thereby rejected under the same rationale. 
Claim 19 recites the same limitation as claim 3 for a system and is thereby rejected under the same rationale. 
Regarding claim 4, Rausch further teaches the method of claim 1, wherein the computer system comprises a cloud-computing infrastructure, which hosts applications for various tenants (Rausch: Col. 23 Lines 60-67 and Col. 24 Lines 1-12 provide for the cloud-computing infrastructure which hosts applications for different users (tenants)).
Claim 12 recites the same limitation as claim 4 for a non-transitory computer-readable storage medium storing instruction and is thereby rejected under the same rationale. 

Regarding claim 5, Rausch does not teach about triggering the alert. However, Bowditch teaches this limitation (Bowditch: [0023] provide for triggering the alert by sending a notification to an associated tenant).
Bowditch and Rausch are both considered to be analogous to the claimed invention because they are in the same field of machine learning with training datasets. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Rausch to incorporate the teachings of Bowditch and provide a cloud computing infrastructure hosting application for various tenants and detecting anomalous actions of the host and tenants. Doing so would aid in implementing the anomaly detection in cloud computing.
Claim 13 recites the same limitation as claim 5 for a non-transitory computer-readable storage medium storing instruction and is thereby rejected under the same rationale. 
Regarding claim 6, Rausch further teaches the method of claim 4, wherein the method is performed for a specific application instance and a specific tenant (Rausch: Col. 23 Lines 60-67 and Col. 24 Lines 1-12 provide for the cloud-computing infrastructure which hosts applications for different users (tenants)).
Claim 14 recites the same limitation as claim 6 for a non-transitory computer-readable storage medium storing instruction and is thereby rejected under the same rationale. 
Regarding claim 7, Rausch further teaches the method of claim 1, wherein obtaining the training data involves gathering and aggregating the training data from various logs within the 
Claim 15 recites the same limitation as claim 7 for a non-transitory computer-readable storage medium storing instruction and is thereby rejected under the same rationale. 
Regarding claim 8, Williams teaches the method of claim 1, wherein the counts of actions comprise counts of actions over fixed time intervals (Williams: [0217] provides for samples in datasets taken over a time window).
Claim 16 recites the same limitation as claim 8 for a non-transitory computer-readable storage medium storing instruction and is thereby rejected under the same rationale. 
Claims 2, 10 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Bowditch (U.S. 20200358819A1), Rausch (U.S. 10552739) and Williams (U.S. 20150254555A1), in view of Fu et al. (U.S. 20190364088A1), hereinafter Fu and Gilgur et al. (U.S. 7783510B1), hereinafter Gilgur. 
Regarding claim 2, Bowditch/Rausch/Williams do not teach about clustering the per-action datasets based on counts of actions to produce a set of clusters and identifying singleton and rare clusters in the set of clusters, wherein other clusters in the set of clusters are normal clusters. However, Fu teaches this limitation (Fu: [0004] and [0005] provide for clustering-based approach, where a clustering algorithm utilizes a notion of outliers applied to samples to determine samples far from a cluster centroid which represent the singleton and rare clusters.)
Fu further teaches identifying actions associated with singleton and rare clusters having counts greater than the threshold as anomalous (Fu: [0004] provides for the anomalies whose characteristics differ from the normal profile by more than a predetermined threshold amount).

Bowditch/Rausch/Williams/Fu do not teach about fitting a mixed Poisson distribution (MPD) into each normal cluster MPD1, ..., MPDk in the set of clusters and testing all singleton and rare clusters based on a percentile threshold for each fitted MPDi. However, Gilgur teaches this limitation (Gilgur: Col. 6 Lines 32-43 provide for fitting a mixed Poisson Distribution into the normal clusters.)
Bowditch, Rausch, Williams, Fu and Gilgur are all considered to be analogous to the claimed invention because they are in the same field of machine learning with training datasets. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified the Bowditch/Rausch/Williams/Fu method to incorporate the teachings of Gilgur and provide fitting a mixed Poisson distribution (MPD) into each normal cluster in the set of clusters and testing all singleton and rare clusters based on a percentile threshold for each fitted cluster. Doing so would aid in detecting anomalies accurately using a known anomaly detection technique.

Claim 18 recites the same limitation as claim 2 for a system and is thereby rejected under the same rationale. 
Pertinent Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Zoll et al. (U.S. 20180083833A1) teaches a method and system for performing context-aware prognoses for health analysis of monitored system. 
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to YASMIN JAHIR whose telephone number is (571)272-0346. The examiner can normally be reached Mon-Fri 9:00-5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469)295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: 





/YASMIN JAHIR/Examiner, Art Unit 2432
/SYED A ZAIDI/Primary Examiner, Art Unit 2432