DETAILED ACTION
This Office action is in response to a non-provisional utility patent application filed by Applicant on 9/3/2019.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4-5, 8-9, 11-12, 15-16, and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Kirti (U.S. Pat. App. Pub. 2015/0172321 A1) in view of Laffoon (U.S. Pat. 8,984,632 B1) in view of Mao (U.S. Pat. 10,019,582 B1).
Regarding claims 1, 8, and 15, Kirti discloses: a method for identifying anomalous data events (analyzing information related to user activity in one or more clouds using machine learning to perform threat detection of suspicious activities. Kirti para. 0056.), comprising: monitoring a networked file system for suspicious events (detecting patterns of suspicious user activity in one cloud or across multiple clouds. Kirti para. 0056.); receiving an indication of a suspicious event associated with a user and a file (using threat models and base line expectations for identifying rare and infrequent events and behavior analytics to derive suspicious behavior of a user including file access. Kirti para. 0088.); performing a pattern of behavior analysis using historical events associated with the user (data collected over time is used to build models of normal behavior (e.g., patterns of events and activity) and flag behavior that deviates from normal as abnormal behavior. Kirti para. 0089.); and displaying a report for the user including the anomalous event (alerts and threat reports are generated based upon pre-defined rules that can include specific events and thresholds. Kirti para. 0087.).
Kirti does not disclose: performing an adjacency by time analysis using a set of events for the user before the suspicious event and a set of events for the user after the suspicious event; performing an adjacency by location analysis using a set of files located in a location of 
However, Laffoon does disclose: performing an adjacency by time analysis using a set of events for the user before the suspicious event and a set of events for the user after the suspicious event; determining whether the suspicious event is an anomalous event based on the pattern of behavior analysis, the adjacency by time analysis (analyzing collected activity data relating to activities across multiple mobile devices and within close proximal times to the detected activities. Laffoon col. 3, l. 53 – col. 4, l. 7.).
Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the analyzing information related to user activity in one or more clouds using machine learning to perform threat detection of suspicious activities of Kirti with pattern analysis related to the adjacency of time of events related to a suspicious event based upon the teachings of Laffoon. The motivation being that identifying activity at the suspicious activity time may not identify all the activity taking place in proximity to the suspicious event. Laffoon col. 3, ll. 58-60.
Kirti in view of Laffoon does not disclose: performing an adjacency by location analysis using a set of files located in a location of the file; determining whether the suspicious event is an anomalous event based on the pattern of behavior analysis, the adjacency by location analysis.
However, Mao does disclose: performing an adjacency by location analysis using a set of files located in a location of the file; determining whether the suspicious event is an anomalous event based on the pattern of behavior analysis, the adjacency by location analysis (analyzing data usage patterns related to GPS location of the user. Mao col. 7, ll. 3-16.).
Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the analyzing information related to user activity in one or more clouds using machine learning to perform threat detection of suspicious activities of Kirti with pattern analysis related to the adjacency of location of events related to a suspicious event based upon the teachings of Mao. The motivation being to identify leak data related to a suspicious activity. Mao col. 5, ll. 29-61.
Regarding claims 2, 9, and 16, Kirti in view of Laffoon in view of Mao discloses the limitations of claims 1, 8, and 15, respectively, wherein events include creating, deleting, modifying, and copying a file (triggering events include downloading (reads on the recited copying and creating), elevating privileges (reads on modifying and deleting). Kirti para. 0092.).  
Regarding claims 4, 11, and 18, Kirti in view of Laffoon in view of Mao discloses the limitations of claims 1, 8, and 15, respectively, further comprising: training a machine-learning model for the pattern of behavior analysis using historical event data associated with the user to identify a variance in events associated with the user (data collected over time is used to build models of normal behavior (patterns of events and user activity – such as variance of login events over a time period) and flag behavior that deviates from normal as abnormal behavior. Kirti para. 0089. This information is provided back to one or more machine learning algorithms to automatically modify parameters of the system. Kirti para. 0089.).
Regarding claims 5, 12, and 19, Kirti in view of Laffoon in view of Mao discloses the limitations of claims 1, 8, and 15, respectively, further comprising: training a machine-learning model for the pattern of behavior analysis using historical event data associated with users in a similar group as the user to identify a variance in events associated with the user (data collected over time is used to build models of normal behavior (patterns of events and user activity – clustering algorithms are used to put data into clusters by aggregating all entries of users logging in from a mobile device) and flag behavior that deviates from normal as abnormal behavior. Kirti para. 0089. This information is provided back to one or more machine learning algorithms to automatically modify parameters of the system. Kirti para. 0089.).

Claims 3, 10, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Kirti in view of Laffoon in view of Mao in view of Stevens (U.S. Pat. 8,856,390 B1) in view of Chesla (U.S. Pat. App. Pub. 2017/0063930 A1) in view of Yablokov (U.S. Pat. 10,409,987 B2).
Regarding claims 3, 10, and 17, Kirti in view of Laffoon in view of Mao discloses the limitations of claims 1, 8, and 15, respectively. Kirti in view of Laffoon in view of Mao does not disclose: wherein suspicious event includes inserting a Universal Serial Bus (USB) storage device in to a computing system, uploading a file to a cloud storage service, and identifying a multipurpose internet mail extension (MIME) type mismatch.
However, Stevens does disclose: wherein suspicious event includes inserting a Universal Serial Bus (USB) storage device in to a computing system (the security condition identifies a particular security threat to the device including if a USB device has been connected to the host. Stevens col. 3, ll. 20-25.).
Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the analyzing information related to user activity in one or more clouds using machine learning to perform threat detection of suspicious activities of Kirti with identifying as a suspicious event when a USB device is inserted into the system based upon the teachings of Stevens. The motivation being to identify a major indicator of a security breach. Stevens col. 3, ll. 7-25.
Kirti in view of Laffoon in view of Mao in view of Stevens does not disclose: uploading a file to a cloud storage service, and identifying a multipurpose internet mail extension (MIME) type mismatch.
However, Chesla does disclose: uploading a file to a cloud storage service (identifying an abnormal event of uploading a file. Chesla para. 0137.).
Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the analyzing information related to user activity in one or more clouds using machine learning to perform threat detection of suspicious activities of Kirti with identifying as a suspicious event when a file is uploaded to storage based upon the teachings of Chesla. The motivation being to identify a propagation threat of malware to a system. Chesla para. 0137.
Kirti in view of Laffoon in view of Mao in view of Stevens in view of Chesla does not disclose: identifying a multipurpose internet mail extension (MIME) type mismatch.
However, Yablokov does disclose: identifying a multipurpose internet mail extension (MIME) type mismatch (matching from an antivirus list an analysis of files based upon characteristics such as certain file extensions and MIME types. Yablokov col. 4, ll. 5-54.).
Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the analyzing information related to user activity in one or more clouds using machine learning to perform threat detection of suspicious activities of Kirti with identifying as a suspicious event a mismatch of file extensions and MIME types based upon the teachings of Yablokov. The motivation being determining malware threats based upon characteristics and context of indicators from an antivirus database. Yablokov col. 3, ll. 37-63.

Allowable Subject Matter
Claims 6-7, 13-14, and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: Figlin (U.S. Pat. App. Pub. 2011/0173699 A1), detection of inappropriate, unauthorized or malicious activity in a computer system by insider actors; Han (U.S. Pat. 11,012,454 B1), detecting abnormal behavior in cloud applications; Margolies (U.S. Pat. App. Pub. 2011/0225650 A1), detecting insider fraud based upon rules related to behavior of sources of data; O’Neill (U.S. Pat. App. Pub. 2011/0087495 A1), monitoring suspicious behavior for criminal and wrongful activities related to computer information; and Girdhar (U.S. Pat. App. Pub. 2020/0110870 A1), detecting unusual or suspicious computer behavior such as copying a large number of files to or from the cloud.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VANCE M LITTLE whose telephone number is (571) 270-0408.  The examiner can normally be reached on Monday - Friday 9:30am - 5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung (Jay) Kim can be reached on (571) 272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/VANCE M LITTLE/Examiner, Art Unit 2493