Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Objections
Claims 1, 2, 7, 8, 9, 14, 15, 16, and 21 are objected to because of the following informalities:
In claims 1, 2, 7, 8, 9, 14, 15, 16, and 21, “the analysis” should be “the analyzing” because the antecedent recitation is “analyzing.” For purposes of examination, “the analysis” has been interpreted to have the meaning of the above suggested revision.
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 22-25 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 22 and 24, last paragraph, recite the limitation "one of the security actions.” There is insufficient antecedent basis for this limitation (a plurality of security actions) in the at least one security action.” For purposes of examination, the above phrase has been interpreted to have the meaning of the suggested revision.
Claims dependent from one or more of the above discussed claims are also rejected for the same reasons, since these dependent claims incorporate the indefinite recitations of their parent claims without curing the deficiencies thereof. Therefore, claims 23 and 25 are rejected due to their dependency on claims 22 and 24.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-2, 6-9, 13-16, 20-21, and 22-24 are rejected under 35 U.S.C. § 101 because the claimed invention is directed to an abstract idea and the claims as a whole, considering all claim elements both individually and in combination, do not amount to significantly more than an abstract idea.
The claims have been analyzed in accordance with the 2019 Revised Patent Subject Matter Eligibility Guidance and October 2019 Patent Eligibility Guidance Update, which set forth the following inquiries for determining eligibility.
Step 2A Prong One: Does the claim recite an abstract idea, law of nature, or natural phenomenon?
	Independent claim 1, for example, recites “receiving a plurality of event data, wherein each of the event data is a detected activity performed by a user on one of a set of one or more computer systems, wherein the detected activities are performed by the user over a time duration; analyzing the plurality of event data using a plurality of time-based models, wherein each of the time-based models correspond to a different time interval that is included in the time duration, the analysis resulting in a plurality of time-based risk scores pertaining to the user; and performing an action based on a security risk score of the user, wherein the security risk score is calculated based on the plurality of time-based risk scores.” Independent claims 8 and 15 recite analogous limitations.
These limitations, under the broadest reasonable interpretation, cover performance of the steps in the mind but for the recitation of any generic computer components. Therefore, these limitations are considered to be mental processes. These limitations are recited at a high degree of generality and do not contain any specific features that would preclude the above limitations from being a mental process. 
For example, the limitation of “analyzing…using time-based models” does not require a particular degree of computational complexity that would preclude the limitations from being a mental process. A “model,” under the broadest reasonable interpretation of the term, may simply be a pattern derived from observation. Therefore, analysis using such a model falls within the category of mental processes. Note a mental process may include computations performable with the aid of pencil and paper, as stated in MPEP § 2106.04(III): 
If a claim recites a limitation that can practically be performed in the human mind, with or without the use of a physical aid such as pen and paper, the limitation falls within the mental processes grouping, and the claim recites an abstract idea. See, e.g., Benson, 409 U.S. at 67, 65, 175 USPQ at 674-75, 674 (noting that the claimed "conversion of [binary-coded decimal] numerals to pure binary numerals can be done mentally," i.e., "as a person would do it by head and hand.")…

The use of a physical aid (e.g., pencil and paper or a slide rule) to help perform a mental step (e.g., a mathematical calculation) does not negate the mental nature of the limitation, but simply accounts for variations in memory capacity from one person to another.
MPEP § 2106.04(III)(B) (emphasis added). 
“performing an action” does not specify any particular action that necessarily distinguishes from, for example, a mental action of determination, judgement or identification.
Independent claim 22 recites “receiving a plurality of event data, wherein each of the event data is a detected activity performed by a user on one of a set of one or more computer systems, wherein the detected activities are performed by the user over a time duration; creating, from the plurality of event data, a plurality of time-based datasets, wherein each of the time-based data sets corresponds to one of a plurality of trained time-based […] models, and wherein each of the trained time-based […] models corresponds to a different time interval; inputting the plurality of time-based datasets to their respective trained time-based […] models; receiving, from the plurality of […] models, a plurality of time-based risk scores, wherein each of the time-based risk scores corresponds to one of the plurality of machine learning models; calculating a security score of the user based on the plurality of time-based risk scores; and performing at least one security action, wherein one of the security actions is […] a user identifier of the user and the user's security score to a report.” Independent claim 24 recites analogous limitations.
These limitations, under the broadest reasonable interpretation, cover performance of the steps in the mind but for the recitation of any generic computer components. These limitations are recited at a high degree of generality and do not contain any specific features that would preclude the above limitations from being a mental process. 
For example, although the claim limitations recite “calculating a security score,” the claims do not require any specific mathematical methodology that is beyond a mental process. See MPEP § 2106.04(III), quoted above, which states that computations may be mental processes. Furthermore, the limitation of “performing an action…” does not specify any 
Therefore, the above limitations recite a mental process. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of the generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Therefore, claims 6 and 16 are directed to a judicial exception in the form of a mental process.    
Step 2A Prong Two: Does the claim recite additional elements that integrate the judicial exception into a practical application?
The judicial exception identified above is not integrated into a practical application.
The claims recite various additional elements, but these additional elements, as identified below, do not integrate the judicial exception into a practical application.
Specifically, the claims recite the following additional elements that are generic computer components: 
“implemented by an information handling system that includes a processor and a memory accessible by the processor” (claim 1)
“one or more processors; a memory coupled to at least one of the processors; and a set of computer program instructions stored in the memory and executed by at least one of the processors in order to perform actions” (claim 8)
“A computer program product stored in a computer readable storage medium, comprising computer program code that, when executed by an information handling system, performs actions”
“implemented by an information handling system that includes a processor and a memory accessible by the processor” (claim 22)
“one or more processors; a memory coupled to at least one of the processors; and a set of computer program instructions stored in the memory and executed by at least one of the processors in order to perform actions” (claim 24)
Computer components recited at a high-level of generality amount to no more than mere instructions to apply the judicial exception using a generic computer component. An additional element that merely recites the words “apply it” (or an equivalent) with the judicial exception, or merely includes instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea, does not integrate the judicial exception into a practical application.
The claims also recite the following additional elements that are generic computer functions: 
“machine learning” models (claims 22 and 24)
“writing” a user identifier of the user and the user's security score to a report (claims 22 and 24)
The element of “machine learning” is not accompanied by any further details of structure or model creation. Therefore, the claimed method and system employ generic computer components performing generic computer functions, and the recitation of “machine learning” may also be regarded as no more than generally linking the use of a judicial exception to a particular technological environment or field of use, namely the technological environment of machine learning. As stated in MPEP § 2106.04(d), limitations that generally link the use of a 
The element of “writing” constitutes storing information in memory, which is a well‐understood, routine, and conventional function of a computer, as stated in MPEP § 2106.05(d).
Therefore, the additional elements do not integrate the judicial exception into a practical application.
Step 2B: Does the claim recite additional elements that amount to significantly more than the judicial exception?
The claims do not include additional elements that are sufficient for the claims to amount to significantly more than the judicial exception. As discussed above with respect to the lack of integration of the abstract idea into a practical application, the additional elements amount to no more than mere instructions to apply the judicial exception using a generic computer component. Similarly, limitations that do no more than generally link the use of a judicial exception to a particular technological environment or field of use, namely the technological environment of machine learning, do not amount to significantly more than the judicial exception (see MPEP § 2106.05).
The remaining dependent claims do not recite additional elements, whether considered individually or in combination, that are sufficient to integrate the judicial exception into a practical application or amount to significantly more than the judicial exception.
Dependent claims 2, 9 and 16 recite “inputting the plurality of event data to a plurality of time-based models, wherein each of the time-based models are machine-learning models, and wherein the analysis is performed using a set of results received from the machine-learning models.” However, these limitations are also mental processes, and do not include any additional element beyond a mental process. 
Dependent claims 6, 13, and 20 recite “calculating one or more non-time-based risk scores …”, “calculating one or more rule-based risk scores …” and “combining…” However, these limitations are also mental processes, and do not include any additional element beyond a mental process. Similar to the discussion of the independent claim features, these claim limitations do not require any specific mathematical methodology that is beyond a mental process.
Dependent claims 7, 14, and 21 recite “storing…”, “identifying…” and “forming…” The “storing” limitation constitutes storing information in memory, which is a well‐understood, routine, and conventional function of a computer, as stated in MPEP § 2106.05(d). The remaining limitations are mental processes, and do not include any additional element beyond a mental process.
Dependent claims 23 and 25 recite “calculating…” and “identifying…” However, these limitations are also mental processes, and do not include any additional element beyond a mental process. Similar to the discussion of the independent claim features, the “calculating” step does not require any specific mathematical methodology that is beyond a mental process.
Therefore, the rejected claims are directed to a judicial exception and do not recite additional elements, whether considered individually or in combination, that are sufficient to integrate the judicial exception into a practical application or amount to significantly more than the judicial exception. Therefore, these claims are not patent-eligible under § 101.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

1.	Claims 1-5, 7-12, 14-19 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Chari et al. (US 2017/0286671 A1) (“Chari”) in view of Chanda et al. (US 2020/0065212 A1) (“Chanda”).
As to claim 1, Chari teaches a method implemented by an information handling system that includes a processor and a memory accessible by the processor [[0031]: “data processing system 200 includes…processor unit 204, memory 206”], the method comprising:
receiving a plurality of event data, wherein each of the event data is a detected activity performed by a user on one of a set of one or more computer systems, [[0064]: “Malicious user activity detector 302 may receive input, such as, for example, static user data 304, dynamic user data 306.” [0066]: “Dynamic user data 306 may include information, such as, for example, activity logs 306A, social networks 306B, communication patterns 306C, and threat feeds 306D. Activity logs 306A include records of the user's asset access behavior.” Note that the user is a user of a computer, as described in [0026]: “Users of client devices 110, 112, and 114 may use client devices 110, 112, and 114 to access assets 116.”] wherein the detected activities are performed by the user over a time duration; [As noted above, the data includes activity logs, which are over a time duration and are further described in [0037]: “User asset access activity logs 226 represent a historical record of current and past asset access behavior by the user.”]
analyzing the plurality of event data using a plurality of time-based models, [[0099]: “the computer applies a plurality of analytics on the profile corresponding to the user that accesses the set of protected assets using conflict free parallelization (step 504). The plurality of analytics may be, for example, analytic 1 326, analytic 2 328, and analytic i 330 in FIG. 3.” That is, each “analytic” corresponds to a “model.” The limitation of “time-based” is described in [0057] (“features such as…time series-based preprocessing”), [0058] (“auto correlation (i.e., correlation of user activity in a current time window against the user's activity in past time windows)”), [0062] (“aggregate the received input data corresponding to the user into a set of one or more defined windows based on time and/or the user”), and [0072] (“malicious user activity detector 302 may accept input data both in batches (e.g., data files covering specified periods of time) and as a stream (e.g., a continuous series of messages in order by time).”).], […] the analysis resulting in a plurality of time-based risk scores pertaining to the user; [[0069]: “In this example, analytic 1 326 and analytic i 330 generate risk score j 332 and analytic 2 328 generates risk score j+1 334. Risk score j 332 and risk score j+1 334 may be, for example, user asset access activity scores 228 in FIG. 2.” That is, each “analytic” corresponds to a “model” and generates a risk score, so as to result in a plurality of risk scores. The limitation of “time-based” is taught by ] and
performing an action based on a security risk score of the user, wherein the security risk score is calculated based on the plurality of time-based risk scores. [[0070]: “If aggregated risk score k 336 is greater than an alert threshold, such as, for example, an alert threshold in user asset access activity alert threshold values 230 in FIG. 2, then malicious user activity detector 302 may generate one or more alerts 338.” That is, the “aggregated risk” score constitutes a security risk score.]
Chari does not explicitly teach the limitation of “wherein each of the time-based models correspond to a different time interval that is included in the time duration.”
Chanda, in an analogous art, teaches the above limitation. Chanda teaches an “anomaly detection framework” (title) “for detecting anomalous values in data streams using forecasting models” (see abstract, first sentence). Therefore, Chanda is in the same field of endeavor as the claimed invention, namely data processing and analytics.  In general, the method of Chanda generates a score for anomaly detection, wherein “if the final score exceeds the score threshold, the computer may generate a notification that indicates that the data value is an anomaly” (Chanda).
  In particular, Chanda teaches wherein each of the time-based models correspond to a different time interval that is included in the time duration [Abstract: “Models can be selected based on the time interval, where each of the models has a different periodicity.” [0028]: “For example, if the sampling frequency is once per day (e.g., a daily total of visits) and the new data value corresponds to the first Monday of the month, the detection framework may select a weekly model that corresponds to the Monday of each week (i.e., the Monday model) and a monthly model that corresponds to the first Monday of each month (i.e., the first monthly Monday model).” [0064]: “the model manager 304 may select the daily model, a weekly model that corresponds to the Sunday of each week, a monthly model that corresponds to the 25th day of each month, another monthly model that corresponds to the last Sunday of each month, and a 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teachings of Chari with the teachings of Chanda by modifying a plurality of the models in Chari to be time-based models as taught in Chanda, such that “each of the time-based models correspond to a different time interval that is included in the time duration.” The motivation would have been to analyze “data [that is] received in the form of a time series, where discrete data values are periodically received over time” (Chanda, [0001]), particularly in a manner that accounts for various patterns (Chanda, [0006]: “the monitoring service can expect newer data values of the data stream to follow one or more patterns, which may include trend patterns, seasonal patterns, and cyclical patterns”).

As to claim 2, the combination of Chari and Chanda teaches the method of claim 1 further comprising:
inputting the plurality of event data to a plurality of time-based models, [Chari, [0068]: “In addition, malicious user activity detector 302 may normalize the collected user data at 316…. Further, malicious user activity detector 302 may use feature extractors, such as feature extractors 220 in FIG. 2, to extract feature 1 318, feature 2 320, through feature i 322 from the against the extracted features of the user's profile.” As shown in FIG. 3 of Chari, the data is inputted in feature-extracted form into analytic 1, analytic 2. Note that Chanda is consistent with these teachings (see Chanda, [0095]: “feeding the historical data values to each of the models.”) Therefore, this limitation is taught by Chari, as modified in the combination of references.] wherein each of the time-based models are machine-learning models, [Chanda, [0066]: “To account for complex combinations of patterns that may be followed by the data stream, each of the selected models may correspond to a Holt-Winters triple exponential forecasting model.” This model is described through [0070]. [0069] states that “the smoothing parameters α, β* and γ may be manually or automatically chosen by the model manager 304.” See also [0007]: “the server computer can use predictive modeling.” Since the model has computer-determined parameters, and is based on historical data (see [0063]: “based on the historical data values of the data stream”), the model is considered to be a “machine-learning” model. The term “machine-learning model” has been interpreted to broadly cover models whose parameters are learned by a machine, as the instant claim does not require a specific type of model or learning algorithm.] and wherein the analysis is performed using a set of results received from the machine-learning models.
[As noted in the rejection of claim 1 in regards to the limitation of “the analysis resulting in,” in Chari, each “analytic” corresponds to a “model” and generates a risk score, so as to result in a plurality of risk scores. Chanda is compatible with this technique since Chanda, abstract teaches: “For each of the selected models, the computer may generate a score by generating a prediction value based on the model and generating the score based on the prediction value and the received value. A final score can then be generated 

As to claim 3, the combination of Chari and Chanda teaches the method of claim 2, as set forth in the rejection above. 
Chanda further teaches the method further comprising:
training the plurality of time-based machine-learning models using the plurality of event data, [Chanda, [0069] states that “the smoothing parameters α, β* and γ may be manually or automatically chosen by the model manager 304.”] wherein each of the time-based machine-learning models is trained for a different time interval; [Chanda, abstract: “each of the models has a different periodicity”]
correlating a set of machine-learning risk scores based on a plurality of results received from the plurality of time-based machine-learning models, [Chanda, [0085]: “Generating the final score based on the one or more scores may be done in multiple ways. Examples may include selecting the lowest score out of the one or more scores, calculating a weighted average of the one or more scores, selecting the mode of the one or more scores, and selecting the highest score out of the one or more scores.” It is noted that the term “correlating” is not defined in this application to require a specific mathematical operation. Therefore, any operation that determines a relationship among the scores, such as calculating an average value or selecting the mode/highest score (which implies comparing the scores) is considered to be an operation “correlating.”] wherein each set of machine-learning risk scores pertains to a modeled risk of the user corresponding to the respective time intervals of the time-based machine-learning models; [Chanda, [0008]: “the server computer can generate a score for each and
evaluating the correlated set of machine-learning risk scores to calculate the user's security risk score. [Chanda, [0085]: “Generating the final score based on the one or more scores may be done in multiple ways. Examples may include selecting the lowest score out of the one or more scores, calculating a weighted average of the one or more scores, selecting the mode of the one or more scores, and selecting the highest score out of the one or more scores.”]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated, into the thus-far combination of Chari and Chanda, the above further teachings of Chanda by modifying the method to further comprise “training the plurality of time-based machine-learning models using the plurality of event data, wherein each of the time-based machine-learning models is trained for a different time interval; correlating a set of machine-learning risk scores based on a plurality of results received from the plurality of time-based machine-learning models, wherein each set of machine-learning risk scores pertains to a modeled risk of the user corresponding to the respective time intervals of the time-based machine-learning models; and evaluating the correlated set of machine-learning risk scores to calculate the user's security risk score.” The motivation for doing so would have been to analyze “data [that is] received in the form of a time series, where discrete data values are periodically received over time” (Chanda, [0001]), particularly in a manner that accounts for various patterns (Chanda, [0006]: “the monitoring service can expect newer data values of the data stream to follow one or more patterns, which may include trend patterns, seasonal patterns, and cyclical patterns”).

As to claim 4, the combination of Chari and Chanda teaches the method of claim 3 further comprising:
continuously performing the training of the time-based machine-learning models as new event data is received that pertains to the user. [Chanda teaches that the determining of model parameters (i.e., training) is performed continuously upon the receipt of new data. See Chanda, [0052]: “the anomaly detection server 104 may be responsible for storing new data values received from the data stream interface 102 into the historical data store 106.” [0007]: “if the latest new data value deviates significantly from historical data values, the server computer can use predictive modeling to determine whether the latest data value is (1) is likely to be anomalous (i.e., erroneous) and warrants further investigation.” That is, the process described in Chanda is continuous in that the historical data values are continuously updated. Since the models are based on historical data values, the modeling (training) is continuous.]

As to claim 5, the combination of Chari and Chanda teaches the method of claim 3, as set forth above. 
Chanda further teaches the method further comprising:
utilizing an empirical distribution approach to perform the evaluating. [Chanda, [0077] “A variance calculator 402 may be programmed and/or configured to perform functionality associated with determining a variance based on the historical data values of a data stream. The variance calculator 402 may calculate the variance (e.g., a standard deviation) of the historical data values of the data stream. As an example, the variance may be equal to the average of the squared differences of each of the historical data values from the mean of the 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated, into the thus-far combination of Chari and Chanda, the above further teachings of Chanda by modifying the method to further comprise utilizing an empirical distribution approach to perform the evaluating. The motivation would have been to utilize a method for evaluating model scores based on the characteristics of historical data, as suggested by Chanda, paragraph [0076] (“the threshold calculation module 218 may provide a score threshold that represents how much variance in the data values is tolerable.”) and parts quoted above.

As to claim 7, the combination of Chari and Chanda teaches the method of claim 1 further comprising:
storing the plurality of event data in a main dataset; [Chari, [0066]: “Dynamic user data 306 may include information, such as, for example, activity logs 306A, social networks asset access behavior.”]
identifying one or more subset datasets, wherein each of the subset datasets pertain to a different one of the time-based models; [The models of Chanda, as discussed in the rejection of claim 1, above, utilize data subsets. See Chanda, [0065]: “For each of the one or more selected forecast models, a set of historical data values of the data stream that match the periodicity of the forecast model may be retrieved from the historical data store 106. As examples, historical data values that correspond to each day may be retrieved for the daily model, historical data values that correspond to each Tuesday may be retrieved for the weekly model that corresponds to the Tuesday of each week”] and
forming the subset datasets from the main dataset, [Chanda, [0065], part quoted above, which teaches “…may be retrieved from the historical data store 106…”] wherein the analysis is performed by inputting each of the subset datasets to the respective subset datasets' time-based model. [Chanda, [0065]: “Next, each matching set of historical data values are fed to their corresponding models.”]

As to claims 8-12 and 14, these claims are directed to a system for performing operations that are the same or substantially the same as those recited in claims 1-5 and 7, respectively. Therefore, the rejections made to claims 1-5 and 7 are applied to claims 8-12 and 14, respectively.
Furthermore, Chari teaches an information handling system comprising: one or more processors; a memory coupled to at least one of the processors; and a set of computer program instructions stored in the memory and executed by at least one of the processors in order to perform actions [[0013]: “The present invention may be a system, a method, and/or a computer program product. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention.” [0031]: “data processing system 200 includes…processor unit 204, memory 206”. See also [0014]-[0019].]

As to claims 15-19 and 21, these claims are directed to a computer readable medum for performing operations that are the same or substantially the same as those recited in claims 1-5 and 7, respectively. Therefore, the rejections made to claims 1-5 and 7 are applied to claims 15-19 and 21, respectively.
Furthermore, Chari teaches a computer program product stored in a computer readable storage medium, comprising computer program code that, when executed by an information handling system, performs actions [[0013]: “The present invention may be a system, a method, and/or a computer program product. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention.” [0031]: “data processing system 200 includes…processor unit 204, memory 206.” See also [0014]-[0019].]

2.	Claims 6, 13, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Chari in view of Chanda, and further in view of Shenoy et al. (US 2019/0098037 A1) (“Shenoy”).
As to claim 6, the combination of Chari and Chanda teaches the method of claim 1 further comprising:
calculating one or more rule-based risk scores corresponding to the user, wherein the rule-based risk scores are calculated using one or more risk algorithms; [Chari, [0078]: “When defining an analytic, an analyst may define alert groups for the analytic.” Chari, [0076]: “Pipelined analytics execution is an ordered list of execution steps, along with all of the execution steps dependencies. All dependencies of an execution step must be completed before moving to the next execution step in the ordered list.” That is, the analytics in Chari are also considered to be “rule-based” and thus determine rule-based risk scores, because they have some set of rules in the form of their definition, execution steps, and/or dependencies.] and
combining the time-based risk scores, […] and the rule-based risk scores to form the security risk score of the user. [Chari, [0069]: “Malicious user activity detector 302 combines risk score j 332 and risk score j+1 334 to generate aggregated risk score k 336.”; Chari, [0087]: “malicious user activity detector 302 may aggregate user-specific risk scores corresponding to all malicious user activity alerts and all assets associated with that particular user.”] 
The combination of references does not explicitly teach “calculating one or more non-time-based risk scores corresponding to the user, wherein the non-time-based risk scores use one or more non-time based machine learning models” and the limitation that the combining also combines the “non-time-based risk scores.”
Shenoy, in an analogous art, teaches the above limitations. Shenoy generally teaches “cloud-based threat detection” (title) for various “user accounts” (see abstract). Therefore, Shenoy is in the same field of endeavor as the claimed invention, namely data processing and analytics.  
calculating one or more non-time-based risk scores corresponding to the user, [[0114]: “Another example of a threat scenario is an unusual geolocation scenario. An unusual geolocation scenario may refer to activities being originated in locations that are unexpected or outside of an established pattern.” [0143]: “Algorithm 3 provides an example of an algorithm that can be used for analytics of multiple application behavior. In algorithm 3, user IP addresses associated with various cloud service activities (such as logging in) are resolved to geolocation coordinates IP1 (Latitude 1, Longitude 1), IP2 (Latitude 2, Longitude 2), IP3 (Latitude 3, Longitude 3), etc. If a user has different usernames with different cloud services, the various usernames associated with that user can be mapped to a unique user specific identity that identifies the user across the services…”] wherein the non-time-based risk scores use one or more non-time based machine learning models [[0158]: “feedback can be obtained using…machine learning algorithms, such as decision trees and neural networks.” Note that in [0158], the machine learning algorithm is used to adjust the weights of the indicators in [0156]. [0162]: “These may incorporate machine learning algorithms to generate threat models, such as, for example, deviations from base line expectations”]. Shenoy, when its teachings are applied to Chari, suggests combining the “non-time-based risk scores” [[0156]: “In various examples, a risk score can be computed as a weighted sum of the available indicators.” Furthermore, Chari generally teaches the use of “a wide range of analytics” and the concept of aggregation].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teachings of Chari and Chanda with the teachings of Shenoy by performing the further operation of “calculating one or more non-time-based risk scores corresponding to the user, wherein the non-time-based risk scores use one or 

As to claim 13, the further limitations recited in this claim are the same or substantially the same as those recited in claim 6. Therefore, the rejection made to claim 6 is applied to claim 13.

As to claim 20, the further limitations recited in this claim are the same or substantially the same as those recited in claim 6. Therefore, the rejection made to claim 6 is applied to claim 20.

3.	Claims 22-25 are rejected under 35 U.S.C. 103 as being unpatentable over Chari in view of Chanda, and further in view of Haim et al., “Visualizing Insider Threats: An Effective Interface for Security Analytics” (poster), IUI 2017 Companion, March 13–16, 2017, Limassol, Cyprus (“Haim”).
As to claim 22, Chari teaches a method implemented by an information handling system that includes a processor and a memory accessible by the processor, [[0031]: “data processing system 200 includes…processor unit 204, memory 206”] the method comprising:
receiving a plurality of event data, wherein each of the event data is a detected activity performed by a user on one of a set of one or more computer systems, [[0064]: “Malicious user activity detector 302 may receive input, such as, for example, static user data 304, dynamic user data 306.” [0066]: “Dynamic user data 306 may include information, such as, for example, activity logs 306A, social networks 306B, communication patterns 306C, and threat feeds 306D. Activity logs 306A include records of the user's asset access behavior.” Note that the user is a user of a computer, as described in [0026]: “Users of client devices 110, 112, and 114 may use client devices 110, 112, and 114 to access assets 116.”] wherein the detected activities are performed by the user over a time duration; [As noted above, the data includes activity logs, which are over a time duration and are further described in [0037]: “User asset access activity logs 226 represent a historical record of current and past asset access behavior by the user.”]
receiving, from the plurality of […] models, a plurality of time-based risk scores, [[0099]: “the computer applies a plurality of analytics on the profile corresponding to the user that accesses the set of protected assets using conflict free parallelization (step 504). The plurality of analytics may be, for example, analytic 1 326, analytic 2 328, and analytic i 330 in FIG. 3.” That is, each “analytic” corresponds to a “model.” The limitation of “time-based” is described in [0057] (“features such as…time series-based preprocessing”), [0058] (“auto correlation (i.e., correlation of user activity in a current time window against the user's activity in past time windows)”), [0062] (“aggregate the received input data corresponding to the user into a set of one or more defined windows based on time and/or the user”), and [0072] (“malicious user activity detector 302 may accept input data both in batches (e.g., data files covering specified periods of time) and as a stream (e.g., a continuous series of messages in order by time).”).] wherein each of the time-based risk scores corresponds to one of the plurality of […] models;  [[0069]: “In this example, analytic 1 326 and analytic i 330 generate risk score j 332 and analytic 2 328 generates risk score j+1 334. Risk score j 332 and risk score j+1 334 may be, for example, user asset access activity scores 228 in FIG. 2.” That is, each “analytic” corresponds to a “model” and generates a risk score, so as to result in a plurality of risk scores. The limitation of “time-based” is taught by ]
calculating a security score of the user based on the plurality of time-based risk scores; [[0069]: “Malicious user activity detector 302 combines risk score j 332 and risk score j+1 334 to generate aggregated risk score k 336.”; Chari, [0087]: “malicious user activity detector 302 may aggregate user-specific risk scores corresponding to all malicious user activity alerts and all assets associated with that particular user.”] and
performing at least one security action, [[0070]: “If malicious user activity detector 302 determines that aggregated risk score k 336 is greater than an alert threshold, such as, for example, an alert threshold in user asset access activity alert threshold values 230 in FIG. 2, then malicious user activity detector 302 may generate one or more alerts 338.”] 
Chari does not explicitly teach:
(1)	the operations of “creating, from the plurality of event data, a plurality of time-based datasets, wherein each of the time-based data sets corresponds to one of a plurality of trained time-based machine learning models, and wherein each of the trained time-based machine learning models corresponds to a different time interval” and “inputting the plurality of time-based datasets to their respective trained time-based machine learning models”, and the related limitation of models in the subsequent operation Chari being said “machine learning models.”
(2)	“wherein one of the security actions is writing a user identifier of the user and the user's security score to a report.”
Chanda, in an analogous art, teaches limitations (1) listed above. Chanda teaches an “anomaly detection framework” (title) “for detecting anomalous values in data streams using forecasting models” (see abstract, first sentence). Therefore, Chanda is in the same field of endeavor as the claimed invention, namely data processing and analytics. In general, the method of Chanda generates a score for anomaly detection, wherein “if the final score exceeds the score threshold, the computer may generate a notification that indicates that the data value is an anomaly” (Chanda).
In particular, Chanda teaches creating, from the plurality of event data, a plurality of time-based datasets, wherein each of the time-based data sets corresponds to [[0065]: “For each of the one or more selected forecast models, a set of historical data values of the data stream that match the periodicity of the forecast model may be retrieved from the historical data store 106. As examples, historical data values that correspond to each day may be retrieved for the daily model, historical data values that correspond to each Tuesday may be retrieved for the weekly model that corresponds to the Tuesday of each week”] one of a plurality of trained time-based [The models are time-based, as addressed below in connection with “wherein each of the trained time-based machine learning models corresponds to a different time interval.” With respect to the limitation of “machine learning,” see [0066]: “To account for complex combinations of patterns that may be followed by the data stream, each of the selected models may correspond to a Holt-Winters triple exponential forecasting model.” This model is described through [0070]. [0069] states that “the smoothing parameters α, β* and γ may be manually or automatically chosen by the model manager 304.” See also [0007]: “the server computer can use predictive modeling.” Since the model has computer-determined parameters, and is based on historical data (see [0063]: “based on the historical data values of the data stream”), the model is considered to be a “machine-learning” model. The term “machine-learning model” has been interpreted to broadly cover models whose parameters are learned by a machine, as the instant claim does not require a specific type of model or learning algorithm.] 
and wherein each of the trained time-based machine learning models corresponds to a different time interval [Abstract: “Models can be selected based on the time interval, where each of the models has a different periodicity.” [0028]: “For example, if the sampling frequency is once per day (e.g., a daily total of visits) and the new data value corresponds to the first Monday of the month, the detection framework may select a weekly model that corresponds to the Monday of each week (i.e., the Monday model) and a monthly model that corresponds to the first Monday of each month (i.e., the first monthly Monday model).” [0064]: “the model manager 304 may select the daily model, a weekly model that corresponds to the Sunday of each week, a monthly model that corresponds to the 25th day of each month, another monthly model that corresponds to the last Sunday of each month, and a special model.” Note that the concept of different periodicities refers to different corresponding time intervals. For example, a daily model has a daily interval, whereas a weekly model has a weekly interval.] Therefore, Chanda teaches the limitation of the models being “machine learning” models that is not specifically taught in Chari.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teachings of Chari with the teachings of Chanda by modifying a plurality of the models in Chari to be time-based models as taught in Chanda, and to perform operations of “creating, from the plurality of event data, a plurality of time-based datasets, wherein each of the time-based data sets corresponds to one of a plurality of 
Haim, in an analogous art, teaches “wherein one of the security actions is writing a user identifier of the user and the user's security score to a report.” Haim teaches an “interface for security analytics” (title), particularly the user behavior analytics tool of IBM’s QRadar security analytics environment (page 40, bottom-left paragraph). Therefore, Haim is in the same field of endeavor as the claimed invention. 
In particular Haim teaches “wherein one of the security actions is writing a user identifier of the user and the user's security score to a report.” [Page 41, bottom left bullet points: “Insiders with highest risk score - List of monitored insiders which appear to have the riskiest behavior among the others, and their overall accumulated score is the highest (Fig. 3).” For applicant’s convenience, FIG. 3 of this reference is reproduced below. The color version of this document can be downloaded from the URL shown in the attached form PTO-892.

FIG. 3 of Haim
As shown, Haim teaches writing a user identifier (e.g., “ujpc”) and the security score (e.g., “417”) to a report (the interface shown in the figure).]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teachings of Chari and Chanda with the teachings of Haim by implementing the feature that “one of the security actions is writing a user identifier of the user and the user's security score to a report.” The motivation would have been to implement an interface to support the task of analysis that offers micro views of individual insider, its assets, actions and risk evaluation (Haim, page 41, upper left: “we highlight the main interfaces of the UBA tool which were designed support the above-mentioned tasks of the analyst. The tool, as shown below, offers visual components ranging from…to micro views of  individual insider, its assets, actions and risk evaluation”). 

As to claim 23, the combination of Chari, Chanda, and Haim teaches the method of claim 22 further comprising:
calculating a plurality of security scores, wherein each of the plurality of security scores corresponds to one of a plurality of users; [Chari, [0027]: “Storage 108 may store, for example, names and identification numbers of a plurality of users, profiles corresponding to the plurality of users.” Chari, [0069]: “Aggregated risk score k 336 represents the level of risk associated with a particular user accessing a set of one or more protected assets of an enterprise.”] and
identifying one or more of the plurality of users with risky behavior based on the users' corresponding security scores. [Haim, FIG. 3 and related disclosures, as discussed above in the rejection of claim 22]. 

As to claims 24-25, these claims are directed to a system for performing operations that are the same or substantially the same as those recited in claims 22-23. Therefore, the rejections made to claims 22-23 are applied to claims 24-25, respectively.
Furthermore, Chari teaches an information handling system comprising: one or more processors; a memory coupled to at least one of the processors; and a set of computer program instructions stored in the memory and executed by at least one of the processors in order to perform actions [[0013]: “The present invention may be a system, a method, and/or a computer program product. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention.” [0031]: “data processing system 200 includes…processor unit 204, memory 206”. See also [0014]-[0019].]

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following documents depict the state of the art.
Varghese et al., US20060282660A1, teaches fraud monitoring using rule-based rules.
Bird et al., US9607144B1, teaches determining user risk levels in security information and event management.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to YAO DAVID HUANG whose telephone number is (571)270-1764. The examiner can normally be reached Monday - Friday 8:30 am - 5:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Miranda Huang can be reached on (571) 270-7092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/Y.D.H./ Examiner, Art Unit 2124

/MIRANDA M HUANG/ Supervisory Patent Examiner, Art Unit 2124