DETAILED ACTION
This office action is in response to the correspondence filed on 01/02/2020. Claims 1-20 are pending and are examined.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Objections
Claims 9 and 12 are objected to because of the following informalities:
Claim 9, “generating, using the first event data, a data model that is configured to predict how the user will interact with the computing system at in the future” should likely read “generating, using the first event data, a data model that is configured to predict how the user will interact with the computing system [[at]] in the future”, 
Claim 12, the term “SNR” (assumed to mean “signal-to-noise ratio”) should be explicitly defined in claim 11, on which claim 12 depends, before the acronym is used.
Appropriate correction is required.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:


Claims 10-11 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.
Regarding claim 10, it is unclear whether the term “an interaction” in the limitation refers to one of the second interactions previously recited in independent claim 1 or to a different interaction.
Examiner notes that for the purpose of examination, one of the second interactions is assumed.
Regarding claim 11, it is unclear whether “allocating the first event data to between a first signal-to-noise ratio category and a second signal-to-noise ratio category” means that the allocation is to be between the first category and the second category, OR to either the first category or the second category. Examiner was not able to obtain a clearer understanding from the specification.
Examiner notes that for the purpose of examination, allocating the first event data to be between a first signal-to-noise ratio category and a second signal-to-noise ratio category is assumed.
Appropriate correction is required.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 6-8, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Kaidi (US Pub No. 2021/0126926 A1, referred to as Kaidi), in view of McGrew et al. (US Pub No. 2016/0234234 A1, referred to as McGrew).
Regarding claim 1, Kaidi discloses,
1. A system for detecting anomalous user interactions with a computing resource, the system comprising:
a processor; (Kaidi: [0060])
a memory communicatively coupled to the processor and configured with instructions, which cause the processor to perform operations comprising: (Kaidi: [0060])
…the interactions comprising causing the computing resource to execute an operation to access data objects hosted by a storage resource that is coupled to the computing resource; (Kaidi: Fig. 1; [0025]; while the user 103 views or interacts with the resource 105 (storage resource), scanner module 108 may monitor communications between the user device 102 and the server computer system 104 (computing resource) for items of sensitive data (data objects).)
obtaining first event data from the computing resource, the first event data comprising information that is indicative of first interactions of the user with the computing resource prior to… (an action); (Kaidi: [0021]; scanner module 108 may monitor network traffic and perform one or more scans to detect leaks of sensitive data by the user 103 or the user device 102. Scanner module 108 may perform one or more data loss prevention operations prior to, or independent of, the detection of a triggering event. [0023]; performing an initial scan may include determining initial contents of the resource, for purposes of making a later comparison to see if the user uploaded sensitive data via the resource. The initial scan can also include parsing at least a portion of the resource 105 to determine whether resource 105 includes any data from the sensitive data repository 114 (e.g. if sensitive data is already present on the page). [0025]; subsequent scan may be performed in response to an action (initial scan to determine and obtain first event data of potential sensitive data access before a subsequent scan triggered by an action).)
obtaining second event data from the computing resource, the second event data comprising information that is indicative of second interactions of the user with the computing resource after … (an action); (Kaidi: [0023]; subsequent scan may be performed in response to an action (subsequent scan to determine and obtain second event data of potential sensitive data access after being triggered by an action).)
determining, based on the first event data and the second event data, whether a deviation between the first interactions and the second interactions satisfies an indicated criteria; and (Kaidi: [0027], [0015]; based on the initial (first) and subsequent scans (second), the disclosed techniques may determine whether any data loss prevention rules (indicated criteria) of the organization were violated.)
generating a security alert based on the determination. (Kaidi: [0027], [0015]; based on the initial and subsequent scans, the disclosed techniques may determine whether any data loss prevention rules of the organization were violated and, if so, initiate an appropriate corrective action. [0028]; the corrective actions may include notifying one or more parties associated with the user 103 (e.g., the user 103's manager or team leader, an incident response team in the organization 120, etc.).)
Kaidi does not explicitly disclose, however McGrew teaches,
…receiving a request to monitor interactions of a user with the computing resource, (an action) (McGrew: [0016], [0041]; a request to monitor traffic between a user and an endpoint (a computing resource) with specified priority (a request can be used to trigger monitoring).)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of McGrew into the teachings of Kaidi with a motivation to make the best use of limited monitoring resources on the network by using requests with a numeric priority for detection of important events (McGrew: [0016]).


Regarding claim 6, the combination of Kaidi and McGrew discloses, 
6. The system of claim 1, 
Kaidi further discloses,
wherein the computing resource comprises at least one of an endpoint device, a hosted computing environment, a computing server, or a cloud-based computing environment. (Kaidi: Fig. 1; [0021]; server computer system 104)


Regarding claim 7, the combination of Kaidi and McGrew discloses, 
7. The system of claim 1, 
Kaidi further discloses,
wherein the storage resource comprises at least one of a hard disk drive, a removable storage device, a network-based storage system, or a cloud-based storage drive. (Kaidi: Fig. 1; [0020]; access resource 105 can be a text storage site (network-based storage system).)


Regarding claim 8, the combination of Kaidi and McGrew discloses, 
8. The system of claim 1, 
Kaidi further discloses,
the interactions of the user with the computing resource comprises at least one of:
a user executed operation to read a data object, (Kaidi: [0025]; the user 103 views or interacts with the resource 105 (read data objects on the resource), scanner module 108 may monitor 
a user executed operation to transmit a data object to a remote computing system, or (Kaidi: [0025]; monitoring scan may be performed on the network layer, scanning any requests, responses, and payloads that may include sensitive data (transmitting a data object by the payload).)
a user executed operation to copy a data object to a removeable storage device. 


Regarding claim 19, Kaidi discloses,
19. A non-transitory machine-readable medium comprising instructions, which when executed by a machine, causes the machine to perform operations comprising: (Kaidi: [0062])
…the data access operations comprising causing the endpoint device to execute an operation to access data objects hosted by a storage resource that is coupled to the endpoint device; (Kaidi: Fig. 1; [0025]; while the user 103 views or interacts with the resource 105 (data access to data objects hosted by storage resource), scanner module 108 may monitor communications between the user device 102 and the server computer system 104 (endpoint device) for items of sensitive data.)
obtaining first event data from the endpoint device, the first event data comprising information that is indicative of first data access operations executed by the user of the endpoint device prior to… (an action); (Kaidi: [0021]; scanner module 108 may monitor network traffic and perform one or more scans to detect leaks of sensitive data by the user 103 or the user device 102. Scanner module 108 may perform one or more data loss prevention operations prior to, or independent of, the detection of a triggering event. [0023]; performing an initial scan may include determining initial contents of the resource, for purposes of making a later comparison to see if the user uploaded sensitive data via the resource. The initial scan can also include parsing at least a portion of the resource 105 to (initial scan to determine and obtain first event data of potential sensitive data access before a subsequent scan triggered by an action).)
obtaining second event data from the endpoint device, the second event data comprising information that is indicative of second access operations executed by the user of the endpoint device after… (an action); (Kaidi: [0023]; subsequent scan may be performed in response to an action (subsequent scan to determine and obtain second event data of potential sensitive data access after being triggered by an action).)
determining, based on the first event data and the second event data, whether a deviation between the first data access operations and the second data access operations satisfies an indicated criteria; and (Kaidi: [0027], [0015]; based on the initial (first) and subsequent scans (second), the disclosed techniques may determine whether any data loss prevention rules (indicated criteria) of the organization were violated.)
generating a security alert based on the determination. (Kaidi: [0027], [0015]; based on the initial and subsequent scans, the disclosed techniques may determine whether any data loss prevention rules of the organization were violated and, if so, initiate an appropriate corrective action. [0028]; the corrective actions may include notifying one or more parties associated with the user 103 (e.g., the user 103's manager or team leader, an incident response team in the organization 120, etc.).)
Kaidi does not explicitly disclose, however McGrew teaches,
…receiving a request to monitor data access operations executed by a user of an endpoint device, (McGrew: [0016], [0041]; a request to monitor traffic between a user and an endpoint with specified priority (a request can be used to trigger monitoring).)


Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Kaidi, in view of McGrew, further in view of Koottayi et al. (US Pub No. 2018/0288063 A1, referred to as Koottayi).
Regarding claim 5, the combination of Kaidi and McGrew discloses, 
5. The system of claim 1, wherein the instructions further cause the processor to perform operations comprising:
The combination of Kaidi and McGrew does not explicitly disclose, however Koottayi teaches,
receiving, from the computing resource prior to receiving the request, historic event data comprising the first event data; and (Koottayi: [0015]; obtaining, by the access management and threat detection system, a plurality of historical access requests associated with the user over a period of time to generate a plurality of behavior models. [0007]; the selection of behavior model is based on the data associated with the access request (behavior models are generated before a request that needs analyzing, and one of them is selected based on the data associated with the request).)
generating a database comprising the historic event data. (Koottayi: [0015]; generate the plurality of behavior models (database). [0069] Access management and threat detection system 105 may comprise one or more computers and/or servers including database servers.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Koottayi into the combination of Kaidi and McGrew with a motivation to manage access to a target resource based on a threat perception of a user that is .


Claims 9-10, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kaidi, in view of McGrew, further in view of Wolff et al. (US Pub No. 2020/0259852 A1, referred to as Wolff).
Regarding claim 9, the combination of Kaidi and McGrew discloses, 
9. The system of claim 1, 
Kaidi further discloses,
wherein to determine whether the deviation between the first interactions and the second interactions satisfies an indicated criteria, the instructions cause the processor to perform operations comprising: (Kaidi: [0027], [0015]; based on the initial (first) and subsequent scans (second), the disclosed techniques may determine whether any data loss prevention rules (indicated criteria) of the organization were violated.)
The combination of Kaidi and McGrew does not explicitly disclose, however Wolff teaches,
generating, using the first event data, a data model that is configured to predict how the user will interact with the computing system at in the future; and (Wolff: [0005]; generating, based on the activity data and the state data (first event data), one or more predictive models configured to detect deviations from normal user behavior across the application platforms.)
evaluating a prediction of the data model against the second event data. (Wolff: [0005]; providing, as input to the one or more predictive models, the activity data and the state data for at least one of the users (second event data); receiving, as output from the one or more predictive models, an indication that an activity of the at least one of the users deviates from the normal user behavior (use a data model to evaluate).)



Regarding claim 10, the combination of Kaidi and McGrew discloses, 
10. The system of claim 1, 
Kaidi further discloses,
wherein to generate the security alert, the instructions cause the processor to perform operations comprising: (Kaidi: [0027], [0015]; based on the initial and subsequent scans, the disclosed techniques may determine whether any data loss prevention rules of the organization were violated and, if so, initiate an appropriate corrective action. [0028]; the corrective actions may include notifying one or more parties associated with the user 103 (e.g., the user 103's manager or team leader, an incident response team in the organization 120, etc.).)
The combination of Kaidi and McGrew does not explicitly disclose, however Wolff teaches,
causing presentation, on an interface of a second computing resource, a report comprising at least one of an indicator of an interaction that is associated with the second event data that caused the deviation, an indicator of a metric used to determine the deviation, or metadata associated with the interaction. (Wolff: [0040], 2nd column; a security expert/employee management component 238 can provide an interface to both the security expert and the end user that can be used to provide additional information and responses to rules, models, and actions taken by the system 200 (metadata about the interaction or other information regarding security risks can be displayed).)



Regarding claim 20, the combination of Kaidi and McGrew discloses, 
20. The non-transitory machine-readable medium of claim 19, the operations further comprising:
Kaidi further discloses,
…wherein the security alert comprises event data that is associated with the identified data access operation. (Kaidi: [0028]; the corrective actions may include notifying one or more parties associated with the user 103 (e.g., the user 103's manager or team leader, an incident response team in the organization 120, etc.) (the notification would include information about the identified data access).)
The combination of Kaidi and McGrew does not explicitly disclose, however Wolff teaches,
…generating, using the first event data, a data model that is configured to predict data access operations the user will likely execute using the endpoint device in the future; and (Wolff: [0005]; generating, based on the activity data and the state data (first event data), one or more predictive models configured to detect deviations from normal user behavior across the application platforms.)
evaluating a prediction of the data model against the second event data to identify a data access operation executed by the user using the endpoint device that deviates from the prediction;  (Wolff: [0005]; providing, as input to the one or more predictive models, the activity data and the state data for at least one of the users (second event data); receiving, as output from the one or more (use a data model to evaluate).)
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Wolff into the combination of Kaidi and McGrew with a motivation to provide contextual threat detection for entities by using predictive modeling based in part on data retrieved to and from, as well as activity on, various application platforms, including extracting user and event data from transaction logs, databases, and/or exposed web services (Wolff: [0004]).


Claims 14-16, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Kaidi in view of Wolff.
Regarding claim 14, Kaidi discloses,
14. A method for detecting anomalous user interactions with a hosted computing environment, the method comprising:
identifying a triggering event that initiates an investigation of a user of a hosted computing environment; (Kaidi: [0021]; the term "triggering event" refers to an occurrence that, in response to its detection, scanner module 108 performs one or more data loss prevention operations (investigation). One non-limiting example of a triggering event includes the user device 102 accessing a resource that is included in the restricted resource list 112.)
obtaining first event data that are indicative of first data access operations executed by the hosted computing environment on the behalf of the user prior to the triggering event; (Kaidi: [0021]; scanner module 108 may monitor network traffic and perform one or more scans to detect leaks of sensitive data by the user 103 or the user device 102. Scanner module 108 may perform one or more data loss prevention operations prior to, or independent of, the detection of a triggering event. [0023]; (initial scan to determine and obtain first event data of potential sensitive data access before a subsequent scan triggered by an action).)
obtaining second event data that are indicative of second data access operations executed by the hosted computing environment on the behalf of the user after the triggering event; (Kaidi: [0023]; subsequent scan may be performed in response to an action (subsequent scan to determine and obtain second event data of potential sensitive data access after being triggered by an action).)
…identifying… a change in a pattern of data access operations executed by the hosted computing environment on the behalf of the user; and (Kaidi: [0027], [0015]; based on the initial (first) and subsequent scans (second), the disclosed techniques may determine whether any data loss prevention rules of the organization were violated.)
generating a security alert based on the change the pattern of data access operations. (Kaidi: [0027], [0015]; based on the initial and subsequent scans, the disclosed techniques may determine whether any data loss prevention rules of the organization were violated and, if so, initiate an appropriate corrective action. [0028]; the corrective actions may include notifying one or more parties associated with the user 103 (e.g., the user 103's manager or team leader, an incident response team in the organization 120, etc.).)
Kaidi does not explicitly disclose, however Wolff teaches,
…generating a security risk model based on the first event data, the security risk model configured to predict how the user will access data using the hosted computing environment after the triggering event; (Wolff: [0005]; generating, based on the activity data and the state data (first event data), one or more predictive models configured to detect deviations from normal user behavior across the application platforms (the models are used to analyze subsequent events.).)
identifying, based on the security risk model and the second event data, a change in a pattern of data access operations… (Wolff: [0005]; providing, as input to the one or more predictive models, the activity data and the state data for at least one of the users (second event data); receiving, as output from the one or more predictive models, an indication that an activity of the at least one of the users deviates (change) from the normal user behavior (use a security risk model to identify).)
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Wolff into the teachings of Kaidi with a motivation to provide contextual threat detection for entities by using predictive modeling based in part on data retrieved to and from, as well as activity on, various application platforms, including extracting user and event data from transaction logs, databases, and/or exposed web services (Wolff: [0004]).
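The procedure recited in claims 1, 14 and 19 (obtain first event data before a triggering event, obtain second event data after it, build a model from the first, measure the deviation of the second against that model, and alert when a criterion is met) can be illustrated with the following Python sketch. This is an added example written for this page; it is not code from the applicant, from Kaidi, or from Wolff. The event log, the trigger timestamp, the choice of a per-operation frequency distribution as the "data model", total variation distance as the deviation metric, and the 0.5 threshold are all constructed assumptions.

```python
"""Pre/post-trigger deviation detection over a constructed event log.

Added illustration only; not the applicant's or any cited reference's code.
The event records, trigger time, model, metric and threshold are assumptions.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int          # seconds; the constructed log is in ascending order
    user: str
    operation: str   # "read", "transmit", "copy_removable" (claim 8/18 categories)
    obj: str


# Constructed sample log. alice performs ordinary reads, then at ts=100 accesses a
# (hypothetical) restricted resource, which serves as the triggering event; her
# post-trigger operations shift to transmits and a copy to removable storage.
# bob keeps reading before and after and should not raise an alert.
TRIGGER_TS = 100
SAMPLE_EVENTS = [
    Event(10, "alice", "read", "/share/report-q1.xlsx"),
    Event(15, "bob", "read", "/share/roadmap.docx"),
    Event(20, "alice", "read", "/share/report-q2.xlsx"),
    Event(25, "bob", "read", "/share/budget.xlsx"),
    Event(30, "alice", "read", "/share/notes.txt"),
    Event(40, "alice", "read", "/share/report-q3.xlsx"),
    Event(50, "alice", "read", "/share/minutes.docx"),
    Event(100, "alice", "read", "/restricted/export-tool"),   # triggering access
    Event(110, "alice", "read", "/share/customer-list.csv"),
    Event(115, "bob", "read", "/share/roadmap.docx"),
    Event(120, "alice", "transmit", "/share/customer-list.csv"),
    Event(130, "alice", "copy_removable", "/share/report-q3.xlsx"),
    Event(140, "alice", "transmit", "/share/report-q2.xlsx"),
]


def split_by_trigger(events, user, trigger_ts):
    """First event data = the user's operations before the trigger; second = at/after it."""
    first = [e for e in events if e.user == user and e.ts < trigger_ts]
    second = [e for e in events if e.user == user and e.ts >= trigger_ts]
    return first, second


def build_model(first):
    """Data model: the pre-trigger operation-mix, used as the prediction of how the
    user is expected to keep interacting with the resource."""
    counts = Counter(e.operation for e in first)
    total = sum(counts.values())
    return {op: n / total for op, n in counts.items()}


def deviation(model, second):
    """Total variation distance between predicted and observed operation mix, in [0, 1]."""
    observed = Counter(e.operation for e in second)
    total = sum(observed.values())
    obs = {op: n / total for op, n in observed.items()}
    ops = set(model) | set(obs)
    return 0.5 * sum(abs(model.get(op, 0.0) - obs.get(op, 0.0)) for op in ops)


def anomalous_operations(model, second):
    """Second-event-data operations the model never predicted for this user."""
    return [e for e in second if e.operation not in model]


def detect(events, user, trigger_ts, threshold=0.5):
    """Return a security alert dict when the deviation satisfies the criterion, else None.
    The alert carries the metric used and the event data of the deviating operations
    (the report contents of claims 10 and 20)."""
    first, second = split_by_trigger(events, user, trigger_ts)
    if not first or not second:
        return None   # no baseline, or nothing after the trigger to compare
    model = build_model(first)
    score = deviation(model, second)
    if score < threshold:
        return None
    return {
        "user": user,
        "trigger_ts": trigger_ts,
        "metric": "total_variation_distance",
        "deviation": round(score, 3),
        "events": [(e.ts, e.operation, e.obj) for e in anomalous_operations(model, second)],
    }


if __name__ == "__main__":
    for u in ("alice", "bob"):
        print(u, detect(SAMPLE_EVENTS, u, TRIGGER_TS))
```

For alice the pre-trigger model is 100% reads, while the five post-trigger operations are two reads, two transmits and one copy, giving a deviation of 0.6 and an alert listing the three unpredicted operations; bob's mix is unchanged, so no alert is generated. A production detector would replace the frequency model with the per-user predictive models the claims describe and would tune the threshold against historic data.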


Regarding claim 15, the combination of Kaidi and Wolff discloses, 
15. The method of claim 14, further comprising:
Kaidi further discloses,
identifying, based on the first event data, an anomalous data access operation executed by the hosted computing system on the behalf of the user, (Kaidi: [0021]; when user device 102 sends a request to access resource 105 hosted by server computer system 104, scanner module 108 may monitor network traffic and perform one or more scans to detect leaks of sensitive data (anomalous data access) by the user 103 or the user device 102.) the anomalous data access operation executed prior to the triggering event; and (Kaidi: [0021]; scanner module 108 may perform one or more data loss prevention operations prior to, or independent of, the detection of a triggering event.)
generating the security alert based on the anomalous operations. (Kaidi: [0027], [0015]; based on the initial and subsequent scans, the disclosed techniques may determine whether any data loss prevention rules of the organization were violated and, if so, initiate an appropriate corrective action. [0028]; the corrective actions may include notifying one or more parties associated with the user 103 (e.g., the user 103's manager or team leader, an incident response team in the organization 120, etc.).)


Regarding claim 16, the combination of Kaidi and Wolff discloses, 
16. The method of claim 14, further comprising:
Kaidi further discloses,
identifying an anomalous data access operation in the second data access operations based on the change in the pattern of data access operations; (Kaidi: [0027], [0015]; based on the initial and subsequent scans, scanner module 108 may determine what changes, if any, have been made to the resource 105 during the connection with the user device 102. The disclosed techniques may determine whether any data loss prevention rules of the organization were violated (anomalous data access operation).)
wherein the security alert comprises event data associated with the anomalous data access operation. (Kaidi: [0028]; the corrective actions may include notifying one or more parties associated with the user 103 (e.g., the user 103's manager or team leader, an incident response team in the organization 120, etc.) (the notification would include information about the anomalous data access).)


Regarding claim 18, the combination of Kaidi and Wolff discloses, 
18. The method of claim 14, wherein the first data access operations or the second data access operations comprise:
Kaidi further discloses,
a user executed operation to read a data object, (Kaidi: [0025]; the user 103 views or interacts with the resource 105 (read data objects on the resource), scanner module 108 may monitor communications between the user device 102 and the server computer system 104 for items of sensitive data.)
a user executed operation to transmit a data object to a remote computing system, or (Kaidi: [0025]; monitoring scan may be performed on the network layer, scanning any requests, responses, and payloads that may include sensitive data (transmitting a data object by the payload).)
a user executed operation to copy a data object to a removeable storage device.


Allowable Subject Matter
Claims 2-4, 12-13, and 17 are objected to as being dependent upon rejected base claims, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claim.
Claim 11 contains allowable subject matter but remains rejected under the 35 U.S.C. 112(b) rejection above. It is also objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims, and if the stated rejection is resolved.

The following is an examiner’s statement of reasons for allowance: 
Although the prior art references Kaidi, McGrew, Koottayi and Wolff disclose all the limitations of the rejected claims (see rejections above), none of the prior art of record, alone or in combination, discloses adjusting, based on the change in the security risk of the user, a metric used to determine whether the deviation between the first interactions and the second interactions satisfies an indicated criteria; and allocating the first event data to be between a first signal-to-noise ratio category and a second signal-to-noise ratio category based on a likelihood that the first event data is indicative of interactions that pose a security risk, as described in the claims.
At the effective filing date of the application, the above limitations would not have been obvious over the prior art of record.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The listed references disclose relevant inventions of monitoring and preventing data breaches.
Castinado; Joseph Benjamin et al.  US-PGPUB  US 20180254895 A1
PALUMBO; Paolo et al.  US-PGPUB  US 20190182272 A1
FORD  US-PGPUB  US 20180332063 A1

Any inquiry concerning this communication or earlier communications from the examiner should be directed to KA SHAN CHOY whose telephone number is (571) 272-1569. The examiner can normally be reached on MON - FRI: 9AM-5:30PM EST, alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KA SHAN CHOY/Examiner, Art Unit 2435