DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

The applicant amended claims 1, 3-5, 8-12, 14 and 16-18 in the amendment received on 2/15/2022.

The claims 1-20 are pending.

Response to Arguments
Applicant’s arguments with respect to claims 1-20 have been considered but are moot in view of the new grounds of rejection.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having 

Claims 1-6, 8-12 and 14-19 are rejected under 35 U.S.C. 103 as being unpatentable over Biswas et al. (U.S. Publication No. 2020/0128047 A1) in view of Kraus et al. (U.S. Publication No. 2020/0285737 A1).
With respect to claim 1, Biswas discloses a method for detecting and preventing web service usage anomalies, comprising: forecasting, based on a model, a number of resource instances for one or more web services for a time period (i.e., In some examples, the storage 122 can include security information 126 (“security info”) that includes security analysis performed by the security monitoring and control system 102. In some examples, the security information 126 can include separate entries for different customers of the security monitoring and control system 102. In some examples, the security information 126 includes historic data: the results of past analysis (e.g., from the last month, last three months, last year, or some other past time period) which can be consulted when needed [a number of resource instances for one or more web services for a time period], ¶ 64.  In some examples, collection of activity data is scheduled to occur periodically (e.g., every four hours, every six hours, or at some other time interval) [a number of resource instances for one or more web services for a time period], ¶ 107.  The analytics performed by the prediction analytics application 212 can include identifying and predicting security threats from patterns of activity and behavioral models [a method for detecting and preventing web service usage anomalies, comprising: forecasting, based on a model]. Analytics performed by the descriptive analytics application 207 and the prediction analytics application 212 can be performed using data stored in the analytics and threat intelligence repository 211, ¶ 117). 
Biswas also discloses receiving, after the time period has elapsed, a detected number of resource instances for the one or more web services for the time period (i.e., In various examples, the analytics engine 300 receives updated activity data 310 once per day, every other day, or periodically over another time interval. In some examples, the analytics engine 300 receives activity data 310 when certain events occur, such as a service indicating that an event has occurred (e.g., the service has been updated or the service has detected a network threat or another event originating at the service), the organization indicating that an event has occurred (e.g., the organization having added users to the service or a network administrator requesting an updated analysis or another event originating at the organization), or the security management and control system indicating that an event has occurred (e.g., receipt of new threat intelligence data 314 or another event originating at the security management and control system), ¶ 129.  In various examples, activity profiles can cover different time periods. In some examples, activity profiles can use a fixed moving window covering a time period measured in weeks. In some examples, an “emerging profile” can be generated, which captures events that are relatively recent, such as within the last week or within a week prior to a target date, ¶ 134.  Statistics such as those illustrated above can be combined into a feature vector. Feature vectors can include, for example, a count of a number of logins, a count of a number of distinct IP addresses used for logging in, a maximum distance between any two IP addresses used to log in within a 24-hour time period, a count of a number of distinct browsers used in connections to the cloud application within a 24 hour time period, and/or other measures. 
Feature vectors may be aggregated per cloud application and/or per user per cloud application [receiving, after the time period has elapsed, a detected number of resource instances for the one or more web services for the time period], ¶ 137). 
Biswas further discloses comparing the detected number of resource instances to the forecasted number of resource instances (i.e., In various examples, the analytics engine 300 can detect the threat scenarios discussed above, as well as other threat scenarios, by examining various external and internal data sources. External data sources can provide activity data 310 obtained from cloud service providers. In some examples, external data can optionally include tenant base lines 317 and third-party data 318. In some examples internal data sources can include data models determined by a behavioral analytics engine 304 and can optionally include threat intelligence data 314 maintained by the security management and control system, ¶ 127.  Thus, the forecasted number of resource instances can be the predicted normal established by the external tenant base lines.  ¶ 130 goes on to describe that normalizing the activity data 310 includes reformatting the activity data 310 such that data from different services and/or service providers is comparable, has the same meaning, and/or bears the same significance and relevance [comparing the detected number of resource instances to the forecasted number of resource instances]. After normalization, the behavioral analytics engine 304 can aggregate and compare data from different cloud services in meaningful ways. For example, a series of failed login attempts by one user with one cloud service may be deemed not to be a threat. However, a series of failed logins by the same user but at multiple different cloud services indicate a concerted effort to crack the user's password and should thus set off an alarm, ¶ 130.  ¶ 202 further describes that, as another example, the graphs can be used to determine historical patterns or impressions. As another example, a graph pattern may show anomalies compared to historical patterns [forecasted number of resource instances]. 
While the policy checking is based on a finite set of rules and variates, user behavior anomaly checking can be computed based on probabilistic modeling of the same rules and historical patterns that can be used to determine a deviation from the norm [comparing the detected number of resource instances to the forecasted number of resource instances], ¶ 202). 
Biswas also discloses determining, based on the comparing, a usage anomaly (i.e., In various examples, activity profiles determined by the behavioral analytics engine 304 can be used by the threat detection engine 302 to identify usage of a cloud service that may pose a threat to an organization that is using the cloud service, ¶ 140.  As another example, the graphs can be used to determine historical patterns or impressions. For example, a graph pattern may show a similarity with known security problems. As another example, a graph pattern may show anomalies compared to historical patterns. While the policy checking is based on a finite set of rules and variates, user behavior anomaly checking can be computed based on probabilistic modeling of the same rules and historical patterns that can be used to determine a deviation from the norm [determining, based on the comparing, a usage anomaly], ¶ 202). 
Biswas discloses outputting an indication of the usage anomaly and the threat of the usage anomaly (i.e., Threat models can be developed to detect threats that are known or unknown or emerging. Threats can also be identified by comparing activity data with external threat intelligence information, such as information provided by third-party providers, as discussed further below. In various examples, data in the analytics and threat intelligence repository 211 can further be used to generate reports that may be presented visually to a system administrator via a user interface and to generate analytics for determining threat levels, detecting specific threats, and predicting potential threats, among other things [outputting an indication of the usage anomaly and the threat of the usage anomaly], ¶ 114.  In various examples, activity profiles determined by the behavioral analytics engine 304 can be used by the threat detection engine 302 to identify usage of a cloud service that may pose a threat to an organization that is using the cloud service [outputting an indication of the usage anomaly and the threat of the usage anomaly]. In some examples, the threat detection engine 302 applies security policies to identify a threat. A security policy can describe an event that, when the event occurs, the event is brought to the attention of the organization and/or the security management and control system. For example, security policies can specify actions, such as downloading a file containing credit card numbers, copying encryption keys, elevating privileges of a normal user, and so on, that need to be brought to the attention of the organization [outputting an indication]. In some examples, a security policy can also describe an action that is to be taken when an event is detected, such as blocking access to a service, or disabling a user account, ¶ 140). 
Biswas may not explicitly disclose determining whether the usage anomaly is a false positive based on whether a specified event occurred during the time period.
However, Kraus discloses determining whether the usage anomaly is a false positive based on whether a specified event occurred during the time period (i.e., 204 event in a computing system, e.g., an attempt to access a resource; unless clearly indicated otherwise by context or definition, includes both failed attempts and successful attempts; may be, e.g., in the form of a packet, a procedure call, a method invocation, an interrupt, a signal, or another form; may be documented in an event list 216, ¶ 114.  418 history restrictor, e.g., Boolean condition specifying a set of one or more IP addresses of interest, a time period of interest [determining whether the usage anomaly is a false positive based on whether a specified event occurred during the time period], or other criteria for restricting an anomalousness context to a proper subset of a full available history [0134] 420 coarse detector, e.g., an intrusion detection system whose false positive rate or count is greater than the false positive rate of the sequence anomaly detector and therefore benefits to accuracy or efficiency or both may be achieved by using the sequence anomaly detector to exclude as false some of the event sequences flagged as positive by the coarse detector [determining whether the usage anomaly is a false positive based on whether a specified event occurred], ¶ 133-134.  
516 maximum time between chronologically ordered events which is allowed by code in an extracted sequence that approximates a user session; may refer to chronological gap between any two consecutive events of a sequence, or to the chronological gap between earliest and latest event in sequence; may be measured in wall clock time, system time, processor cycles, system ticks, or another unit that measures passage of time [based on whether a specified event occurred during the time period] [0150] 518 machine learning model hyperparameter, i.e., parameter whose values often impact the efficiency, correctness, speed, or other performance characteristic(s) of the machine learning model, and which can be imposed independently of the model's content and status as opposed to learned parameters which can be derived automatically from datasets used in training/testing/tuning the model, ¶ 149-150.  1214 detect a precursor condition, e.g., a coarse detector may use signatures or simple statistics or rules to detect a condition which leads to a possible false positive which is then tested by a sequence anomaly detector [determining whether the usage anomaly is a false positive based on whether a specified event occurred], ¶ 209.  218 get a restriction condition, e.g., via a user interface [0212] 1220 apply a restriction condition to a history [based on whether a specified event occurred during the time period] [0213] 1222 delimit a candidate event sequence, e.g., by extracting only sequences that meet conditions such as a max number of events 514 or max time between events 516 [based on whether a specified event occurred during the time period], ¶ 211) in order to perform or provide anomalous sequence detection (¶ 5).
Kraus also discloses determining an impact of the usage anomaly (i.e., Intuitively, one may assume that a malicious attack is characterized by abnormal activity. With suitable insight, this assumption may lead to a specific goal of identifying anomalous sequences in logged events, or event streams, or in other event lists [determining an impact of the usage anomaly], ¶ 26.  In addition, this algorithm predicts sequence anomaly compared to a dynamically defined subset of the modelled sequences. This fine-grained capability provides a fine-grained anomaly prediction, which is highly useful for investigation purposes. For example, one may explore a sequence's anomalousness relative to sequences that used some given IP address, or that occurred in a specified time interval. Defining different history subsets dynamically while using only a single trained model of the history relieves the detection system from pre-training and constructing multiple models upfront, which in turn helps make approaches taught here highly scalable, and also saves model computation and storage costs, ¶ 31.  420 coarse detector, e.g., an intrusion detection system whose false positive rate or count is greater than the false positive rate of the sequence anomaly detector and therefore benefits to accuracy or efficiency or both may be achieved by using the sequence anomaly detector to exclude as false some of the event sequences flagged as positive by the coarse detector, ¶ 134.  The coarseness of the false positive is an impact indicator for usage anomalies).
Therefore, based on Biswas in view of Kraus, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to apply the teaching of Kraus to the system of Biswas in order to perform or provide anomalous sequence detection.
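For the reader following the mapping above, the following is an added illustration of the claimed flow (forecast, compare, anomaly determination, false-positive check against the events of the time period, impact, alert). It is the editor's own example, not code from Biswas, Kraus, or the present application; the seasonal-naive forecaster, the k-sigma band with a relative floor, the list of event kinds treated as explaining a spike, the severity thresholds, the link paths and the two weeks of instance counts are all assumptions made for the example. The same function also covers the claim 8 variant, a usage value forecast from a plurality of sequential usage values and an alert sent to a recipient list.

```python
"""Editor's example of the claimed usage-anomaly method.

Not code from Biswas, Kraus, or the application under examination. The
model, thresholds, event policy, link paths and sample data are assumptions.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Optional, Sequence


@dataclass(frozen=True)
class Forecast:
    expected: float
    lower: float
    upper: float


@dataclass(frozen=True)
class Event:
    period: int  # index of the time period in which the event occurred
    kind: str    # e.g. "load_test", "launch", "failover_drill"


# Assumed policy: an anomaly that coincides with one of these event kinds is
# treated as a false positive (the "specified event" of the claim).
EXPECTED_USAGE_EVENTS = frozenset({"load_test", "launch", "failover_drill"})


def forecast_usage(history: Sequence[float], season: int = 7, k: float = 3.0,
                   rel_floor: float = 0.2) -> Forecast:
    """Seasonal-naive forecast with drift for the period after `history`.

    expected = value one season ago + mean seasonal residual.
    tolerance = max(k * stdev(residuals), rel_floor * expected), so that a
    very regular history does not produce an unusably narrow band.
    """
    if len(history) < 2 * season:
        raise ValueError("need at least two seasons of history")
    residuals = [history[i] - history[i - season] for i in range(season, len(history))]
    expected = history[-season] + mean(residuals)
    tol = max(k * pstdev(residuals), rel_floor * expected)
    return Forecast(expected, expected - tol, expected + tol)


def is_anomaly(detected: float, fc: Forecast) -> bool:
    """The detected count is anomalous when it falls outside the forecast band."""
    return not (fc.lower <= detected <= fc.upper)


def false_positive_reason(period: int, events: Iterable[Event]) -> Optional[str]:
    """Return the kind of an expected-usage event in `period`, else None."""
    for ev in events:
        if ev.period == period and ev.kind in EXPECTED_USAGE_EVENTS:
            return ev.kind
    return None


def impact(detected: float, fc: Forecast) -> Dict[str, object]:
    """Impact = how far the detected count exceeds the forecast (assumed scale)."""
    ratio = detected / fc.expected if fc.expected else float("inf")
    excess = max(0.0, detected - fc.upper)
    severity = "high" if ratio >= 2.0 else "medium" if ratio >= 1.25 else "low"
    return {"ratio": round(ratio, 2), "excess_instances": round(excess, 2),
            "severity": severity}


def evaluate_period(history: Sequence[float], detected: float, period: int,
                    events: Iterable[Event], recipients: Sequence[str]) -> Dict[str, object]:
    """Run the full claimed flow for one elapsed time period."""
    fc = forecast_usage(history)
    if not is_anomaly(detected, fc):
        return {"anomaly": False, "forecast": fc}
    reason = false_positive_reason(period, events)
    result: Dict[str, object] = {
        "anomaly": True, "forecast": fc, "detected": detected,
        "false_positive": reason is not None, "reason": reason,
        "impact": impact(detected, fc),
    }
    if reason is None:  # only genuine anomalies reach the recipient list
        result["alert"] = {
            "to": list(recipients),
            "severity": result["impact"]["severity"],  # type: ignore[index]
            "details_link": f"/alerts/{period}",           # assumed path
            "feedback_link": f"/alerts/{period}/feedback", # assumed path
        }
    return result


# Constructed sample data: daily peak instance counts for one web service
# over two weeks (weekly seasonality), a load test scheduled in period 14,
# and an assumed recipient list for the service.
HISTORY: List[float] = [40, 42, 41, 43, 40, 20, 18, 42, 44, 43, 45, 42, 21, 19]
EVENTS = [Event(period=14, kind="load_test")]
RECIPIENTS = ["oncall-web@example.com"]

if __name__ == "__main__":
    print(evaluate_period(HISTORY, 120, 14, EVENTS, RECIPIENTS))  # anomaly, but a load test ran: false positive
    print(evaluate_period(HISTORY, 120, 21, [], RECIPIENTS))      # anomaly with no explaining event: alert
    print(evaluate_period(HISTORY, 44, 14, EVENTS, RECIPIENTS))   # inside the band: no anomaly
```

Run as-is it prints the three cases; the point of the example is the ordering of the steps: the false-positive check is applied after the anomaly determination and only suppresses the alert, the anomaly record and its impact are still returned so that feedback on the suppression remains possible.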

With respect to claim 2, Biswas discloses wherein the indication of the usage anomaly and the impact of the usage anomaly is output as one or more of: user interface output; an email alert; a chat message; or an instant message (i.e., In various examples, alerts 322 can be provided in visualizations 328 that can be viewed using a user interface that is accessible to an organization. Alternatively or additionally, alerts 322 can be provided through other communication channels, such as email, text messages, Short Message Service (SMS) messages, voicemail, or another communication method. In some examples, alerts 322 can be communicated as secure messages (e.g., over a secure communication channel or requiring a key or login credentials to view), ¶ 174.  The incident management system may return a status to the security management and control system (e.g., complete or not complete). In this way, remediation may be delegated to an external system with the results reported back to the security management and control system to “close the loop.” For example, if a password reset is desired for a user account, an action can include sending an alert or message to an organization's internal Information Technology (IT) system managing the user account, ¶ 181). 

With respect to claim 3, Biswas discloses receiving feedback in response to the indication, wherein the feedback indicates that the usage anomaly is a false positive and indicates a reason for the false positive (i.e., Automated anomaly-based threat detection logic also requires regular updates to incorporate feedback from the security experts as well as tenants to eliminate false positives [receiving feedback in response to the indication, wherein the feedback indicates that the usage anomaly is a false positive], ¶ 36.  In some examples, the analytics engine 300 may obtain feedback on the validity and/or accuracy of a risk score. As an example, network administrators of an organization can provide feedback. As another example, administrators of the security management and control system can provide feedback. Alternatively or additionally, in some examples, feedback can be obtained using automated machine learning algorithms, such as decision trees and neural networks. In some examples, the analytics engine 300 can adjust weights, indicators, and/or sources using the feedback, including possibly removing sources or indicators. In these and other examples, the threat detection engine 302 can compute a new risk score with the adjusted indicators and weights, ¶ 165.  After one or more flagged events or activities is characterized as a true or false positive (e.g., by user feedback) [receiving feedback in response to the indication, wherein the feedback indicates that the usage anomaly is a false positive and indicates a reason for the false positive], the information can be provided back to one or more machine learning algorithms to automatically modify parameters of the system. Thus, machine learning algorithms can be utilized in at least the ways discussed above to make recommendations and reduce false alarms (false positives). 
Activity data collected from various parameters over a period of time can be used with machine learning algorithms to generate patterns referred to as user behavior profiles. The activity data can include contextual information such as IP address and geographic location, ¶ 170). 

With respect to claim 4, Biswas discloses further comprising creating, based on the feedback, a rule that defines an exception based on the reason for the false positive (i.e., One reason that the security monitoring and control system may output many false positives is referred to as the “cold boot problem.” Knowledge based system monitoring based on security controls and policies requires a deep understanding of the cloud service and usage pattern of the cloud applications. When the cloud application monitoring begins, the usage pattern is undefined. Thus, the system does not yet have an understanding of usage of the cloud services. Tuning and adjustment of the monitoring system can reduce false positives and ensure that only important alerts that are impactful and actionable are generated, ¶ 31.  Another reason that the security monitoring and control system may output many false positives is due to changes in system and changes in usage patterns. Even when the predefined knowledge-based security control and policies work initially, user activity patterns may change, and additional new scenarios may develop. Lack of security controls and policies that accommodate these changes may cause the system to miss important events or fail to respond to an incident in a timely fashion. Additionally, when some of the events become a standard pattern rather than an exception, associated policies must be updated to ensure that the system triggers only on risky scenarios, ¶ 35.  Automated anomaly-based threat detection logic also requires regular updates to incorporate feedback from the security experts as well as tenants to eliminate false positives [wherein taking the action to improve future anomaly detection based on the feedback comprises creating, based on the feedback], ¶ 36.  Alerts can be constructed based on pre-defined rules that can include specific events and thresholds [a rule that defines an exception], ¶ 168). 

With respect to claim 5, Biswas discloses receiving context information related to the detected number of resource instances (i.e., In some examples, the behavioral analytics engine 304 can include contextual data in the activity profile for a user [receiving context information related to the detected number of resource instances]. Contextual data can be obtained, for example, from third-party data 318, where the source of the third-party data 318 is a reputation system, a social media system, a news aggregator or provider, or another system that can maintain information about a user. Examples of contextual data include, travel location and itinerary from travel applications or email, employee status from healthcare management systems, sensitive financial time period from a Salesforce application, and/or sensitive emails from email servers, among other data. In some examples, contextual data can additionally or alternatively be obtained from client devices used by the user. In these examples the contextual data can include, for example, identification of a type of the client device, IP addresses used by the client device, geolocation data computed by a Global Positioning System (GPS) receiver of the client device, and other information about the client device or that can be obtained from the client device, ¶ 133.  After one or more flagged events or activities is characterized as a true or false positive (e.g., by user feedback), the information can be provided back to one or more machine learning algorithms to automatically modify parameters of the system. Thus, machine learning algorithms can be utilized in at least the ways discussed above to make recommendations and reduce false alarms (false positives) [applying one or more rules to the context information to determine whether the usage anomaly is a false positive]. 
Activity data collected from various parameters over a period of time can be used with machine learning algorithms to generate patterns referred to as user behavior profiles. The activity data can include contextual information such as IP address and geographic location [receiving context information related to the detected number of resource instances], ¶ 170). 
Biswas may not explicitly disclose applying one or more rules to the context information to determine whether the specified event occurred during the time period.
However, Kraus discloses applying one or more rules to the context information to determine whether the specified event occurred during the time period (i.e., Boolean condition specifying a set of one or more IP addresses of interest, a time period of interest, or other criteria for restricting an anomalousness context to a proper subset of a full available history, ¶ 133) in order to perform or provide anomalous sequence detection (¶ 5).


With respect to claim 6, Biswas discloses wherein the model comprises a finite rank deep kernel learning model (i.e., In these and other examples, the learning system 178 can generate models that capture patterns that the learning system 178 has learned, which can be stored in the storage 122 along with other data for an organization, ¶ 84.  Another class of analytics that can be generated is predictive and heuristic analytics. These may incorporate machine learning algorithms to generate threat models, such as, for example, deviations from base line expectations, rare and infrequent events, and behavior analytics to derive suspicious behavior of a user, among others. Algorithms and profiles can be trained to intelligently predict whether an unusual behavior is a security risk. Third-party feeds from providers such as, but not limited to, MaxMind, FireEye, Qualys, Mandiant, AlienVault, and Norse STIX can be integrated to augment the threat intelligence. These third-party feeds can provide external information about and relating to potential security threats such as, for example, IP address reputation, malware, identification of infected node points, vulnerable web browser versions, use of proxy or Virtual Private Network (VPN) server by a user, and known attacks on clouds. In some examples, threat information is expressed in the Structured Threat Information eXpression (STIX) data format. For example, one or more services may contribute information concerning a particular IP address, such as a reputation (e.g., known for having software vulnerabilities, a host of malicious software, or source of attacks) and/or a geographic location associated with the IP address. This information can be combined with retrieved activity data involving the IP address, such as what time logins were attempted from that IP address, and information derived from activity data, such as how far apart the logins attempts were. 
These factors can be used to determine a “login velocity” metric. Metrics can be determined for other activities such as file accesses, sales transactions, or instances of virtual machines, ¶ 169.  Any of these models is considered a form of finite rank deep kernel learning). 

With respect to claim 8, Biswas discloses receiving, by a computing device from a usage tracking service, a plurality of usage values related to a web service (i.e., In some embodiments, provided are systems and methods for analyzing actions performed by users in using a cloud service, and adjusting the configuration of a security management and control system based on the analysis. In various examples, the analysis may include generating a weighted directed graph that reflects a user's use of the cloud service, and/or reflects the tenant's overall use of the cloud service [receiving, by a computing device from a usage tracking service, a plurality of usage values related to a web service], ¶ 37). 
Biswas further discloses wherein each respective usage value of the plurality of usage values is associated with a respective time period of a plurality of sequential time periods (i.e., In some examples, collection of activity data is scheduled to occur periodically (e.g., every four hours, every six hours, or at some other time interval) [associated with a respective time period of a plurality of sequential time periods], ¶ 107). 
Biswas further discloses forecasting, by the computing device, a usage value for a given time period immediately following the plurality of sequential time periods by: providing the plurality of usage values as inputs to a forecasting model (i.e., In some examples, the security information 126 includes historic data: the results of past analysis (e.g., from the last month, last three months, last year, or some other past time period) which can be consulted when needed [a usage value for a given time period immediately following the plurality of sequential time periods], ¶ 64.  In some examples, collection of activity data is scheduled to occur periodically (e.g., every four hours, every six hours, or at some other time interval) [a usage value for a given time period immediately following the plurality of sequential time periods], ¶ 107.  The analytics performed by the prediction analytics application 212 can include identifying and predicting security threats from patterns of activity and behavioral models [forecasting, by the computing device, a usage value by: providing the plurality of usage values as inputs to a forecasting model]. Analytics performed by the descriptive analytics application 207 and the prediction analytics application 212 can be performed using data stored in the analytics and threat intelligence repository 211, ¶ 117.  Detection can further include detecting anomalous characteristics in the spatial data, and predicting a threat from this information, ¶ 121). 
Biswas also discloses receiving the usage value as an output from the forecasting model (i.e., In various implementations, the behavioral analytics engine 304 can use statistical data generated from the activity data 310 to determine activity profiles, which are also referred to herein as behavioral profiles. For example, the behavioral analytics engine 304 can generate an activity profile that describes the common or typical usage pattern of a service by the users of a particular organization [usage values]. As another example, the behavioral analytics engine 304 can generate an activity profile for a particular user or group of users, ¶ 132.  In various implementations, the analytics engine 300 can include a recommendation engine 308 that receives the output of the threat detection engine 302, the behavioral analytics engine 304 [receiving the usage value as an output from the forecasting model], and the other analytics 306. In various examples, the recommendation engine 308 can raise alerts 322, make recommendations 324, automatically perform actions 326, and provide visualizations 328 that an organization can use to understand the organization's use of a cloud service, detected security risks, and remediation of the security risks, among other things, ¶ 173.  Also see 304, 302 and 308 in figure 3). 
Biswas further discloses receiving, by the computing device from the usage tracking service, a detected usage value for the given time period (i.e., In various implementations, the behavioral analytics engine 304 can use statistical data generated from the activity data 310 to determine activity profiles, which are also referred to herein as behavioral profiles. For example, the behavioral analytics engine 304 can generate an activity profile that describes the common or typical usage pattern of a service by the users of a particular organization [receiving, by the computing device from the usage tracking service, a detected usage value for the given time period]. As another example, the behavioral analytics engine 304 can generate an activity profile for a particular user or group of users, ¶ 132.  In various examples, the analytics engine 300 can perform various other analytics 306 on the activity data 310 obtained from service providers [receiving, by the computing device from the usage tracking service, a detected usage value for the given time period]. In some examples, various types of algorithms can be particularly useful for analyzing the data. Decision tree, time series, naive Bayes analysis, and techniques used to build user behavior profiles are examples of machine learning techniques that can be used to generate predictions based on patterns of suspicious activity and/or external data feeds. Techniques such as clustering can be used to detect outliers and anomalous activity. For example, a threat can be identified based on an account accessing one or more files or failing a series of login attempts from an IP address that is flagged (by a third party feed or otherwise) as malicious. 
In a similar way, a threat can also be based on different patterns of activity with one cloud application or across multiple cloud applications, possibly over time [receiving, by the computing device from the usage tracking service, a detected usage value for the given time period], ¶ 167). 
Biswas further discloses determining, by the computing device, that the detected usage value is a usage anomaly based on the forecasted usage value (i.e., Detection can further include detecting anomalous characteristics in the spatial data, and predicting a threat from this information, ¶ 121.  In various implementations, an algorithm can simulate normal user activities using previously acquired user activity data. For example, the tenant base lines 317 can include records of users' past use of a cloud service. The simulation can be used to train other machine learning algorithms to learn the normal behavior of an organization's users. In general, a particular security issue may not always repeat, and hence may not be detected by a purely supervised algorithm. However, techniques such as outlier detection can establish a baseline that is useful for detecting anomalous activities. Such anomalous activities along with contextual threat intelligence can provide more accurate prediction of threats with low prediction errors, ¶ 171). 
Biswas also discloses identifying, by the computing device, at least one alert recipient based on a recipient list associated with the web service (i.e., A remediation action can include, for example, sending a notification to the user who caused the violation, to network administrators of the organization 130, to administrators of the security management and control system 102, and/or to another entity, ¶ 79). 
Biswas further discloses transmitting, by the computing device, an alert regarding the usage anomaly to the at least one recipient (i.e., A remediation action can include, for example, sending a notification to the user who caused the violation, to network administrators of the organization 130, to administrators of the security management and control system 102, and/or to another entity [transmitting, by the computing device, an alert regarding the usage anomaly to the at least one recipient], ¶ 79). 
Biswas also discloses wherein the alert comprises: a first link to view additional information related to the alert; and a second link to provide feedback related to the alert (i.e., Data in a report can be displayed on a user interface as an event viewer showing a “wall” of events along with actions that a user can take in response to or to remediate an event. Alerts can be constructed based on pre-defined rules that can include specific events and thresholds [wherein the alert comprises: a way to view additional information related to the alert], ¶ 166.  After one or more flagged events or activities is characterized as a true or false positive (e.g., by user feedback) [to provide feedback related to the alert], the information can be provided back to one or more machine learning algorithms to automatically modify parameters of the system, ¶ 170.  An alert can include information about a detected event such as, for example, an event identifier, a date, a time, a risk level, an event category, a user account and/or security controls associated with the event, a service associated with the event, a description of the event, a remediation type (e.g., manual or automatic), and/or an event status (e.g., open, closed) among other information [wherein the alert comprises: a way to view additional information related to the alert]. Information in an alert about each risk event can include, for example, an identifier for the affected cloud service or instance a category, a priority, a date and time, a description, a recommended remediation type [to provide feedback related to the alert], and/or a status, among other information. A risk event may also have a user-selectable action, such as editing, deleting, marking status complete, and/or performing a remediation action [alert comprises: a way to view additional information related to the alert]. 
Selection of a remediation action may invoke an application such as the incident remediation application and/or cloud seeder application to perform the selected remediation. An alert and/or other information concerning an identified threat can be sent to an entity external to security monitoring and control system [to provide feedback related to the alert], ¶ 174.  It would be obvious to one of ordinary skill in the art to use different links to provide the different functionalities for a web application such as this). 
Biswas may not explicitly disclose determining whether the usage anomaly is a false positive based on whether a specified event occurred during the given time period.
However, Kraus discloses determining whether the usage anomaly is a false positive based on whether a specified event occurred during the given time period (i.e., 204 event in a computing system, e.g., an attempt to access a resource; unless clearly indicated otherwise by context or definition, includes both failed attempts and successful attempts; may be, e.g., in the form of a packet, a procedure call, a method invocation, an interrupt, a signal, or another form; may be documented in an event list 216, ¶ 114.  418 history restrictor, e.g., Boolean condition specifying a set of one or more IP addresses of interest, a time period of interest [determining whether the usage anomaly is a false positive based on whether a specified event occurred during the given time period], or other criteria for restricting an anomalousness context to a proper subset of a full available history [0134] 420 coarse detector, e.g., an intrusion detection system whose false positive rate or count is greater than the false positive rate of the sequence anomaly detector and therefore benefits to accuracy or efficiency or both may be achieved by using the sequence anomaly detector to exclude as false some of the event sequences flagged as positive by the coarse detector [determining whether the usage anomaly is a false positive based on whether a specified event occurred], ¶ 133-134.  
516 maximum time between chronologically ordered events which is allowed by code in an extracted sequence that approximates a user session; may refer to chronological gap between any two consecutive events of a sequence, or to the chronological gap between earliest and latest event in sequence; may be measured in wall clock time, system time, processor cycles, system ticks, or another unit that measures passage of time [based on whether a specified event occurred during the given time period] [0150] 518 machine learning model hyperparameter, i.e., parameter whose values often impact the efficiency, correctness, speed, or other performance characteristic(s) of the machine learning model, and which can be imposed independently of the model's content and status as opposed to learned parameters which can be derived automatically from datasets used in training/testing/tuning the model, ¶ 149-150.  1214 detect a precursor condition, e.g., a coarse detector may use signatures or simple statistics or rules to detect a condition which leads to a possible false positive which is then tested by a sequence anomaly detector [determining whether the usage anomaly is a false positive based on whether a specified event occurred], ¶ 209.  218 get a restriction condition, e.g., via a user interface [0212] 1220 apply a restriction condition to a history [based on whether a specified event occurred during the given time period] [0213] 1222 delimit a candidate event sequence, e.g., by extracting only sequences that meet conditions such as a max number of events 514 or max time between events 516 [based on whether a specified event occurred during the given time period], ¶ 211) in order to perform or provide anomalous sequence detection (¶ 5).
Therefore, based on Biswas in view of Kraus, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to apply the teaching of Kraus to the system of Biswas in order to perform or provide anomalous sequence detection.
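The claim 1 steps discussed above (compare a detected usage value against the forecast, discount the anomaly as a false positive when a specified event fell inside the same time period, otherwise look up the recipient list and send an alert carrying a details link and a feedback link) can be made concrete with the following Python example. It is added here for illustration only and is not code from the application, from Biswas or from Kraus; the 25% tolerance, the event types that excuse a spike, the service name, the recipient lists and the alert URLs are all assumptions.

```python
"""Forecast-vs-detected usage check with an event-based false-positive test.

Added example, not code from the application, Biswas or Kraus. Service names,
recipient lists, link URLs, the tolerance and the event types are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed: a detected value more than 25% off the forecast is an anomaly.
ANOMALY_TOLERANCE = 0.25
PERIOD = timedelta(hours=1)
# Assumed: event types that explain a usage change and so mark the anomaly a false positive.
EXPECTED_EVENTS = {"scheduled_scale_out", "load_test"}


@dataclass
class Alert:
    service: str
    period_start: datetime
    forecast: float
    detected: float
    recipients: List[str]
    details_link: str   # first link: view more information about the alert
    feedback_link: str  # second link: report true/false positive and a reason


def is_usage_anomaly(forecast: float, detected: float,
                     tolerance: float = ANOMALY_TOLERANCE) -> bool:
    """True when |detected - forecast| exceeds `tolerance` as a fraction of the forecast."""
    if forecast <= 0:
        return detected > 0
    return abs(detected - forecast) / forecast > tolerance


def explaining_event(events: List[dict], start: datetime, end: datetime) -> Optional[dict]:
    """First expected event with start <= ts < end, or None if nothing explains the period."""
    for ev in events:
        if ev["type"] in EXPECTED_EVENTS and start <= ev["ts"] < end:
            return ev
    return None


def evaluate_period(service: str, start: datetime, forecast: float, detected: float,
                    events: List[dict], recipients_by_service: Dict[str, List[str]]
                    ) -> Tuple[str, Optional[Alert]]:
    """Classify one period as 'normal', 'false_positive' or 'alert' (with the alert to send)."""
    if not is_usage_anomaly(forecast, detected):
        return "normal", None
    if explaining_event(events, start, start + PERIOD) is not None:
        return "false_positive", None
    recipients = recipients_by_service.get(service, recipients_by_service["default"])
    alert_id = f"{service}-{start:%Y%m%dT%H%M}"
    base = "https://alerts.example.invalid/anomaly"  # assumed alert portal
    return "alert", Alert(service, start, forecast, detected, recipients,
                          details_link=f"{base}/{alert_id}",
                          feedback_link=f"{base}/{alert_id}/feedback")


def run_demo() -> Dict[datetime, Tuple[str, Optional[Alert]]]:
    """Constructed data: three hourly periods for one service; only the last should alert."""
    t0 = datetime(2022, 3, 1, 9, 0)
    forecast = {t0: 40.0, t0 + PERIOD: 42.0, t0 + 2 * PERIOD: 38.0}   # model output
    detected = {t0: 58.0, t0 + PERIOD: 45.0, t0 + 2 * PERIOD: 60.0}   # usage tracking service
    events = [  # constructed event log from the same window
        {"type": "load_test", "ts": t0 + timedelta(minutes=15)},
        {"type": "scheduled_scale_out", "ts": t0 + PERIOD + timedelta(minutes=30)},
    ]
    recipients = {"default": ["secops@example.invalid"],
                  "checkout-api": ["checkout-oncall@example.invalid"]}
    return {t: evaluate_period("checkout-api", t, forecast[t], detected[t], events, recipients)
            for t in forecast}


if __name__ == "__main__":
    for t, (verdict, alert) in run_demo().items():
        print(t, verdict, alert.details_link if alert else "")
```

In the constructed data the 09:00 spike (58 against a forecast of 40) is discounted because a load test was logged inside that hour, the 10:00 value is within tolerance, and the 11:00 spike has no explaining event and produces the alert addressed to the service's own recipient list.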

With respect to claim 9, Biswas discloses wherein the first link, when activated, causes a visualization of the usage anomaly to be displayed via a graphical user interface (i.e., The connection may also include providing a service Uniform Resource Locator (URL) [first link that can be activated], ¶ 97.  It would be obvious to one of ordinary skill in the art to use different links to provide the different functionalities for a web application such as this.  Further, ¶ 87 teaches an interface 120 can provide, for example, a graphical user interface (GUI) that can display a control panel or dashboard that enables the organization's administrative users to configure the services of the security management and control system 102 [displayed via a graphical user interface], ¶ 87.  In various examples, the user interface components 215 include an administration console 214 and an analytics visualization console 216. Using the administration console 214, the tenant 220 can configure the security controls for the services of the service provider 230. Configuration of the security controls can include, for example, enabling or disabling or disabling access to the service by the tenant's users, enabling or disabling features of the service that the tenant's users can use, and other configurations that are available to the tenant 220. The analytics visualization console 216 can be used to view analytics generated by the cloud security system 200. For example, using the analytics visualization console 216, the tenant 220 can view reports of security incidents involving the tenant's users and a service to which the tenant 220 is subscribing [causes a visualization of the usage anomaly to be displayed via a graphical user interface]. In various examples, the information displayed in the administration console 214 and the analytics visualization console 216 can be obtained from the data stores of the cloud security system 200, ¶ 92.  
In various implementations, the analytics visualization console 216 can display security indicators in a library format with risk factors that are color coded (such as red, green, yellow). Other statistics or metrics may be displayed such as, for example, user logins attempts, groups with the most newly added users, deleted files, users with the most deleted files, and/or users downloading the most files, among other metrics. Some types of information may be specific to a particular service provider. For example, for Salesforce.com, the metrics can include the identities of users that are downloading opportunity or budget data, contracts, or contacts. In some examples, the analytics visualization console 216 provides a unified view of security controls for a tenant's cloud services. The analytics visualization console 216 may display a values set for any or all security controls set for different cloud services, as well as deviations of the current values from values associated with predetermined policies or configurations, ¶ 94.  In some examples, counts of events in different event categories over time can be provided as a graphical visualization, such as a chart. The chart may display, for example, a count of events by date in each of the color coded categories such as activities at an unusual time, after-hours downloads, failed logins, etc. The visual representation (e.g., a line) of an event category can be toggled on and off [wherein the first link, when activated, causes a visualization of the anomaly to be displayed via a graphical user interface]. In some examples, threats can also be displayed in a summary view, ¶ 176). 

With respect to claim 10, Biswas discloses wherein the second link, when activated, allows the at least one recipient to provide an indication of whether the usage anomaly is a false positive and an indication of a reason that the usage anomaly is a false positive (i.e., Automated anomaly-based threat detection logic also requires regular updates to incorporate feedback from the security experts as well as tenants to eliminate false positives [when activated, allows the recipient to provide an indication of whether the usage anomaly is a false positive], ¶ 36.  In some examples, the analytics engine 300 may obtain feedback on the validity and/or accuracy of a risk score. As an example, network administrators of an organization can provide feedback. As another example, administrators of the security management and control system can provide feedback [an indication of a reason that the usage anomaly is a false positive]. Alternatively or additionally, in some examples, feedback can be obtained using automated machine learning algorithms, such as decision trees and neural networks. In some examples, the analytics engine 300 can adjust weights, indicators, and/or sources using the feedback, including possibly removing sources or indicators. In these and other examples, the threat detection engine 302 can compute a new risk score with the adjusted indicators and weights, ¶ 165.  After one or more flagged events or activities is characterized as a true or false positive (e.g., by user feedback) [when activated, allows the recipient to provide an indication of whether the usage anomaly is a false positive and an indication of a reason that the usage anomaly is a false positive], the information can be provided back to one or more machine learning algorithms to automatically modify parameters of the system. Thus, machine learning algorithms can be utilized in at least the ways discussed above to make recommendations and reduce false alarms (false positives). 
Activity data collected from various parameters over a period of time can be used with machine learning algorithms to generate patterns referred to as user behavior profiles. The activity data can include contextual information such as IP address and geographic location, ¶ 170.  In some instances, information (e.g., a link) may be sent to the customer that enables the customer to start using and availing the benefits of the requested services [a first and second link], ¶ 258). 

With respect to claim 11, Biswas discloses receiving feedback from the at least one recipient via the second link and creating, based on the feedback, a rule that defines an exception based on the feedback (i.e., One reason that the security monitoring and control system may output many false positives is a referred to as the “cold boot problem.” Knowledge based system monitoring based on security controls and policies requires a deep understanding of the cloud service and usage pattern of the cloud applications. When the cloud application monitoring begins, the usage pattern is undefined. Thus, the system does not yet have an understanding of usage of the cloud services. Tuning and adjustment of the monitoring system can reduce false positives and ensure that only important alerts that are impactful and actionable are generated [receiving feedback from the recipient and creating, based on the feedback, a rule that defines an exception based on the feedback], ¶ 31.  Another reason that the security monitoring and control system may output many false positives is due to changes in system and changes in usage patterns. Even when the predefined knowledge-based security control and policies work initially, user activity patterns may change, and additional new scenarios may develop. Lack of security controls and policies that accommodate these changes may cause the system to miss important events or fail to respond to an incident in a timely fashion. Additionally, when some of the events become a standard pattern rather than an exception, associated policies must be updated to ensure that the system triggers only on risky scenarios [rule creation], ¶ 35.  Automated anomaly-based threat detection logic also requires regular updates to incorporate feedback from the security experts as well as tenants to eliminate false positives [rule updating], ¶ 36.  
Alerts can be constructed based on pre-defined rules that can include specific events and thresholds [a rule that defines an exception], ¶ 168.  In some instances, information (e.g., a link) may be sent to the customer that enables the customer to start using and availing the benefits of the requested services [a first and second link], ¶ 258). 

With respect to claim 12, Biswas discloses receiving, by the computing device from the usage tracking service, a plurality of additional usage values for the web service (i.e., In some embodiments, a method for detecting usage anomalies in a multi-tenant cloud environment may include obtaining activity data from a service provider system. The activity data may describe actions performed during use of a cloud service. The actions may be performed by one or more users associated with a tenant. The service provider system may provide the tenant with a tenant account. The tenant account may enable the one or more users to access the cloud service. The method may also include determining, from the activity data, actions performed by a particular user. The method may additionally include generating, using the actions, a directed graph, ¶ 6.  In some embodiments, provided are systems and methods for analyzing actions performed by users in using a cloud service, and adjusting the configuration of a security management and control system based on the analysis. In various examples, the analysis may include generating a weighted directed graph that reflects a user's use of the cloud service, and/or reflects the tenant's overall use of the cloud service [receiving, by the computing device from the usage tracking service, a plurality of additional usage values for the web service], ¶ 37). 
Biswas further discloses re-training in order to produce a re-trained model based on the additional usage values (i.e., Automated anomaly-based threat detection that uses learning can be self-tuning and self-configuring [re-training in order to produce a re-trained model], ¶ 33.  Additionally, when some of the events become a standard pattern rather than an exception, associated policies must be updated to ensure that the system triggers only on risky scenarios, ¶ 35.  Automated anomaly-based threat detection logic also requires regular updates to incorporate feedback from the security experts as well as tenants to eliminate false positives [re-training in order to produce a re-trained model based on the additional usage values], ¶ 36.  In various examples, the analytics engine 300 receives updated activity data 310 once per day, every other day, or periodically over another time interval. In some examples, the analytics engine 300 receives activity data 310 when certain events occur, such as a service indicating that an event has occurred (e.g., the service has been updated or the service has detected a network threat or another event originating at the service), the organization indicating that an event has occurred (e.g., the organization having added users to the service or a network administrator requesting an updated analysis or another event originating at the organization), or the security management and control system indicating that an event has occurred (e.g., receipt of new threat intelligence data 314 or another event originating at the security management and control system, ¶ 129). 
Biswas also discloses determining whether to replace the forecasting model with the re-trained model based on one or more model quality metrics (i.e., Additionally, when some of the events become a standard pattern rather than an exception, associated policies must be updated to ensure that the system triggers only on risky scenarios, ¶ 35.  The analytics performed by the prediction analytics application 212 can include identifying and predicting security threats from patterns of activity and behavioral models. Analytics performed by the descriptive analytics application 207 and the prediction analytics application 212 can be performed using data stored in the analytics and threat intelligence repository 211, ¶ 117.  In various examples, anomalous activity that is detected for a user of one cloud service can be used by the threat detection engine 302 to calculate or re-calculate the likelihood of a threat in the use of another cloud service [determining whether to replace the forecasting model with the re-trained model based on one or more model quality metrics]. In this way, new events occurring during the use of one cloud service can be screened proactively to detect and/or predict threats in the use of another cloud service. In various examples, multiple data points across different cloud services can be correlated to increase the accuracy of a threat score, ¶ 149.  In various examples, the threat detection engine 302 can perform regression analysis on each indicator used to compute a risk score, and/or on the risk score. Regression analysis may include building and updating a linear regression model. The coefficients c.sub.1 computed by the regression model could be new or modified weights that would replace the initial weights for computing the risk score. The model can provide greater accuracy as more feedback and more data is collected, ¶ 166.  Therefore, the model is constantly changing/learning and being replaced and updated). 



With respect to claim 15, the limitations of claim 15 are rejected in the analysis of claim 2 above, and the claim is rejected on that basis.

	With respect to claim 16, the limitations of claim 16 are rejected in the analysis of claim 3 above, and the claim is rejected on that basis.

	With respect to claim 17, the limitations of claim 17 are rejected in the analysis of claim 4 above, and the claim is rejected on that basis.

With respect to claim 18, the limitations of claim 18 are rejected in the analysis of claim 5 above, and the claim is rejected on that basis.

With respect to claim 19, the limitations of claim 19 are rejected in the analysis of claim 6 above, and the claim is rejected on that basis.

Claims 7 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Biswas et al. (U.S. Publication No. 2020/0128047 A1) in view of Kraus et al. (U.S. Publication No. 2020/0285737 A1), and further in view of Kirti et al. (U.S. Publication No. 2018/0375886 A1).
With respect to claim 7, Biswas and Kraus may not explicitly disclose wherein determining the impact of the usage anomaly on the owner of the one or more web services comprises using cost information and the detected number of resource instances to determine a cost estimate related to the usage anomaly.
However, Kirti discloses wherein determining the impact of the usage anomaly on the owner of the one or more web services comprises using cost information and the detected number of resource instances to determine a cost estimate related to the usage anomaly (i.e., At step 606, the process 600 includes identifying, using the activity data, a set of users who performed the one or more actions, wherein the set of users is determined from the one or more users associated with the tenant, ¶ 205.  In some examples, identifying set of users can include using the one or more actions and past activity data to generate a model. In these examples, the model can describe a pattern of usage of the cloud service that is privileged with respect to the cloud service. For example, supervised or unsupervised learning can be used to train a neural network to recognized an action or a sequence of actions that are privileged with respect to a particular cloud service. In a supervised learning example, the neural network can be provided with labeled training data that identifies actions that are or are not privileged. In an unsupervised learning example, the neural network can be configured to minimize a cost function, where the cost function models changes to cloud service [determining the impact of the usage anomaly on the owner of the one or more web services comprises using cost information and the detected number of resource instances to determine a cost estimate related to the usage anomaly]. In these and other examples, the model can be used to identify a set of users, ¶ 206) in order to provide security monitoring (¶s 56 and 75).
Therefore, based on Biswas in view of Kraus, and further in view of Kirti, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Kirti to the system of Biswas and Kraus in order to provide a security monitoring and control system that can include various modules that implement different features including a data analysis system which can conduct analysis on network data and activity data to perform operations such as discovery of applications being used, activity pattern learning and recognition, anomaly detection, and network threat detection.

With respect to claim 20, the limitations of claim 20 are rejected in the analysis of claim 7 above, and the claim is rejected on that basis.

Claim 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Biswas et al. (U.S. Publication No. 2020/0128047 A1) in view of Kraus et al. (U.S. Publication No. 2020/0285737 A1), and further in view of Komashinskiy et al. (U.S. Publication No. 2018/0159871 A1).
With respect to claim 13, Biswas discloses the one or more model quality metrics (i.e., While specific threat scenarios and types of information that can be used to discern these scenarios are discussed above, one skilled in the art would recognize that threat detection and prediction may utilize any of a variety of information and formulas, ¶ 126). 
Biswas and Kraus may not explicitly disclose the one or more model quality metrics comprise one or more of: a negative log-likelihood; or a normalized root mean squared error (NRMSE).
However, Komashinskiy discloses the one or more model quality metrics comprise one or more of: a negative log-likelihood; or a normalized root mean squared error (NRMSE) (i.e., In particular, in FIG. 8, the result of associating the PDF classification model (straight line) described in this example with a dedicated anomalous data detection model (concentric shapes/contours). The contours of the anomalous data detection model represent the levels of negative log-likelihood outputs of a Gaussian Mixture—based anomaly detection model that was obtained by training with the same training data, ¶ 117) in order to allow for the processing of mobile operators' data for detecting “anomalous” instances such as events, states and so forth (¶ 10).
Therefore, based on Biswas in view of Kraus, and further in view of Komashinskiy, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Komashinskiy to the system of Biswas and Kraus in order to allow for the processing of mobile operators' data for detecting “anomalous” instances such as events, states and so forth.
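The claim 12 and claim 13 limitations discussed above (re-train on the additional usage values, score the current and re-trained forecasting models with quality metrics such as negative log-likelihood or NRMSE, and replace the model only if the re-trained one scores better) can be illustrated with the following Python example. It is added here for illustration only and is not code from the application, from Biswas, from Kraus or from Komashinskiy; the per-hour Gaussian forecasting model, the constructed usage series, the held-out window and the 5% improvement threshold are assumptions.

```python
"""Model quality metrics (NRMSE, negative log-likelihood) and a replace/keep decision.

Added example, not code from the application, Biswas, Kraus or Komashinskiy.
The per-hour Gaussian forecasting model, the synthetic usage data and the
improvement threshold are assumptions made for illustration.
"""
from __future__ import annotations

import math
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Sample = Tuple[int, float]  # (hour of day, resource instance count)


class HourlyGaussianModel:
    """Forecast = per-hour mean of past usage; the per-hour std dev gives the likelihood."""

    def __init__(self, history: List[Sample]):
        by_hour: Dict[int, List[float]] = defaultdict(list)
        for hour, value in history:
            by_hour[hour % 24].append(value)
        all_values = [v for _, v in history]
        # Fallback for hours absent from the training window.
        self.global_params = (mean(all_values), max(pstdev(all_values), 1e-6))
        self.params = {h: (mean(vs), max(pstdev(vs), 1e-6)) for h, vs in by_hour.items()}

    def forecast(self, hour: int) -> float:
        return self.params.get(hour % 24, self.global_params)[0]

    def nll(self, hour: int, value: float) -> float:
        """Negative log-likelihood of `value` under the hour's Gaussian."""
        mu, sd = self.params.get(hour % 24, self.global_params)
        return 0.5 * math.log(2 * math.pi * sd * sd) + (value - mu) ** 2 / (2 * sd * sd)


def nrmse(model: HourlyGaussianModel, holdout: List[Sample]) -> float:
    """Root mean squared forecast error, normalised by the range of the held-out values."""
    rmse = math.sqrt(mean((model.forecast(h) - v) ** 2 for h, v in holdout))
    values = [v for _, v in holdout]
    spread = max(values) - min(values)
    return rmse / spread if spread > 0 else rmse


def mean_nll(model: HourlyGaussianModel, holdout: List[Sample]) -> float:
    return mean(model.nll(h, v) for h, v in holdout)


def should_replace(current: HourlyGaussianModel, candidate: HourlyGaussianModel,
                   holdout: List[Sample], min_improvement: float = 0.05):
    """Replace only if the candidate cuts NRMSE by >= min_improvement and does not worsen NLL."""
    cur_n, cand_n = nrmse(current, holdout), nrmse(candidate, holdout)
    cur_l, cand_l = mean_nll(current, holdout), mean_nll(candidate, holdout)
    replace = cand_n <= cur_n * (1 - min_improvement) and cand_l <= cur_l
    return replace, {"nrmse": (cur_n, cand_n), "nll": (cur_l, cand_l)}


def synth_usage(days: int, offset: float, first_day: int = 0) -> List[Sample]:
    """Constructed daily pattern plus a small deterministic jitter; `offset` shifts the level."""
    out: List[Sample] = []
    for d in range(first_day, first_day + days):
        for h in range(24):
            base = 30.0 + 20.0 * math.sin(2 * math.pi * h / 24)
            jitter = ((d * 7 + h * 3) % 5) - 2  # in [-2, 2], varies by day and hour
            out.append((h, base + offset + jitter))
    return out


def run_demo():
    """Usage level steps up by 12 instances after day 7; retrain on the new window and compare."""
    old_window = synth_usage(7, offset=0.0, first_day=0)
    new_window = synth_usage(7, offset=12.0, first_day=7)
    holdout = synth_usage(2, offset=12.0, first_day=14)
    current = HourlyGaussianModel(old_window)      # the model currently in production
    candidate = HourlyGaussianModel(new_window)    # re-trained on the additional usage values
    return should_replace(current, candidate, holdout)


if __name__ == "__main__":
    replace, metrics = run_demo()
    print("replace:", replace, metrics)
```

Both metrics are computed on a held-out window the candidate was not trained on; a model that only fits its own training data would otherwise always win. The NLL term matters because a re-trained model can lower NRMSE while becoming badly over-confident (a tiny per-hour standard deviation), which would later inflate the anomaly rate.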

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAREN M MEANS whose telephone number is (571)270-7202.  The examiner can normally be reached on 12pm-6pm ET.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joon Hwang can be reached on 571-272-4036.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.






Jaren M. Means
/J.M.M./
Patent Examiner
Art Unit 2447	
3/11/2022

/JOON H HWANG/Supervisory Patent Examiner, Art Unit 2447