DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claims 1-20 are presented for examination.

Drawings
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they include the following reference character(s) not mentioned in the description: 908 (Figure 9).  
Corrected drawing sheets in compliance with 37 CFR 1.121(d), or amendment to the specification to add the reference character(s) in the description in compliance with 37 CFR 1.121(b) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 4, 11, 12, 14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Lecue et al. (US 2018/0225372 A1 and Lecue hereinafter).
As to claims 1 and 20, Lecue discloses a system and method for user classification based on multimodal information, the system and method having:
obtaining, from a data storage and access system associated with an enterprise system, access data for an entity, wherein the access data comprises a plurality of access entries associated with network elements the entity uses to access the enterprise system, wherein each of the plurality of access entries comprises a plurality of data elements (0057, lines 1-16); 
generating a network graph baseline profile based on the plurality of data elements, wherein the network graph baseline profile comprises a plurality of baseline network graphs, and wherein each network graph comprises a plurality of baseline nodes and a plurality of baseline edges (0072, lines 2-11; 0076, lines 2-9; 0077, lines 3-6; 0080, lines 1-3; 0095, lines 5-10); 
generating a network graph current profile based on the plurality of data elements, wherein the network graph current profile comprises one or more current network graphs, wherein the one or more current network graphs comprise a plurality of current nodes and a plurality of current edges, and wherein each of the plurality of baseline network graphs and the one or more current network graphs are associated with an access entry from the plurality of access entries (0072, lines 2-11; 0076, lines 2-9; 0077, lines 3-6; 0080, lines 1-3; 0081, lines 1-3); 
generating comparison data based on comparing the plurality of baseline network graphs with the one or more current network graphs, and comparing the plurality of baseline nodes and the plurality of baseline edges with the plurality of current nodes and the plurality of current edges (0099, lines 2-4); 
providing the anomaly data indicating the flagged network accesses to an authentication system (0124, lines 4-11).
Lecue does not explicitly disclose determining, based on the comparison data, anomaly data comprising one or more flagged network accesses to the enterprise system. However, since Lecue discloses identifying common nodes and edges, it is obvious to one of ordinary skill that nodes and edges that are not common (i.e. anomaly data) would also be known (0099, lines 2-4).

As to claim 11, Lecue discloses:
a processor (0002, lines 1-2); 
non-transitory computer-readable medium having processor-executable instructions stored thereon, wherein the processor-executable instructions, when executed, facilitate (0004, lines 2-4): 
obtaining access data for an entity, wherein the access data comprises a plurality of access entries associated with network elements the entity uses to access the enterprise system, wherein each of the plurality of access entries comprises a plurality of data elements (0057, lines 1-16); 
generating a network graph baseline profile based on the plurality of data elements, wherein the network graph baseline profile comprises a plurality of baseline network graphs, and wherein each network graph comprises a plurality of baseline nodes and a plurality of baseline edges (0072, lines 2-11; 0076, lines 2-9; 0077, lines 3-6; 0080, lines 1-3; 0095, lines 5-10); 
generating a network graph current profile based on the plurality of data elements, wherein the network graph current profile comprises one or more current network graphs, wherein the one or more current network graphs comprise a plurality of current nodes and a plurality of current edges, and wherein each of the plurality of baseline network graphs and the one or more current network graphs are associated with an access entry from the plurality of access entries (0072, lines 2-11; 0076, lines 2-9; 0077, lines 3-6; 0080, lines 1-3; 0081, lines 1-3); 
generating comparison data based on comparing the plurality of baseline network graphs with the one or more current network graphs, and comparing the plurality of baseline nodes and the plurality of baseline edges with the plurality of current nodes and the plurality of current edges (0099, lines 2-4); 
providing the anomaly data indicating the flagged network accesses to an authentication system (0124, lines 4-11).
Lecue does not explicitly disclose determining, based on the comparison data, anomaly data comprising one or more flagged network accesses to the enterprise system. However, since Lecue discloses identifying common nodes and edges, it is obvious to one of ordinary skill that nodes and edges that are not common (i.e. anomaly data) would also be known (0099, lines 2-4).

As to claims 2 and 12, Lecue discloses:
wherein the plurality of access entries comprise a plurality of first access entries corresponding to a first time period and a plurality of second access entries corresponding to a second time period, wherein the second time period is subsequent to the first time period, wherein generating the network graph baseline profile is based on using the plurality of data elements from the plurality of first access entries, and wherein generating the network graph current profile is based on using the plurality of data elements from the plurality of second access entries (0080, lines 1-3; 0081, lines 1-3; 0092, lines 1-8).

As to claims 4 and 14, Lecue discloses:
wherein the plurality of baseline nodes are associated with the plurality of data elements within a first time period and the plurality of baseline edges are associated with connections between the plurality of data elements within the first time period, and wherein the plurality of current nodes are associated with the plurality of data elements within a second time period and the plurality of current edges are associated with connections between the plurality of data elements within the second time period (0077, lines 3-6; 0080, lines 1-3; 0081, lines 1-3).

Claims 6, 7, 16, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Lecue as applied to claims 1 and 11 above, in view of Vasseur et al. (US 2016/0219066 A1 and Vasseur hereinafter), and further in view of Baltatu et al. (US 2010/0287128 A1 and Baltatu hereinafter).
As to claims 6 and 16, Lecue fails to specifically disclose:
wherein comparing the plurality of baseline network graphs with the one or more current network graphs is based on using graph based anomaly detection (GBAD), 
wherein comparing the plurality of baseline nodes and the plurality of baseline edges with the plurality of current nodes and the plurality of current edges is based on using intrusion detection expert system (IDES).

Vasseur discloses a system and method for event correlation in a network merging local graph models from distributed nodes, the system and method having:
wherein comparing the plurality of baseline network graphs with the one or more current network graphs is based on using graph based anomaly detection (GBAD) (Abstract).
Given the teaching of Vasseur, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Lecue with the teachings of Vasseur by using graph based anomaly detection. Vasseur recites motivation by disclosing that a graph based anomaly detection is used to detect network anomalies, therefore providing network security (Abstract).

Lecue in view of Vasseur fails to specifically disclose:
wherein comparing the plurality of baseline nodes and the plurality of baseline edges with the plurality of current nodes and the plurality of current edges is based on using intrusion detection expert system (IDES).
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Lecue in view of Vasseur, as taught by Baltatu.
Baltatu discloses a system and method for anomaly detection for link-state routing protocols, the system and method having:
wherein comparing the plurality of baseline nodes and the plurality of baseline edges with the plurality of current nodes and the plurality of current edges is based on using intrusion detection expert system (IDES) (0008, lines 1-7).
Given the teaching of Baltatu, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the 

As to claims 7 and 17, Lecue discloses:
wherein determining the anomaly data is based on using a machine learning dataset and the comparison data (0024, lines 7-11; 0094, lines 1-9; 0099, lines 1-11; 0100, lines 1-5; 0124, lines 1-11).

Claims 8-10, 18, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Lecue as applied to claims 1 and 11 above, and further in view of Saxena et al. (WO 2019/204778 A1 and Saxena hereinafter).
As to claims 8 and 18, Lecue fails to specifically disclose:
determining the one or more flagged network accesses to the enterprise system based on inputting the comparison data into a machine learning dataset, wherein the one or more flagged network accesses are statistical outliers that are output from the machine learning dataset.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Lecue, as taught by Saxena.
Saxena discloses a system and method for automated access control management, the system and method having:
determining the one or more flagged network accesses to the enterprise system based on inputting the comparison data into a machine learning dataset, wherein the one or more flagged network accesses are statistical outliers that are output from the machine learning dataset (00133, lines 22-25).
Given the teaching of Saxena, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Lecue with the teachings of Saxena by determining accesses as outliers. Saxena recites motivation by disclosing that determining outliers can identify inconsistent patterns and detect anomalies, which may indicate unauthorized access and provide security (00133, lines 22-25). It is obvious that the teachings of Saxena would have improved the teachings of Lecue by determining accesses as outliers in order to indicate unauthorized access and provide security.

As to claims 9 and 19, Lecue fails to specifically disclose:
receiving, from the authentication system, authentication data for the machine learning dataset; 
training the machine learning dataset based on the one or more flagged network accesses and the authentication data.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Lecue, as taught by Saxena.
Saxena discloses:
receiving, from the authentication system, authentication data for the machine learning dataset (0021, lines 1-4); 
training the machine learning dataset based on the one or more flagged network accesses and the authentication data (0021, lines 4-6).
Given the teaching of Saxena, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Lecue with the teachings of Saxena by training a machine learning dataset. Saxena recites 

As to claim 10, Lecue fails to specifically disclose:
wherein providing the anomaly data indicating the one or more flagged network accesses to the authentication system comprises providing instructions to the authentication system to determine whether the one or more flagged network accesses are unauthorized intrusions to the enterprise system.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Lecue, as taught by Saxena.
Saxena discloses:
wherein providing the anomaly data indicating the one or more flagged network accesses to the authentication system comprises providing instructions to the authentication system to determine whether the one or more flagged network accesses are unauthorized intrusions to the enterprise system (00228, lines 1-5).
Given the teaching of Saxena, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Lecue with the teachings of Saxena by determining whether accesses are unauthorized intrusions. Please refer to the motivation recited above with respect to claims 8 and 18 as to why it is obvious to apply the teachings of Saxena to the teachings of Lecue.

Allowable Subject Matter
Claims 3, 5, 13, and 15 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Prior Art Made of Record
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Bertiger et al. (US 2021/0194907 A1) discloses a system and method for detecting anomalous network activity.
Gilbert et al. (US 2007/0226796 A1) discloses a system and method for tactical and strategic attack detection and prediction.
Gottschlich et al. (US 2018/0330253 A1) discloses a system and method for generating anomaly detection datasets.
Neil (US Patent 9,038,180 B2) discloses a system and method for using new edges for anomaly detection in computer networks.
Parker (US 2020/0104518 A1) discloses a system and method for automatic graph-based detection of unlikely file possession.
Saraf et al. (US 2019/0364065 A1) discloses a system and method for anomaly detection associated with communities.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SARAH SU whose telephone number is (571)270-3835. The examiner can normally be reached 7:30 AM - 4:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SARAH SU/Primary Examiner, Art Unit 2431