DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statements (IDS) were submitted on 12/07/2020, 6/04/2021, 8/18/2021, 9/16/2021, 11/17/2021, and 3/30/2022. The submissions are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
For step 1, it is determined whether a claim falls within one of the four statutory categories. Claims 1-6 are directed to a method, claims 7-12 are directed to a system comprising hardware components, and claims 13-20 are directed to a non-transitory computer-readable storage medium. Therefore, claims 1-20 fall within at least one of the statutory categories of invention and pass step 1.
For step 2A (Prong One), it is determined whether a claim recites an abstract idea, law of nature, or natural phenomenon. Independent claims 1, 7, and 13 recite limitations for:
A. “identifying a security related activity…”
B. “analyzing the security related activity…”
C. “generating entity behavior catalog data…”
D. “using the entity behavior catalog data…to generate a hierarchical set of entity behaviors…”
However, there are no elements recited in those limitations that would preclude them from being practically performed in the mind, or with pen/paper, under broadest reasonable interpretation. Both limitations A and B are directed to identifying information. For example, limitation A identifies information (“security related activity”) based upon an observable from an electronic source. The term “based upon” fails to provide any details and/or correlation of how information is derived from a source. Humans can visually, or mentally, perform the identification steps off a computer screen. In limitations C and D, a catalog and a hierarchical set of data are generated. However, the generation processes are not explained in detail within the claims, hence they are not explicitly limited to a function that can only be performed by a computer. For example, the “generating” can be a human action to write up a catalog, or to draft a hierarchy to represent information. Furthermore, the generating steps merely provide a result rather than how the result is obtained. For example, in limitation D, the hierarchical set of entity behaviors is generated from entity behavior catalog data and the associated abstraction level. The steps that lead to the arrival of the hierarchical set of entity behaviors are not recited. It is unclear how the hierarchical set of entity behaviors was constructed or how the hierarchy is structured, and these steps can be interpreted as human mental actions. Thus, the independent claims present at least one limitation that falls within the “Mental Processes” and/or “Certain Method of Organizing Human Activities” grouping of abstract ideas. Accordingly, the independent claims recite an abstract idea.
For step 2A (Prong Two), it is determined whether a claim recites additional elements that integrate the judicial exception into a practical application. These additional elements are:
E. “storing the hierarchical set of entity behaviors within an entity behavior catalog…”
F. Various recitations of a computer performing the steps (e.g. a “computer-implemented” method, a “processor”, and “computer program code” that are executed).
However, these elements fail to add something more meaningful to the judicial exception, as generic computer components – e.g. a “system” in claim 7 – are used to apply the exception. See MPEP 2106.05(f). Furthermore, the additional elements are directed to mere data storage (e.g. limitation E), which has been identified as an insignificant extra-solution activity and does not impose a more meaningful addition to the judicial exception. See MPEP 2106.05(g). They fail to define a specific meaningful activity that would show improvement to the functioning of the computer or technological field (e.g. how is the hierarchical set of data used to improve the security of a computer/computer system?). For example, in contrast, the claims in Enfish v. Microsoft recited a specific data structure which was described in the specification as improving the way computers store and retrieve data from memory. The current claims fail to provide enough details on how the generation steps are achieved and/or the structural features of a hierarchical set of entity behaviors that would be meaningful when applied to a security operation. The current limitations only have a nominal relationship to the exception. Thus, the independent claims fail to present enough elements to integrate the abstract idea into a practical application. Accordingly, the independent claims are directed to an abstract idea.
For step 2B, it is determined whether any elements, or combination of elements, are enough to ensure that the claims amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements to perform the steps amount to no more than mere instructions to apply the exception using a generic computer component. These elements are recited at a high level of generality, such that they can be represented as ordinary computer systems. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. Having a computer system with a processor to perform such elements does not instantly preclude it from mental activities if the act itself is presented in a generic/abstract manner – it would be mere instructions to apply an exception (see MPEP 2106.05(f)). Hence, the independent claims are not patent eligible.

Dependent Claims: The dependent claims further define the “abstraction level” as specific categories. However, these are nominal limitations that do not provide more than an insignificant relationship to the exception. Thus, none of the elements in those limitations would preclude them from being performed mentally, nor do they present additional meaningful elements that are more than an abstract idea.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 10,192,058: Log file data is organized by identifying portions of each log file and classifying the portions into one or more categories. See col. 4, line 59 – col. 5, line 25. The organized log file information is made available to a threat score evaluator to determine threat scores. See col. 5, lines 37-45.
US 2018/0314835: An input stream of data instances is received and separated into at least one principal value and a set of categorical attributes. The set of data instances is grouped based on continuous time intervals, where set functions are applied to generate an anomaly score. See [0061]-[0063].

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT B LEUNG whose telephone number is (571)270-1453. The examiner can normally be reached Mon - Thurs: 10am-7pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG KIM can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ROBERT B LEUNG/
Primary Examiner, Art Unit 2494
4-14-2022