DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Status of Claims
The amendment filed 2/7/2022 has been entered. Claims 1-2, 7-8, 13-14 are currently amended claims. Claims 1-20 are pending in the application.
The objection of claims 1-2, 7-8, 13-14 due to informalities has been withdrawn in light of applicant’s amendment to the claims. 
The provisional nonstatutory double patenting rejection has been withdrawn in light of applicant’s filed and approved Terminal Disclaimer on 2/7/2022.
The rejection of claims 1-5, 7-11, 13-17 under 35 USC 102 (a)(2) has been withdrawn in light of applicant’s amendment to the claims. 
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 3/30/2022, 4/20/2022 has been considered. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, initialed and dated copies of Applicant’s IDS form 1449 filed as stated above are attached to the instant Office Action.
Response to Arguments
Applicant’s arguments, see pg. 8-9 of the Remarks filed 2/7/2022 regarding claims rejected under 35 USC 102 have been fully considered and examiner agrees Myneni reference does not specifically teach the amended features below. Therefore, the rejection under 35 USC 102 has been withdrawn.
Examiner acknowledges that applicant has amended independent claim 1 (similarly claim 7, claim 13) underlined reciting “the entity behavior catalog comprising an entity behavior profiles repository, the entity behavior profiles repository containing a plurality of entity behavior profiles, each entity behavior profile comprising information that describes an identity of a particular entity and behavior associated with the particular entity, each entity behavior profile comprising a user entity mindset profile, the user entity mindset profile comprising information that reflects an inferred mental state of the entity”. 
Applicant specifically argued that “entity behavior catalog as disclosed and claimed is patentably distinct from the logged event data disclosed by Myneni”. Examiner respectfully disagrees with applicant. Entity behavior catalog under BRI is interpreted as a collection of event data on entity behavior. And the entity behavior catalog is equivalent to the event logger of Myneni as indicated in the office action mailed 11/16/2021, whereas the logged event data of Myneni is equivalent to the entity behavior catalog data. Further, in response to applicant’s amended features above, a newly found reference Ford is asserted to teach those amended features. Therefore, a new ground of rejection under 35 USC 103 is presented below.
Applicant is suggested to further incorporate innovative features into independent claims to advance the case.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-5, 7-11, 13-17 are rejected under 35 U.S.C. 103 as being unpatentable over  Myneni et al (US20210006542A1, hereinafter, "Myneni"), in view of Ford (US20180332063A1, hereinafter, "Ford").
Regarding claim 1, Myneni teaches:
A computer-implementable method for performing a security operation, comprising:
monitoring an entity, the monitoring observing at least one electronically-observable data source (Myneni, [0018] Event logger 106 (i.e. electronically-observable data source) can provide functionality for components (e.g., directory manager 102, host machines 108) in datacenter 100 to log or otherwise record user activity in the datacenter as events 162. And referring to Fig. 2 and [0025] At operation 202, datacenter 100 can detect (i.e. monitoring) computer-related actions performed by a user (i.e. entity) …);
deriving an observable based upon the monitoring of the electronically-observable data source (Myneni, [0025] Events 162 (i.e. observable) can be reported by any component in the datacenter. For example, directory manager 102 can log events such as creation/deletion of users);
identifying a security related activity of the entity, the security related activity being based upon the observable derived from the electronically-observable data source, the security related activity being of analytic utility (Myneni, [0025] Events 162 can be reported by any component in the datacenter. For example, directory manager 102 can log events such as creation/deletion of users, groups, etc. Users' computer-related actions can include failed login attempts, accessing files, accessing servers in the enterprise, accessing the network, installing software, executing processes (i.e. security related activity). And [0027] event logger can record each event 162 in a suitable log file such as an event log (not shown).  Such information can analyzed and monitored to assess network security (i.e. being of analytic utility));
converting the security related activity to entity behavior catalog data, the entity behavior catalog data providing an inventory of entity behaviors (Myneni, [0026] At operation 204, datacenter 100 can log the user's computer-related actions. Referring to FIG. 1, …, the user's actions can be reported to event logger 106 (i.e. inventory of behavior catalog) as events 162. And [0028] At operation 206, datacenter 100 can compute or update the user's behavior-based risk score based on the logged events). Examiner notes converting is interpreted as logging and updating;
accessing an entity behavior catalog based upon the entity behavior catalog data (Myneni, [0048] At operation 604, rule builder 148 can access the user's behavior-based risk score that corresponds to the type of event in the received logged event. Examiner notes rule builder is building rules based on logged event data in order to regulate the user’s computer-related actions. It is obvious the rule builder needs to access the logged event data, i.e. entity behavior catalog data), [the entity behavior catalog comprising an entity behavior profiles repository, the entity behavior profiles repository containing a plurality of entity behavior profiles, each entity behavior profile comprising information that describes an identity of a particular entity and behavior associated with the particular entity, each entity behavior profile comprising a user entity mindset profile, the user entity mindset profile comprising information that reflects an inferred mental state of the entity;] (see Ford below for limitations in bracket)
and performing a security operation via a security system, the security operation using the entity behavior catalog data stored within the entity behavior catalog based upon the security related activity (Myneni, [0030] At operation 210, datacenter 100 can regulate the user's computer-related actions according the behavior-based firewall rules associated with the user. Also [0057] At operation 610, rule builder 148 can insert the generated behavior-based firewall rule into firewall table 142.  When the firewall table is subsequently distributed (pushed) to host machines 108 and installed in their respective firewall engines 186, the user's actions can be regulated according to the behavior-based firewall rule).
While Myneni teaches the main concept of the invention of behavior based security, Myneni does not explicitly teach the following limitations; however, in the same field of endeavor, Ford teaches:
[accessing an entity behavior catalog based upon the entity behavior catalog data] (see Myneni above), the entity behavior catalog comprising an entity behavior profiles repository, the entity behavior profiles repository containing a plurality of entity behavior profiles (Ford, discloses method for performing a security analysis operation on electronically observable user behavior about a particular entity, see [Abstract]. And see Fig. 6, User Profile Data, i.e. entity behavior profiles repository), each entity behavior profile comprising information that describes an identity of a particular entity and behavior associated with the particular entity (Ford, Fig. 6 User Profile 602, [0066] a user profile attribute 606 broadly refers to data or metadata that can be used, individually or in combination with other user profile attributes 606, to uniquely ascertain the identity of a user. Also see, for instance Fig. 8 User “A” 802 or User “B” 862), each entity behavior profile comprising a user entity mindset profile, the user entity mindset profile comprising information that reflects an inferred mental state of the entity (Ford, see Fig. 6, Fig. 7, User Mindset Profile 630, and [0077] As likewise used herein, a user mindset profile 630 broadly refers to a collection of information that reflects an inferred mental state of a user at a particular time during the occurrence of an event or an enactment of a user behavior);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Ford in the method of monitoring user actions with behavior-based security of Myneni by managing user profile based on user profile data. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify security risk based on analysis of user profile related to the user mental state (Ford, [Abstract], [0001-0003]).

Regarding claim 7, Myneni-Ford combination teaches:
A system comprising: a processor; a data bus coupled to the processor; and a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executed by the processor (Myneni, See Fig. 7 Processor(s), Storage Subsystem and Bus Subsystem, and [0064] Memory subsystem 708 includes a number of memories including main random access memory (RAM) 718 for storage of instructions) and configured for: performing steps substantially similar to the method steps of claim 1, and therefore is rejected with the same rationale set forth in the rejection of claim 1 above.

Regarding claim 13, Myneni-Ford combination teaches:
A non-transitory, computer-readable storage medium embodying computer program code, the computer program code comprising computer executable instructions (Myneni, [0064] Memory subsystem 708 includes a number of memories including main random access memory (RAM) 718 for storage of instructions) configured for: performing steps substantially similar to the method steps of claim 1, and therefore is rejected with the same rationale set forth in the rejection of claim 1 above.

Regarding claim 2, similarly claim 8, claim 14, Myneni-Ford further teaches:
The method of claim 1, the system of claim 7, the non-transitory, computer-readable storage medium of claim 13, wherein: the entity behaviors comprise at least one of a user entity behavior and a non-user entity behavior (Myneni, [0026] for example, the client can include information that identifies the user who performed the computer-related action and information about the action itself. For example, if the action is a failed login attempt, the thin client can report the username (i.e. user entity behavior) that was used and where the login was attempted from (e.g., host machine, laptop, etc.) (i.e. non-user entity behavior)).

Regarding claim 3, similarly claim 9, claim 15, Myneni-Ford further teaches:
The method of claim 2, the system of claim 8, the non-transitory, computer-readable storage medium of claim 14, wherein: an entity behavior has an associated attribute, the associated attribute comprising at least one of a user entity attribute associated with the user entity behavior and a non-user entity attribute associated with the non-user entity behavior (Myneni, [0026] … If the action is accessing a file or a server, the thin client can report the location/ name of the file or server being accessed along with attributes of the file or server (e.g., required access level, protections, etc.)).

Regarding claim 4, similarly claim 10, claim 16, Myneni-Ford further teaches:
The method of claim 1, the system of claim 7, the non-transitory, computer-readable storage medium of claim 13, wherein: the entity behavior catalog comprises an entity behavior catalog repository, the entity behavior catalog repository comprising at least one of a security vulnerability scenarios repository, a risk use cases repository, an entity behavior profiles repository, an entity attributes repository, an entity behaviors repository, an activities repository and an observables repository (Myneni, Fig. 5 shows score table which can be interpreted as risk use cases repository).

Regarding claim 5, similarly claim 11, claim 17, Myneni-Ford further teaches:
The method of claim 1, the system of claim 7, the non-transitory, computer-readable storage medium of claim 13, wherein: the security operation uses the entity behavior catalog to determine whether an event is of analytic utility (Myneni, [0027] The event logger can record each event 162 in a suitable log file such as an event log (not shown). Such information can analyzed and monitored to assess network security. An event log can capture many different types of information; for example, an event log can capture all logon sessions to a network, along with account lockouts, failed password attempts, etc. An event log can also record different types of application events, such as application errors, closures or other related events (i.e. analytic utility)).

Claims 6, 12, 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Myneni-Ford combination as applied above, further in view of Stockdale et al (US20200244673A1-IDS provided by applicant, hereinafter, “Stockdale”).
Regarding claim 6, similarly claim 12, claim 18, Myneni-Ford combination teaches:
The method of claim 5, the system of claim 11, the non-transitory, computer-readable storage medium of claim 17,
While the combination of Myneni-Ford does not explicitly teach an analytic detection module, in the same field of endeavor Stockdale teaches:
wherein: the security system comprises an analytic detection module, the analytic detection module determining whether the event is of analytic utility (Stockdale, discloses anomaly detector detecting a cyber-attack, see [Abstract]. And referring to Fig. 1 Cyber Threat Module (i.e. analytic detection module). And [0009] FIG. 1 illustrates a block diagram of an embodiment of a cyber threat defense system with a cyber threat module that references machine-learning models to identify cyber threats by identifying deviations from normal behavior).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Stockdale in the method of monitoring user actions with behavior-based security of Myneni-Ford by using cyber threat module as analytic detection in the cyber threat defense system for anomaly detection. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify malicious activity distributed across multiple devices in the network for anomaly detection (Stockdale, [Abstract]).

Regarding claim 19, Myneni-Ford combination teaches:
The non-transitory, computer-readable storage medium of claim 13, 
While the combination of Myneni-Ford does not explicitly teach the following limitation, in the same field of endeavor Stockdale teaches:
wherein: the computer executable instructions are deployable to a client system from a server system at a remote location (Stockdale, [0032] The cyber threat defense system 100 may protect against cyber security threats from an e-mail system or other communication system, as well as its network. The network may be …, a Cloud environment (i.e. remote). Examiner notes in a cloud environment, the server and client system may be remote from each other).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Stockdale in the method of monitoring user actions with behavior-based security of Myneni-Ford by using cyber threat module as analytic detection in the cyber threat defense system in a cloud based network for anomaly detection. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify malicious activity distributed across multiple devices in the cloud based network for anomaly detection (Stockdale, [Abstract]).

Regarding claim 20, Myneni-Ford combination teaches: 
The non-transitory, computer-readable storage medium of claim 13, 
While the combination of Myneni-Ford does not explicitly teach the following limitation, in the same field of endeavor Stockdale teaches:
wherein: the computer executable instructions are provided by a service provider to a user on an on-demand basis (Stockdale, [0186] A cloud provider platform (i.e. service provider) may include one or more of the server computing systems. And [0187] Cloud-based remote access can be coded to utilize a protocol, such as Hypertext Transfer Protocol ("HTTP"), to engage in a request (i.e. on-demand) and response cycle with an application on a client computing system such as a web-browser application resident on the client computing system).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Stockdale in the method of monitoring user actions with behavior-based security of Myneni-Ford by using cyber threat module as analytic detection in the cyber threat defense system in a cloud based network for anomaly detection. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify malicious activity distributed across multiple devices in the cloud based network for anomaly detection (Stockdale, [Abstract]).
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but have not been relied upon for this office action:
Muddu et al (US20170134415A1) discloses a method for performing user/entity behavioral analytics to detect security related anomalies and threats.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/MICHAEL M LEE/Examiner, Art Unit 2436 

/TRONG H NGUYEN/Primary Examiner, Art Unit 2436