DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-9, 11-17 and 19-25 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Elsner, publication number: US 2019/034391.

As per claim 1, Elsner teaches a method for detection of abnormal network authentication activity, comprising: 
generating a plurality of hierarchical structures corresponding to a plurality of entity types, wherein the hierarchical structure represents a relationship between entities of the same type and the entities are associated with one or more attributes (Groups 600 and 602, [0050]); 
identifying access data corresponding to an entity type of the plurality of entity types (User 604 behavior, [0050]); and 
evaluating the access data using a hierarchical structure of the plurality of hierarchical structures (Checking for anomaly, [0048][0069]).

As per claim 2, Elsner teaches wherein the plurality of hierarchical structures are generated using a machine learning process (Machine learning, [0006]).

As per claim 3, Elsner teaches wherein the relationship between entities of the same type comprises a distance metric (Score, [0064]).

As per claim 4, Elsner teaches wherein generating a plurality of hierarchical structures corresponding to a plurality of entity types comprises at least determining a logical distance between entities of the same type based on feature data extracted from collected access data (User logs, [0007]).

As per claim 5, Elsner teaches wherein generating the plurality of hierarchical structures corresponding to the plurality of entity types comprises: 
generating a first hierarchical structure corresponding to a first entity type, wherein the hierarchical structure represents a first relationship between entities of a first type and the entities of the first type are associated with a first attribute; 
generating a second hierarchical structure corresponding to a second entity type, wherein the hierarchical structure represents a second relationship between entities of a second type and the entities of the second type are associated with a second attribute; and  
generating a third hierarchical structure corresponding to a third entity type, wherein the hierarchical structure represents a third relationship between entities of a third type and the entities of the third type are associated with a third attribute (Clusters, [0050]).

As per claim 6, Elsner teaches wherein evaluating the access data using the hierarchical structure of the plurality of hierarchical structures comprises generating an abnormality score for the first relationship, the second relationship, and the third relationship (Risk score, [0004]).

As per claim 7, Elsner teaches further comprising generating a detection result when the access data is determined to be abnormal, the detection result comprising an abnormality classification determined based on a plurality of abnormalities identified by evaluating the access data using a hierarchical structure of the plurality of hierarchical structures (Risk score, [0004]).

As per claim 8, Elsner teaches wherein access data corresponds to at least requests from hosts to an authentication service or responses from the authentication service to the hosts, requests comprising token or authorization requests, and responses comprising token or authorization responses (access pattern, [0050]).

As per claim 9, Elsner teaches wherein access data is captured by at least one of: packet sniffing and authentication service log parsing (Log, [0007][0036][0049]).

As per claim 11, Elsner teaches wherein evaluating the access data using a hierarchical structure of the plurality of hierarchical structures comprising using two or more of the plurality of hierarchical structures to determine whether the access data is abnormal, the hierarchical structures relating individual entity types to a relationship between the individual entity types and a different entity type (Comparing defined groups, [0050]).

Claims 12-17 and 19 are rejected based on claims 1-5, 7 and 11.
Claims 21-25 are rejected based on claims 1-5.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 10, 18 and 26 are rejected under 35 U.S.C. 103 as being unpatentable over Elsner, publication number: US 2019/034391 in view of Flatten, patent number: US 10 803 169.

As per claims 10, 18 and 26, Elsner teaches detecting anomalies using Machine Learning. 
Elsner does not teach further comprising generating a confidence score for a detection, wherein the confidence score is based on a stability score, wherein the stability score comprises a metric representing a difference between the plurality of hierarchical structures and previously generated hierarchical structures.

In an analogous art, Flatten teaches further comprising generating a confidence score for a detection, wherein the confidence score is based on a stability score, wherein the stability score comprises a metric representing a difference between the plurality of hierarchical structures and previously generated hierarchical structures (Stability scores and machine learning models, col.15, lines 25 - 26).

Therefore, it would have been obvious to one of ordinary skill in the art to modify Elsner’s machine learning system to include stability scores as described in Flatten’s threat detection system for the advantage of reducing the probability of a false positive. 

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLUGBENGA O IDOWU whose telephone number is (571)270-1450. The examiner can normally be reached Monday-Friday 8am - 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim, can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/OLUGBENGA O IDOWU/Primary Examiner, Art Unit 2494