DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

The following is a Non-Final Office Action in response to applicant’s filing on 
June, 16, 2020.
Claims 1-20 are pending.

                                                               Information Disclosure Statement
The information disclosure statement (IDS) submitted on June 16, 2020. The submission is
 in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Drawings
 The drawings are objected to because in paragraph 40, line 2 indicates “output, visualization, and/or feedback (step 414)”. However, in Fig. 4, step 414 was not shown.  Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

                                                              Specification
The disclosure is objected to because of the following informalities:
The paragraph labels are not in order.
Appropriate correction is required. 

                                                                        Claim Objections
Claim 20 is objected to because of the following informalities:
In claim 20, “positive, ,and”. For better clarity the examiner suggests to the applicant for further amend the limitation to “positive, and;”.
Appropriate correction is required.

                                                            Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1- 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kirti et al. (US10,701,094 B2) in view of Shekar et al. (US 2021/0357196 A1).

In regards to claim 1, Kirti discloses a non-transitory computer-readable storage medium having computer-readable code stored thereon for programming one or more processors to perform steps of (Kirti, Para. 0026, may be implemented in software (e.g., code, instructions, program) executed by one or more processing units (e.g., processors cores)): 
utilizing a grouping model to identify a function of a user of a tenant (Kirti, Para. 0206, the model can be used to identify a set of users and Para. 0207, identifying the set of users can include grouping the actions performed during used of the cloud service);
 utilizing one or more behavior models to identify normal behavior and abnormal behavior of the user based on the function (Kirti, Para. 0051, analysis performed by the security monitoring and control system 102 can include determining models of normal and/or abnormal behavior in user activity, and using the models to detect patterns of suspicious activity);
Kirti fails to disclose utilizing an orchestration model with a plurality of rules to score one or more of current and historical behavior of the user, based on the one or more behavior models; and utilizing an active learning model to improve the orchestration model. 
However, Shekar teaches utilizing an orchestration model with a plurality of rules to score one or more of current and historical behavior of the user, based on the one or more behavior models (Shekar, Para. 0043, the orchestration service 206 can authenticate user 202 and the user's request 204 to execute an analytic model by requesting authentication processing via the catalog service 210 from the security service 214 and Para. 0024, the deployment score can also be determined based on historical execution of the model and/or based on an amount of time taken to execute the model in the past, note analytic model which can be interpret as orchestration model since it is determined by an orchestration service); and 
utilizing an active learning model to improve the orchestration model (Shekar, Paragraphs. 0048- 0050, the model deployment systems and interfaces described herein improve the operation of computing devices configured to deploy analytic models in a container-orchestration system, note the model deployment systems which can be interpret as active learning model). 
 Kirti and Shekar are both considered to be analogous to the claim invention because they are in the same field of using behavior models to identify normal behavior and abnormal behavior of the user based on an identified function. Therefore, it would have been obvious to someone ordinary skill in the art before the effective filling date of the claimed invention to have modified Kirti to incorporate the teachings of Shekar to include utilizing an orchestration model with a plurality of rules to score one or more of current and historical behavior of the user, based on the one or more behavior models (Shekar, Para. 0043); and 
utilizing an active learning model to improve the orchestration model (Shekar, Paragraphs. 0048- 0050). Doing so would aid to provide faster model deployment, faster model execution, and more rapid generation of model results compared to some traditional model deployment systems. And such improvements can improve safety when modeling operationally-critical models which may need to be deployed and executed frequently to ensure the physical system corresponding to the analytic model is operating as expected.

In regards to claim 2, the combination of Kirti and Shekar teaches the non-transitory computer-readable storage medium of claim 1, wherein the steps further include causing a security technique based on the score (Kirti, Para. 0209, risk scores indicate a degree of security risk to the tenant from actions performed by a user in using the cloud service).  

In regards to claim 3, the combination of Kirti and Shekar teaches the non-transitory computer-readable storage medium of claim 1, wherein the steps further include providing feedback based on the score to the one or more behavior models (Kirti, Para. 0163, as another example, administrators of the security management and control system can provide feedback. Alternatively, or additionally, in some examples, feedback can be obtained using automated machine learning algorithms, such as decision trees and neural networks).  
 
In regards to claim 4, the combination of Kirti and Shekar teaches the non-transitory computer-readable storage medium of claim 1, wherein the steps further include providing multi-tenant insights as feedback (Kirti, Para. 0169, after one or more flagged events or activities is characterized as a true or false positive (e.g., by user feedback), the information can be provided back to one or more machine learning algorithms to automatically modify parameters of the system). 

In regards to claim 5, the combination of Kirti and Shekar teaches the non-transitory computer-readable storage medium of claim 1, wherein the grouping model utilizes a clustering technique to identify the function from a plurality of functions (Kirti, Para. 0206 and Para. 0207, the neural network can be configured to minimize a cost function, where the cost function models change to cloud service. In these and other examples, the model can be used to identify a set of users).  

In regards to claim 6, the combination of Kirti and Shekar teaches the non-transitory computer-readable storage medium of claim 1, wherein the orchestration model includes a plurality of input features from the one or more behavior models and leverage correlation among different behavior models to reduce false positives (Kirti, Para. 0169, thus, machine learning algorithms can be utilized in at least the ways discussed above to make recommendations and reduce false alarms (false positives)).  
                                                                                                                     
In regards to claim 7, the combination of Kirti and Shekar teaches the non-transitory computer-readable storage medium of claim 1, wherein the one or more behavior models define the normal behavior and the abnormal behavior for the function in terms of one or more of Uniform Resource Locator (URL) access, bandwidth, device and app usage (Kirti, Para. 0096, Para. 0051, analysis performed by the security monitoring and control system 102 can include determining models of normal and/or abnormal behavior in user activity, and using the models to detect patterns of suspicious activity. In some examples, the security monitoring and control system 102 can simultaneously analyze data from different services and/or from different services providers).  

In regards to claim 8, the combination of Kirti and Shekar teaches the non-transitory computer-readable storage medium of claim 1, wherein the abnormal behavior includes the user being suspected of leaving the tenant (Kirti, Para. 0138, a security policy can also describe an action that is to be taken when an event is detected, such as blocking access to a service, or disabling a user account).  

In regards to claim 9, Kirti discloses a system comprising: 
a network interface (Kirti, Para. 077); 
a processor communicatively coupled to the network interface (Kirti, Para. 0255); and 
memory storing computer-executable instructions that (Kirti, Para. 0026), when executed, cause the processor to utilize a grouping model to identify a function of a user of a tenant (Kirti, Para. 0206, the model can be used to identify a set of users and Para. 0207, identifying the set of users can include grouping the actions performed during used of the cloud service); utilize one or more behavior models to identify normal behavior and abnormal behavior of the user based on the function (Kirti, Para. 0051, analysis performed by the security monitoring and control system 102 can include determining models of normal and/or abnormal behavior in user activity, and using the models to detect patterns of suspicious activity); 
Kirti fails to disclose utilize an orchestration model with a plurality of rules to score one or more of current and historical behavior of the user, based on the one or more behavior models; and utilize an active learning model to improve the orchestration model.  
However, Shekar teaches utilize an orchestration model with a plurality of rules to score one or more of current and historical behavior of the user, based on the one or more behavior models (Shekar, Para. 0043, the orchestration service 206 can authenticate user 202 and the user's request 204 to execute an analytic model by requesting authentication processing via the catalog service 210 from the security service 214 and Para. 0024, the deployment score can also be determined based on historical execution of the model and/or based on an amount of time taken to execute the model in the past, note analytic model which can be interpret as orchestration model since it is determined by an orchestration service); and utilize an active learning model to improve the orchestration model (Shekar, Paragraphs. 0048- 0050, the model deployment systems and interfaces described herein improve the operation of computing devices configured to deploy analytic models in a container-orchestration system, note the model deployment systems which can be interpret as active learning model).  
 Kirti and Shekar are both considered to be analogous to the claim invention because they are in the same field of using behavior models to identify normal behavior and abnormal behavior of the user based on an identified function. Therefore, it would have been obvious to someone ordinary skill in the art before the effective filling date of the claimed invention to have modified Kirti to incorporate the teachings of Shekar to include utilize an orchestration model with a plurality of rules to score one or more of current and historical behavior of the user, based on the one or more behavior models (Shekar, Para. 0043); and utilize an active learning model to improve the orchestration model (Shekar, Paragraphs. 0048- 0050). Doing so would aid to provide faster model deployment, faster model execution, and more rapid generation of model results compared to some traditional model deployment systems. And such improvements can improve safety when modeling operationally-critical models which may need to be deployed and executed frequently to ensure the physical system corresponding to the analytic model is operating as expected.

In regards to claim 10, the combination of Kirti and Shekar teaches the system of claim 9, wherein the instructions that, when executed, further cause the processor cause a security technique based on the score (Kirti, Para. 0209, risk scores indicate a degree of security risk to the tenant from actions performed by a user in using the cloud service).    

In regards to claim 11, the combination of Kirti and Shekar teaches the system of claim 9, wherein the instructions that, when executed, further cause the processor provide feedback based on the score to the one or more behavior models (Kirti, Para. 0163, as another example, administrators of the security management and control system can provide feedback. Alternatively, or additionally, in some examples, feedback can be obtained using automated machine learning algorithms, such as decision trees and neural networks).  

In regards to claim 12, the combination of Kirti and Shekar teaches the system of claim 9, wherein the instructions that, when executed, further cause the processor provide multi-tenant insights as feedback (Kirti, Para. 0169, after one or more flagged events or activities is characterized as a true or false positive (e.g., by user feedback), the information can be provided back to one or more machine learning algorithms to automatically modify parameters of the system). 

In regards to claim 13, the combination of Kirti and Shekar teaches the system of claim 9, wherein the grouping model utilizes a clustering technique to identify the function from a plurality of functions (Kirti, Para. 0206 and Para. 0207, the neural network can be configured to minimize a cost function, where the cost function models change to cloud service. In these and other examples, the model can be used to identify a set of users).  

In regards to claim 14, the combination of Kirti and Shekar teaches the system of claim 9, wherein the orchestration model includes a plurality of input features from the one or more behavior models and leverage the correlation among different behavior models to reduce false positives (Kirti, Para. 0169, thus, machine learning algorithms can be utilized in at least the ways discussed above to make recommendations and reduce false alarms (false positives)).  

In regards to claim 15, the combination of Kirti and Shekar teaches the system of claim 9, wherein the one or more behavior models define the normal behavior and the abnormal behavior for the function in terms of one or more of Uniform Resource Locator (URL) access, bandwidth, device and app usage (Kirti, Para. 0096, Para. 0051, analysis performed by the security monitoring and control system 102 can include determining models of normal and/or abnormal behavior in user activity, and using the models to detect patterns of suspicious activity. In some examples, the security monitoring and control system 102 can simultaneously analyze data from different services and/or from different services providers).    



In regards to claim 16, Kirti discloses a method comprising: 
utilizing a grouping model to identify a function of a user of a tenant (Kirti, Para. 0206, the model can be used to identify a set of users and Para. 0207, identifying the set of users can include grouping the actions performed during used of the cloud service); 
utilizing one or more behavior models identify normal behavior and abnormal behavior of the user based on the function (Kirti, Para. 0051, analysis performed by the security monitoring and control system 102 can include determining models of normal and/or abnormal behavior in user activity, and using the models to detect patterns of suspicious activity);
 Kirti fails to disclose utilizing an orchestration model with a plurality of rules to score one or more of current and historical behavior of the user, based on the one or more behavior models; and 
utilizing an active learning model to improve the orchestration model.  
However, Shekar teaches utilizing an orchestration model with a plurality of rules to score one or more of current and historical behavior of the user, based on the one or more behavior models (Shekar, Para. 0043, the orchestration service 206 can authenticate user 202 and the user's request 204 to execute an analytic model by requesting authentication processing via the catalog service 210 from the security service 214 and Para. 0024, the deployment score can also be determined based on historical execution of the model and/or based on an amount of time taken to execute the model in the past, note analytic model which can be interpret as orchestration model since it is determined by an orchestration service); and 
utilizing an active learning model to improve the orchestration model (Shekar, Paragraphs. 0048- 0050, the model deployment systems and interfaces described herein improve the operation of computing devices configured to deploy analytic models in a container-orchestration system, note the model deployment systems which can be interpret as active learning model).  Kirti and Shekar are both considered to be analogous to the claim invention because they are in the same field of using behavior models to identify normal behavior and abnormal behavior of the user based on an identified function. Therefore, it would have been obvious to someone ordinary skill in the art before the effective filling date of the claimed invention to have modified Kirti to incorporate the teachings of Shekar to include teaches utilizing an orchestration model with a plurality of rules to score one or more of current and historical behavior of the user, based on the one or more behavior models (Shekar, Para. 0043); and 
utilizing an active learning model to improve the orchestration model (Shekar, Paragraphs. 0048- 0050). Doing so would aid to provide faster model deployment, faster model execution, and more rapid generation of model results compared to some traditional model deployment systems. And such improvements can improve safety when modeling operationally-critical models which may need to be deployed and executed frequently to ensure the physical system corresponding to the analytic model is operating as expected.

In regards to claim 17, the combination of Kirti and Shekar teaches the method of claim 16, further comprising causing a security technique based on the score (Kirti, Para. 0209, risk scores indicate a degree of security risk to the tenant from actions performed by a user in using the cloud service).  

In regards to claim 18, the combination of Kirti and Shekar teaches the method of claim 16, further comprising providing feedback based on the score to the one or more behavior models (Kirti, Para. 0163, as another example, administrators of the security management and control system can provide feedback. Alternatively, or additionally, in some examples, feedback can be obtained using automated machine learning algorithms, such as decision trees and neural networks). 

In regards to claim 19, the combination of Kirti and Shekar teaches the method of claim 16, further comprising providing multi-tenant insights as feedback (Kirti, Para. 0169, after one or more flagged events or activities is characterized as a true or false positive (e.g., by user feedback), the information can be provided back to one or more machine learning algorithms to automatically modify parameters of the system).  

In regards to claim 20, the combination of Kirti and Shekar teaches the method of claim 16, wherein the grouping model utilizes a clustering technique to identify the function from a plurality of functions (Kirti, Para. 0207, identifying the set of users can include grouping the actions performed during used of the cloud service, and identifying a group of actions that includes an action that is privileged. For example, a K-means clustering technique can be used to plot the actions in the activity data, and the users who performed to actions to identify users who performed similar actions), wherein the orchestration model includes a plurality of input features from the one or more behavior models and leverage the correlation among different behavior models to reduce false positives, (Kirti, Para. 0169, machine learning algorithms can be utilized in at least the ways discussed above to make recommendations and reduce false alarms (false positives). Activity data collected from various parameters over a period of time can be used with machine learning algorithms to generate patterns referred to as user behavior profiles) and 
wherein the one or more behavior models define the normal behavior and the abnormal behavior for the function in terms of one or more of Uniform Resource Locator (URL) access, bandwidth, device, and app usage (Kirti, Para. 0096, Para. 0051, analysis performed by the security monitoring and control system 102 can include determining models of normal and/or abnormal behavior in user activity, and using the models to detect patterns of suspicious activity. In some examples, the security monitoring and control system 102 can simultaneously analyze data from different services and/or from different services providers).  


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
DICHIU et al (US 2020/0186545 A1) teaches a computer system comprises at least one hardware processor configured, in response to receiving a cluster membership indicator indicating a grouping of a plurality of client systems into a plurality of client clusters, to select a client cluster from the plurality of client clusters, the selected client cluster comprising multiple client systems.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GITA FARAMARZI whose telephone number is (571) 272-0248. The examiner can normally be reached 9:30 AM- 6:30 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from
Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/G.F./
Examiner, Art Unit 2496
/JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496