DETAILED ACTION
The following claims are pending in this office action: 1-17
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Drawings
The drawings filed on 10/21/2020 are accepted.  
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 10/21/2020, 06/16/2021, and 04/19/2022 have been considered.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, initialed and dated copies of Applicant’s IDS forms 1449 filed 10/21/2020, 06/16/2021, and 04/19/2022 are attached to the instant Office action. 
Allowable Subject Matter
Claims 4 and 7 would be allowable if rewritten to overcome the rejections under 35 U.S.C. 112(b) set forth in this Office action and to include all of the limitations of the base claim, and any intervening claims.
Claim Objections
Claims 1-17 are objected to because of the following informalities:
Claims 1-17 recites the limitation “a central vector of each aggregation class” (claim 1, ln. 8; claim 9, ln. 11). It is unclear whether applicant intends to refer to “multiple aggregation classes” (claim 1, ln. 7; claim 9, ln. 10).  If so, examiner suggests “a central vector of each of the multiple aggregation classes”.  
Claims 1-17 recites the limitation “a central vector of an aggregation class” (claim 1, ln. 10; claim 9, ln. 13).  It is unclear whether applicant intends to refer to “multiple aggregation classes” (claim 1, ln. 7; claim 9, ln. 10).  If so, examiner suggests “a central vector of one of the multiple aggregation classes”
Claims 2-4, and 8 recites the limitation “extracting multiple eigenvalues of the user behavior data under preset multiple behavior dimensions” (claim 2, ln. 3-4); “determining eigenvectors for the user behavior data based on the multiple eigenvalues” (claim 2, ln. 7-8); and “obtaining multiple aggregation classes by clustering the eigenvectors through a preset clustering algorithm and acquiring a central vector of each aggregation class” (claim 2, ln. 11-12).  It is unclear whether applicant intends to refer to “extracting multiple eigenvalues of the user behavior data under preset multiple behavior dimensions” (claim 1, ln. 3-4); “determining eigenvectors for the user behavior data based on the multiple eigenvalues” (claim 1, ln. 5-6); and “obtaining multiple aggregation classes by clustering the eigenvectors through a preset clustering algorithm and acquiring a central vector of each aggregation class” (claim 1, ln. 11-12).  If so, examiner suggests “extracting the multiple eigenvalues of the user behavior data under the preset multiple behavior dimensions”; “determining the eigenvectors for the user behavior data based on the multiple eigenvalues”; and “obtaining the multiple aggregation classes by clustering the eigenvectors through the preset clustering algorithm and acquiring the central vector of each of the multiple aggregation classes”.
Claims 2-4, and 8 recites the limitation “user behavior data of each user” (claim 2, ln. 5).  It is unclear whether applicant intends to refer to “multiple users” (claim 2, ln. 1-2).  If so, examiner suggests “user behavior data of each user of the multiple users”.  Also see similar language in claim 10.  
Claims 2-4, 8, 10-11, and 14 recites the limitation “multiple eigenvalues of this user” (claim 2, ln. 9-10; claim 10, ln. 5-6).  It is unclear whether applicant intends to refer to “a user” (claim 1, ln. 2; claim 9, ln. 5).  If so, examiner suggests “multiple eigenvalues of the user”.  
Claims 2-4, 8, 10-11, and 14 recites the limitation “a preset clustering algorithm” (claim 2, ln. 15; claim 10, ln. 8).  It is unclear whether applicant intends to refer to “a preset clustering algorithm” (claim 1, ln. 7-8; claim 9, ln. 10-11).  If so, examiner suggests “the preset clustering algorithm”.  
Claims 3-4 recites the limitation “multiple user classes by clustering the user eigenvectors of the multiple users through a preset clustering algorithm” (claim 3, ln. 1-3).  It is unclear whether applicant intends to refer to “multiple user classes by clustering the user eigenvectors of the multiple users through a preset clustering algorithm” (claim 2, ln. 14-15).  If so, examiner suggests “the preset clustering algorithm”.  
Claims 3-4, and 11 recites the limitation “multiple user classes” (claim 3, ln. 11; claim 11, ln. 9).  It is unclear whether applicant intends to refer to “multiple user classes” (claim 2, ln. 14; claim 10, ln. 7).  If so, examiner suggests “the multiple user classes”.  
Claims 3-4, and 11 recites the limitation “a central vector of this initial user class” (claim 3, ln. 18; claim 11, ln. 16).  It is unclear whether applicant intends to refer to “second initial user class” (claim 3, ln. 18; claim 11, ln. 15).  If so, examiner suggests “a central vector of the second initial user class”.  
Claims 4 recites the limitation “a summation operation” (claim 4, ln. 15).  It is unclear whether applicant intends to refer to “a summation operation” (claim 4, ln. 13).  If so, examiner suggests “the summation operation”.
Claims 4 recites the limitation “a user eigenvector” (claim 4, ln. 19-20).  It is unclear whether applicant intends to refer to “a user eigenvector” (claim 2, ln. 9).  If so, examiner suggests “the user eigenvector”.
Claim 4 recites the limitation “a user class” (claim 4, ln. 20).  It is unclear whether applicant intends to refer to “this user class” (claim 2, ln. 17).  If so, examiner suggests “the user class”.
Claims 5-7, and 16 recites the limitation “extracting multiple eigenvalues of the user behavior data under preset multiple user behavior dimensions” (claim 5, ln. 4-5); “determining eigenvectors for the user behavior data based on the multiple eigenvalues” (claim 5, ln. 10-11); “obtaining multiple aggregation classes by clustering the eigenvectors through a preset clustering algorithm, and acquiring a central vector of each aggregation class” (claim 5, ln. 15-16); and determining a difference eigenvector (claim 5, ln. 22).  It is unclear whether applicant intends to refer “extracting multiple eigenvalues of the user behavior data under preset multiple user behavior dimensions” (claim 1, ln. 3-4); “determining eigenvectors for the user behavior data based on the multiple eigenvalues” (claim 1, ln. 5-6); “obtaining multiple aggregation classes by clustering the eigenvectors through a preset clustering algorithm, and acquiring a central vector of each aggregation class” (claim 1, ln. 7-8); and determining a difference eigenvector (claim 1, ln. 9).  If the limitation is intended to refer to the corresponding elements, examiner suggests “extracting the multiple eigenvalues of the user behavior data under the preset multiple user behavior dimensions”; “determining the eigenvectors for the user behavior data based on the multiple eigenvalues”; “obtaining the multiple aggregation classes by clustering the eigenvectors through the preset clustering algorithm, and acquiring the central vector of each of the multiple aggregation classes”; and determining the difference eigenvector.  
Claims 5-7, 12-13, and 16-17 recites the limitation “historical user behavior data” (claim 5, ln. 6-7; claim 5, ln. 12-13; claim 12, ln. 5-6; claim 12, ln. 8).  It is unclear whether applicant intends to refer “historical user behavior data” (claim 5, ln. 2; claim 12, ln. 2). If the limitation is intended to refer to the corresponding element, examiner suggests “the historical user behavior data”.  
Claims 5-7, 12-13, and 16-17 recites the limitation “a preset clustering algorithm” (claim 5, ln. 19; claim 12, ln. 12).  It is unclear whether applicant intends to refer “a preset clustering algorithm” (claim 1, ln. 8; claim 9, ln. 10-11). If the limitation is intended to refer to the corresponding element, examiner suggests “the preset clustering algorithm”.  
Claims 5-7, 12-13, and 16-17 recites the limitation “the distance” (claim 5, ln. 19; claim 12, ln. 17).  It is unclear whether applicant intends to refer “a distance between the second data eigenvector and the central vector of the first data class” (claim 5, ln. 23-24; claim 12, ln. 15-16). If the limitation is intended to refer to the corresponding element, examiner suggests “the distance between the second data eigenvector and the central vector of the first data class”.  
Claims 5-7, 12-13, and 16-17 recites the limitation “a preset distance range” (claim 5, ln. 19; claim 12, ln. 17).  It is unclear whether applicant intends to refer “a preset distance range” (claim 5, ln. 18; claim 12, ln. 16). If the limitation is intended to refer to the corresponding element, examiner suggests “the preset distance range”.  
Claims 5-7, 12-13, and 16-17 recites the limitation “a difference eigenvector” (claim 5, ln. 20; claim 12, ln. 18).  It is unclear whether applicant intends to refer “a difference eigenvector” (claim 1, ln. 9; claim 9, ln. 12). If the limitation is intended to refer to the corresponding element, examiner suggests “the difference eigenvector”.  
Claims 6-7 recites the limitation “multiple data classes by clustering the multiple first data eigenvectors and the second data eigenvector through a preset clustering algorithm” (claim 6, ln. 1-3).  It is unclear whether applicant intends to refer to “multiple data classes by clustering the multiple first data eigenvectors and the second data eigenvector through a preset clustering algorithm” (claim 5, ln. 18-19).  If so, examiner suggests “the multiple data classes by clustering the multiple first data eigenvectors and the second data eigenvector through the preset clustering algorithm”. 
Claims 6-7, and 13 recites the limitation “multiple data classes” (claim 6, ln. 13; claim 13, ln. 12).  It is unclear whether applicant intends to refer to “multiple data classes” (claim 5, ln. 18; claim 12, ln. 11).  If so, examiner suggests “the multiple data classes”.  
Claims 6-7 recites the limitation “a central vector of this initial user class” (claim 6, ln. 19).  It is unclear whether applicant intends to refer to “the second initial data class” (claim 6, ln. 18).  If so, examiner suggests “a central vector of the second initial data class”.  
Claim 7 recites the limitation “a summation operation” (claim 7, ln. 16).  It is unclear whether applicant intends to refer to “a summation operation” (claim 7, ln. 14).  If so, examiner suggests “the summation operation”.
Claim 7 recites the limitation “a data eigenvector” (claim 7, ln. 11; claim 7, ln. 20-21).  It is unclear whether applicant intends to refer to “a data eigenvector” (claim 7, ln. 7).  If so, examiner suggests “the data eigenvector”.
Claims 8 and 16 recites the limitation “a user characterized by the different eigenvector as an abnormal user” (claim 8, ln. 1-2; claim 16, ln. 1-2).  It is unclear whether applicant intends to refer to “a user characterized by the different eigenvector as an abnormal user” (claim 1, ln. 12-13; claim 9, ln. 15-16).  If so, examiner suggests “the user characterized by the different eigenvector as the abnormal user”.
Claims 8, 16 and 17 recites the limitation “the data eigenvalue” (claim 8, ln. 6; claim 14, ln. 6; claim 16, ln. 6; claim 17, ln. 6).  It is unclear whether applicant intends to refer to “a data eigenvalue for the difference eigenvector” (claim 8, ln. 3; claim 14, ln. 3; claim 16, ln. 3; claim 17, ln. 3).  If so, examiner suggests “the data eigenvalue for the eigenvector”.
Claims 8, 16 and 17 recites the limitation “an abnormal user” (claim 8, ln. 8-9; claim 14, ln. 8-9; claim 16, ln. 8-9; claim 17, ln. 8-9).  It is unclear whether applicant intends to refer to “an abnormal user” (claim 1, ln. 13; claim 9, ln. 15-16).  If so, examiner suggests “the abnormal user”.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claims 4-7, and 16 are rejected under 35 U.S.C. 112(b), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Claim 4 recites the limitation “the aggregate value” (claim 4, ln. 19). This limitation lacks antecedent basis.  Examiner suggests replacing the limitation with “the first aggregate value and the second aggregate value”, or clarify accordingly what “the aggregate value” is referring to.   
Claims 5-7, and 16 recites the limitation “the multiple first data eigenvectors” (claim 5, ln. 18; claim 6, ln. 2; claim 6, ln. 4; claim 12, ln. 11; and claim 13, ln. 3). This limitation lacks antecedent basis.  Examiner suggests replacing the first instance with “multiple first data eigenvectors”, or clarify accordingly what “the multiple first data eigenvectors” is referring to.   
Claim 7 recites the limitation “the aggregate value” (claim 7, ln. 20). This limitation lacks antecedent basis.  Examiner suggests replacing the limitation “the third aggregate value and the fourth aggregate value”, or clarify accordingly what “the aggregate value” is referring to.   
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 9-14 and 17 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  
Claims 9-14 and 17 do not fall within at least one of the four categories of patent eligible subject matter because, using the broadest reasonable interpretation, the claims are directed to signals per se.  Claims 9-14 and 17 recites an electronic device comprising a processor and a machine readable storage medium which stores machine executable instructions that can be executed by the processor.  None of the claims or the specifications disclose that the processor is a software processor, and the machine readable storage medium is non-transitory.  For example pg. 47 of the specification discloses that the machine readable storage medium MAY include RAM or NVM, and the processor MAY be a DSP, ASIC, FPGA or a discrete hardware component.  The examiner suggests that the applicant change claim 11 to add the words “non-transitory” before “machine readable storage medium”.  
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 5, 9-10, 12, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Wang et al. (US Pub. 2019/0116193) (hereinafter “Wang”) in view of Meng et al., Anomaly Detection Model of User Behavior Based on Principle Component Analysis, Journal of Ambient Intelligence and Humanized Computing, January 21, 2016, pg. 547-554 (hereinafter “Meng”) and in view of Convertino et al. (US Pub. 2016/0335260) (hereinafter “Convertino”)

As per claim 1, Wang teaches an abnormal user identification method, comprising: acquiring user behavior data of a user; ([Wang, para. 0015-0016] an event reporting agent detects entity behavior [user behavior] which can include parameters such as the IP address of the device used, the type of device used, physical location, number of login attempts, date and time, and more)
obtaining multiple aggregation classes by clustering the vectors through a preset clustering algorithm, ([Wang, para. 0032] the risk assessment engine collects and constructs the user profile [during a training period – see para. 0045], multiple clusters [aggregation classes – see para. 0006] based on the received events that are event vectors [see – para. 0006; para. 0052], using well known machine learning algorithms such as K-Means; Fig. 4 shows an entity profile that evolves from a cluster into two clusters [multiple aggregation classes]; obtaining, and using eigenvectors obtained from user behavior is taught by Meng below, and an eigenvector is one type of vector) and acquiring a central vector of each aggregation class; ([Wang, para. 0041] the risk assessment engine computes a risk score of the event based on the vector distance between the event vector and the cluster center vector [each central vector of each aggregation class]; [para. 0053] the center [central vector] of a user’s event cluster [each aggregation class] is dynamically updated [acquired])
determining a difference vector, wherein a distance between the difference vector and a central vector of an aggregation class to which the difference vector belongs is not within a preset distance range; and ([Wang para. 0041] the risk assessment engine calculates [determines] the risk score, a vector distance between the event vector [difference vector] and the cluster center [central vector of an aggregation class].  The vector is determined to be high risk [a difference vector] if is not within, for example, 30 minutes distance in vector distance [a preset distance range], from the cluster center.  Obtaining, and using eigenvectors obtained from user behavior is taught by Meng below, and an eigenvector is one type of vector)
Wang does not clearly teach extracting multiple eigenvalues of the user behavior data under preset multiple behavior dimensions; determining eigenvectors for the user behavior data based on the multiple eigenvalues; and determining a user characterized by the difference eigenvector as an abnormal user.
However, Meng teaches extracting multiple eigenvalues of the user behavior data under preset multiple behavior dimensions; and ([Meng, Pg. 3-4, Section 2.2 – PCA-based user behavior feature extraction method] feature values [eigenvalues] are calculated by extracting user behavior by using a covariance matrix) 
determining eigenvectors for the user behavior data based on the multiple eigenvalues.  ([Meng, Pg. 3-4, Section 2.2 – PCA-based user behavior feature extraction method] based on the feature value [eigenvalue] the eigenvector which represents the biggest correlation between data dimensions is determined)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Wang with the teachings of Meng to include extracting multiple eigenvalues of the user behavior data under preset multiple behavior dimensions; and determining eigenvectors for the user behavior data based on the multiple eigenvalues.  One of ordinary skill in the art would have been motivated to make this modification because using such a method of principal component analysis describes the user’s behavior more completely and improves the efficiency and stability of the algorithm in order to more precisely and effectively detect abnormal user behavior.  (Meng, abstract)
Wang in view of Meng does not clearly teach determining a user characterized by the difference eigenvector as an abnormal user.
However, Convertino teaches determining a user characterized by the difference vector as an abnormal user.  ([Convertino, para. 0073-0074] a semantic similarity that is a representation of the Euclidean distance between a centroid vector and a metric vector [a distance vector] is determined.  The metric vectors with similarity score above a threshold are provided as metric recommendations [an abnormal user – see para. 0004 – the method is used to determine intrusion attempts or unusual activities of users’ behavior])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Wang in view of Meng with the teachings of Convertino to include determining a user characterized by the difference vector as an abnormal user.  One of ordinary skill in the art would have been motivated to make this modification because, by using such a method, a user specific recommendation may be provided to identify the metric users that are most similar to the user vector based on the similarity scores.  (Covertino, para. 0077)

As per claim 2, Wang in view of Meng and Convertino teaches claim 1.  
Wang does not clearly teach wherein when the user includes multiple users, extracting multiple eigenvalues of the user behavior data under preset multiple behavior dimensions comprises: extracting multiple user eigenvalues of user behavior data of each user under multiple user behavior dimensions; determining eigenvectors for the user behavior data based on the multiple eigenvalues comprises: determining a user eigenvector of each of the multiple users based on multiple user eigenvalues of this user; obtaining multiple aggregation classes by clustering the eigenvectors through a preset clustering algorithm, and acquiring a central vector of each aggregation class, comprises: obtaining multiple user classes by clustering the user eigenvectors of the multiple users through a preset clustering algorithm; and determining a central vector of each of the multiple user classes based on a user eigenvector contained in this user class.
However, Meng teaches extracting multiple eigenvalues of the user behavior data under preset multiple behavior dimensions comprises: extracting multiple user eigenvalues of user behavior data of each user under multiple user behavior dimensions; ([Meng, Pg. 3-4, Section 2.2 – PCA-based user behavior feature extraction method] feature values [eigenvalues] are calculated by extracting user behavior by using a covariance matrix; [Pg. 4, Section 3.2] in the user behavior processing stage, the user behavior apparatus transform user behavior of users [a plurality of different users as vectors are made according to normal user behaviors and other types of user’s behaviors, and vectors are made of features which belong to one user’s behavior] to feature values [multiple user eigenvalues of behavior data of each user], and calculates each feature value, such as database access behavior and Web browsing behavior [multiple user behavior demensions])
determining eigenvectors for the user behavior data based on the multiple eigenvalues comprises: determining a user eigenvector of each of the multiple users based on multiple user eigenvalues of this user.  ([Meng, Pg. 3-4, Section 2.2 – PCA-based user behavior feature extraction method] based on the feature value [eigenvalue] the eigenvector which represents the biggest correlation between data dimensions is determined.  [Pg. 4, Section 3.2] in the training phase the system converts the audit logs of normal user behaviors into eigenvectors [determining a user eigenvector of each of the multiple users] and groups these vectors according to their users [based on this user].  As the eigenvectors are based on the feature values, and feature values for a plurality of users are calculated, each of the eigenvectors are based on the multiple user eigenvalues)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Wang, Meng and Convertino for the same reasons as disclosed above.  
Wang in view of Meng does not clearly teach wherein when the user includes multiple users (however, see Meng above where behavior data for multiple users is extracted from obtained data), obtaining multiple aggregation classes by clustering the vectors through a preset clustering algorithm, and acquiring a central vector of each aggregation class, comprises: obtaining multiple user classes by clustering the user vectors of the multiple users through a preset clustering algorithm; and determining a central vector of each of the multiple user classes based on a user vector contained in this user class.  
However, Convertino teaches wherein when the user includes multiple users, ([Convertino, para. 0040] the data management module monitors and captures activity of multiple users in various roles across different organizations using log metrics)
obtaining multiple aggregation classes by clustering the vectors through a preset clustering algorithm, and acquiring a central vector of each aggregation class, comprises: obtaining multiple user classes by clustering the user vectors of the multiple users through a preset clustering algorithm; and ([Convertino, para. 0060; para. 0066] clusters for various aggregations/classes [multiple aggregation classes] of the metrics vectors of the multiple users [see para. 0040; 0059 – the log metrics of multiple users are represented by metric vectors] with respect to different values of the various parameterizations, such as role, time period, operation, location or a combination thereof [multiple classes] are generated using a clustering algorithm such as k clustering [preset clustering algorithm].  Obtaining, and using eigenvectors from user behavior was taught by Meng above, and an eigenvector is one type of vector)
determining a central vector of each of the multiple user classes based on a user vector contained in this user class.  ([Convertino, para. 0059-0060] the recommendation module is configured to generate centroid vectors for each of the various aggregation classes [multiple user classes].  A centroid vector is a representation of the metrics [a user vector as log metrics of users are represented by the metric vectors] in a class [this user class].  Obtaining, and using eigenvectors from user behavior was taught by Meng above, and an eigenvector is one type of vector)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Wang in view of Meng with the teachings of Convertino to include wherein when the user includes multiple users, obtaining multiple aggregation classes by clustering the eigenvectors through a preset clustering algorithm, and acquiring a central vector of each aggregation class, comprises: obtaining multiple user classes by clustering the user eigenvectors of the multiple users through a preset clustering algorithm; and determining a central vector of each of the multiple user classes based on a user eigenvector contained in this user class.  One of ordinary skill in the art would have been motivated to make this modification because a centroid vector aggregated by different users provides an unintuitive perspective which allows an enterprise to benefit from such metrics by users across the enterprise.  (Convertino, para. 0010; para. 0088)

As per claim 5, Wang in view of Meng and Convertino teaches claim 1.  
Wang also teaches when the user includes one user, ([Wang, para. 0031] the Event Reporting Agent captures activity of one user) the user behavior data contains at least one piece of historical user behavior data ([para. 0056] the method captures long-term memory data relating to behavior which does not change or only gradually changes over a long period [at least one piece of historical data]) and one piece of current user behavior data; ([para. 0056] the method captures short-term memory data which represents the entity’s temporary behavior, for example, events collected in a current travelling week [one piece of current user behavior data])
extracting multiple first data values of each piece of historical user behavior data under the multiple user behavior dimensions, ([Wang, para. 0056; Fig. 5] multiple pieces of data values [multiple first data values] are extracted from long-term historical user data, such as when a user checks work emails, long-term login time of day, and long-term login city [multiple user behavior dimensions].  Obtaining, and using eigenvalues obtained from user behavior is taught by Meng below, and an eigenvalue is one type of value) and multiple second data values of the current user behavior data under the multiple user behavior dimensions; ([para. 0056; Fig. 5] multiple pieces of data values are extracted from current behavior [multiple second data values], such as current login city, and current login time of day [multiple user behavior dimensions].  Obtaining, and using eigenvalues obtained from user behavior is taught by Meng below, and an eigenvalue is one type of value)
determining a first data vector of each piece of historical user behavior data based on the multiple first data values, ([Wang, para. 0056; Fig. 5] long-term data vectors [first data vector of each piece of historical user behavior data] are determined from the long-term data values [multiple first data values].  Obtaining, and using eigenvalues and eigenvectors obtained from user behavior is taught by Meng below; an eigenvalue is one type of value, and an eigenvector is one type of vector) and a second data vector of the current user behavior data based on the multiple second data value; ([para. 0056; Fig. 5] a short-term data vector [second data vector of the current user behavior data] is determined from the short-term login data values [multiple second data values].  Obtaining, and using eigenvalues and eigenvectors obtained from user behavior is taught by Meng below; an eigenvalue is one type of value, and an eigenvector is one type of vector)
obtaining multiple aggregation classes by clustering the vectors through a preset clustering algorithm, and acquiring a central vector of each aggregation class, comprises: obtaining multiple data classes by clustering the multiple first data vectors and the second data vector through a preset clustering algorithm ([Wang, para. 0032] the risk assessment engine collects and constructs the user profile [during a training period – see para. 0045], multiple clusters [aggregation classes – see para. 0006] based on the received events that are event vectors [see – para. 0006; para. 0052], using well known machine learning algorithms such as K-Means; [para. 0056; Fig. 5] the multiple first data vectors and the second data vectors are clustered within event clusters.  Obtaining, and using eigenvectors from user behavior is taught by Meng below, and an eigenvector is one type of vector)
Wang does not clearly teach extracting multiple eigenvalues of the user behavior data under preset multiple user behavior dimensions; and determining eigenvectors for the user behavior data based on the multiple eigenvalues; teach determining a central vector of a first data class to which the second data vector belongs; determining a difference vector, comprises: determining whether a distance between the second data vector and the central vector of the first data class is within a preset distance range; and if the distance is not within a preset distance range, determining the second data vector as a difference vector. 
However, Meng teaches extracting multiple eigenvalues of the user behavior data under preset multiple user behavior dimensions; and ([Meng, Pg. 3-4, Section 2.2 – PCA-based user behavior feature extraction method] feature values [eigenvalues] are calculated by extracting user behavior by using a covariance matrix)
determining eigenvectors for the user behavior data based on the multiple eigenvalues.  ([Meng, Pg. 3-4, Section 2.2 – PCA-based user behavior feature extraction method] based on the feature value [eigenvalue] the eigenvector which represents the biggest correlation between data dimensions is determined)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Wang, Meng and Convertino for the same reasons as disclosed above.  
Wang in view of Meng does not clearly teach determining a central vector of a first data class to which the second data vector belongs; determining a difference vector, comprises: determining whether a distance between the second data vector and the central vector of the first data class is within a preset distance range; and if the distance is not within a preset distance range, determining the second data vector as a difference vector. 
However, Convertino teaches determining a central vector of a first data class to which the second data vector belongs; ([Covertino, Para. 0101] For each period of time parameterization, a time period vector is generated, as the centroid of metric vectors [a central vector] which specified the particular time period as an attribute of the matrix, for example, a time period vector would be generated for metrics that had time period of interest for the previous 24 hours [to which the second data vector belongs], week, month range, quarter, year, and so forth [a central vector of a first data class].  Obtaining, and using eigenvectors from user behavior was taught by Meng above, and an eigenvector is one type of vector)
determining a difference vector, comprises: determining whether a distance between the second data vector and the central vector of the first data class is within a preset distance range; and ([Covertino, para. 0102] the similarity [a distance – see para. 0073] between each of the M vectors in a target set [second data vector] and each of the time period vectors [a central vector of a first data class] is computed.  This identifies the subset Mp of the vectors deemed associated with the metric time period [a preset distance range, as association/similarity is a distance calculation – see para. 0073, and the metric time period is generated at the time of creation of the metric – see para. 0101].  Obtaining, and using eigenvectors from user behavior was taught by Meng above, and an eigenvector is one type of vector)
if the distance is not within a preset distance range, determining the second data vector as a difference vector. ([Covertino, para. 0074; para. 0102] the metric vectors with similarity score below a threshold [a preset distance range] are provided as not in the subset of metric vectors deemed associated with the metric time period [a difference vector])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Wang in view of Meng with the teachings of Convertino to include determining a central vector of a first data class to which the second data vector belongs; determining a difference vector, comprises: determining whether a distance between the second data vector and the central vector of the first data class is within a preset distance range; and if the distance is not within a preset distance range, determining the second data vector as a difference vector.  One of ordinary skill in the art would have been motivated to make this modification because it allows the system to aggregate the behavior usage according to a time period in order to make use of the similarity of metrics, for example, gain insights into end user behavior associated with the time period parameters.   (Convertino, para. 0006, para. 0009)

As per claim 9, Wang teaches an electronic device comprising a processor and a machine readable storage medium which stores machine executable instructions that can be executed by the processor.  ([Wang, claim 19] a computer-readable medium having executable instructions coupled to computer [processor] to perform the instructions is disclosed)
The machine executable instructions cause the processor to execute the method of claim 1, has language that is identical or substantially similar to the attack detection device of claim 1, and thus the claim is rejected with the same rational applied against claim 1.  

As per claim 10, the claim language is identical or substantially similar to that of claim 2. Therefore, it is rejected under the same rationale applied to claim 2.

As per claim 12, the claim language is identical or substantially similar to that of claim 5. Therefore, it is rejected under the same rationale applied to claim 5.

As per claim 15, Wang in view of Meng and Convertino teaches claim 1.
Wang in view of Meng does not clearly teach a non-transitory machine readable storage medium, which stores machine executable instructions that, when called and executed by a processor, cause the processor to perform a method.  
However, Convertino teaches a non-transitory machine readable storage medium, which stores machine executable instructions that, when called and executed by a processor, cause the processor to perform a method.  ([Convertino, claim 21] a non-transitory computer readable storage medium storing program code that implements a computer executed method [machine executable instructions]; [para. 0035] the computer system includes processors that are used to run the code)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Wang in view of Meng with the teachings of Convertino to include a non-transitory machine readable storage medium, which stores machine executable instructions that, when called and executed by a processor, cause the processor to perform a method.  One of ordinary skill in the art would have been motivated to make this modification because memory and processors allows an application layer of software to interact with the method in a computer system.  (Convertino, para. 0033)

Claims 3, 6, 11, and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Wang in view of Meng in view of Convertino and further in view of Jang et al. (US 2015/0127243) (hereinafter “Jang”) included in the IDS dated 04/19/2022.

As per claim 3, Wang in view of Meng and Convertino teaches claim 2.  
Wang does not clearly teach wherein, obtaining multiple user classes by clustering the user eigenvectors of the multiple users through a preset clustering algorithm, comprises: obtaining K initial user classes by clustering wherein K is a positive integer; acquiring a first initial user class and a second initial user class in the K initial user classes; obtain a combined initial user class by combining the first initial user class and the second initial user class; obtaining multiple user classes by taking the combined initial user class and other initial user classes that are not combined in the K initial user classes respectively as clustered user classes; wherein, the first initial user class is an initial user class, in the K initial user classes, in which the number of user eigenvectors is less than a preset number threshold; the second initial user class is an initial user class in the K initial user classes, wherein the distance between a central vector of this initial user class and a central vector of the first initial user class is minimum.
However, Jang teaches wherein obtaining multiple user classes by clustering the user vectors of the multiple users through a preset clustering algorithm, comprises: obtaining K initial user classes by clustering the user vectors of the multiple users through a K-means clustering algorithm, wherein K is a positive integer; ([Jang, para. 0018-0019] the server is configured to divide data [user vectors of the multiple users – see para. 0019] into a plurality of clusters using K-means clustering.  K random numbers are selected between 1 and N [a positive integer].  Obtaining, and using eigenvectors from user behavior was taught by Meng above in claim 1 which this claim is dependent on, and an eigenvector is one type of vector)
acquiring a first initial user class and a second initial user class in the K initial user classes; ([Jang, para. 0019-0021] the server selects a set of initial daily vectors, and designates each initial daily vector as the center of a cluster [a first and second initial user class], where there are K initial daily vectors, and K corresponding initial clusters [K initial user classes].  Then the server analyzes the remaining daily vectors to iteratively assign them to a cluster based on their distance to the center vector)
obtain a combined initial user class by combining the first initial user class and the second initial user class; ([Jang, para. 0038] two clusters [the first and second initial user classes – see para. 0019] are merged forming a merged cluster [a combined initial user class] when the centroids are less than a predetermined distance apart)
obtaining multiple user classes by taking the combined initial user class and other initial user classes that are not combined in the K initial user classes respectively as clustered user classes; ([Jang, para. 0037-038] the server may be configured to merge clusters [the combined initial user class].  The clusters may be merged recursively [as clustered user classes] such that clusters [combined initial user class] may be merged with another cluster [initial user class not combined].  [Para. 0036] the initial user classes are K initial user classes)
wherein, the first initial user class is an initial user class, in the K initial user classes, in which the number of user vectors is less than a preset number threshold; ([Jang, para. 0037] the server combines clusters when the number of vectors in a cluster [first initial user class] is less than a minimum value [a preset number threshold].  [Para. 0018-0019] The first initial user class is an initial user class in the K initial user classes as all classes are combined using K-means clustering.  Obtaining, and using eigenvectors from user behavior was taught by Meng above in claim 1 which this claim is dependent on, and an eigenvector is one type of vector)
the second initial user class is an initial user class in the K initial user classes, wherein the distance between a central vector of this initial user class and a central vector of the first initial user class is minimum.  ([Jang, para. 0037] the server combines clusters the cluster where the number of vectors is less than a minimum with the cluster having the nearest [minimum distance] centroid [the second initial user class].  [Para. 0018-0019] The second initial user class is an initial user class in the K initial user classes as all classes are combined using K-means clustering)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Wang in view of Meng and Convertino with the teachings of Jang to include wherein obtaining multiple user classes by clustering the user vectors of the multiple users through a preset clustering algorithm, comprises: obtaining K initial user classes by clustering the user vectors of the multiple users through a K-means clustering algorithm, wherein K is a positive integer; acquiring a first initial user class and a second initial user class in the K initial user classes; obtain a combined initial user class by combining the first initial user class and the second initial user class; obtaining multiple user classes by taking the combined initial user class and other initial user classes that are not combined in the K initial user classes respectively as clustered user classes; wherein, the first initial user class is an initial user class, in the K initial user classes, in which the number of user vectors is less than a preset number threshold; the second initial user class is an initial user class in the K initial user classes, wherein the distance between a central vector of this initial user class and a central vector of the first initial user class is minimum.  One of ordinary skill in the art would have been motivated to make this modification because 1) K-means clustering allows similar sets of data to be identified; and 2) combining clusters allows for an optimization of the K value for the clustering algorithm so that the value that the value may be used for subsequent requests, and to better identify variance among vectors.  (Jang, para. 0018; para. 0036)

As per claim 6, Wang in view of Meng and Convertino teaches claim 5.  
Wang also teaches obtaining K initial data classes by clustering the multiple first data vector and the second data vector through a K-means clustering algorithm ([Wang para. 0033] the risk assessment engine uses K-Means to determine if an event belongs in a cluster.  [Para. 0056] the events include long-term memory events [first data vector as this is historic behavior data] and short-term memory [second data vector as this is current behavior data].  Obtaining, and using eigenvectors from user behavior was taught by Meng above in claim 1 which this claim is dependent upon, and an eigenvector is one type of vector.  Wherein K is a positive integer is taught by Jang below.)
acquiring a first initial data class in the K initial data classes, ([Wang, para. 0033] the risk assessment engine uses K-means to obtain a cluster [first initial data class in the K initial data classes] representative of the user behavior data.  Obtaining, and using eigenvectors from user behavior was taught by Meng above, and an eigenvector is one type of vector.  Wherein, the first initial data class contains N data vectors, and N is a positive integer is taught by Jang below)
wherein, the first initial data class is an initial data class to which the second data vector belongs.  ([Wang, para. 0033; para. 0056] the vector representative of short-term memory [second data vector] belongs in a cluster determined using K-Means [first initial data class in the K initial data classes].  Obtaining, and using eigenvectors from user behavior was taught by Meng above in claim 1 which this claim is dependent upon, and an eigenvector is one type of vector.  Wherein, the first initial data class contains N data vectors, and N is a positive integer is taught by Jang below)
Wang in view of Meng and Convertino does not teach wherein K is a positive integer; wherein, the first initial data class contains N data eigenvectors, and N is a positive integer; if N is less than a preset number threshold, acquiring a second initial data class in the K initial data classes; obtaining a combined initial data class by combining the first initial data class and the second initial data class; obtaining multiple data classes by taking the combined initial data class and other initial data classes that are not combined in the K initial data classes respectively as clustered data classes; the second initial data class is an initial data class in the K initial user classes, wherein the distance between a central vector of this initial data class and a central vector of the first initial user class is minimum.
However, Jang teaches wherein K is a positive integer; ([Wang, para. 0033; para. 0056] the vector representative of short-term memory [second data vector] belongs in a cluster determined using K-Means [first initial data class in the K initial data classes].  Obtaining, and using eigenvectors from user behavior was taught by Meng above, and an eigenvector is one type of vector.  Wherein, the first initial data class contains N data vectors, and N is a positive integer is taught by Jang below)
wherein, the first initial data class contains N data vectors, and N is a positive integer; ([Jang, para. 0018-0019] the server divides initial daily vector K as 3, 5, 10, 30, 100 [a positive integer] include clusters [the first initial data class].  Obtaining, and using eigenvectors from user behavior was taught by Meng above in claim 1 which this claim is dependent upon, and an eigenvector is one type of vector)
if N is less than a preset number threshold, acquiring a second initial data class in the K initial data classes; ([Jang, para. 0037] two clusters [the first and second initial user classes – see para. 0019] are merged when the number of vectors in a cluster [first initial user class] is less than a minimum threshold)
obtaining a combined initial data class by combining the first initial data class and the second initial data class; ([Jang, para. 0037] the server may be configured to merge the two clusters, forming a merged cluster [the combined initial user class] when the number of vectors is less than a minimum)
obtaining multiple data classes by taking the combined initial data class and other initial data classes that are not combined in the K initial data classes respectively as clustered data classes; ([Jang, para. 0037-038] the server may be configured to merge clusters [the combined initial user class].  The clusters may be merged recursively [as clustered user classes] such that clusters [combined initial user class] may be merged with another cluster [initial user class not combined].  [Para. 0036] the initial user classes are K initial user classes)
	the second initial data class is an initial data class in the K initial user classes, wherein the distance between a central vector of this initial data class and a central vector of the first initial user class is minimum.  ([Jang, para. 0038]  the server combines clusters when the centroid [central vector] of the initial k-means cluster [second initial data class] is less than a predetermined distance apart [a minimum] between the initial k-means cluster of another k-means cluster [first initial data class].  Examiner takes first and second initial data classes as interchangeable as they are both initial data classes created during generation of clusters during K-means clustering.  [Para. 0018-0019] The second initial user class is an initial user class in the K initial user classes as all classes are combined using K-means clustering.  Obtaining, and using eigenvectors from user behavior was taught by Meng above in claim 1 which this claim is dependent on, and an eigenvector is one type of vector)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Wang, Meng, Convertino, and Jang for the same reasons as disclosed above.  

As per claim 11, the claim language is identical or substantially similar to that of claim 3. Therefore, it is rejected under the same rationale applied to claim 3.

As per claim 13, the claim language is identical or substantially similar to that of claim 6. Therefore, it is rejected under the same rationale applied to claim 6.

Claims 8, 14, and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Wang in view of Meng in view of Convertino and further in view of Chari et al. (US 2018/0359270) (hereinafter “Chari”)

As per claim 8, Wang in view of Meng and Convertino teaches claim 2.  
Wang in view of Meng and Convertino does not clearly teach determining a user characterized by the difference eigenvector as an abnormal user comprises: determining whether a data eigenvalue for the difference eigenvector exceeds a preset baseline eigenvalue based on each of the multiple user behavior dimensions; and if the data eigenvalue exceeds the preset baseline eigenvalue, determining that a user behavior characterized under the user behavior dimension is an abnormal user behavior, and that a user characterized by the difference eigenvector is an abnormal user.
However, Chari teaches determining a user characterized by the difference vector as an abnormal user comprises: determining whether a data value for the difference vector exceeds a preset baseline value based on each of the multiple user behavior dimensions; ([Chari, para. 0036] the anomalous user behavior detector uses distance metrics corresponding to the user group distance vector [difference vector] to identify anomalous behavior.  First, the detector determines whether the distance metric corresponding to the user is greater than [exceeds] a distance threshold [preset baseline value].  [Para. 0034] this determination is based on user activities of a plurality of users [multiple user behavior dimensions])
and if the data value exceeds the preset baseline value, determining that a user behavior characterized under the user behavior dimension is an abnormal user behavior, and that a user characterized by the difference eigenvector is an abnormal user.  ([Chari, para. 0036] if the distance metrics [data value] is greater than the distance threshold, then the anomalous user behavior detector identifies that the user vector is associated with anomalous user behavior.  Anomalous user behavior represents one or more users that indicates a security threat [an abnormal user])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Wang in view of Meng and Convertino with the teachings of Chari to include wherein when the user includes multiple users, obtaining multiple aggregation classes by clustering the eigenvectors through a preset clustering algorithm, and acquiring a central vector of each aggregation class, comprises: obtaining multiple user classes by clustering the user eigenvectors of the multiple users through a preset clustering algorithm; and determining a central vector of each of the multiple user classes based on a user eigenvector contained in this user class.  One of ordinary skill in the art would have been motivated to make this modification because such a modification allows detection of anomalous user behavior by learning which users have similar behavior and adapting to new user behavior.  (Chari, para. 0046)

As per claim 14, the claim language is identical or substantially similar to that of claim 8. Therefore, it is rejected under the same rationale applied to claim 8.

As per claim 16, the claim language is identical or substantially similar to that of claim 8. Therefore, it is rejected under the same rationale applied to claim 8.

As per claim 17, the claim language is identical or substantially similar to that of claim 8. Therefore, it is rejected under the same rationale applied to claim 8.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Lin et al. (US Pub. 2020/0228557) discloses creating a behavior model that captures a user’s daily pattern and events to identify anomalous user network activity based on multiple data sources, and using eigenvalues and eigenvectors to perform Principal Component Analysis as part of detection of the activity. 
Verma et al. (US Pub. 2019/0132224) discloses using link prediction derived from eigenvectors to calculate a metric for a plurality of nodes in the context of identifier outliers who are indicative of abnormal activity.  
Eldardiry et al. (US pub. 2015/0235152) discloses a system for identifying malicious insiders that constructs feature vectors based on work practice data and clusters the data to determine whether a user is a malicious outsider.  
Kirti et al. (US Pub. 2018/0375886) discloses techniques for monitoring privileged users and detecting anomalous activities where clustering is used to determine clusters of users using K-means clustering technique to identify groups of users that are associated with risk indicators.  
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHE LIU whose telephone number is (571) 272-3634.  The examiner can normally be reached on Monday - Friday: 8:30 AM to 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.
/Z.L./Examiner, Art Unit 2493

/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493