DETAILED ACTION

Response to Arguments
Claims 1-23 are currently pending. Claims 1, 2, 4, 7-10, 12, and 16-19 were amended. Claims 21-23 were added.

Re: Rejections under 35 U.S.C. § 112
Applicant’s arguments, see pg. 8 of the REMARKS, with respect to the 112(b) rejection of claims 4, 7, 12, 16, and 17 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. 

Re: Claim Rejections – 35 U.S.C. § 102
Applicant’s arguments, see pp. 8-10 of the REMARKS, with respect to the 102 rejection of independent claims 1, 9, and 19 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground of Koottayi in view of Yu and Hurley (see Claim Rejections - 35 USC § 103 below for details) has been asserted.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 2, 4-6, 8-10, 12-15, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Koottayi et al. (hereinafter, “Koottayi”), US 2018/0288063 in view of Yu et al. (hereinafter, “Yu”), US 2020/0213336 and in further view of Hurley et al. (hereinafter, “Hurley”), US 2007/0156771.
As per claim 1: Koottayi discloses: A computer-implemented method comprising: training a machine-learning model to recognize anomalies in access patterns relating to a plurality of service endpoints of a cloud-based service by capturing metadata associated with accesses by users to the plurality of service endpoints (Fig. 9 illustrates a process for generating behavior models for a user and determining whether an access request of a user to a target system having a resource is anomalous based on the behavior models [Koottayi, ¶0142]; In steps 920 and 925, collected data from a plurality of access requests are analyzed to generate behavior models [Koottayi, ¶¶0144-0145; Fig. 9]; the resources include cloud-based applications and/or cloud services [Koottayi, ¶0070]), wherein the metadata for a given access of the accesses includes information regarding a particular user that initiated the given access (the collected data from the plurality of access requests include user identity [Koottayi, ¶0143]), a particular device utilized by the particular user (client context, such as host name, IP address, user-agent identifier [Koottayi, ¶0143]), a particular location of the particular device (GPS location [Koottayi, ¶0143]) (requesting authentication credentials from the user [Koottayi, ¶0079]), identifying an anomaly in relation to an access by a user to a service endpoint of the plurality of service endpoints by monitoring the access patterns and applying the machine-learning model to metadata associated with the access (receiving access request by a computing device from a user (step 935); collecting data from the access request (step 940); the collected data is analyzed against the behavior model(s) to determine whether the access request is anomalous (step 950) [Koottayi, ¶¶0146-0147; Fig. 9]); based on a degree of risk to the cloud-based service associated with the identified anomaly (obtaining an overall deviation of the collected data from the one or more data clusters in the behavior model (step 950) [Koottayi, ¶0147; Fig. 9]; policies are categorized by threat levels; for example if the distance (e.g. deviation) is above a threshold, the policy may indicate a block to activities [Koottayi, ¶0106]), determining a mitigation action of a plurality of predefined mitigation actions; and proactively protecting the cloud-based service by programmatically applying the determined mitigation action (a threat score is derived from the deviation score, wherein the threat score is used to enforce rules and policies, such as blocking the user, challenging the user, or allow the user [Koottayi, ¶¶0123-0124]).
Koottayi does not disclose the plurality of service endpoints as “one or more Application Programming Interfaces (APIs) provided by the cloud-based service”. However, Yu discloses end users interacting with an application that employs RESTful APIs, wherein artificial intelligence (e.g. machine learning) is used to detect inappropriate activity in presence of unauthenticated API requests [Yu, ¶¶0088-0089].
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to implement the techniques of Koottayi for detecting anomalous access for applications with RESTful APIs, such as disclosed in Yu. Koottayi is not strictly limited to protecting specific types of resources, but is open to all types and forms of resources [Koottayi, ¶0070]. REST is a known program interface specification that ignores the details of component implementation and protocol syntax to focus on the roles of components and the constraints upon their interaction with other components. Therefore, RESTful applications are simple and uniform and protecting such applications would be desired.
Koottayi does not disclose “the metadata of a given access” includes information regarding “one or more workloads associated with the given access”. However, the collected data in Koottayi are not strictly limited in the disclosure. For example, various contexts, such as resource, server, user, session, and so on, about an access by a user are collected [Koottayi, ¶0100]. Hurley discloses determining malicious workload patterns by collecting a training set of workload patterns beforehand and using the set to evaluate a subsequent workload pattern [Hurley, ¶0008]. The number of accesses to elements are monitored over a predetermined time interval to form a workload pattern [Hurley, ¶0029].
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to include the collection of workload patterns in Koottayi for determining anomalous and/or malicious access. For example, denial of service attacks would have been detected via higher-than-normal workload patterns. Furthermore, using workload patterns as a criterion for detecting anomalies would have enabled proper allocation of resources during network/resource access by specific entities.

As per claim 2: Koottayi in view of Yu and Hurley disclose all limitations of claim 1. Furthermore, Koottayi discloses: further comprising receiving from a security administrator a policy defining permissible access to a service endpoint of the plurality of service endpoints for the user (an administrator generates a policy [Koottayi, ¶¶0092-0094]).

As per claim 4: Koottayi in view of Yu and Hurley disclose all limitations of claim 2. Furthermore, Koottayi discloses: wherein said identifying an anomaly in relation to an access by a user to a service endpoint of the plurality of service endpoints includes determining the policy has been violated based the metadata associated with the access (data associated with the access request is analyzed against data collected concerning previous interaction between the user and one or more enforcement policies to obtain a rule or policy based risk for the user [Koottayi, ¶0150]).

As per claim 5: Koottayi in view of Yu and Hurley disclose all limitations of claim 1. Furthermore, Koottayi discloses: further comprising training the machine-learning model to recognize a plurality of degrees of risk associated with the access patterns (threat levels may be determined based on a distance calculated from the center of a cluster (e.g. the deviation) [Koottayi, ¶0106]).

As per claim 6: Koottayi in view of Yu and Hurley disclose all limitations of claim 1. Furthermore, Koottayi discloses: wherein the plurality of predefined mitigation actions include requiring the user to confirm their identity via multi-factor authentication (requesting a second factor authentication [Koottayi, ¶¶0105, 0118]), sending an alert to the security administrator (transmitting an alert to the target system in the form of an SMS or email [Koottayi, ¶0153]), prohibiting access by the user to the cloud-based service for a predefined or configurable period of time (rules may include a time duration [Koottayi, ¶0088]), or prohibiting access by the user to the cloud-based service (blocking a user [Koottayi, ¶0105]).

As per claim 8: Koottayi in view of Yu and Hurley disclose all limitations of claim 1. Furthermore, Yu discloses: wherein the plurality of service endpoints comprise one or more Representational State Transfer (REST) APIs (an application employs RESTful APIs, wherein artificial intelligence (e.g. machine learning) is used to detect inappropriate activity in presence of unauthenticated API requests [Yu, ¶¶0088-0089]).

As per claim 9: Claim 9 is different from the overall scope of claim 1. However, claim 9 is directed to a non-transitory machine readable medium storing instructions corresponding to the method of claim 1. Therefore, the response to claim 1 above is applicable to claim 9.

As per claim 10: Claim 10 incorporates all limitations of claim 9. Claim 10 is directed to a non-transitory machine readable medium storing instructions corresponding to the method of claim 2. Therefore, the responses to claims 2 and 9 are applicable to claim 10.

As per claim 12: Claim 12 incorporates all limitations of claim 10. Claim 12 is directed to a non-transitory machine readable medium storing instructions corresponding to the method of claim 4. Therefore, the responses to claims 4 and 10 are applicable to claim 12.

As per claim 13: Claim 13 incorporates all limitations of claim 9. Claim 13 is directed to a non-transitory machine readable medium storing instructions corresponding to the method of claim 5. Therefore, the responses to claims 5 and 9 are applicable to claim 13.

As per claim 14: Koottayi in view of Yu and Hurley disclose all limitations of claim 13. Furthermore, Koottayi discloses: wherein the degree of risk is determined based on said applying the machine-learning model to metadata associated with the access (threat levels are determined based on the distance calculated from the center of a cluster [Koottayi, ¶0106]; the cluster is generated from a user model and used to obtain a deviation from data of an access request [Koottayi, ¶0117]).

As per claim 15: Claim 15 incorporates all limitations of claim 9. Claim 15 is directed to a non-transitory machine readable medium storing instructions corresponding to the method of claim 6. Therefore, the responses to claims 6 and 9 are applicable to claim 15.

As per claim 17: Koottayi in view of Yu and Hurley disclose all limitations of claim 9. Furthermore, Koottayi discloses: further comprising instructions to generate a report for a specified period of time containing information associated with each identified anomaly during the specified period of time (generating and publishing reports [Koottayi, ¶0097]; collected data within a time period is presented to a security administrator [Koottayi, ¶0126]).

As per claim 18: Claim 18 incorporates all limitations of claim 9. Claim 18 is directed to a non-transitory machine readable medium storing instructions corresponding to the method of claim 8. Therefore, the responses to claims 8 and 9 are applicable to claim 18.

As per claim 19: Claim 19 is different from the overall scope of claim 1. However, claim 19 is directed to a system comprising a non-transitory computer-readable medium storing instructions corresponding to the method of claim 1. Therefore, the response to claim 1 above is applicable to claim 19.

As per claim 20: Claim 20 incorporates all limitations of claim 19. Claim 20 is directed to a system comprising a non-transitory computer-readable medium storing instructions corresponding to the method of claim 6. Therefore, the responses to claims 6 and 19 are applicable to claim 20.

As per claim 21: Koottayi in view of Yu and Hurley disclose all limitations of claim 1. The same motivation for incorporating Hurley with Koottayi presented in claim 1 is also applicable to claim 21. Therefore, Hurley discloses: wherein the information regarding the one or more workloads associated with the given access comprises information indicative of a hostile workload pattern (assessing a given workload pattern to determine to be malicious or not malicious [Hurley, ¶0041]).

As per claim 22: Claim 22 incorporates all limitations of claim 10. Claim 22 is directed to a non-transitory machine readable medium storing instructions corresponding to the method of claim 21. Therefore, the responses to claims 10 and 21 are applicable to claim 22.

As per claim 23: Claim 23 incorporates all limitations of claim 19. Claim 23 is directed to a system performing the method of claim 21. Therefore, the responses to claims 19 and 21 are applicable to claim 23.

Claims 3 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Koottayi in view of Yu, Hurley and Shetty et al. (hereinafter, “Shetty”), US 2016/0315964.
As per claim 3: Koottayi in view of Yu and Hurley disclose all limitations of claim 2. Furthermore, Koottayi discloses: wherein the policy excludes (the system learns and adapts from the default or static policies and the behavior models to determine from a user behavior pattern that the system should not trigger an anomalous activity when the user is traveling to another location [Koottayi, ¶0095]).
While Koottayi discloses using conditions of a device/user’s location to exclude from a policy, Koottayi does not disclose excluding conditions of the type of device. Yu and Hurley also fail to disclose excluding conditions of the type of device. However, Shetty discloses defining the types of device (“conditions relating to a type of device”) in a policy that are allowed to join a network [Shetty, ¶0048].
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to include attributes related to device types for controlling access in Koottayi. In the example of a user traveling in [Koottayi, ¶0095], including device type for controlling access (or detecting anomalous access), would have supplemented the location attribute. If a user is traveling, a mobile device type (in contrast to the user using a desktop PC when not mobile) may have been utilized and would have been included in a whitelist in the example of Koottayi, such that subsequent accesses with a certain device are not falsely identified as anomalous accesses.

As per claim 11: Claim 11 incorporates all limitations of claim 10. Claim 11 is directed to a non-transitory machine readable medium storing instructions corresponding to the method of claim 3. Therefore, the responses to claims 3 and 10 are applicable to claim 11.

Claims 7 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Koottayi in view of Yu, Hurley, and Altman (hereinafter, “Altman”), US 9,396,316.
As per claim 7: Koottayi in view of Yu and Hurley disclose all limitations of claim 1. Koottayi, Yu, and Hurley do not disclose the limitations of claim 7. However, Altman discloses: further comprising: receiving from the security administrator a whitelist specifying an override access pattern for which none of the plurality of predefined mitigation actions are to be applied (an account owner or system administrator can set a threshold in an access pattern for a whitelisting deviation [Altman, col. 16, lines 29-39]); and wherein said identifying an anomaly in relation to an access by a user to a service endpoint of the plurality of service endpoints excludes the override access pattern (the whitelisting deviation allows an abnormal user access request to be performed without enabling a second factor authentication [Altman, col. 16, lines 8-28]).
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to enable an administrator to custom define a whitelist for access patterns that are expected or access patterns with outliers that are legitimate.

As per claim 16: Claim 16 incorporates all limitations of claim 9. Claim 16 is directed to a non-transitory machine readable medium storing instructions corresponding to the method of claim 7. Therefore, the responses to claims 7 and 9 are applicable to claim 16.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 2014/0289418: Discloses detecting workloads that cause anomalies associated with the execution of an application.
US 2011/0271146: Discloses detecting anomalies in database systems by extracting workload features from queries and applying a feature model.
T. Wang, W. Zhang, J. Wei and H. Zhong, "Workload-Aware Online Anomaly Detection in Enterprise Applications with Local Outlier Factor," 2012 IEEE 36th Annual Computer Software and Applications Conference, 2012, pp. 25-34, doi: 10.1109/COMPSAC.2012.12. (Discloses online anomaly detection for recognizing workload patterns with an incremental clustering algorithm and detecting anomalies in specific workload patterns.)
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT B LEUNG whose telephone number is (571)270-1453. The examiner can normally be reached Mon - Thurs: 10am-7pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG KIM can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/ROBERT B LEUNG/ Primary Examiner, Art Unit 2494
5-26-2022