DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continuation
This application is a continuation application of US 16/410,306 (filed on May 13, 2019 – now US Patent No. 10,911,474), which is a continuation application of US 15/260,189 (filed on Sep. 8, 2016 – now US Patent No. 10,291,638). The prosecution history and references cited in the above applications have been fully considered.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-6 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 5-7, and 10-11 of US Patent No. 10,291,638 and claims 1-4 and 6-7 of US Patent No. 10,911,474. Although the claims at issue are not identical, they are not patentably distinct from each other because the cited claims of the conflicting patents contain every element of claims 1-6 of the instant application and thus anticipate the claims of the instant application. Therefore, claims 1-6 of the instant application are not patentably distinct from the earlier patent claims and are unpatentable under obviousness-type double patenting. “A later patent claim is not patentably distinct from an earlier claim if the later claim is anticipated by the earlier claim. In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species within that genus).” ELI LILLY AND COMPANY v BARR LABORATORIES, INC., United States Court of Appeals for the Federal Circuit on PETITION FOR REHEARING EN BANC (DECIDED: May 30, 2001).
Claims 7-12 are directed to a system with computer components performing the method of claims 1-6 of the instant application. Claims 13-18 are directed to a non-transitory computer-readable medium with instructions corresponding to the method claims 1-6 of the instant application. Thus, claims 8-18 differ only in scope from claims 1-6 but remain patentably indistinct from claims 1-6. Hence, claims 7-18 are rejected under obviousness-type double patenting in view of the conflicting patents previously stated.
The following is a comparison table between exemplary claims:
| Instant application (17/131,430) | Conflicting patent (10,911,474) |
| --- | --- |
| 1. A method of detecting anomalies in usage activities at one or more cloud-based service providers, the method comprising: | 1. A method of detecting anomalies in usage activities at one or more cloud-based service providers, the method comprising: |
| | generating, using a hardware processor, a user behavior model, for each user of a plurality of users of the one or more cloud-based service providers, comprising one or more coefficients describing cloud usage behavior of the user; analyzing, using the hardware processor, the user behavior models of the plurality of users to form user groups with similar user behavior; generating, using the hardware processor, a generalized user behavior model for each user group of the user groups, each of the generalized user behavior model comprising one or more coefficients describing cloud usage behavior of a corresponding user group; |
| determining that a user does not have sufficient usage activity data to generate a user behavior model for the user; | determining that another user does not have sufficient usage activity data to generate a user behavior model for the other user; |
| assigning, using the hardware processor, the user to an assigned user group of a plurality of user groups, wherein each of the plurality of user groups represents similar user behavior of users in the user group and has a corresponding generalized user behavior model; | assigning, using the hardware processor, the other user to an assigned user group of the user groups; |
| assigning, using the hardware processor, the generalized user behavior model of the assigned user group as a user behavior model for the user; | assigning, using the hardware processor, the generalized user behavior model of the assigned user group as a user behavior model for the other user; |
| generating, using the hardware processor, a threat detection threshold for the user using coefficients of the user behavior model of the user; | generating, using the hardware processor, a threat detection threshold for the other user using the coefficients of the user behavior model of the other user; |
| receiving, using the hardware processor, cloud usage activity data of the user; | receiving, using the hardware processor, an event stream of cloud usage activity data of the other user for a current time period; |
| detecting, using the hardware processor, an anomaly in the cloud usage activity data of the user using the threat detection threshold of the user, the anomaly indicating a potential security risk associated with usage activities at the cloud-based service providers; | detecting, using the hardware processor, an anomaly in the cloud usage activity data of the other user in the event stream using the threat detection threshold of the other user, the anomaly indicating a potential security risk associated with usage activities at the cloud-based service providers; |
| and performing an action based on the detected anomaly. | and performing an action based on the detected anomaly. |




| Instant application (17/131,430) | Conflicting patent (10,291,638) |
| --- | --- |
| 1. A method of detecting anomalies in usage activities at one or more cloud-based service providers, the method comprising: | 1. A method of detecting anomalies in usage activities at one or more cloud-based service providers associated with users of an enterprise, the method comprising: |
| | receiving, using a hardware processor, cloud usage activity data from activity logs of users accessing the one or more cloud-based service providers on behalf of the enterprise; aggregating, using the hardware processor, the cloud usage activity data of the users over predetermined time intervals; analyzing, using the hardware processor, the aggregated cloud usage activity data to generate a user behavior model for each user comprising one or more coefficients describing the user's cloud usage behavior; analyzing, using the hardware processor, the user behavior models of the users to form user groups with similar user behavior; generating, using the hardware processor, a generalized user behavior model for each user group, the generalized user behavior model comprising one or more coefficients describing the user group's cloud usage behavior; |
| determining that a user does not have sufficient usage activity data to generate a user behavior model for the user; assigning, using the hardware processor, the user to an assigned user group of a plurality of user groups, wherein each of the plurality of user groups represents similar user behavior of users in the user group and has a corresponding generalized user behavior model; assigning, using the hardware processor, the generalized user behavior model of the assigned user group as a user behavior model for the user; | for a user having sparse cloud usage activity data, assigning, using the hardware processor, the user to a user group and assigning, using the hardware processor, the generalized user behavior model of the user group as the user behavior model for the user; (Note: from an earlier limitation: “the user behavior models of the users to form user groups with similar user behavior”, which corresponds to the groups representing similar user behavior in the instant claim) |
| generating, using the hardware processor, a threat detection threshold for the user using coefficients of the user behavior model of the user; | generating, using the hardware processor, a threat detection threshold for each user using the coefficients of the user behavior model of the user and prior cloud usage data of the user belonging to a prior time period; |
| receiving, using the hardware processor, cloud usage activity data of the user; | receiving, using the hardware processor, an event stream of cloud usage activity data of the users for a current time period; |
| detecting, using the hardware processor, an anomaly in the cloud usage activity data of the user using the threat detection threshold of the user, the anomaly indicating a potential security risk associated with usage activities at the cloud-based service providers; | detecting, using the hardware processor, anomalies in the cloud usage activities data of each user in the event stream using the threat detection threshold of the respective user, the anomalies indicating potential security risk associated with usage activities at the cloud-based service providers; |
| and performing an action based on the detected anomaly. | and performing an action based on the detected anomalies. |


Notes on Prior Art
No prior art rejections are asserted for the claims as currently presented. However, the Examiner notes the following prior art relevant to the claimed invention.
The cited prior art generally discloses using models of user behavior or activity patterns for detecting anomalous and threat events in networks. For example, US 9,338,187 discloses creating a model on collected user activities with a network and using that model to determine abnormal patterns over a period. In another example, US 2015/0067846 discloses generating a model from a set of user activity over a given period as input and producing a model of roles defined by said set of user activities. In another example, US 9,185,095 discloses using historical usage data of a user to develop a behavioral profile, wherein the profile is used to identify deviations in current sessions. Therefore, the concept of generating user behavior-based models and enforcing said models to detect abnormal or inconsistent user activities on a network was known in the art.
Furthermore, it was commonly known in the field of machine learning that a lack of historical datasets would have prevented proper generation of a reliable model for detecting malicious network patterns (see US 2004/0117478; ¶6). In another example, US 2014/0156568 discloses using the “most generic model” when there is little to no historical data available to train a more specific model; see ¶25. In another example, JP 2010198243 discloses that an expansion process is used on variable inputs when the amount of data in a behavior model of an individual is insufficient; see ¶0105-0107. However, a careful review of the prior art of record did not reveal sufficient teachings of the specific claimed solution of network anomaly detection using generalized user behavior models derived from common user behavior model groupings in the scenario of insufficient user activity data (“determining that a user does not have sufficient usage activity data to generate a user behavior model…”, “assigning…the user to an assigned user group…corresponding to a generalized user behavior model”, and “detecting…an anomaly…using the threat detection threshold [generated by using coefficients from the generalized user behavior model]”).
Also see the overviews of other relevant prior art in the following section.
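The fallback singled out in the notes above (a user without enough history is assigned to a group, inherits that group's generalized model, and is checked against a threshold built from its coefficients) can be illustrated in Python. This is an added example, not code from the application or the cited patents. It assumes the coefficients are a mean and standard deviation of daily upload volume, that "similar behavior" means the same order of magnitude, and that the cutoff `MIN_SAMPLES`, the multiplier `K` and all sample data are constructed for illustration.

```python
import math
from statistics import mean, pstdev

MIN_SAMPLES = 5  # assumed cutoff for "sufficient usage activity data"
K = 3.0          # assumed multiplier: threshold = mean + K * std

# Constructed sample data: daily upload volume in MB per user.
HISTORY = {
    "alice": [10, 12, 9, 11, 13, 10],
    "bob": [8, 11, 10, 12, 9, 11],
    "carol": [480, 520, 510, 495, 505, 490],
    "dave": [530, 470, 500, 515, 485, 500],
    "erin": [14],  # new account: too little history for its own model
}

def fit_model(samples):
    """User behavior model: coefficients (mean, std) of daily volume."""
    return (mean(samples), pstdev(samples))

def build_group_models(history):
    """Fit per-user models, group similar users, average each group's coefficients."""
    groups = {}
    for samples in history.values():
        if len(samples) >= MIN_SAMPLES:
            model = fit_model(samples)
            key = int(math.log10(max(model[0], 1)))  # similar = same order of magnitude
            groups.setdefault(key, []).append(model)
    return {key: (mean(m[0] for m in ms), mean(m[1] for m in ms))
            for key, ms in groups.items()}

def model_for(user, history, group_models):
    """Own model when there is enough data, else a group's generalized model."""
    samples = history.get(user, [])
    if len(samples) >= MIN_SAMPLES:
        return fit_model(samples)
    if not samples:  # nothing observed yet: use the lowest-volume (strictest) group
        return min(group_models.values())
    seen = math.log10(max(mean(samples), 1))
    return min(group_models.values(),
               key=lambda g: abs(math.log10(max(g[0], 1)) - seen))

def threshold(model):
    """Threat detection threshold derived from the model coefficients."""
    mu, sigma = model
    return mu + K * sigma

def is_anomalous(user, value, history, group_models):
    """True when one day's volume exceeds the user's threshold."""
    return value > threshold(model_for(user, history, group_models))
```

With this data a 400 MB day is within carol's own threshold but is flagged for erin, who inherits the low-volume group's model.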

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 2010/0146622: Discloses detecting intrusion by analyzing user interaction/activity data stored in a buffer, wherein the analysis is performed by a predetermined user model. The analysis is only performed when the buffer is full or there is enough data stored in the buffer. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT B LEUNG whose telephone number is (571)270-1453.  The examiner can normally be reached on Mon - Thurs: 10am-7pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG KIM can be reached on 571-272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ROBERT B LEUNG/
Primary Examiner, Art Unit 2494
6-01-2022