DETAILED ACTION

Notice of Pre-AIA or AIA Status

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Information Disclosure Statement

2.	The information disclosure statement (IDS) submitted on 6/05/2021 was filed.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


3.	Claims 13-35 are rejected under 35 U.S.C. 103 as being unpatentable over Patent No.: US 10,021,138 B2 to Gill et al. (hereafter referenced as Gill), in view of Pub. No.: US 2017/0236080 A1 to SINGH et al. (hereafter referenced as SINGH).
Regarding claim 13, Gill discloses “a system for fraud detection and remediation” (threat and fraud detection correlation engine [Fig.1/item 102]), “comprising: at least one processor” (processor [Fig.39/item 1602]); “and at least one non-transitory computer-readable medium containing operation instructions that, when executed by the at least one processor, cause the system to perform operations comprising: determining a first location in a multidimensional array” (field programmable gate array (FPGA), programmable logic array [Col.46/lines 54-57]), “the first location determined based on first event data for a first event or first attempted event” (risk analysis 604 and correlation utilizing event alerting 628 [Fig.6/item628]), “the first event or the first attempted event corresponding to a first entity” (risk engine compares set of rules with actions and events being performed [Col.9/lines 22-26]); “comparing the first location to at least one first cluster location in the multidimensional array” (i.e. applicant specification defines a multi-dimensional array as described as each time an embodiment of the invention notes a new entity event, it compares the event to the entity’s behavior history as recorded in its entity profile to determine aberrant behavior and therefore increased risk. Gill teaches a risk engine in [Col.9/lines 22-26] which compares set rules with actions being performed and if any of the rules are violated the system identifies the particular action as a risk and notifies the administrator).
Gill does not explicitly disclose “the at least one first cluster location corresponding to the first entity; determining, based on the comparison of the first location and the at least one first cluster location, a risk score for the first event or the first attempted event ; identifying, based on the risk score and a rule, a remedial action; and providing remediation instructions to perform the remedial action in response to the first event or the first attempted event.”
However, SINGH in an analogous art discloses “the at least one first cluster location corresponding to the first entity” (density based clustering techniques are applied to specific parameters and data corresponding to the valid devices and sensors in the IOT environment SINGH[par.0273]); “determining, based on the comparison of the first location and the at least one first cluster location, a risk score for the first event or the first attempted event” (SINGH FIG.9 illustrates a sample screen shot of a behavioral pattern view for viewing the user risk score built on behavior, activity, access, and usage SINGH[par.0052]); “identifying, based on the risk score and a rule” (risk score assessment SINGH [Fig.1]), “a remedial action” (action rule SINGH [par.0116]); “and providing remediation instructions to perform the remedial action in response to the first event or the first attempted event.” (predictive analytics engine SINGH [Fig.1]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Gill’s Policy rule engine and multi-compliance framework with SINGH’s system for interconnected devices comprising a risk management process used to provide additional security. One of ordinary skill in the art would have been motivated to combine because Gill teaches a system that defines, detects and prevents. Singh also discloses a system that detects and provides a risk management process, and both are from the same field of endeavor.
Regarding claim 14 in view of claim 13, the references combined disclose “wherein: an axis of the multidimensional array corresponds to one of an event date, an event time, a geographic location associated with the event, a type of device associated with the event, an internet protocol address, or a number of prior events associated with the event.” (common services platform 604 contains a risk engine, geospatial services 628, and remedial action scripts within a meta data repository Gill[Col.6/lines 5-15]).
Regarding claim 15 in view of claim 13, the references combined disclose “wherein: the operations further comprise: obtaining, from an event reporting agent, unprocessed first event data; and generating the first event data using the unprocessed first event data.” (reporting tool generates reports after analyzing data from underlying systems Gill[Col.8/lines 51-58]).
Regarding claim 16 in view of claim 15, the references combined disclose “wherein: generating the first event data comprises converting first categorical values of the unprocessed first event data into first numerical values” (the extracted data / event is converted to a uniform data format for later processing step by reducer SINGH[par.0196]).



Regarding claim 17 in view of claim 13, the references combined disclose “wherein: the operations further comprise updating the at least one first cluster location using the first event data” (density based clustering techniques are applied to specific parameters and data corresponding to the valid devices and sensors in the IOT environment SINGH[par.0273]). 
Regarding claim 18 in view of claim 13, the references combined disclose “wherein: the operations further comprise applying the rule to at least one attribute of the first event or the first attempted event; and wherein the first location is compared to the at least one first cluster location based on a result of the application of the rule.” (Gill teaches a risk engine in [Col.9/lines 22-26] which compares set rules with actions being performed and if any of the rules are violated the system identifies the particular action as a risk and notifies the administrator).
Regarding claim 19 in view of claim 13, the references combined disclose “wherein: the operations further comprise: obtaining a first stream of event data, the first stream including the first event data” (Upstream and downstream impact analysis Gill[Col.15/line 23]); “updating clusters corresponding to entities using the first stream of event data, the entities including the first entity” (density based clustering techniques are applied to specific parameters and data corresponding to the valid devices and sensors in the IOT environment SINGH[par.0273]); “and applying a rule queue to the first stream, the rule queue including the rule; and the first location is compared to the at least one first cluster location based on a result of the application of the first stream to the rule queue.” (Gill teaches a risk engine in [Col.9/lines 22-26] which compares set rules with actions being performed and if any of the rules are violated the system identifies the particular action as a risk and notifies the administrator).
Regarding claim 20 in view of claim 13, the references combined disclose “wherein: the first event data is for the first event, the risk score is for the first event” (SINGH FIG.9 illustrates a sample screen shot of a behavioral pattern view for viewing the user risk score built on behavior, activity, access, and usage SINGH[par.0052]), “and the remedial action is performed in response to the first event” (action rule SINGH [par.0116]); “and the first event comprises at least one of a login event, application access event, privileged resource event, mobile device management event, command-use event, or authorization escalation event.” (predictive analytics engine SINGH [Fig.1]).
Regarding claim 21 in view of claim 13, the references combined disclose “wherein: the first event data is for the first event, the risk score is for the first event” (SINGH FIG.9 illustrates a sample screen shot of a behavioral pattern view for viewing the user risk score built on behavior, activity, access, and usage SINGH[par.0052]), “and the remedial action is performed in response to the first event; and the first event occurs during a session and the remedial action comprises at least one of terminating the session” (action rule SINGH [par.0116]), “restricting access to computing resources available in the session, limiting privileges of the first entity in the session, or providing a notification.” (prevention process module Gill[Col.11/lines 21-25], also see [Fig.1/item 108]).

Regarding claim 22 in view of claim 13, the references combined disclose “wherein: the first event data is for the first attempted event, the risk score is for the first attempted event” (SINGH FIG.9 illustrates a sample screen shot of a behavioral pattern view for viewing the user risk score built on behavior, activity, access, and usage SINGH[par.0052]), “and the remedial action is performed in response to the first attempted event” (action rule SINGH [par.0116]); “the remediation instructions are provided to an access control service; and the remedial action comprises: denying, by the access control service, the first attempted event, or requiring, by the access control service, additional authentication to perform the first attempted event.” (prevention process module Gill[Col.11/lines 21-25], also see [Fig.1/item 108]).
Regarding claim 23 in view of claim 22, the references combined disclose “wherein: the remedial action comprises denying the first attempted event” (action rule SINGH [par.0116]), “and the operations further comprise: obtaining, from an event reporting agent, second event data concerning the denial of the first attempted event; and updating the at least one first cluster location using the second event data” (i.e. applicant specification defines a multi-dimensional array as described as each time an embodiment of the invention notes a new entity event, it compares the event to the entity’s behavior history as recorded in its entity profile to determine aberrant behavior and therefore increased risk. Gill teaches a risk engine in [Col.9/lines 22-26] which compares set rules with actions being performed and if any of the rules are violated the system identifies the particular action as a risk and notifies the administrator).

Regarding claim 24 in view of claim 22, the references combined disclose “wherein: the first attempted event is a login event and the operations further comprise obtaining the first event data from the access control service” (event, alerting module Gill[Fig.6/item 628]).
Regarding claim 25, Gill discloses “method for fraud detection and remediation” (threat and fraud detection correlation engine [Fig.1/item 102]), “comprising: by a risk assessment engine: determining a first location in a multidimensional array” (field programmable gate array ( FPGA ) , programmable logic array[Col.46/lines 54-57]), “the first location determined based on first event data for a first event corresponding to a first entity” (risk analysis 604 and correlation utilizing event alerting 628 [Fig.6/item628]).
Gill does not explicitly disclose “comparing the first location to at least one first cluster location, the at least one first cluster location corresponding to the first entity; and determining, based on the comparison of the first location and the at least one first cluster location, a risk score for the first event; and by a streaming threat remediation engine: obtaining, from the risk assessment engine, the risk score; identifying, based on the risk score and a rule, a remedial action; and providing remediation instructions to perform the remedial action in response to the first event.”
However, SINGH in an analogous art discloses “comparing the first location to at least one first cluster location, the at least one first cluster location corresponding to the first entity” (density based clustering techniques are applied to specific parameters and data corresponding to the valid devices and sensors in the IOT environment SINGH[par.0273]); “and determining, based on the comparison of the first location and the at least one first cluster location, a risk score for the first event” (SINGH FIG.9 illustrates a sample screen shot of a behavioral pattern view for viewing the user risk score built on behavior, activity, access, and usage SINGH[par.0052]); “and by a streaming threat remediation engine: obtaining, from the risk assessment engine” (action rule SINGH [par.0116]), “the risk score; identifying, based on the risk score and a rule, a remedial action” (predictive analytics engine SINGH [Fig.1]); “and providing remediation instructions to perform the remedial action in response to the first event” (predictive analytics engine SINGH [Fig.1]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Gill’s Policy rule engine and multi-compliance framework with SINGH’s system for interconnected devices comprising a risk management process used to provide additional security. One of ordinary skill in the art would have been motivated to combine because Gill teaches a system that defines, detects and prevents. Singh also discloses a system that detects and provides a risk management process, and both are from the same field of endeavor.
Regarding claim 26 in view of claim 25, the references combined disclose “wherein: an axis of the multidimensional array corresponds to one of an event date, an event time, a geographic location associated with the event, a type of device associated with the event, an internet protocol address, or a number of prior events associated with the event” (common services platform 604 contains a risk engine, geospatial services 628, and remedial action scripts within a meta data repository Gill[Col.6/lines 5-15]).
Regarding claim 27 in view of claim 25, the references combined disclose “wherein: the method further comprises: by an event ingestion service: obtaining, from an event reporting agent, unprocessed first event data” (reporting tool generates reports after analyzing data from underlying systems Gill[Col.8/lines 51-58]); “generating the first event data using the unprocessed first event data; and providing the first event data to the risk assessment engine” (threat and fraud detection correlation engine [Fig.1/item 102]).
Regarding claim 28 in view of claim 27, the references combined disclose “wherein: generating the first event data comprises converting first categorical values of the unprocessed first event data into first numerical values” (the extracted data / event is converted to a uniform data format for later processing step by reducer SINGH[par.0196]).
Regarding claim 29 in view of claim 25, the references combined disclose “wherein: the method further comprises: by the risk assessment engine: obtaining the first event data from an event ingestion service” (reporting tool generates reports after analyzing data from underlying systems Gill[Col.8/lines 51-58]); “updating the at least one first cluster location using the first event data; and providing the first event data to the streaming threat remediation engine” (threat and fraud detection correlation engine [Fig.1/item 102]).
Regarding claim 30 in view of claim 25, the references combined disclose “wherein: the method further comprises: by the streaming threat remediation engine: obtaining the first event data from the risk assessment engine” (threat and fraud detection correlation engine [Fig.1/item 102]); “applying the rule to at least one attribute of the first event” (action rule SINGH [par.0116]); “and providing to the risk assessment engine a request for the risk score based on a result of the application of the rule” (SINGH FIG.9 illustrates a sample screen shot of a behavioral pattern view for viewing the user risk score built on behavior, activity, access, and usage SINGH[par.0052]).
Regarding claim 31, Gill discloses “a non-transitory computer-readable medium containing operation instructions that, when executed by at least one processor of a system, cause the system to perform operations comprising: obtaining a first event corresponding to a first entity” (event, alerting and geospatial service module Gill[Fig.7/item 628]); “updating at least one first cluster location in a multidimensional array corresponding to the first entity using the first event” (system 4040 updates the review status corresponding user Gill[Col.23/lines 14-17]).
Gill does not explicitly disclose “determining, based on a rule queue and the first event, that the first event requires a first risk assessment; performing the first risk assessment by comparing a first location of the first event in the multidimensional array to the at least one first cluster location; and providing, based at least in part on a result of the first risk assessment, remediation instructions to perform a first remedial action concerning the first entity.”
However, SINGH in an analogous art teaches “determining, based on a rule queue and the first event” (action rule SINGH [par.0116]), “that the first event requires a first risk assessment” (risk analysis 604 and correlation utilizing event alerting 628 Gill [Fig.6/item628]); “performing the first risk assessment by comparing a first location of the first event in the multidimensional array to the at least one first cluster location” (density based clustering techniques are applied to specific parameters and data corresponding to the valid devices and sensors in the IOT environment SINGH[par.0273]); “and providing, based at least in part on a result of the first risk assessment” (risk score assessment SINGH [Fig.1]), “remediation instructions to perform a first remedial action concerning the first entity” (action rule SINGH [par.0116]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Gill’s Policy rule engine and multi-compliance framework with SINGH’s system for interconnected devices comprising a risk management process used to provide additional security. One of ordinary skill in the art would have been motivated to combine because Gill teaches a system that defines, detects and prevents. Singh also discloses a system that detects and provides a risk management process, and both are from the same field of endeavor.
Regarding claim 32 in view of claim 31, the references combined disclose “wherein: an axis of the multidimensional array corresponds to one of an event date, an event time, a geographic location associated with the event, a type of device associated with the event, an internet protocol address, or a number of prior events associated with the event.” (i.e. applicant specification defines a multi-dimensional array as described as each time an embodiment of the invention notes a new entity event, it compares the event to the entity’s behavior history as recorded in its entity profile to determine aberrant behavior and therefore increased risk. Gill teaches a risk engine in [Col.9/lines 22-26] which compares set rules with actions being performed and if any of the rules are violated the system identifies the particular action as a risk and notifies the administrator).
Regarding claim 33 in view of claim 31, the references combined disclose “wherein: the operations further comprise: obtaining a second attempted event corresponding to a second entity” (risk engine compares set of rules with actions and events being performed Gill[Col.9/lines 22-26]); “performing a second risk assessment by comparing a second location of the second attempted event to at least one second cluster location corresponding to the second entity” (system 4040 updates the review status corresponding user Gill[Col.23/lines 14-17]); “and providing, based at least in part on a result of the second risk assessment, instructions to perform a second remedial action concerning the second attempted event” (risk score assessment SINGH [Fig.1]).
Regarding claim 34 in view of claim 31, the references combined disclose “wherein: the operations further comprise: obtaining a third event corresponding to the second entity, the third event indicating performance of the second remedial action” (action rule SINGH [par.0116]); “and updating the at least one second cluster location based on the third event” (risk score assessment SINGH [Fig.1]).
Regarding claim 35 in view of claim 32, the references combined disclose “wherein: the first event comprises at least one of a login event, application access event, privileged resource event, mobile device management event, command-use event, or authorization escalation event.” (predictive analytics engine SINGH [Fig.1]).


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL D ANDERSON whose telephone number is (571)270-5159. The examiner can normally be reached Mon-Fri 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571)272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MICHAEL D ANDERSON/ Examiner, Art Unit 2433

/JEFFREY C PWU/ Supervisory Patent Examiner, Art Unit 2433