DETAILED ACTION
This action is in response to the amendment filed 2/21/2022.  Claims 1-8, 10-15 and 17-20 are pending.  Claims 1-3, 6-8, 10-12, 14-15 and 17-20 have been amended.  Claims 9 and 16 have been cancelled.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Amendment
In response to the amendment filed 2/21/2022:  Applicant has amended the specification, and the corresponding objections have been withdrawn.  Applicant has amended the claims, and the objections have been withdrawn.
Applicant has amended the claims, and the corresponding rejections have been altered to address the amended language.
Response to Arguments
Applicant's arguments filed 2/21/2022 have been fully considered but they are not persuasive.
Applicant argues against the combination of Muddu and Yamada with regards to the newly amended claims 1, 12 and 19. Applicant’s arguments are moot as Examiner now relies upon Muddu, in combination with Pela and Lin for the rejections of claims 1-8, 10, 12-15, 17, 19-20.  Specifically, Pela is relied upon for the unauthorized location determination of a user connected to a network, and Lin is relied upon the “guest” role of a user profile for a user connected to a network (see below).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Examiner’s Note:  Examiner replaced the Muddu et al. (US 10,139,901 B2) reference used in the First action interview – office action, with the printed publication version of the same reference Muddu et al. (US 2017/0063897 A1) for ease of citation, the referenced subject matter has not changed.
Claims 1-8, 10, 12-15, 17, 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al. (US 2017/0063897 A1), published Mar. 2, 2017, in view of Pela (US 2007/0162954 A1), published Jul. 12, 2007, in view of Lin et al. (US 2015/0169864 A1), published Jun. 18, 2015.
As to claim 1, Muddu substantially discloses a method (Muddu [0137] data processing and analytics system performing anomalous activity detection) comprising:	receiving, at a security platform, profile data associated with a user (Muddu Fig. 41 showing user profile; [0195]  identity intake from active directory; Fig. 8);	receiving, at a security platform, monitored network activity data on the network, the monitored network activity data comprising a network activity associated with a client device (Muddu [0141] receiving network monitoring; [0147] event data on entity network activity);	attributing, at a security platform, the network activity associated with the client device to the user (Muddu Fig. 40D; [0455] link between device and user);	generating, at a security platform, a timeline comprising an event at a particular time point on the timeline corresponding to the network activity associated with the client device that is attributed to the user (Muddu Fig. 6 item 612, 614; [0183] create behavior baseline for user);	updating, at a security platform, the timeline to include subsequent network activities of the monitored network activity data that are attributed to the user (Muddu [0185] baseline continuously updated); and	monitoring, at a security platform, the updated timeline to detect a security anomaly (Muddu [0186] detect anomaly based upon baseline), wherein the detected security anomaly indicates a user location associated with the user (Muddu Fig. 43 showing details of anomaly on timeline having location of user).	Muddu fails to explicitly disclose a first, second and third network device, the profile data indicating that the user is a guest user in a network; and wherein the detected security anomaly indicates that a user location associated with the guest user is an unauthorized location.	However, Muddu discloses the above methods being performed by a security platform having many server based configurations/deployments (Muddu [0141]-[0144]).  It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to implement the security platform of Muddu in a separate three device/server configuration (policy, analysis and monitoring), as a design choice to meet specific configuration needs.	Muddu fails to explicitly disclose the profile data indicating that the user is a guest user in a network; and wherein the detected security anomaly indicates that a user location associated with the guest user is an unauthorized location.	Pela describes a network security system based on physical location.	With this in mind, Pela discloses wherein the detected security anomaly indicates that a user location associated with the user is an unauthorized location (Pela [0020] security server allows initial access to network based on user/password then determines if user is authorized to access network from that particular physical location, a notification to an admin terminal is made if the user is not authorized in that location).  It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the physical location monitoring of Pela with the network monitoring system of Muddu, such that a valid user accessing the network from an unauthorized location would be detected as an anomaly or raise an alert, as it would advantageously protect the network from rogue employees (Pela [0005]).	Muddu and Pela fail to explicitly disclose the profile data indicating that the user is a guest user in a network.	Lin describes a method for user-based network onboarding.	With this in mind, Lin discloses he profile data indicating that the user is a guest user in a network (Lin [0067] first-level security profile containing information about user including user’s role “guest” in the organization administering the trusted network).  It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine on-boarding of Lin with the network monitoring system of Muddu and Pela, such that a baseline profile for a user indicates that the user’s role is that of a guest, as it would advantageously ensure network access security for an organization while not making the security processes inconvenient for users (Lin [0003]).
As to claim 2, Muddu, Pela and Lin disclose the invention as claimed as described in claim 1, including wherein the first network device is a User and Entity Behavior Analytics (UEBA) server that detects potential intrusions and malicious activities at least in part through baselining user activity and behavior and peer group analysis (Muddu [0181]-[0182] User-Entity Behavior Analysis – baseline analysis of user entities; [0140] peer group analysis).  
As to claim 3, Muddu, Pela and Lin disclose the invention as claimed as described in claim 1, including wherein the second network device is a policy manager server that authenticates login data (Muddu [0195]-[0196] active directory is a policy manager).  
As to claim 4, Muddu, Pela and Lin disclose the invention as claimed as described in claim 1, including wherein the third network device is a network monitoring server that monitors network activity data (Muddu [0141] part of security platform deployed for network monitoring; [0144] installed in data center).  
As to claim 5, Muddu, Pela and Lin disclose the invention as claimed as described in claim 1, including wherein the timeline is associated with a header, the header comprising the profile data associated with the user (Muddu Fig. 40A threat review window having timeline with user section, clicking on user opens window shown in Fig. 41 which is user profile).  
As to claim 6, Muddu, Pela and Lin disclose the invention as claimed as described in claim 1, including further comprising:	detecting, by the first network device, the security anomaly (Muddu [0137] detect anomaly);	transmitting, from the first network device to the second network device, a notification that the security anomaly is detected (Muddu [0138] send to SIEM application); and	enforcing, in response to the notification, a security policy against the guest user (Muddu [0138] enforcement; [0151] triggering enforcement action).
As to claim 7, Muddu, Pela and Lin disclose the invention as claimed as described in claim 5, including further comprising causing display of the timeline and the header that includes the profile data and a risk score identifying a security risk level of the guest user (Muddu Fig. 40A threat review window having timeline with user section (with user risk score in circles next to each user), clicking on user opens window shown in Fig. 41 which has user profile with “User Score Trend” showing user risk score varying over time).  
As to claim 8, Muddu, Pela and Lin disclose the invention as claimed as described in claim 7, including wherein the displayed timeline comprises a login time of the guest user (Muddu [0442]-[0443] views generated based on network activities including “log-ins” which includes time stamped data).
As to claim 10, Muddu, Pela and Lin disclose the invention as claimed as described in claim 6, including wherein enforcing the security policy against the guest user comprises denying the guest user from accessing the network (Muddu [0151] anomaly triggers action including shutting down network access).
As to claim 11, Muddu, Pela and Lin disclose the invention as claimed as described in claim 1, including wherein the timeline further comprises the user location associated with the guest user (Muddu Fig. 43 showing details of anomaly on timeline having location of user), and a device type associated with the client device (Lin [0444] when device accesses network machine data that identifies device is generated; [0052] profile may include device information including hardware and software configurations).
As to claim 12, Muddu substantially discloses a system (Muddu [Abstract] security platform employing a variety of technique to detect security related anomalies and threats) comprising:	a processor (Muddu Fig. 85 item 8510 processor; [0742]); and	a non-transitory storage medium storing instructions executable on the processor (Muddu Fig. 85 item 8520 memory; [0742]) to:		receive profile data associated with a user (Muddu Fig. 41 showing user profile; [0195]  identity intake from active directory; Fig. 8);		receive monitored network activity data comprising a network activity associated with a client device (Muddu [0141] receiving network monitoring; [0147] event data on entity network activity);		attribute the network activity associated with the client device to the user (Muddu Fig. 40D; [0455] link between device and user);		generate a timeline comprising an event at a particular time point on the timeline corresponding to the network activity associated with the client device that is attributed to the user (Muddu Fig. 6 item 612, 614; [0183] create behavior baseline for user);		update the timeline to include subsequent network activities of the monitored network activity data that are attributed to the user (Muddu [0185] baseline continuously updated);		detect a security anomaly based on the updated timeline (Muddu [0186] detect anomaly based upon baseline), wherein the detected security anomaly indicates a user location associated with the user (Muddu Fig. 43 showing details of anomaly on timeline having location of user);		transmit a notification that the security anomaly is detected (Muddu [0138] send to SIEM application); and		enforce a security policy against the user (Muddu [0138] enforcement; [0151] triggering enforcement action).	Muddu fails to explicitly disclose the profile data indicating that the user is a guest user in a network; and wherein the detected security anomaly indicates that a user location associated with the guest user is an unauthorized location.	Pela discloses wherein the detected security anomaly indicates that a user location associated with the user is an unauthorized location (Pela [0020] security server allows initial access to network based on user/password then determines if user is authorized to access network from that particular physical location, a notification to an admin terminal is made if the user is not authorized in that location).  It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the physical location monitoring of Pela with the network monitoring system of Muddu, such that a valid user accessing the network from an unauthorized location would be detected as an anomaly or raise an alert, as it would advantageously protect the network from rogue employees (Pela [0005]).	Muddu and Pela fail to explicitly disclose the profile data indicating that the user is a guest user in a network.	Lin discloses he profile data indicating that the user is a guest user in a network (Lin [0067] first-level security profile containing information about user including user’s role “guest” in the organization administering the trusted network).  It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine on-boarding of Lin with the network monitoring system of Muddu and Pela, such that a baseline profile for a user indicates that the user’s role is that of a guest, as it would advantageously ensure network access security for an organization while not making the security processes inconvenient for users (Lin [0003]).
As to claim 13, Muddu, Pela and Lin disclose the invention as claimed as described in claim 12, including wherein the timeline is associated with a header, the header comprising the profile data associated with the user (Muddu Fig. 40A threat review window having timeline with user section, clicking on user opens window shown in Fig. 41 which is user profile).
As to claim 14, Muddu, Pela and Lin disclose the invention as claimed as described in claim 13, including wherein the instructions are executable on the processor to cause display of the timeline and the header that includes the profile data and a risk score identifying a security risk level of the guest user (Muddu Fig. 40A threat review window having timeline with user section (with user risk score in circles next to each user), clicking on user opens window shown in Fig. 41 which has user profile with “User Score Trend” showing user risk score varying over time).
As to claim 15, Muddu, Pela and Lin disclose the invention as claimed as described in claim 14, including wherein the displayed timeline comprises a login time of the guest user (Muddu [0442]-[0443] views generated based on network activities including “log-ins” which includes time stamped data).
As to claim 17, Muddu, Pela and Lin disclose the invention as claimed as described in claim 14, including wherein the instructions to enforce the security policy against the guest user comprises instructions to deny the guest user from accessing the network (Muddu [0151] anomaly triggers action including shutting down network access).
As to claim 18, Muddu, Pela and Lin disclose the invention as claimed as described in claim 12, including wherein the timeline further comprises the user location associated with the guest user (Muddu Fig. 43 showing details of anomaly on timeline having location of user), and a device type associated with the client device (Lin [0052 profile may include device information including hardware and software configurations).
As to claim 19, Muddu substantially discloses a non-transitory machine-readable storage medium comprising instructions that upon execution cause a security platform to:	receive, profile data associated with a user (Muddu Fig. 41 showing user profile; [0195]  identity intake from active directory; Fig. 8);	receive, monitored network activity data on the network, the monitored network activity data comprising a network activity associated with a client device (Muddu [0141] receiving network monitoring; [0147] event data on entity network activity);	attribute the network activity associated with the client device to the user (Muddu Fig. 40D; [0455] link between device and user);	generate a timeline comprising an event at a particular time point on the timeline corresponding to the network activity associated with the client device that is attributed to the user (Muddu Fig. 6 item 612, 614; [0183] create behavior baseline for user);	update the timeline to include subsequent network activities of the monitored network activity data that are attributed to the user (Muddu [0185] baseline continuously updated); and	detect a security anomaly based on the updated timeline  (Muddu [0186] detect anomaly based upon baseline), wherein the detected security anomaly indicates a user location associated with the user (Muddu Fig. 43 showing details of anomaly on timeline having location of user).	Muddu fails to explicitly disclose a User and Entity Behavior Analytics (UEBA) server, a policy manager server and a network monitoring server, the profile data indicating that the user is a guest user in a network; and wherein the detected security anomaly indicates that a user location associated with the guest user is an unauthorized location.	However, Muddu discloses User and Entity Behavior Analytics (UEBA) (Muddu [0181]-[0182] User-Entity Behavior Analysis – baseline analysis of user entities), policy management (Muddu [0195]-[0196] active directory is a policy manager) and network monitoring (Muddu [0141] part of security platform deployed for network monitoring; [0144] installed in data center) performed by a security platform having many server based configurations/deployments (Muddu [0141]-[0144]).  It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to implement the security platform of Muddu in a separate three device/server configuration (policy, analysis and monitoring), as a design choice to meet specific configuration needs.	Muddu fails to explicitly disclose the profile data indicating that the user is a guest user in a network; and wherein the detected security anomaly indicates that a user location associated with the guest user is an unauthorized location.	Pela discloses wherein the detected security anomaly indicates that a user location associated with the user is an unauthorized location (Pela [0020] security server allows initial access to network based on user/password then determines if user is authorized to access network from that particular physical location, a notification to an admin terminal is made if the user is not authorized in that location).  It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the physical location monitoring of Pela with the network monitoring system of Muddu, such that a valid user accessing the network from an unauthorized location would be detected as an anomaly or raise an alert, as it would advantageously protect the network from rogue employees (Pela [0005]).	Muddu and Pela fail to explicitly disclose the profile data indicating that the user is a guest user in a network.	Lin discloses he profile data indicating that the user is a guest user in a network (Lin [0067] first-level security profile containing information about user including user’s role “guest” in the organization administering the trusted network).  It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine on-boarding of Lin with the network monitoring system of Muddu and Pela, such that a baseline profile for a user indicates that the user’s role is that of a guest, as it would advantageously ensure network access security for an organization while not making the security processes inconvenient for users (Lin [0003]).
As to claim 20, Muddu, Pela and Lin disclose the invention as claimed as described in claim 19, including wherein the instructions upon execution cause the UEBA server to:	transmit, from the UEBA server to the policy manager server, a notification that the security anomaly is detected (Muddu [0138] send to SIEM application), to cause enforcement of a security policy against the guest user (Muddu [0138] enforcement; [0151] triggering enforcement action).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Mower (US 2016/0226842 A1) is related to guest WiFi authentication based on physical proximity.
Ciziunas et al. (US 2019/0377893 A1) is related to detecting, tracking, and analyzing access to digital information.
Wu et al. (US 2007/0091858 A1) is related to tracking unauthorized nodes within a network.
Carpenter et al. (US 2006/0205489 A1) is related to detection of operation of a device in an unauthorized location.
Binder (US 2018/0091855A1) is related to a content access device geolocation verification.
Ting et al. (US 2009/0292814 A1) is related to guest membership status in a profile of a social network.
Becker et al. (US 2016/0212116 A1) is related to network authentication systems and methods.
Shahbazi et al. (US 10,509,900 B1) is related to user account management.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ERIC W SHEPPERD whose telephone number is (571)270-5654. The examiner can normally be reached Monday - Thursday, Alt. Friday, 7:30AM - 5:00PM, EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571)272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ERIC W SHEPPERD/Primary Examiner, Art Unit 2492                                                                                                                                                                                                        
ERIC W. SHEPPERD
Primary Examiner
Art Unit 2492