DETAILED ACTION
This non-final office action is in response to claims 1-10 filed on 10/04/2019 for examination. Claims 1-10 are being examined and are pending.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Preliminary Amendment
The preliminary amendments to the claims, filed on 10/04/2019, are acknowledged by the examiner. 

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 10/04/2019 has been considered by the examiner.

Drawings
The drawings filed on 10/04/2019 have been accepted. 

Claim Objections
Claims 1 and 9 are objected to because of the following informalities:
The examiner suggests replacing “processing circuitry” in line 7 of claim 1 and line 2 of claim 9 with - - a processing circuitry - -.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-10 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
Regarding claim 1, the claim recites “classifying the plurality of persons into some clusters” in line 9. The term “some” in claim 1 is a relative term which renders the claim indefinite. The term “some” is not defined by the claim.
Regarding claim 1, the claim recites “by using the learning data and the label to be given to the learning data” in lines 14 and 15. The scope of “by using the learning data and the label to be given to the learning data” is not clear because it is not clear how to use a label that has not yet been assigned to the learning data.
Regarding claim 1, the claim recites “upon receipt of an input of information indicating a characteristic of a different person from the plurality of persons” in lines 17 and 18. The scope of “an input of information indicating a characteristic of a different person from the plurality of persons” is not clear. Any computer system can only analyze inputs/activities received from a person/client/application; it is not clear what kind of information indicates a characteristic of a different person. No detail is disclosed in the specification.
Claims 9 and 10 are different, but recite similar limitations; therefore, claims 9 and 10 are rejected for carrying the same deficiencies.
Claims 1-8 are rejected for carrying the same deficiencies as claim 1.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1, 2, 5, 9 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Shmueli et al. (US20150121518, hereinafter Shm) in view of Muddu et al. (US20170063886, hereinafter Mud), and further in view of Natarajan et al. (US20160267224, hereinafter Nat).
Regarding claims 1 and 10, Shm teaches an evaluation apparatus (Shm: a computer system for determining whether a system is compromised by unauthorized activity; claim 10) comprising: a profile database to store profile information indicating an individual characteristic of each of a plurality of persons (Shm: database (103a), Fig. 2; DB103a maintaining entity behavioral profiles, Para. 0089 wherein entity could be a human user); a security database to store security information indicating, by a number of signs of a security incident, a behavior characteristic of each of the plurality of persons, which may become a security incident factor (Shm: the DB 103a stores user activities, anomalies, incidents; Para. 0088); processing circuitry to perform clustering of the profile information stored in the profile database, thereby classifying the plurality of persons into same clusters (Shm: cluster activities to user groups; Fig. 6); to generate learning data from the profile information (Shm: during training phase, analysis profiles are built for the normal behavior of network entity’s activities; Para. 0086); to compute, for each cluster, an average of the characteristic indicated by the security information stored in the security database as a label to be given to the learning data (Shm: compute mean; Fig. 6; Para. 0105; compute average of LA and LB respectively which are 20 highest values of corresponding profile; Para. 0113) (examiner note: as a label to be given to the learning data is intended use).
Yet, Shm does not teach generate learning data from the profile information for each cluster; to derive a model representing a relationship between the characteristic indicated by the profile information stored in the profile database and the characteristic indicated by the security information stored in the security database, by using the learning data and the label to be given to the learning data; to supply, upon receipt of an input of information indicating a characteristic of a different person from the plurality of persons, the input information to the model derived by the processing circuitry and to determine the different person is likely to cause the security incident when a value of the label obtained by the model is equal to or more than a predefined value.
However, in the same field of endeavor, Mud teaches generate learning data from the profile information for each cluster (Mud: during model preparation process, generates group-specific data for each group; Para. 0310, 0314); to derive a model representing a relationship between the characteristics stored in the database by using learning data and label to be given to the learning data (Mud: generates event-specific relationship graph, then merges them to a composite relationship graph based on data in the database; Para. 0218 and 0222); and to supply, upon receipt of an input of information indicating a characteristic of a different person from the plurality of persons (Mud: receive event data indicative of activity by a particular entity; Fig. 25, step 2502), the input information to the model derived by the processing circuitry (Mud: process the event data through an anomaly model; Fig. 25, step 2504) and to determine the different person is likely to cause the security incident when a value of the label obtained by the model is equal to or more than a predefined value (Mud: assign an anomaly score based on the processing of the event data through the model; Fig. 25, step 2506; output an indicator of the particular anomaly if the anomaly score satisfies a specified scoring criterion; Fig. 25, step 2508; Calculating an anomaly score for the particular user and detects the anomaly if the model determines the anomaly score exceeds a threshold value for anomaly scores; Para. 0579).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by Shm to include generate learning data from the profile information for each cluster; to derive a model representing a relationship between the characteristic stored in the database by using the learning data and the label to be given to the learning data; to supply, upon receipt of an input of information indicating a characteristic of a different person from the plurality of persons, the input information to the model derived by the processing circuitry and to determine the different person is likely to cause the security incident when a value of the label obtained by the model is equal to or more than a predefined value as disclosed by Mud. One of ordinary skill in the art would have been motivated to make this modification in order to detect security related anomalies and threats based on user/entity behavioral analytics as suggested by Mud (Mud: Para. 0137).
Yet, combination of Shm and Mud does not teach deriving a model representing a relationship between the characteristics stored in two databases. 
However, in the same field of endeavor, Nat teaches deriving a model representing a relationship between the characteristics stored in two databases (Nat: generating a model representing a probabilistic relationship between two databases; Para. 0005; 0007 and 0043). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by the combination to include deriving a model representing a relationship between the characteristics stored in two databases as disclosed by Nat. One of ordinary skill in the art would have been motivated to make this modification in order to discover potential relationships between variables as suggested by Nat (Nat: Para. 0005).
Regarding claim 2, combination of Shm, Mud and Nat teaches the evaluation apparatus according to claim 1. In addition, Shm further teaches wherein the processing circuitry computes, for each cluster, a standard deviation of the characteristic indicated by the security information and computes the average as the label to be given to the learning data when the standard deviation is held within a range defined in advance (Shm: calculate mean and standard deviation; Para. 0075, 0103; 0105; 0102; Fig. 6).
In addition, Mud teaches wherein the processing circuitry determines that the different person is likely to cause the security incident when the average is obtained from the model and the value of the label obtained from the model is equal to or more than the predefined value (Mud: Para. 0579).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by the combination to include wherein the processing circuitry determines that the different person is likely to cause the security incident when the average is obtained from the model and the value of the label obtained from the model is equal to or more than the predefined value as disclosed by Mud. One of ordinary skill in the art would have been motivated to make this modification in order to detect security related anomalies and threats based on user/entity behavioral analytics as suggested by Mud (Mud: Para. 0137).
Regarding claim 5, combination of Shm, Mud and Nat teaches the evaluation apparatus according to claim 1. In addition, Shm further teaches a countermeasure database to store countermeasure information that defines one or more countermeasures against a security incident; and the processing circuitry to identify a countermeasure against the security incident that may be caused by a behavior indicating the characteristic estimated, as the factor, by referring to the countermeasure information stored in the countermeasure database and to output information indicating the identified countermeasure (Shm: database 103a, Fig. 2; perform various actions on anomalies; Para. 0094; 0079)
Claims 3 and 4 are rejected under 35 U.S.C. 103 as being unpatentable over Shm in view of Mud and Nat, and further in view of Blevins et al. (US2015026121, hereinafter Blevins).
Regarding claim 3, combination of Shm, Mud and Nat teaches the evaluation apparatus according to claim 1.
Yet, the combination does not explicitly teach wherein the processing circuitry computes a correlation between the characteristic indicated by the profile information and the characteristic indicated by the security information before the processing circuitry derives the model, and excludes, from the profile information, the information indicating the characteristic for which the correlation computed is less than a threshold value. 
However, in the same field of endeavor, Blevins teaches wherein the processing circuitry computes a correlation between the characteristic indicated by the profile information and the characteristic indicated by the security information before the processing circuitry derives the model (Blevins: estimate the degree of associations between elements stored in the database; Para. 0087 and 0118), and excludes, from the profile information, the information indicating the characteristic for which the correlation computed is less than a threshold value (Blevins: excludes the elements from the model if the degree of association is significantly less than a threshold; Para. 0087). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by the combination to include wherein the processing circuitry computes a correlation between the characteristic indicated by the profile information and the characteristic indicated by the security information before the processing circuitry derives the model, and excludes, from the profile information, the information indicating the characteristic for which the correlation computed is less than a threshold value as disclosed by Blevins. One of ordinary skill in the art would have been motivated to make this modification in order to build a better model which is fully representative of the actual system as suggested by Blevins (Blevins: Para. 0008-0009).
Regarding claim 4, combination of Shm, Mud and Nat teaches the evaluation apparatus according to claim 1.
Yet, the combination does not explicitly teach wherein the processing circuitry computes a correlation between the characteristic indicated by the profile information and the characteristic indicated by the security information before the processing circuitry derives the model, and excludes, from the security information, the information indicating the characteristic for which the correlation computed is less than a threshold value.
However, in the same field of endeavor, Blevins teaches wherein the processing circuitry computes a correlation between the characteristic indicated by the profile information and the characteristic indicated by the security information before the processing circuitry derives the model (Blevins: estimate the degree of associations between elements stored in the database; Para. 0087 and 0118), and excludes, from the security information, the information indicating the characteristic for which the correlation computed is less than a threshold value (Blevins: excludes the elements from the model if the degree of association is significantly less than a threshold; Para. 0087). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by the combination to include wherein the processing circuitry computes a correlation between the characteristic indicated by the profile information and the characteristic indicated by the security information before the processing circuitry derives the model, and excludes, from the security information, the information indicating the characteristic for which the correlation computed is less than a threshold value as disclosed by Blevins. One of ordinary skill in the art would have been motivated to make this modification in order to build a better model which is fully representative of the actual system as suggested by Blevins (Blevins: Para. 0008-0009).
Claims 6 and 7 are rejected under 35 U.S.C. 103 as being unpatentable over Shm in view of Mud and Nat, and further in view of Basel et al. (US20100169067, hereinafter Basel).
Regarding claim 6, combination of Shm, Mud and Nat teaches the evaluation apparatus according to claim 1.
Yet, the combination does not explicitly teach the processing circuitry to collect the profile information from at least one of the Internet and a system that is operated by an organization to which the plurality of persons belong and to store the profile information in the profile database.
However, in the same field of endeavor, Basel teaches the processing circuitry to collect the profile information from at least one of the Internet and a system that is operated by an organization to which the plurality of persons belong and to store the profile information in the profile database (Basel: receiving profile information from the internet; Para. 0070). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by the combination to include the processing circuitry to collect the profile information from at least one of the Internet and a system that is operated by an organization to which the plurality of persons belong and to store the profile information in the profile database as disclosed by Basel. One of ordinary skill in the art would have been motivated to make this modification in order to obtain profile information as suggested by Basel (Basel: Para. 0070).
Regarding claim 7, combination of Shm, Mud, Nat and Basel teaches the evaluation apparatus according to claim 1. In addition, Mud teaches wherein the processing circuitry collects the security information from the system and stores the security information in the security database (Mud: collect event data that gives rise to the detection made by the analysis module and store them in the database 378; Para. 0529 and 0171).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by the combination to include wherein the processing circuitry collects the security information from the system and stores the security information in the security database as disclosed by Mud. One of ordinary skill in the art would have been motivated to make this modification in order to detect security related anomalies and threats based on user/entity behavioral analytics as suggested by Mud (Mud: Para. 0137).
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Shm in view of Mud and Nat, and further in view of Nonoichi (JP6032449, hereinafter Nono).
Regarding claim 8, combination of Shm, Mud and Nat teaches the evaluation apparatus according to claim 1.
Yet, the combination does not teach a mail content database to store content of a training mail that is a mail for performing training against the security incident; and to customize the content of the training mail stored in the mail content database according to the characteristic indicated by the profile information, to transmit, to each of the plurality of persons, the training mail including the content customized, to generate the security information by observing a behavior for the training mail transmitted, and to store the security information in the security database.
However, in the same field of endeavor, Nono teaches a mail content database to store content of a training mail that is a mail for performing training against the security incident (Nono: a training subject information storage unit 16, which stores contents of training mail, Para. 0072, 0001); and to customize the content of the training mail stored in the mail content database according to the characteristic indicated by the profile information (Nono: training mail is created as training file, can be configured to include a separate content for each training subject; Para. 0063-0064; 0023), to transmit, to each of the plurality of persons, the training mail including the content customized (Nono: transmitting the training mail to a large number of targets; Para. 0010, 0107), to generate the security information by observing a behavior for the training mail transmitted, and to store the security information in the security database (Nono: recording Para. 0010, 0100, 0103). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by the combination to include a mail content database to store content of a training mail that is a mail for performing training against the security incident; and to customize the content of the training mail stored in the mail content database according to the characteristic indicated by the profile information, to transmit, to each of the plurality of persons, the training mail including the content customized, to generate the security information by observing a behavior for the training mail transmitted, and to store the security information in the security database as disclosed by Nono. One of ordinary skill in the art would have been motivated to make this modification in order to identify cyber attack using training mail as suggested by Nono (Nono: Para. 0002-0006).
Regarding claim 9, Shm teaches an evaluation method (Shm: A computer-implemented method for determining whether a computer network is compromised by unauthorized activity; abstract) comprising: by processing circuitry, acquiring, from a database, profile information indicating an individual characteristic of each of a plurality of persons and security information indicating, by a number of signs of a security incident, a behavior characteristic of each of the plurality of persons that may become a security incident factor (Shm: Database (103a) maintaining entity behavioral profiles, user activities, anomalies incidents; Fig. 2, Para. 0089 and 0088) (examiner note: any information in the database can be retrieved); performing clustering of the profile information stored in the profile database, thereby classifying the plurality of persons into same clusters (Shm: cluster activities to user groups; Fig. 6); to generate learning data from the profile information (Shm: during training phase, analysis profiles are built for the normal behavior of network entity’s activities;  Para. 0086); to compute, for each cluster, an average of the characteristic indicated by the security information stored in the security database as a label to be given to the learning data (Shm: compute mean; Fig. 6; Para. 0105; compute average of LA and LB respectively which are 20 highest values of corresponding profile; Para. 0113) (examiner note: as a label to be given to the learning data is intended use). 
Yet, Shm does not teach generating learning data from the profile information for each cluster; deriving a model representing a relationship between the characteristic indicated by the profile information stored in the profile database and the characteristic indicated by the security information stored in the security database, by using the learning data and the label to be given to the learning data; upon receipt of an input of information indicating a characteristic of a different person from the plurality of persons, supplying the input information to the model derived by the processing circuitry and to determine the different person is likely to cause the security incident when a value of the label obtained by the model is equal to or more than a predefined value.
However, in the same field of endeavor, Mud teaches generating learning data from the profile information for each cluster (Mud: during model preparation process, generates group-specific data for each group; Para. 0310, 0314); deriving a model representing a relationship between the characteristics stored in the database by using learning data and label to be given to the learning data (Mud: generates event-specific relationship graph, then merges them to a composite relationship graph based on data in the database; Para. 0218 and 0222); and upon receipt of an input of information indicating a characteristic of a different person from the plurality of persons (Mud: receive event data indicative of activity by a particular entity; Fig. 25, step 2502), supplying the input information to the model derived by the processing circuitry (Mud: process the event data through an anomaly model; Fig. 25, step 2504) and to determine the different person is likely to cause the security incident when a value of the label obtained by the model is equal to or more than a predefined value (Mud: assign an anomaly score based on the processing of the event data through the model; Fig. 25, step 2506; output an indicator of the particular anomaly if the anomaly score satisfies a specified scoring criterion; Fig. 25, step 2508; Calculating an anomaly score for the particular user and detects the anomaly if the model determines the anomaly score exceeds a threshold value for anomaly scores; Para. 0579).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by Shm to include generating learning data from the profile information for each cluster; deriving a model representing a relationship between the characteristic stored in the database by using the learning data and the label to be given to the learning data; upon receipt of an input of information indicating a characteristic of a different person from the plurality of persons, supplying the input information to the model derived by the processing circuitry and to determine the different person is likely to cause the security incident when a value of the label obtained by the model is equal to or more than a predefined value as disclosed by Mud. One of ordinary skill in the art would have been motivated to make this modification in order to detect security related anomalies and threats based on user/entity behavioral analytics as suggested by Mud (Mud: Para. 0137).
Yet, combination of Shm and Mud does not teach deriving a model representing a relationship between the characteristics stored in two databases. 
However, in the same field of endeavor, Nat teaches deriving a model representing a relationship between the characteristics stored in two databases (Nat: generating a model representing a probabilistic relationship between two databases; Para. 0005; 0007 and 0043). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by the combination to include deriving a model representing a relationship between the characteristics stored in two databases as disclosed by Nat. One of ordinary skill in the art would have been motivated to make this modification in order to discover potential relationships between variables as suggested by Nat (Nat: Para. 0005).


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Yan et al. US20110289025: grouping user behavior data based on input rules, generating a training set for each rule, training each classifier for each rule, obtaining the confidence level for each set of training data, removing any noise and bias from the training set.
Seong et al. KR20170056045: multiple DBs, DB 410 for user profile and DB 420 for abnormal behavior.
Lada et al. US20170331910: generating training data set for each group.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LIN CHANG whose telephone number is (571)272-9998.  The examiner can normally be reached on Monday-Thursday 9AM-6PM EST Friday: Variable, except Wednesday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)-272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/L.C./ Examiner, Art Unit 2438
/TAGHI T ARANI/ Supervisory Patent Examiner, Art Unit 2438