DETAILED ACTION
Applicant’s amendment filed 4/1/2022 has been fully considered. 
Claims 1-20 are pending and have been examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
The objection to the specification is withdrawn.
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Applicant’s arguments with respect to claim(s) the prior art have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-5 and 7-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Kirti (20180375886).
Regarding claims 1, 17, and 19, Kirti teaches A method comprising: / A computer program product comprising a non-transitory processor-readable storage medium having stored therein program code of one or more software programs, wherein the program code when executed by at least one processing device causes the at least one processing device: / An apparatus comprising: at least one processing device comprising a processor coupled to a memory; the at least one processing device being configured (abstract, par.199-206):
monitoring user behavior in an information technology infrastructure, wherein monitoring the user behavior comprises monitoring traffic to and from one or more cloud services managed by a third party external to the information technology infrastructure (par.35-37, 48-53, 65-73);
identifying a given user of the information technology infrastructure associated with a given portion of the monitored user behavior (par.6-8, 30-33, 40-42, 63-64, 106-110, 130-135);
determining a predicted impact of compromise of the given user on the information technology infrastructure, wherein determining the predicted impact of compromise of the given user comprises determining a likelihood of compromise of the given user based at least in part on at least one (i) types of the one or more cloud services utilized by the given user, (ii) data accessed by the given user from the one or more cloud services, and (iii) data provided to the one or more cloud services by the given user (par.12-20, 50-53, 65-70, 83-86, 106-119, 169-175, 199-212);
generating a risk score for the given user based on the predicted impact of compromise and the given portion of the monitored user behavior (par.8-12, 112-115, 145-150, 169-175, 199-212);
identifying one or more remedial actions to reduce the risk score for the given user (par.51-55, 78-83); and
implementing, prior to detecting compromise of the given user, at least one of the remedial actions to modify a configuration of at least one asset in the information technology infrastructure, the at least one asset comprising at least one of a physical computing resource and a virtual computing resource in the information technology infrastructure (par.76-83, 110-120, 177-187);
wherein the method is performed by at least one processing device comprising a processor coupled to a memory (abstract).
Regarding claim 2, Kirti teaches wherein monitoring the user behavior utilizes one or more monitoring tools deployed on one or more assets in the information technology infrastructure, the one or more monitoring tools comprising at least one of an endpoint monitoring tool, a network monitoring tool, a cloud services monitoring tool and an Internet of Things (IoT) gateway monitoring tool (par.42-45, 51-57, 73-78).
Regarding claim 3, Kirti teaches wherein monitoring the user behavior further comprises analyzing endpoint assets in the information technology infrastructure to determine at least one of: browsing habits of one or more users of a given endpoint asset; installed applications on the given endpoint asset; system configuration of the given endpoint asset; system hygiene of the given endpoint asset; past susceptibility of the given endpoint asset to compromise; critical data stored on the given endpoint asset; access by the given endpoint asset to one or more other designated critical assets in the information technology infrastructure; location of the given endpoint asset; and communication habits of the one or more users of the given endpoint asset (par.8-12, 50-56, 61-66, 115-120).
Regarding claim 4, Kirti teaches wherein monitoring the user behavior further comprises analyzing network traffic of assets in the information technology infrastructure to determine at least one of: network traffic from a given asset to one or more designated entities; network traffic from the given asset to one or more entities external to the information technology infrastructure; network traffic from the given asset while the given asset is located in one or more designated high risk geographic areas; and network traffic between the given asset and one or more entities located in the one or more designated high risk geographic areas (par.73-77).
Regarding claim 5, Kirti teaches wherein the one or more cloud services utilized by the given user comprise software-as-a-service applications accessed by the given user (par.2-4, 52-56, 92-94).
Regarding claim 7, Kirti teaches wherein identifying the given user of the information technology infrastructure associated with the given portion of the monitored user behavior comprises associating transactional data to the given user utilizing one or more identifiers in the transactional data, the one or more identifiers comprising at least one of an Internet Protocol (IP) address, a Media Access Control (MAC) address, a user name, an email address, a machine name and a host name (par.64-74).
Regarding claim 8, Kirti teaches wherein identifying the given user of the information technology infrastructure associated with the given portion of the monitored user behavior comprises associating transactional data for a given transaction obtained utilizing two or more different monitoring tools to the given user utilizing at least one of data normalization, document similarity measures and one or more clustering algorithms (par.99-110, 128-135, 165-170).
Regarding claim 9, Kirti teaches wherein determining the impact of compromise of the given user on the information technology infrastructure is based at least in part on at least one of: a placement of the given user on an organizational chart associated with a given enterprise operating the information technology infrastructure; and the given user’s role within the given enterprise, the given user’s role being determined at least in part based on one or more functions of the given user within the given enterprise (par.76-80).
Regarding claim 10, Kirti teaches wherein determining the impact of compromise of the given user on the information technology infrastructure is based at least in part on at least one of: association of the given user with one or more critical processes of the information technology infrastructure; and association of the given user with one or more assets utilized by the one or more critical processes of the information technology infrastructure (par.76-80).
Regarding claim 11, Kirti teaches wherein determining the impact of compromise of the given user on the information technology infrastructure is based at least in part on at least one of: entitlements of the given user to access assets of the information technology infrastructure; and access privileges delegated to the given user to access assets of the information technology infrastructure (par.95-97, 194-200).
Regarding claim 12, Kirti teaches wherein generating the risk score for the given user utilizes at least one of a heuristic algorithm, a weighted average of two or more of a plurality of risk attributes of the given user, a decision tree based on two or more of the plurality of risk attributes of the given user, and a machine learning algorithm (par.12-13, 34-35, 82-85, 111-115, 142-146, 167-170).
Regarding claim 13, Kirti teaches wherein the risk score for the given user is a function of time (par.126-135, 152-165).
Regarding claims 14, 18, and 20, Kirti teaches wherein generating the risk score for the given user comprises generating a multi-level risk score, the multi-level risk score comprising an overall risk score at a top level and two or more lower-level risk scores, the overall risk score being a function of the two or more lower-level risk scores (par.126-135, 152-165).
Regarding claim 15, Kirti teaches wherein the two or more lower-level risk scores comprise: an impact risk score based at least in part on the predicted impact of compromise of the given user; and two or more risk attribute scores associated with different types of monitored behavior of the given user (par.126-135, 152-165).
Regarding claim 16, Kirti teaches wherein the two or more risk attribute scores comprise two or more of: a first risk attribute score associated with user behavior monitored on endpoint assets of the information technology infrastructure; a second risk attribute score associated with user behavior monitored via network traffic of the information technology infrastructure; a third risk attribute score associated with user behavior monitored via the one or more cloud services; and a fourth risk attribute score associated with user behavior monitored via one or more Internet of Things (IoT) device gateways (par. 42-45, 51-57, 73-78, 126-135, 152-165).
Claim Rejections - 35 USC § 103
Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Kirti, and further in view of Chen (10733311). 
Regarding claim 6, Kirti does not expressly disclose, however, Chen teaches wherein monitoring the user behavior further comprises monitoring a set of Internet of Things (IoT) devices via a monitoring tool deployed on an IoT gateway utilized by the set of IoT devices to connect to one or more other assets of the information technology infrastructure (col.6, 55-67, col.8, 1-30).
Therefore, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify Kirti to use IoT devices as taught by Chen.
One of ordinary skill in the art would have been motivated to perform such a modification to further monitor user’s behavior (Chen, cols.1-2, col.6-8).
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to David Garcia Cervetti whose telephone number is (571)272-5861. The examiner can normally be reached Monday-Friday 8AM-5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, HADI ARMOUCHE can be reached on (571)270-3618. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/David Garcia Cervetti/Primary Examiner, Art Unit 2419