DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
The Amendment filed on June 14, 2022 has been entered. Claims 1-2, 9-10, 16-17 and 20 were amended. Claims 1-20 are pending, of which claims 1, 9 and 16 are in independent form. 

Applicant’s amendment regarding Fig. 4 obviates the Drawing objection, therefore the Drawing objection is withdrawn.

Applicant’s amendment regarding the paragraph labels obviates the Specification objection, therefore the Specification objection is withdrawn.

Applicant’s amendment regarding claim 20 obviates the claim objection, therefore the claim objection is withdrawn.

Response to Arguments
In view of the remarks submitted on June 14, 2022, applicant’s arguments have been carefully considered but they are not persuasive.
On Pages 7-8 of the remarks, the applicant argues that Shekar does not teach a “risk score”. However, the examiner is relying on the Kirti reference, Para. 0164, wherein the threat detection engine 302 performs regression analysis on each indicator used to compute a risk score, and/or on the risk score, which in combination with Paras. 0118, 0123, 0185, and 0193 corresponds to “utilizing an orchestration model with a plurality of rules to score one or more of current and historical behavior of the user in order to identify risk, based on inputs received from the one or more behavior models and the user’s function”.
In addition, the risk score of Kirti is computed based on a regression model, and the model can provide greater accuracy as more feedback and more data is collected, and as such would indicate causing a security technique.

Regarding the combination of Kirti and Shekar with respect to claims 2, 10, and 17, the applicant argues that Kirti does not teach the limitation “utilizing the score received from the orchestration model to cause a security technique”.
However, the examiner is relying on the Kirti reference, Para. 0164, to teach the limitation “utilizing the score received from the orchestration model to cause a security technique”.
Therefore, the applicant’s argument is not persuasive.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Kirti et al. (US 2018/0375886 A1) in view of Shekar et al. (US 2021/0357196 A1).

In regards to claim 1, Kirti discloses a non-transitory computer-readable storage medium having computer-readable code stored thereon for programming one or more processors to perform steps of: (Kirti, Para. 0026, may be implemented in software (e.g., code, instructions, program) executed by one or more processing units (e.g., processors cores)):
utilizing a grouping model to identify a function of a user of a tenant (Kirti, Para. 0206, the model can be used to identify a set of users and Para. 0207, identifying the set of users can include grouping the actions performed during use of the cloud service);
utilizing one or more behavior models to identify normal behavior and abnormal behavior of the user based on the function (Kirti, Para. 0051, analysis performed by the security monitoring and control system 102 can include determining models of normal and/or abnormal behavior in user activity, and using the models to detect patterns of suspicious activity);
utilizing an orchestration model with a plurality of rules to score one or more of current (Kirti, Para. 0125, internal data sources can include data models determined by a behavioral analytics engine 304 and can optionally include threat intelligence data 314 maintained by the security management and control system and Para. 0193, the unsupervised learning engine 438 can aggregate events daily, weekly, or for a different time period, and in this way gather a body of historical event data for a cloud service) and historical behavior of the user in order to identify risk (Kirti, Para. 0118, the analytics engine 300 can analyze various data sources to identify network threats for an organization whose users are using cloud services), based on inputs received from the one or more behavior models and the user’s function (Kirti, Para. 0185, the statistical analysis engine 432 can output behavioral models 442, which can describe the manner in which the users of an organization use a cloud service or multiple cloud services. For example, the statistical analysis engine 432 can output a model that describes the use of a cloud service by a particular user, the use of a cloud service by a group of users, and/or the use of a cloud service by all the users in an organization); and
Kirti fails to teach utilizing an active learning model to improve the orchestration model.
However, Shekar teaches utilizing an active learning model to improve the orchestration model (Shekar, Paragraphs 0048-0050, the model deployment systems and interfaces described herein improve the operation of computing devices configured to deploy analytic models in a container-orchestration system, note the model deployment systems which can be interpreted as active learning model).
Kirti and Shekar are both considered to be analogous to the claimed invention because they are in the same field of using behavior models to identify normal behavior and abnormal behavior of the user based on an identified function. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Kirti to incorporate the teachings of Shekar to include utilizing an active learning model to improve the orchestration model (Shekar, Paragraphs 0048-0050). Doing so would help provide faster model deployment, faster model execution, and more rapid generation of model results compared to some traditional model deployment systems. And such improvements can improve safety when modeling operationally-critical models which may need to be deployed and executed frequently to ensure the physical system corresponding to the analytic model is operating as expected.

In regards to claim 2, the combination of Kirti and Shekar teaches the non-transitory computer-readable storage medium of claim 1, wherein the steps further include utilizing the score received from the orchestration model to cause a security technique (Kirti, Para. 0164, the coefficients ci computed by the regression model could be new or modified weights that would replace the initial weights for computing the risk score. The model can provide greater accuracy as more feedback and more data is collected).

In regards to claim 3, the combination of Kirti and Shekar teaches the non-transitory computer-readable storage medium of claim 1, wherein the steps further include providing feedback based on the score to the one or more behavior models (Kirti, Para. 0163, as another example, administrators of the security management and control system can provide feedback. Alternatively, or additionally, in some examples, feedback can be obtained using automated machine learning algorithms, such as decision trees and neural networks).

In regards to claim 4, the combination of Kirti and Shekar teaches the non-transitory computer-readable storage medium of claim 1, wherein the steps further include providing multi-tenant insights as feedback (Kirti, Para. 0169, after one or more flagged events or activities is characterized as a true or false positive (e.g., by user feedback), the information can be provided back to one or more machine learning algorithms to automatically modify parameters of the system).

In regards to claim 5, the combination of Kirti and Shekar teaches the non-transitory computer-readable storage medium of claim 1, wherein the grouping model utilizes a clustering technique to identify the function from a plurality of functions (Kirti, Para. 0206 and Para. 0207, the neural network can be configured to minimize a cost function, where the cost function models change to cloud service. In these and other examples, the model can be used to identify a set of users).

In regards to claim 6, the combination of Kirti and Shekar teaches the non-transitory computer-readable storage medium of claim 1, wherein the orchestration model includes a plurality of input features from the one or more behavior models and leverage correlation among different behavior models to reduce false positives (Kirti, Para. 0169, thus, machine learning algorithms can be utilized in at least the ways discussed above to make recommendations and reduce false alarms (false positives)).

In regards to claim 7, the combination of Kirti and Shekar teaches the non-transitory computer-readable storage medium of claim 1, wherein the one or more behavior models define the normal behavior and the abnormal behavior for the function in terms of one or more of Uniform Resource Locator (URL) access, bandwidth, device and app usage (Kirti, Para. 0096, Para. 0051, analysis performed by the security monitoring and control system 102 can include determining models of normal and/or abnormal behavior in user activity, and using the models to detect patterns of suspicious activity. In some examples, the security monitoring and control system 102 can simultaneously analyze data from different services and/or from different services providers).

In regards to claim 8, the combination of Kirti and Shekar teaches the non-transitory computer-readable storage medium of claim 1, wherein the abnormal behavior includes the user being suspected of leaving the tenant (Kirti, Para. 0138, a security policy can also describe an action that is to be taken when an event is detected, such as blocking access to a service, or disabling a user account).

In regards to claim 9, Kirti discloses a system comprising:
a network interface (Kirti, Para. 077);
a processor communicatively coupled to the network interface (Kirti, Para. 0255); and
memory storing computer-executable instructions that (Kirti, Para. 0026), when executed, cause the processor to 
utilize a grouping model to identify a function of a user of a tenant (Kirti, Para. 0206, the model can be used to identify a set of users and Para. 0207, identifying the set of users can include grouping the actions performed during use of the cloud service);
utilize one or more behavior models to identify normal behavior and abnormal behavior of the user based on the function (Kirti, Para. 0051, analysis performed by the security monitoring and control system 102 can include determining models of normal and/or abnormal behavior in user activity, and using the models to detect patterns of suspicious activity);
utilize an orchestration model with a plurality of rules to score one or more of current (Kirti, Para. 0125, internal data sources can include data models determined by a behavioral analytics engine 304 and can optionally include threat intelligence data 314 maintained by the security management and control system and Para. 0193, the unsupervised learning engine 438 can aggregate events daily, weekly, or for a different time period, and in this way gather a body of historical event data for a cloud service) and historical behavior of the user in order to identify risk (Kirti, Para. 0118, the analytics engine 300 can analyze various data sources to identify network threats for an organization whose users are using cloud services), based on inputs received from the one or more behavior models and the user’s function (Kirti, Para. 0185, the statistical analysis engine 432 can output behavioral models 442, which can describe the manner in which the users of an organization use a cloud service or multiple cloud services. For example, the statistical analysis engine 432 can output a model that describes the use of a cloud service by a particular user, the use of a cloud service by a group of users, and/or the use of a cloud service by all the users in an organization); and 
Kirti fails to disclose utilize an active learning model to improve the orchestration model.
However, Shekar teaches utilize an active learning model to improve the orchestration model (Shekar, Paragraphs 0048-0050, the model deployment systems and interfaces described herein improve the operation of computing devices configured to deploy analytic models in a container-orchestration system, note the model deployment systems which can be interpreted as active learning model).
Kirti and Shekar are both considered to be analogous to the claimed invention because they are in the same field of using behavior models to identify normal behavior and abnormal behavior of the user based on an identified function. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Kirti to incorporate the teachings of Shekar to include utilize an active learning model to improve the orchestration model (Shekar, Paragraphs 0048-0050). Doing so would help provide faster model deployment, faster model execution, and more rapid generation of model results compared to some traditional model deployment systems. And such improvements can improve safety when modeling operationally-critical models which may need to be deployed and executed frequently to ensure the physical system corresponding to the analytic model is operating as expected.

In regards to claim 10, the combination of Kirti and Shekar teaches the system of claim 9, wherein the instructions that, when executed, further cause the processor utilizing the score received from the orchestration model to cause a security technique (Kirti, Para. 0209, risk scores indicate a degree of security risk to the tenant from actions performed by a user in using the cloud service).

In regards to claim 11, the combination of Kirti and Shekar teaches the system of claim 9, wherein the instructions that, when executed, further cause the processor provide feedback based on the score to the one or more behavior models (Kirti, Para. 0164, the coefficients ci computed by the regression model could be new or modified weights that would replace the initial weights for computing the risk score. The model can provide greater accuracy as more feedback and more data is collected).

In regards to claim 12, the combination of Kirti and Shekar teaches the system of claim 9, wherein the instructions that, when executed, further cause the processor provide multi-tenant insights as feedback (Kirti, Para. 0169, after one or more flagged events or activities is characterized as a true or false positive (e.g., by user feedback), the information can be provided back to one or more machine learning algorithms to automatically modify parameters of the system).

In regards to claim 13, the combination of Kirti and Shekar teaches the system of claim 9, wherein the grouping model utilizes a clustering technique to identify the function from a plurality of functions (Kirti, Para. 0206 and Para. 0207, the neural network can be configured to minimize a cost function, where the cost function models change to cloud service. In these and other examples, the model can be used to identify a set of users).

In regards to claim 14, the combination of Kirti and Shekar teaches the system of claim 9, wherein the orchestration model includes a plurality of input features from the one or more behavior models and leverage the correlation among different behavior models to reduce false positives (Kirti, Para. 0169, thus, machine learning algorithms can be utilized in at least the ways discussed above to make recommendations and reduce false alarms (false positives)).

In regards to claim 15, the combination of Kirti and Shekar teaches the system of claim 9, wherein the one or more behavior models define the normal behavior and the abnormal behavior for the function in terms of one or more of Uniform Resource Locator (URL) access, bandwidth, device and app usage (Kirti, Para. 0096, Para. 0051, analysis performed by the security monitoring and control system 102 can include determining models of normal and/or abnormal behavior in user activity, and using the models to detect patterns of suspicious activity. In some examples, the security monitoring and control system 102 can simultaneously analyze data from different services and/or from different services providers).

In regards to claim 16, Kirti discloses a method comprising:
utilizing a grouping model to identify a function of a user of a tenant (Kirti, Para. 0206, the model can be used to identify a set of users and Para. 0207, identifying the set of users can include grouping the actions performed during use of the cloud service);
utilizing one or more behavior models to identify normal behavior and abnormal behavior of the user based on the function (Kirti, Para. 0051, analysis performed by the security monitoring and control system 102 can include determining models of normal and/or abnormal behavior in user activity, and using the models to detect patterns of suspicious activity);
utilizing an orchestration model with a plurality of rules to score one or more of current (Kirti, Para. 0125, internal data sources can include data models determined by a behavioral analytics engine 304 and can optionally include threat intelligence data 314 maintained by the security management and control system and Para. 0193, the unsupervised learning engine 438 can aggregate events daily, weekly, or for a different time period, and in this way gather a body of historical event data for a cloud service) and historical behavior of the user in order to identify risk (Kirti, Para. 0118, the analytics engine 300 can analyze various data sources to identify network threats for an organization whose users are using cloud services), based on inputs received from the one or more behavior models and the user’s function (Kirti, Para. 0185, the statistical analysis engine 432 can output behavioral models 442, which can describe the manner in which the users of an organization use a cloud service or multiple cloud services. For example, the statistical analysis engine 432 can output a model that describes the use of a cloud service by a particular user, the use of a cloud service by a group of users, and/or the use of a cloud service by all the users in an organization); and
Kirti fails to disclose utilizing an active learning model to improve the orchestration model.
However, Shekar teaches utilizing an active learning model to improve the orchestration model (Shekar, Paragraphs 0048-0050, the model deployment systems and interfaces described herein improve the operation of computing devices configured to deploy analytic models in a container-orchestration system, note the model deployment systems which can be interpreted as active learning model).
Kirti and Shekar are both considered to be analogous to the claimed invention because they are in the same field of using behavior models to identify normal behavior and abnormal behavior of the user based on an identified function. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Kirti to incorporate the teachings of Shekar to include utilizing an active learning model to improve the orchestration model (Shekar, Paragraphs 0048-0050). Doing so would help provide faster model deployment, faster model execution, and more rapid generation of model results compared to some traditional model deployment systems. And such improvements can improve safety when modeling operationally-critical models which may need to be deployed and executed frequently to ensure the physical system corresponding to the analytic model is operating as expected.

In regards to claim 17, the combination of Kirti and Shekar teaches the method of claim 16, further comprising utilizing the score received from the orchestration model to cause a security technique (Kirti, Para. 0164, the coefficients ci computed by the regression model could be new or modified weights that would replace the initial weights for computing the risk score. The model can provide greater accuracy as more feedback and more data is collected).

In regards to claim 18, the combination of Kirti and Shekar teaches the method of claim 16, further comprising providing feedback based on the score to the one or more behavior models (Kirti, Para. 0163, as another example, administrators of the security management and control system can provide feedback. Alternatively, or additionally, in some examples, feedback can be obtained using automated machine learning algorithms, such as decision trees and neural networks).

In regards to claim 19, the combination of Kirti and Shekar teaches the method of claim 16, further comprising providing multi-tenant insights as feedback (Kirti, Para. 0169, after one or more flagged events or activities is characterized as a true or false positive (e.g., by user feedback), the information can be provided back to one or more machine learning algorithms to automatically modify parameters of the system).

In regards to claim 20, the combination of Kirti and Shekar teaches the method of claim 16, wherein the grouping model utilizes a clustering technique to identify the function from a plurality of functions (Kirti, Para. 0207, identifying the set of users can include grouping the actions performed during use of the cloud service, and identifying a group of actions that includes an action that is privileged. For example, a K-means clustering technique can be used to plot the actions in the activity data, and the users who performed the actions to identify users who performed similar actions),
wherein the orchestration model includes a plurality of input features from the one or more behavior models and leverage the correlation among different behavior models to reduce false positives (Kirti, Para. 0169, machine learning algorithms can be utilized in at least the ways discussed above to make recommendations and reduce false alarms (false positives). Activity data collected from various parameters over a period of time can be used with machine learning algorithms to generate patterns referred to as user behavior profiles), and
wherein the one or more behavior models define the normal behavior and the abnormal behavior for the function in terms of one or more of Uniform Resource Locator (URL) access, bandwidth, device, and app usage (Kirti, Para. 0096, Para. 0051, analysis performed by the security monitoring and control system 102 can include determining models of normal and/or abnormal behavior in user activity, and using the models to detect patterns of suspicious activity. In some examples, the security monitoring and control system 102 can simultaneously analyze data from different services and/or from different services providers).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GITA FARAMARZI whose telephone number is (571) 272-0248. The examiner can normally be reached 9:30 AM- 6:30 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/G.F./
Examiner, Art Unit 2496
/JORGE L ORTIZ CRIADO/
Supervisory Patent Examiner, Art Unit 2496