DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-20 rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Regarding to claims 1, 8 and 15, limitation “generating an alert based on determining whether the action represents an outlier” is not clear because the result of “determining whether the action represents an outlier” can be yes or no. It’s unclear in which condition that the alert is generated. 
Dependent claims 2-7, 10-14 and 16-20 are rejected under 35 U.S.C. 112 (b) for inheriting the deficiencies of the independent claims from which they depend on.

	
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –


(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claim 1-4, 6-8 and 15 are rejected under 35 U.S.C. 102 (a)(1) as being anticipated by Watson et al. (Pub. No.: US 2018 / 0248895, hereinafter Watson).
Regarding claim 1: Watson discloses A method of detecting anomalous user behavior in cloud environments (Watson - Fig. 1, [0015]: cloud environments [0024]: The service can identify and surface anomalous behavior or engagement with data, alerting the customer of a potential breach or attack), the method comprising:
receiving a count of an action taken during a current time interval in a cloud environment (Watson - [0026]: Such data loss prevention service can utilize the quantities, frequencies, or other such metric(s) of documents accessed over a given period of time as an input. [0027]: the count of documents and topics being accessed are fed as input to an unsupervised classifier);
determining whether the count of the action is greater by more than a threshold amount than a statistical characterization of previous times when the action was taken across a peer group (Watson - [0026]: The activity of the peers, and others with whom a user frequency interacts, can help to predict information such as the types of topics and the quantity of documents with which a user will interact. [0027]: When a user deviates more than a determined amount (i.e., more than a threshold or maximum allowed amount) from the types or frequency of access predicted, as well as that of a peer group);
determining whether the action represents an outlier (Watson - [0027]: the neural network can detect the deviation); and
generating an alert based on determining whether the action represents an outlier (Watson - [0027]: generate an alert for a security group or other appropriate entity).
Regarding claim 2: Watson discloses wherein the count of the action taken during the current time interval comprises a count of a single action type performed by a single user (Watson - [0027]: a user deviates more than a determined amount (i.e., more than a threshold or maximum allowed amount) from the types or frequency of access predicted). (action: doc/resource access, user is a single user)
Regarding claim 3: Watson discloses wherein the count of the action taken during the current time interval comprises a count of a single action type performed on a single resource (Watson - [0029]: a customer can utilize a client device, here operating a customer console 102, to access resources of a resource provider environment 106). (access – access and single resource – console 102)
Regarding claim 4: Watson discloses further comprising generating the count of the action taken during the current time interval by aggregating actions by a single user or on a single resource from an action log recorded during the current time interval (Watson - [0036]: the error between expected and actual activity for a user can be accumulated, and the summary of errors over a time series analyzed to identify users with excessively large error values, which can be indicative of suspicious activity).
Regarding claim 6: Watson discloses wherein determining whether the count of the action is greater by more than a threshold amount comprises:
providing the count of the action and a type of the action to a neural network (Watson - [0026]: utilize the quantities, frequencies, or other such metric(s) of documents accessed over a given period of time as an input to a recurrent neural network trained on the user, as well as the user's peers); and
receiving an output from the neural network indicating whether the action represents an outlier (Watson - [0027]: the neural network can detect the deviation and generate an alert for a security group).
Regarding claim 7: Watson discloses wherein the neural network is trained using the count of the action, the type of the action, and a response to the alert (Watson - [0022]: The types of topics and security elements, and the associated risk scores, can be learned and adapted over time using, for example, a neural network, set of models, trained regressor, or other such mechanism).
Regarding claim 8: this claim defines a computer readable medium claim that corresponds to method claim 1 and does not define beyond limitations of claim 1. Therefore, claim 8 is rejected with the same rational as in the rejection of claim 1. 
Regarding claim 15: this claim defines a system claim that corresponds to method claim 1 and does not define beyond limitations of claim 1. Therefore, claim 15 is rejected with the same rational as in the rejection of claim 1.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Watson et al. (Pub. No.: US 2018/0248895, hereinafter Watson) in view of Huang et al. (Pub. No.: US 2020/0184245, hereinafter Huang).
Regarding claim 5: Watson doesn’t explicitly teach but Huang discloses wherein the threshold amount comprises a predetermined number of standard deviations above the statistical characterization of the previous times when the action was taken across the peer group (Huang - [0049]: thresholds generator 476 can generate thresholds 462 and 464 by multiplying standard deviation σ with a multiplier value (e.g., three) set by standard deviation multiplier 480 to generate a multiple … Each of comparators 472 can compare the shifted output data element against thresholds 462 and 464 provided by thresholds generator 476 to determine whether the shifted output data element is an outlier).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Watson with Huang so that threshold is generated for determining an outlier. The modification would have allowed the system to find an outlier.

Claims 9, 11-14 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Watson et al. (Pub. No.: US 2018/0248895, hereinafter Watson) in view of Stolfo et al. (Pub. No.: US 2003/0167402, hereinafter Stolfo).
Regarding claim 9: Watson doesn’t explicitly teach but Stolfo discloses wherein the operations further comprise:
calculating a first vector that is representative of actions taken during a plurality of previous time intervals in the cloud environment;
calculating a similarity between the first vector and a second vector that comprises counts of actions taken during a current time interval, wherein the second vector also comprises the count of the action;
comparing the similarity to a baseline threshold to determine whether one or more anomalous actions have occurred; and
generating an alert based at least in part on a determination that the one or more anomalous actions have occurred in the cloud environment (Stolfo - [0068]: A histogram for normal behavior may be taken over one time period, and histogram for new behavior may be taken over a second time period. [0069]: Once such histograms have been created, the histogram of the baseline behavior is compared with the histogram of the selected behavior to determine whether the new behavior represents a deviation that may be classified as a violation of email security policy … A histogram can be represented by a vector. [0064]: Where the selected behavior of the particular email account deviates from this profile of prior or baseline behavior, the system 10 may issue an alert that a violation of an email security policy has occurred).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Watson with Stolfo so that the histogram of the baseline behavior is compared with the histogram of the selected behavior to determine whether the new behavior represents a deviation that may be classified as a violation. 
Regarding claim 11: Watson doesn’t explicitly teach but Stolfo discloses wherein each entry in the first vector comprises an average event score during the plurality of previous time intervals (Stolfo - [0066]: a histogram may record the average number of emails sent by an email account each day during the previous month, wherein each bin represents a day, hour, or other time period).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Watson with Stolfo so that a histogram may record the average number of emails sent by an email account each day during the previous month. The modification would have allowed the system to use histogram computed over the twelve months to serve as a statistical model of baseline behavior of the email account.
Regarding claim 12: Watson doesn’t explicitly teach but Stolfo discloses wherein each of the plurality of previous time intervals comprises one day (Stolfo - [0066]: a histogram may record the average number of emails sent by an email account each day during the previous month).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Watson with Stolfo so that the time period can be one day. The modification would have allowed the system to be flexible.
Regarding claim 13: Watson doesn’t explicitly teach but Stolfo discloses wherein the plurality of previous time intervals comprises a sliding window of days, wherein the sliding window of days adds the current time interval to the sliding window of days and removes a least-recent time interval from the sliding window of days after each time interval (Stolfo - [0066]: Each bin in the histogram counts some number of events in fixed time periods).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Watson with Stolfo so that Each bin in the histogram counts some number of events in fixed time periods. The modification would have allowed the system to use bin to accumulate events.
Regarding claim 14: Watson doesn’t explicitly teach but Stolfo discloses wherein the first vector is representative of actions taken during the plurality of previous time intervals by storing a histogram of event counts for each of the plurality of previous time intervals (Stolfo - [0066] and [0067]: histograms that may be stored for an email account).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Watson with Stolfo so that histograms that may be stored. The modification would have allowed the system to do further analysis.
Regarding claim 19: Watson doesn’t explicitly teach but Stolfo discloses wherein the action comprises a number of emails that are sent by a particular user (Stolfo - [0064]: The statistics gathered about the prior transmission of email to and from a particular email account can be used as training data to create a probabilistic or statistical model of an email account).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Watson with Stolfo so that he statistics gathered about the prior transmission of email to and from a particular email account. The modification would have allowed the system to create a probabilistic or statistical model of an email account.

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Watson et al. (Pub. No.: US 2018/0248895, hereinafter Watson) in view of Bagheri et al. (Pub. No.: US 2020/0134188).
Regarding claim 10: Watson doesn’t explicitly teach but Bagheri discloses wherein the similarity is calculated using a cosine similarity (Bagheri - [0058]: cosine similarity to evaluate similarity between two vectors).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Watson with Bagheri so that cosine similarity is used to evaluate similarity between two vectors.

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Watson et al. (Pub. No.: US 2018/0248895, hereinafter Watson) in view of DORMODY et al. (Pub. No.: US 2019/0360804).
Regarding claim 16: Watson doesn’t explicitly teach but DORMODY discloses wherein determining whether the action represents an outlier comprises:
performing a second determination of whether the count of the action is greater than a global mean of action counts multiplied by a scale factor for the action (DORMODY - [0062]: the new global success average may be determined by weighting the current global success average using any suitable weight and adding it to a weighted access count for the deallocated page (again using any suitable weight). [0066]: If the global access average is less than the global access average threshold, but the global success average is greater than or equal to the global success average threshold).
It would have been prima facie obviou)s to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Watson with DORMODY so that t the global access average threshold is used to determine an outlier. 

Claims 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Watson et al. (Pub. No.: US 2018/0248895, hereinafter Watson) in view of DORMODY et al. (Pub. No.: US 2019/0360804) and Muralidharan et al. (Pub. No : US 2019/0102361, hereinafter Muralidharan).
Regarding claim 17: Watson as modified doesn’t explicitly teach but Muralidharan discloses wherein determining whether the action represents an outlier comprises:
calculating the scale factor as a ratio of a local mean of action counts over the global mean of action counts (Muralidharan - [0028]: analysis apparatus 202 may use the O/E ratios, score distribution, and/or other performance metrics 122 calculated over each 15-minute period to produce a mean, variance, percentile, count, sum, and/or other summary statistics for performance metrics 122 that span the same period).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Watson, DORMODY with Muralidharan so that the O/E ratio doe performance metrics.
Regarding claim 18: Watson as modified doesn’t explicitly teach but Muralidharan discloses wherein determining whether the action represents an outlier comprises:
replacing an existing scale factor for the action when the scale factor is greater than the existing scale factor (Muralidharan - [0030]: analysis apparatus 202 may compare recent values of performance metrics 122 and/or time series 210 with historical or baseline values of performance metrics 122 and/or time series 210 to detect deviations 214).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Watson, DORMODY with Muralidharan so deviation can be detected.

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Watson et al. (Pub. No.: US 2018/0248895, hereinafter Watson) in view of Rouatbi et al. (Pub. No.: US 2019/0104147, hereinafter Rouatbi).
Regarding claim 20: Watson doesn’t explicitly teach but Rouatbi discloses wherein the action comprises a number of folders created by a particular user (Rouatbi - [0029]: the same or similar action may presented as different actions in the artifacts … User/Favorites folder was created as an action).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Watson with Rouatbi so that an action can be creating User/Favorites folder. 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Peer (Patent No.: US 8,621,586) - Using baseline profiles in adaptive authentication
Pugsley et al. (Pub. No.: US 2019/0087341) - Method and system for coordinating baseline and secondary prefetchers
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG LI whose telephone number is (571)272-8729.  The examiner can normally be reached on M-F 8:30-5:30.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid can be reached on (571) 272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8729.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MENG LI/
Primary Examiner, Art Unit 2437