DETAILED ACTION

A response was received on 16 March 2022.  By this response, Claims 1-4, 7, and 11-15 have been amended.  New Claims 16-20 have been added.  No claims have been canceled.

Response to Amendment

A supplemental amendment was received on 11 April 2022.  A supplemental reply is not entered as a matter of right unless filed within a period of suspension of action under 37 CFR 1.103(a) or (c), as per 37 CFR 1.111(a)(2).  The supplemental reply is not clearly limited to the situations set forth in 37 CFR 1.111(a)(2)(i).  Although the Examiner provided, in the telephonic interview conducted 30 March 2022, broad suggestions for the type of amendment which may be sufficient to overcome the outstanding rejection under 35 U.S.C. 101, no specific claim language was suggested such that the Applicant’s amendments are not clearly limited to adoption of Examiner suggestions.  The supplemental reply is also not clearly limited to any of the other situations set forth in 37 CFR 1.111(a)(2)(i).  As a courtesy, this supplemental amendment will be entered; however, it is noted that any subsequent supplemental reply which does not clearly comply with 37 CFR 1.111(a)(2) will not be entered.  Interviews are encouraged to be conducted prior to the filing of a response to the outstanding Office action.
By the above supplemental amendment, Claims 1, 3, 4, and 11 have been further amended.  No claims have been added or canceled.  Claims 1-20 are currently pending in the present application.

Response to Arguments

Applicant’s arguments with respect to the rejection of Claims 1-15 under 35 U.S.C. 102(a)(1) have been considered but are moot in view of the new grounds of rejection set forth below.
Applicant's arguments filed 11 April 2022 have been fully considered but they are not persuasive.
Regarding the rejection of Claims 1-15 under 35 U.S.C. 101, first, it is noted that Applicant refers throughout to the 2019 Revised Patent Subject Matter Eligibility Guidance; however, such guidance has since been incorporated throughout MPEP § 2106 et seq.  With particular reference to amended independent Claim 1, Applicant argues that “the additional elements of the claimed limitations integrate to form a practical application” and therefore the claims are not directed to an abstract idea or other judicial exception (pages 11-12 of the present response).  However, Applicant does not explain which additional elements of which limitations provide a practical application of the recited abstract ideas, nor does Applicant state what the asserted practical application is considered to be.  Applicant further argues that the claimed limitations represent significantly more than a mere abstract idea or mathematical concept and go beyond what is well-understood, routine, and conventional (pages 12-13 of the present response); however, Applicant does not provide any explanation for these conclusory statements.  Applicant argues that, similar to DDR Holdings, the claimed limitations are rooted in computer and communication technology (page 13 of the present response).  However, Applicant overly simplifies the holdings of this decision, and further, Applicant does not provide any explanation for what limitations are necessarily rooted in computer technology or how the claims are otherwise similar to those at issue in DDR.  Similarly, Applicant argues that the claims are similar to those at issue in Trading Technologies (page 13 of the present response) but again fails to provide any explanation of the similarities between the present claims and the claims at issue in that case.  
Although Applicant argues that the claims “require specific structure elements for performing specific functions that are not generic computer functions” and that the claims specifically include a transformation (page 13 of the present response), Applicant does not identify what such specific structural elements, specific functions, or transformations are relied upon, and provides no explanation for these conclusory statements.  Applicant also argues that the claims recite a practical application in a manner similar to Data Engine Technologies v. Google (pages 13-14 of the present response), but once again does not provide any explanation for the asserted similarity between the present claims and the claims at issue in that decision.
Applicant further argues that the newly added limitations of providing an anomaly-based intrusion ranking in the supplemental amendment are directed to subsequent use of the claimed calculations and comparison to integrate the abstract idea into a practical application (page 14 of the present response).  However, merely providing the result of a comparison or calculation constitutes insignificant extra-solution activity because it amounts to necessary data output, as per MPEP § 2106.05(g).
Therefore, for the reasons detailed above, the Examiner maintains the rejections as set forth below.

Drawings

The objection to the drawings is withdrawn in light of the amended drawings filed on 16 March 2022.

Specification

The objection to the disclosure for informalities is NOT withdrawn, because the amendments have raised new issues and/or because not all issues have been addressed, as detailed below.
The disclosure is objected to because of the following informalities:  
The specification includes minor grammatical and other errors.  For example, in paragraph 0014, line 7 (see page 3 of the 16 March 2022 response), it appears that the phrase “train user sessions” should read “trained user sessions”.  In paragraph 0025, line 3 (page 3 of the 16 March 2022 response), the phrase “a stealth of credentials” is not in clear idiomatic English.
Appropriate correction is required.  Applicant’s cooperation is again requested in correcting any other errors of which applicant may become aware in the specification.
The specification is objected to as failing to provide proper antecedent basis for the claimed subject matter.  See 37 CFR 1.75(d)(1) and MPEP § 608.01(o).  Correction of the following is required:  Independent Claims 1 and 11 have been amended to recite “providing an anomaly-based intrusion ranking for said plurality of records of said plurality of user sessions in said audit log” or similar limitations.  There appears to be no mention of providing a ranking for records of user sessions as claimed, and therefore, there is not proper antecedent basis for the claimed subject matter in the specification.  Additionally, new Claims 19 and 20 recite “in a first scenario the user session is attributed to a single user, and in another scenario the user session is attributed to different users”.  There appears to be no mention of attributing a session to a single user or to different users as claimed, and therefore, there is not proper antecedent basis for the claimed subject matter in the specification.  For further detail, see below regarding the rejection under 35 U.S.C. 112(a) for failure to comply with the written description requirement.

Claim Rejections - 35 USC § 101

The rejection of Claims 1-15 under 35 U.S.C. 101 is NOT withdrawn for the reasons detailed above.
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to abstract ideas without significantly more. 
Independent Claim 1 recites a method that includes predicting probabilities, constructing a user group, determining an anomaly score, detecting an intrusion based on a comparison of the anomaly score with a threshold, and providing a ranking.  Predicting the probabilities and determining an anomaly score are mathematical calculations that fall into the grouping of mathematical concepts, which is one of the groupings of abstract ideas set forth in MPEP § 2106.04(a)(2).  As further evidence, see the specific equations recited in Claim 17.  Constructing the user group, comparing the anomaly score to a threshold, and providing a ranking of scores are mental processes including a comparison of data.  Mental processes are another grouping of abstract ideas set forth in MPEP § 2106.04(a)(2).  Abstract ideas are judicial exceptions as per MPEP § 2106.04(I).  See also Alice Corporation Pty. Ltd. v. CLS Bank, International, et al, 573 U.S. 208, 110 USPQ2d 1976 (2014).
The judicial exception is not integrated into a practical application because there is no subsequent use of the result of the detection/comparison.  The claim does not recite any use or further action with respect to the result of the detecting step. There is nothing that would result in a particular transformation, as per MPEP § 2106.05(c), nor does the claim require the use of the abstract idea in conjunction with a particular machine or manufacture, as per MPEP § 2106.05(b).  The recitation of the user session only serves to link the abstract idea to a particular technological environment, as per MPEP § 2106.05(h).  The recitation of providing the ranking constitutes, at most, insignificant post-solution activity, as per MPEP § 2106.05(g).  The recitations relating to reducing false positives only recite an intended use of the claimed steps without clearly linking how the steps would result in the intended use or result.  There are no additional elements that apply or use the abstract idea in a meaningful way beyond merely linking the use of the judicial exception to a particular technological environment.  There is no subsequent significant use of the result of the detecting step. Therefore, the claim is not directed to a practical application of the abstract idea.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception for similar reasons as detailed above with respect to the question of a practical application of the judicial exception.  Therefore, the claim as a whole, whether the steps are considered individually or as an ordered combination, is not directed to significantly more than the abstract idea.
Dependent Claims 2-10, 17, and 19 only recite further details of the abstract ideas, such as use of a matrix or other algorithms, which do not provide a practical application or significantly more than the abstract ideas as detailed above.  These claims are abstract for the same reasons as the independent claim and do not add significantly more to the abstract idea recited in the independent claim.
Independent Claim 11 recites a computer system having functionality corresponding to that of the method of Claim 1.  This functionality is directed to an abstract idea for similar reasons as detailed above with respect to Claim 1.  This judicial exception is not integrated into a practical application for similar reasons as detailed with respect to Claim 1.  The recitations of a computer system are at a generic level and constitute nothing more than mere instructions to implement the abstract idea on a computer. See MPEP § 2106.05(f).  Therefore, the claim is not directed to a practical application of the abstract idea, and is not directed to significantly more for similar reasons as discussed above.
Dependent Claims 12-16, 18, and 20 only recite further details of the abstract ideas, such as use of a matrix or other algorithms, which do not provide a practical application or significantly more than the abstract ideas as detailed above.  These claims are abstract for the same reasons as the independent claim and do not add significantly more to the abstract idea recited in the independent claim.
Based upon consideration of all of the relevant factors with respect to the claims as an ordered combination and as a whole, Claims 1-20 are determined to be directed to abstract ideas without a practical application and without significantly more, as detailed above.  Therefore, based on the above analysis, the claimed inventions are not directed to patent eligible subject matter.

Claim Rejections - 35 USC § 112

The rejection of Claims 1-15 under 35 U.S.C. 112(b) as indefinite is NOT withdrawn because the amendments have raised new issues, as detailed below.
The following is a quotation of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Independent Claims 1 and 11 have been amended to recite “providing an anomaly-based intrusion ranking for said plurality of records of said plurality of user sessions in said audit log” or similar limitations.  Although Applicant generally points to pages 3-5 of the specification for support for the claims as amended (page 9 of the present response), there appears to be no mention of providing a ranking for records of user sessions as claimed in the cited portion or elsewhere in the specification.  Therefore, there is not clear written description of the claimed subject matter in the specification.
New Claims 19 and 20 recite “in a first scenario the user session is attributed to a single user, and in another scenario the user session is attributed to different users”.  Although Applicant generally points to pages 3-5 of the specification for support for the claims as amended (page 9 of the present response), there appears to be no mention in the cited portion or elsewhere in the specification of attributing a session to a single user or to different users as claimed.  Therefore, there is not clear written description of the claimed subject matter in the specification.
Claims not specifically referred to above are rejected due to their dependence on a rejected base claim.

Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the enablement requirement.  The claims contain subject matter which was not described in the specification in such a way as to enable one skilled in the art to which it pertains, or with which it is most nearly connected, to make and/or use the invention.
A determination of a failure to comply with the enablement requirement is made considering the undue experimentation factors set forth in MPEP § 2164.01(a).  In the present application, the factors which appear to weigh most heavily are the breadth of the claims (MPEP § 2164.08), the amount of direction provided by the inventor (MPEP § 2164.03), and the existence of working examples.  Independent Claims 1 and 11 broadly recite that users are grouped together based on a similarity threshold “to reduce false positives in a [sic] presence of indistinguishable users” and “detecting an intrusion if the anomaly score of the user session and the claimed user exceeds a predetermined threshold to reduce said false positives in the presence of said indistinguishable users” or similar limitations.  The only mentions of false positives in the specification are in paragraphs 0017, 0022, and 0024.  These paragraphs generally mention reduction of false positives in similar language as that of the claims, but do not clearly describe how grouping users would reduce false positives, and do not describe anything similar to detecting an intrusion based on a threshold to reduce false positives or how such a detection would reduce false positives.  The specification provides no clear detail or explicit examples (e.g. evidence, data, or analysis) of how false positives would or could be reduced.  The lack of details or examples in any detail beyond the claim language suggests that there is little direction provided by the inventor.  Combined with the broad scope of the claims, this suggests that the enablement of the description is not commensurate in scope with the claims (MPEP § 2164.08) and that undue experimentation would be required to make or use the invention based on the disclosure (MPEP § 2164.06).

The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 recites “the user session” in lines 4, 5, and throughout the claim.  However, because the claim recites a plurality of user sessions, it is not clear to which of the plural sessions these limitations are intended to refer.  Similarly, the claim recites “the user” in line 7; however, because the claim recites a plurality of users, it is not clear to which of the plural users this limitation is intended to refer.  The claim further recites “similar activity features” in line 12.  The term “similar” is a relative term, and it is not clear from the claims or specification how similar activities must be to be included in the user group.  See MPEP § 2173.05(b).  The claim additionally recites “to reduce false positives in a presence of indistinguishable users” in line 15.  It is not clear how the grouping of users reduces false positives.  The claim also recites “the probability that the user session belongs to the user group” in lines 20-21 and 27-28.  Although the claim previously recited plural probabilities, there is not clear antecedent basis for this more detailed limitation in the claims.  The claim further recites “a lower the probability that the user session belongs to the user group, a more anomalous the user session is” in lines 27-28.  The phrases “a lower the probability” and “a more anomalous” are grammatically unclear and not in proper idiomatic English.  The claim additionally recites “detecting an intrusion if the anomaly score of the user session and the claimed user exceeds a predetermined threshold to reduce said false positives in the presence of said indistinguishable users” in lines 29-31.  It is not clear how detecting an intrusion if a score exceeds a threshold would result in reducing false positives.  The claim also recites “providing an anomaly-based intrusion ranking” in line 32.  It is not clear what is actually ranked in this ranking; further, if the anomaly score is used in the ranking, it is not clear how other comparative anomaly scores may be obtained or when this ranking is performed, which amounts to a gap in the claim.  The above ambiguities render the claim indefinite.
Claim 3 recites “said plurality of user sessions of claimed users reattributed to the claimed users” in lines 2-3 and “the plurality of user sessions of said claimed users reattributed to other users” in lines 4-5.  Although Claim 1 recites a plurality of user sessions, there is not clear antecedent basis for these more detailed limitations in the claims.
Claim 7 recites “the user session” in line 2.  However, because Claim 1 recites a plurality of user sessions, it is not clear to which of the plural sessions this limitation is intended to refer.
Claim 11 recites “a detection unit that detects intrusions” in line 3 and “a clustering unit that constructs a user group”.  It is not clear how the claimed system would include a step of detecting or constructing.  Similarly, it is not clear how the system would include the steps of determining the anomaly score, detecting an intrusion, or providing an anomaly-based intrusion ranking.  It appears that these may be intended to recite that the monitoring unit is configured or programmed to perform these various functions or steps.  The claim further recites “the user session” in lines 6, 11, and throughout the claim.  However, because the claim recites a plurality of user sessions, it is not clear to which of the plural sessions these limitations are intended to refer.  The claim additionally recites “similar activity features” in line 7.  The term “similar” is a relative term, and it is not clear from the claims or specification how similar activities must be to be included in the user group.  See MPEP § 2173.05(b).  The claim also recites “to reduce false positives in a presence of indistinguishable users” in line 9.  It is not clear how the grouping of users reduces false positives.  The claim further recites that the detection unit “detects an intrusion if the anomaly score exceeds a predetermined threshold to reduce said false positives in the presence of said indistinguishable users” in lines 19-20.  It is not clear how detecting an intrusion if a score exceeds a threshold would result in reducing false positives.  The claim additionally recites that the detection unit “provides an anomaly-based intrusion ranking” in line 21.  It is not clear what is actually ranked in this ranking; further, if the anomaly score is used in the ranking, it is not clear how other comparative anomaly scores may be obtained or when this ranking is performed, which amounts to a gap in the claim.  The above ambiguities render the claim indefinite.
Claim 12 recites that “the clustering unit constructs the user group”.  It is not clear how the system includes the step of constructing.  It appears that this may be intended to recite that the clustering unit is configured or programmed to construct the group.  The claim additionally recites “the user session” in line 2.  However, because Claim 11 recited a plurality of user sessions, it is not clear to which of the plural sessions this limitation is intended to refer.
Claim 14 recites “the probability” in line 1; however, Claims 12 and 13 recite plural probabilities, and it is not clear to which of the plural probabilities this limitation is intended to refer.  Claim 14 further recites “the user” and “the user session” in line 2; however, because the claims recite a plurality of users and a plurality of sessions, it is not clear to which these limitations are intended to refer.
Claim 16 recites “a lower the probability that the user session belongs to the user group, a more anomalous the user session is” in lines 3-4.  The phrases “a lower the probability” and “a more anomalous” are grammatically unclear and not in proper idiomatic English.
Claim 17 recites “the user session” in lines 5 and 7 and “the user” in line 6.  However, because the claims recite a plurality of users and a plurality of sessions, it is not clear to which these limitations are intended to refer.
Claim 18 recites “the user session” in lines 5, 6, and 7 and “the user” in line 6.  However, because the claims recite a plurality of users and a plurality of sessions, it is not clear to which these limitations are intended to refer.
Claim 19 recites “the user session” in lines 1 and 2.  However, because the claims recite a plurality of sessions, it is not clear to which session these limitations are intended to refer.
Claim 20 recites “the user session” in lines 1 and 2.  However, because the claims recite a plurality of sessions, it is not clear to which session these limitations are intended to refer.
Claims not specifically referred to above are rejected due to their dependence on a rejected base claim.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over McGeehan et al, US Patent 8869243, in view of Lin et al, US Patent 11178168.
In reference to Claim 1, McGeehan discloses a method that includes predicting probabilities that a user session belongs to a user; constructing a user group including users with similar activity features based on the probabilities; determining an anomaly score for a user session based on a probability; detecting an intrusion if the anomaly score exceeds a threshold; and providing a ranking of the plurality of records in the logs (see column 4, lines 36-57, degrees of suspicion, probabilities; see also column 5, lines 17-37, and column 7, lines 19-39, use of logs; column 11, lines 35-57, rankings of records).  However, McGeehan does not explicitly disclose that the probability is a sum over all predictions of plural probabilities.
Lin discloses a method that includes determining probabilities related to sessions by summing all predictions of probabilities for a session (see column 4, lines 18-67).  Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of McGeehan to include the summation of Lin in order to provide more information from the combined probability (see Lin, column 4, lines 61-67, for example).
In reference to Claims 2-4, McGeehan and Lin further disclose constructing a matrix of values that identify sessions and users (McGeehan, column 4, lines 36-57).
In reference to Claims 5, 6, 8, and 9, McGeehan and Lin further disclose various learning models (McGeehan, column 13, lines 24-60).
In reference to Claim 7, McGeehan and Lin further disclose the anomaly score based on the probability (McGeehan, column 4, lines 36-57).
In reference to Claim 10, McGeehan and Lin further disclose training the model (McGeehan, column 13, lines 24-60).
In reference to Claim 17, McGeehan and Lin further disclose an anomaly score represented by an equation including the sum of probabilities as claimed (see Lin, column 4, lines 30-35).
In reference to Claim 19, McGeehan and Lin further disclose attributing a session to a single or multiple users (see McGeehan, column 7, lines 19-39).

Claims 11-16 are directed to systems having functionality corresponding to the methods of at least Claims 1 and 2, and Claims 18 and 20 are directed to systems having functionality corresponding to the methods of Claims 17 and 19, and are rejected by a similar rationale, mutatis mutandis.

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Zachary A Davis whose telephone number is (571)272-3870. The examiner can normally be reached Monday-Friday, 9:30am-6:00pm, Eastern Time.
Examiner interviews are available via telephone and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar, can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Zachary A. Davis/Primary Examiner, Art Unit 2492