Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 5/30/2022 has been entered.
 
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Ford et al. (US Patent No. 9,882,918, hereinafter referred to as “Ford”) in view of Steiman et al. (US Patent No. 10,496,815, hereinafter referred to as “Steiman”), in further view of Beauchesne et al. (WO 201681520, hereinafter referred to as “Beauchesne”).

Regarding claim 1, Ford teaches a computer-implementable method for performing a security operation, comprising: 
monitoring a plurality of electronically-observable actions of an entity, the plurality of electronically-observable actions of the entity corresponding to a respective plurality of events enacted by the entity (abstract - monitoring user interactions between a user and an information handling system), the monitoring comprising monitoring the plurality of electronically-observable actions via a protected endpoint (col. 8, lines 29-32 - the points of observation may occur during various user interactions, such as user/device 228, user/network 242, user/resource 248, and user/user 260 interactions); 
converting the plurality of electronically-observable actions of the entity to electronic information representing the plurality of actions of the entity (abstract - converting the user interactions and the information about the user into electronic information representing the user interactions); 
generating a representation of occurrences of a particular event from the plurality of events enacted by the entity (abstract - generating a unique cyber behavior profile based upon the electronic information representing the user interactions and the information about the user); and 
performing an anomaly detection operation based upon the representation of occurrences of the particular event from the plurality of events enacted by the entity (col. 3, lines 35-38 - the user behavior monitoring system 118 performs a detection operation to determine whether a particular behavior associated with a given user is acceptable, unacceptable, anomalous, or malicious); and wherein the protected endpoint tracks occurrences of the particular event resulting from the plurality of electronically-observable actions of the entity (abstract - monitoring user interactions between a user and an information handling system), and the representation of occurrences of the particular event is based upon tracking occurrences of the particular event (abstract - generating a unique cyber behavior profile based upon the electronic information representing the user interactions and the information about the user).
However, Ford does not explicitly teach the anomaly detection operation determining when the representation of occurrences of the particular event exceeds a predetermined threshold, the anomaly detection operation being performed during an endpoint event anomaly baseline time period to detect an anomalous endpoint event, the endpoint event anomaly baseline time period comprising a sliding window implemented for a predetermined period of time to identify and omit false positives of anomalous behavior; and wherein the protected endpoint comprises an endpoint event counter feature pack; the endpoint event counter feature pack comprises an endpoint event counter module.  
In an analogous art, Steiman teaches the anomaly detection operation determining when the representation of occurrences of the particular event exceeds a predetermined threshold (col. 3, lines 12-27 - for each of certain user label(s) (“select user labels”), the system creates a data model that reflects monitored assets used by users with the user label (step 120). Each time a user associated with one of the select user labels accesses a monitored asset (or an applicable type of monitored asset), the system updates the applicable data model to reflect the access event. The applicable data model is the data model that corresponds to the select user label in the access event. In certain embodiments in which a risk score is calculated for a user's session (see description of FIG. 5 below), the system refrains from updating the data model with the access event if the user's risk score is above a threshold (i.e., considered abnormal). This prevents data from a user session that is considered high risk or significantly abnormal from skewing the data models); and 
wherein the protected endpoint comprises an endpoint event counter feature pack (col. 2, lines 27-29 - the system creates a counter data model that reflects monitored assets used by users without the select user label); 
the endpoint event counter feature pack comprises an endpoint event counter module (col. 2, lines 27-29 - the system creates a counter data model that reflects monitored assets used by users without the select user label).
Before the effective filing date of the invention, one of ordinary skill in the art would have been motivated to determine an anomaly when an event exceeds a predetermined threshold in order to allow the monitored asset to be classified (col. 2, lines 8-13), and to employ an event counter feature pack in order to keep track of events, thus preventing data from a user session that is considered high risk or significantly abnormal from skewing the data models (col. 3, lines 12-27). 
In another analogous art, Beauchesne teaches the anomaly detection operation being performed during an endpoint event anomaly baseline time period to detect an anomalous endpoint event, the endpoint event anomaly baseline time period comprising a sliding window implemented for a predetermined period of time to identify and omit false positives of anomalous behavior ([0025] the time window module may operate as a sliding window of a discrete duration. For example, if the sliding window time duration is 6 hours then metadata instances in the clusters that are older than 6 hours are expired and removed from the cluster. The expiring and removing of old metadata instances using a sliding window can protect against false positives caused by potential build-up of unrelated metadata instances over very long periods of time. Further, though specific examples are used here for the threshold size limit (e.g., 3) and the time duration (e.g., six hours), one of ordinary skill in the art appreciates that such parameters can be modified or customized per implementation, as required. [0027] a training window or period may be implemented, where the metadata instances are grouped into clusters to generate a baseline state of the network. The training period may be set to a time duration such as 24 hours.). Before the effective filing date of the invention, one of ordinary skill in the art would have been motivated to perform anomaly detection during an endpoint event anomaly baseline time period, the endpoint event anomaly baseline time period comprising a sliding window, in order to remove old metadata instances, which protects against false positives, so that the potentially malicious activity may be combined with other unrelated anomalies to generate an automatic alarm, or network administrators or security administrators can further monitor the network activity and manually generate an alarm as required (Beauchesne [0026]).
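The mechanism at issue in claim 1, an endpoint event counter whose occurrence count is evaluated against a predetermined threshold over a sliding window after a baseline period, rendered as an added illustration. This is not code from the application or from Ford, Steiman or Beauchesne; the class, parameter names and the replayed trace are constructed for this example, with Beauchesne's example values (6-hour window, threshold 3, 24-hour training period) as defaults.

```python
from collections import deque

class EndpointEventCounter:
    """Sliding-window occurrence counter for one event type on a protected endpoint.

    Constructed example. Assumed parameters:
    window_seconds   - duration of the sliding window
    threshold        - predetermined count above which an occurrence is anomalous
    baseline_seconds - initial baseline period: counts are tracked but no anomaly
                       is reported, so the window can fill with normal history first
    """

    def __init__(self, window_seconds, threshold, baseline_seconds):
        self.window_seconds = window_seconds
        self.threshold = threshold
        self.baseline_seconds = baseline_seconds
        self.start_ts = None
        self.windows = {}      # entity -> deque of timestamps still inside the window
        self.cumulative = {}   # entity -> total count with no expiry, for comparison

    def observe(self, entity, ts):
        """Record one occurrence for `entity` at epoch time `ts`.

        Returns (windowed_count, anomalous)."""
        if self.start_ts is None:
            self.start_ts = ts
        q = self.windows.setdefault(entity, deque())
        q.append(ts)
        self.cumulative[entity] = self.cumulative.get(entity, 0) + 1
        # Expire occurrences that have aged out of the sliding window; this is what
        # keeps a slow trickle of unrelated events from accumulating into a false positive.
        while q and ts - q[0] >= self.window_seconds:
            q.popleft()
        in_baseline = ts - self.start_ts < self.baseline_seconds
        anomalous = (not in_baseline) and len(q) > self.threshold
        return len(q), anomalous


def run_constructed_trace():
    """Replay a constructed trace: a slow trickle over five days, then a burst."""
    hour = 3600
    counter = EndpointEventCounter(window_seconds=6 * hour, threshold=3,
                                   baseline_seconds=24 * hour)
    results = []
    # One event every 8 hours for 15 occurrences: never more than 1 in any 6h window.
    for i in range(15):
        results.append(("slow", counter.observe("host-a", i * 8 * hour)))
    # Four events within ten minutes on day 5: exceeds the threshold inside one window.
    t0 = 5 * 24 * hour
    for i in range(4):
        results.append(("burst", counter.observe("host-a", t0 + i * 150)))
    return results, counter.cumulative["host-a"]
```

The cumulative count for the trace reaches 19, far above the threshold, while the windowed count only exceeds it on the final burst event; that difference is the false-positive suppression the sliding window provides.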
Regarding claim 2, Ford teaches the method of claim 1, wherein: the protected endpoint comprises an endpoint device (col. 8, lines 29-32 - user/device 228) and an endpoint agent (col. 16, line 14 - program codes on the device).  

Regarding claim 3, Ford does not explicitly teach the method of claim 1, wherein: the representation of occurrences of the particular event comprises a numeric representation of a number of occurrences of the particular event.  In an analogous art, Steiman teaches the representation of occurrences of the particular event comprises a numeric representation of a number of occurrences of the particular event (col. 2, lines 27-29 - the system creates a counter data model that reflects monitored assets used by users). Before the effective filing date of the invention, one of ordinary skill in the art would have been motivated to employ a numeric representation of occurrences so that they can be counted and properly assigned a threshold value. 

Regarding claim 4, Ford teaches the method of claim 1, wherein: the protected endpoint comprises an event analytics module (col. 6, lines 10-13 - data analysis information). 

Regarding claim 5, Ford does not explicitly teach the method of claim 4, wherein: the endpoint event counter feature pack comprises an event data detector module, and an endpoint event data collector module.  However, Steiman teaches the endpoint event counter feature pack comprises an event data detector module (col. 4, lines 6-7 - the system detects a potential misuse of the monitored asset by the user), and an endpoint event data collector module (col. 6, lines 32-35 - event logs). The motivation to combine is the same as for claim 3 above.

Regarding claim 6, Ford teaches the method of claim 1, further comprising: determining whether an event of the respective plurality of events is of analytic utility (col. 9, line 64).  

Claims 7-12 are the system versions of claims 1-6, respectively, and are therefore rejected under the same rationale. 

Claims 13-18 are the non-transitory computer readable storage medium versions of claims 1-6, respectively, and are therefore rejected under the same rationale. 

Regarding claim 19, Ford teaches the non-transitory, computer-readable storage medium of claim 13, wherein: the computer executable instructions are deployable to a client system from a server system at a remote location (col. 18, lines 16-18 - wherein the computer executable instructions are deployable to a client system from a server system at a remote location).  

Regarding claim 20, Ford teaches the non-transitory, computer-readable storage medium of claim 13, wherein: the computer executable instructions are provided by a service provider to a user on an on-demand basis (col. 18, lines 20-22 - wherein the computer executable instructions are provided by a service provider to a user on an on-demand basis).

Response to Arguments
Applicant's arguments have been fully considered but they are moot in view of the newly cited art. 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
1. Robert Ross, WO 2006099218, generating, training, and evaluating anomaly detector.
2. Michael Cantrell, US 20200117177, create an anomaly detection model to detect anomalies in multivariate data originating from a given data source by extracting a model object for the anomaly detection model using a first set of training data.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALINA N BOUTAH whose telephone number is (571)272-3908. The examiner can normally be reached M-F 7:00 AM - 3:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William Trost can be reached on 571-272-7872. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

ALINA BOUTAH
Primary Examiner
Art Unit 2442



/ALINA A BOUTAH/Primary Examiner, Art Unit 2442