Detailed Action
Claims 1-24 are presented for examination.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Drawings
Figures 5 and 6 are objected to because they are substantially blurry and illegible. Please submit corrected figures.

Claim Objections
Claims 2 and 3 are objected to because they recite the term “the contribution” without antecedent basis. For the purpose of examination, Claim 2 is interpreted as reciting “a contribution”.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4 and 8-24 are rejected under 35 U.S.C. 103 as being unpatentable over Jones et al (US Pub.No.2017/0111381) in view of Futty (US Pub.No.2016/0065608).

Re Claim 1. Jones discloses a system for assessing security risk associated with a computer network, the system comprising: a risk assessment database; and a risk analysis subsystem operably connected to said risk assessment database and one or more data sources, wherein the one or more data sources comprise user activity data, wherein the risk analysis system comprises at least one processor and associated memory, wherein the memory stores instructions executable by the at least one processor for performing operations comprising: monitoring the one or more data sources to obtain user activity data associated with users of the computer network; (i.e. the compromise determination engine 110 can be in communication with, or in some implementations maintain, a user account summary database 104 storing historical information regarding user accounts (e.g., the system 100 can monitor network actions of each user account, and determine summary data to include in the user account summary database 104)) [Jones, para.0049, Fig.2], processing the user activity data to generate a plurality of user profiles, wherein each user profile is associated with a respective user (i.e. The compromise determination engine 110 can determine user compromise scores for a particular user by utilizing information obtained from the network interaction database 102 (e.g., data describing user behavior of the particular user account), and one or more models (e.g., machine learning models) describing normal (e.g., expected, measures of central tendency of) user behavior of user accounts with the business (e.g., user accounts associated with a same employee role as the particular user account). As an example, the compromise determination engine 110 can monitor user behavior (e.g., user actions, network actions, and so on) and update the normal behavior of each user account (e.g., upon the occurrence of any action, or periodically) [Jones, para.0047], (i.e. in FIG. 1, the example user interface includes user compromise scores that measure user behavior associated with “Remote Access”, which can be user behavior associated with initially accessing user accounts or network accessible systems. As an example, the user behavior can include the specific systems (e.g., user devices) used to access the network(s) and/or user accounts, the specific network accessible systems accessed, geographic locations from which user accounts were accessed, and so on) [Jones, para.0029, Fig.1]; processing the user profiles to classify the users into a plurality of user groups (i.e. one or more models (e.g., machine learning models) describing normal (e.g., expected, measures of central tendency of) user behavior of user accounts with the business (e.g., user accounts associated with a same employee role as the particular user account)) [Jones, para.0047]; storing the user profiles and the user groups in the risk assessment database (i.e. the compromise determination engine 110 can be in communication with, or in some implementations maintain, a user account summary database 104 storing historical information regarding user accounts (e.g., the system 100 can monitor network actions of each user account, and determine summary data to include in the user account summary database 104) … the compromise determination engine 110 can determine user compromise scores from user account summary data describing normal (e.g., expected, measures of central tendency of) user behavior and also normal user behavior of other user accounts) [Jones, para.0049-0050]; and generating a composite security risk measure associated with a given user, wherein the composite security risk measure is generated, at least in part, by combining: a first security risk measure generated by processing the user profile associated with the given user; and a second security risk measure (i.e. Since the anomaly score is an aggregate of user compromise scores across network actions, the system can utilize the anomaly score as an overall user compromise score which can be used, for example, to rank (e.g., prioritize) user accounts for review) [Jones, para.0099] based on a comparison between a current user group associated with the given user and a previous user group associated with the given user (i.e. the models can identify a frequency that user accounts transition to other user accounts, and specifically a frequency in which user accounts transition to user accounts with escalated privileges (e.g., escalated access rights associated with an access control list (ACL)) … The system can determine a user chaining score based off a comparison of user behavior of the user account to the normal user behavior (e.g., the system can assign a higher user chaining score, such as 1, 2, 3, to each determined deviation from the normal user behavior). Additionally, the system can compare user behavior of the user account to normal user behavior of user accounts associated with a same employee role. For instance, if the user account is associated with a human resources (HR) employee, and the normal user behavior for HR employees does not include transitioning to a privileged user account, the system can assign a higher user chaining score) [Jones, para.0091-0093].
 	Jones does not explicitly disclose whereas Futty does: each user group having an associated risk level (i.e. when calculating the access risk score of a group of members, ARCM 140 may also calculate the access risk score for each user 135 in the group of members) [Futty, para.0045].
	It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Jones with Futty because it facilitates rapid identification of excessive outlier access [Futty, para.0045].

Re Claim 24. This claim recites features similar to those recited in claim 1, therefore it is rejected in a similar manner.

Re Claim 2. Jones in view of Futty discloses the system according to claim 1, Futty further discloses: wherein the risk analysis subsystem is configured such that the contribution of the second security risk measure to the composite security risk measure increases when a risk level of the current user group exceeds a risk level of the previous user group (i.e. ARCM 140 may determine the difference between the original access risk score and the updated access risk score and compare that difference to a threshold. In this example, ARCM 140 may determine the risk score jumped from 5,000 to 16,120 with a difference of 11,120 and may also determine this difference is greater than a threshold of 5,000, which may cause an alert) [Futty, para.0049].
	The same motivation to modify with Futty, as in claim 1, applies.

Re Claim 3. Jones in view of Futty discloses the system according to claim 2, Futty further discloses: wherein the risk analysis subsystem is configured such that a magnitude of the contribution of the second security risk measure to the composite security risk measure is dependent on a difference between the risk level of the current user group and the risk level of the previous user group (i.e. ARCM 140 may determine the difference between the original access risk score and the updated access risk score and compare that difference to a threshold. In this example, ARCM 140 may determine the risk score jumped from 5,000 to 16,120 with a difference of 11,120 and may also determine this difference is greater than a threshold of 5,000, which may cause an alert. By focusing on the change in access risk score, ARCM 140 may be able to differentiate between small changes in permissions or access rights and much larger, more significant changes that may require review by a group leader or administrator) [Futty, para.0049], (i.e. As another example, if the access risk score changes by 10,000, then ARCM 140 may communicate a high alert notification to the administrator of system) [Futty, para.0035].
	The same motivation to modify with Futty, as in claim 1, applies.

Re Claim 4. Jones in view of Futty discloses the system according to claim 1, Jones further discloses: wherein the risk analysis subsystem is configured to communicate the associated security risk when the composite security risk measure associated with the given user exceeds a threshold (i.e. The user accounts 12 are ordered according to a rank 14 determined from a combination (e.g., a weighted combination) of the user compromise scores 20. In some implementations, the rank can be based solely off the “Anomaly Score”, described below with reference to FIG. 4. In this way, user accounts can be prioritized for review.) [Jones, para.0032, Fig.1, Examiner interprets that when the composite risk exceeds the others, it is ranked 1].

Re Claim 8. Jones in view of Futty discloses the system according to claim 1, Jones further discloses: wherein the risk analysis subsystem is configured such that the plurality of user groups are calculated, at least in part, based on historical user profile data (e.g., the compromise determination engine 110 can utilize machine learning models (e.g., k-means clustering) to determine user behavior of user accounts with respect to other user accounts (e.g., cluster user accounts together). The machine learning models can also describe features that are indicative of user accounts being compromised, and can compare the features to user behavior being monitored. In this way, the compromise determination engine 110 can determine whether a particular user account's behavior is anomalous, or otherwise is an outlier with respect to determined normal user account behavior (e.g., normal to the particular user accounts behavior or to other user accounts)) [Jones, para.0047].

Re Claim 9. Jones in view of Futty discloses the system according to claim 8, Jones further discloses: wherein the risk analysis subsystem is configured such that the historical user profile data comprises, for at least one user, a plurality of user profile records generated in the past and stored in the risk assessment database (i.e. an anomaly score (e.g., a score based on summary behavior of the particular user account in comparison to known or historical behavior of the particular user account)……….. the compromise determination engine 110 can be in communication with, or in some implementations maintain, a user account summary database 104 storing historical information regarding user accounts (e.g., the system 100 can monitor network actions of each user account, and determine summary data to include in the user account summary database 104) [Jones, para.0044, 0049].

Re Claim 10. Jones in view of Futty discloses the system according to claim 1, Jones further discloses: wherein the risk analysis subsystem is configured such that the plurality of user groups are determined according to a clustering algorithm (e.g., the compromise determination engine 110 can utilize machine learning models (e.g., k-means clustering) to determine user behavior of user accounts with respect to other user accounts (e.g., cluster user accounts together). The machine learning models can also describe features that are indicative of user accounts being compromised, and can compare the features to user behavior being monitored. In this way, the compromise determination engine 110 can determine whether a particular user account's behavior is anomalous, or otherwise is an outlier with respect to determined normal user account behavior (e.g., normal to the particular user accounts behavior or to other user accounts)) [Jones, para.0047].

Re Claim 11. Jones in view of Futty discloses the system according to claim 1, Futty further discloses: wherein the risk analysis subsystem is configured such that a risk level associated with a given user group is generated according to a respective group profile associated with the given user group, wherein the respective group profile is generated based on the user profiles of the users belonging to the given user group (i.e. when calculating the access risk score of a group of members, ARCM 140 may also calculate the access risk score for each user 135 in the group of members. By calculating the access risk score for each individual user 135, ARCM 140 facilitates rapid identification of excessive outlier access, for example if one user 135 of the group of members has an access risk score that is a certain threshold higher than the rest) [Futty, para.0045].
 	The same motivation to modify with Futty, as in claim 1, applies.

Re Claim 12. Jones in view of Futty discloses the system according to claim 1, Jones further discloses: wherein the risk analysis system is further configured such that the one or more data sources are monitored to detect online activity and network user activity associated with users of the computer network, wherein the online user activity data associated with a given user is associated with online interactions involving the given user and a remote network that is interfaced with the computer network, and wherein the network user activity data associated with a given user is associated with offline interactions involving the given user and the computer network in the absence of interaction with the remote network (i.e. the user interface 1000 identifies user accounts 1012 that transitioned to a different user account, along with information describing the transition. For instance, a first entry identifies an “Event Time” (e.g., a time the transition occurred), a source user account 1012 (e.g., “add64”), an internal Internet Protocol (IP) address associated with the source user account 1012, a “Match Type” (e.g., a transition type which as illustrated is “Privileged Match”), a target user account (e.g., “cm-add64”), and a “Target Host” (e.g., a target network accessible system)) [Jones, para.0137, Note: monitoring login to internal IP address is interpreted as offline activity in the absence of interaction with the remote network and transitioning to a network accessible system is interpreted as online activity], (i.e. the example user interface includes user compromise scores that measure user behavior … As an example for a particular user account, user behavior can include tracking the particular user account switching user accounts to a different user account (e.g., a privileged user account with administrator or escalated access privileges to network accessible systems or user accounts), processes (e.g., operating system processes) that the particular user account initiates, or otherwise executes, on network accessible systems) [Jones, para.0030, Note: switching to a privileged user account and initiating operating system processes are interpreted as offline activities].

Re Claim 13. Jones in view of Futty discloses the system according to claim 12, Jones further discloses: wherein the risk analysis subsystem is configured such that processing the user activity data to generate a plurality of user profiles comprises: processing the online user activity data to generate a plurality of online user profiles (i.e. The “Host Score” 24 can be based off a number of network accessible systems an average user account utilizes, and a number of network accessible systems the particular user account normally uses) [Jones, para.0034], (i.e. the models can identify a number of network accessible systems that a normal user account accesses (e.g., in a period of time)) [Jones, para.0091]; processing the network user activity data to generate a plurality of network user profiles (i.e. if the particular user account is associated with an employee that is in Human Resources (HR), the user behavior of the particular user account can be compared to user behavior of other user accounts associated with employees in HR, or similar non-technical employee divisions. Similarly, if the particular user account is associated with a system administrator, or an employee engaged in network security, the user behavior of the particular user account can be compared to user behavior of other similar user accounts) [Jones, para.0048]; and storing the online user profiles and the network user profiles in the risk assessment database (i.e. using the user account summary database 104, the compromise determination engine 110 can determine that the location score should be lower, since the particular user account has historically been accessed from the different location) [Jones, para.0049]; and wherein, when generating the composite security risk measure associated with the given user, the first security risk measure generated by processing the online user profile associated with the given user associated with the given user (i.e. the “Host Score” 24 can be greater if the particular user account has recently used network accessible systems not historically associated with the particular user account) [Jones, para.0034] and the network user profile associated with the given user (i.e. In this way, the user compromise scores can be relative to normal user behavior of similar user accounts) [Jones, para.0048].

Re Claim 14. Jones in view of Futty discloses the system according to claim 12, Jones in view of Futty further discloses: wherein the risk analysis subsystem is configured such that processing the user profiles to classify the users into a plurality of user groups comprises: processing the online user profiles to classify the users into a plurality of online user groups [Jones as in claims 1 and 13], each online user group having an associated risk level [Futty, as in claim 1]; processing the network user profiles to classify the users into a plurality of network user groups [Jones as in claims 1 and 13], each network user group having a different associated risk level [Futty, as in claim 1]; and storing the online user groups and the network user groups in the risk assessment database (i.e. using the user account summary database 104, the compromise determination engine 110 can determine that the location score should be lower, since the particular user account has historically been accessed from the different location) [Jones, para.0049]; and wherein, when generating the composite security risk measure associated with the given user, the second security risk measure is generated based on: a comparison between a current online user group associated with the given user and a previous online user group associated with the given user (i.e. The system can obtain information describing user behavior after accessing (e.g., logging into) the user account from user access records (e.g., records identifying connections to network accessible systems), from VPN logs, and from system records (e.g., records identifying an IP address connection received by the system, a user account accessed, and a subsequent user account or network accessible system accessed; additionally the records can identify processes initiated by a user account, network requests or traffic to other network accessible systems initiated by a user account; and so on) … The system can access one or more models identifying normal user behavior of user accounts after the user accounts are accessed. For instance, the models can identify a frequency that user accounts transition to other user accounts, and specifically a frequency in which user accounts transition to user accounts with escalated privileges (e.g., escalated access rights associated with an access control list (ACL)). As an example, a service technician might have a normal user account for performing his/her day to day business, and a special service account with escalated privileges. The system can also obtain information identifying a normal amount of network traffic that a user account might generate (e.g., a malicious actor might execute scripts to obtain large amounts of stored data and provide it over a network to his/her computer). Additionally, the models can identify a number of network accessible systems that a normal user account accesses (e.g., in a period of time). For instance, a malicious attacker might access a large number (e.g., 4, 8, 12) of network accessible systems in a short period of time (e.g., 30 minutes, one hour, 12 hours). The system can determine a user chaining score based off a comparison of user behavior of the user account to the normal user behavior (e.g., the system can assign a higher user chaining score, such as 1, 2, 3, to each determined deviation from the normal user behavior)) [Jones, para.0090-0092]; and a comparison between a current network user group associated with the given user and a previous network user group associated with the given user (i.e. the system can determine user accounts switched to by the user account, and actions the user account took (e.g., initiating processes associated with executable code, or initiating scripts) … The system can determine a user chaining score based off a comparison of user behavior of the user account to the normal user behavior (e.g., the system can assign a higher user chaining score, such as 1, 2, 3, to each determined deviation from the normal user behavior)) [Jones, para.0090-0092].
	The same motivation to modify with Futty, as in claim 1, applies.

Re Claim 15. Jones in view of Futty discloses the system according to claim 1, Jones further discloses: wherein the risk analysis subsystem is configured such that the first security risk measure is generated, for the given user, at least in part, by: processing the user profile associated with the given user according to a set of predetermined rules to determine, for the given user, a set of threats, each threat having a respective threat score associated therewith; and processing the threat scores to generate the first security risk measure (i.e. The “Anomaly Score” 22 for a particular account is a combination of the “Host Score” 24, “Speed Score” 26, and “Location Score” 28 (e.g., a weighted sum). In some implementations, the “Anomaly Score” 28 is a convolution of the weighted sum taken over time with a user selectable window size. Determining an anomaly score is described below, with reference to FIG.4) [Jones, para.0037].

Re Claim 16. Jones in view of Futty discloses the system according to claim 15, Jones further discloses: wherein the risk analysis subsystem is configured such that the set of threats are determined by: identifying a set of vulnerabilities associated with the given user, and determining the set of threats according to a pre-established association between vulnerabilities and threats (i.e. the system can obtain information describing applications, or other executable code, known to be safe, and increase the lateral movement score upon determining that the user account is initiating applications, or other executable code, not known to be safe. Similarly, the lateral movement score can be increased if the user account initiates applications, or other executable code, known to be malicious) [Jones, para.0088].

Re Claim 17. Jones in view of Futty discloses the system according to claim 16, Jones further discloses: wherein the risk analysis subsystem is configured such that each vulnerability has a vulnerability score associated therewith, and wherein the vulnerability scores are combined with the threat scores of their corresponding threats when generating the first security risk measure (i.e. the system can determine network traffic coming from a virtual private network (VPN) not associated with the business (e.g. an anonymizing VPN). To identify the anonymizing VPN, the system can have information stored identifying IP addresses associated with the VPN. The system can then determine whether network traffic associated with one of the IP addresses is attempting to access (e.g., use) the user account. Upon a positive determination, the system can assign a high score to the location score (e.g., 2, 3, 4 …………………….the system can combine the information (e.g., weight respective location scores determined using the summary data and model information) to determine an overall location score)) [Jones, para.0084, 0086].

Re Claim 18. Jones in view of Futty discloses the system according to claim 16, Jones further discloses: wherein the risk analysis subsystem is configured such that the vulnerabilities associated with the given user comprise behavioral vulnerabilities that are determined by processing the user profile (i.e. the system can access summary data describing user behavior of the user account (e.g., historical user behavior), and determine whether the locations from which the user account was used have never, or atypically, been included in the summary data. Upon a positive determination, the system can assign a high location score (e.g., 1, 2, 3)) [Jones, para.0085].

Re Claim 19. Jones in view of Futty discloses the system according to claim 18, Jones further discloses: wherein the risk analysis subsystem is configured such that the vulnerabilities associated with given user further comprise common vulnerabilities based on one or more of hardware and software associated with the given user (i.e. if the user account transitions to a domain controller (e.g., a network accessible system associated with a high risk level), or other system associated with a high risk level, which the user account has not previously, or rarely, accessed, the lateral movement score can be increased. Furthermore, the system can obtain information describing applications, or other executable code, known to be safe, and increase the lateral movement score upon determining that the user account is initiating applications, or other executable code, not known to be safe. Similarly, the lateral movement score can be increased if the user account initiates applications, or other executable code, known to be malicious) [Jones, para.0088].

Re Claim 20. Jones in view of Futty discloses the system according to claim 15, Jones further discloses: wherein the risk analysis subsystem is configured such that each threat has an impact score associated therewith, and wherein the threat scores are combined with their respectively associated impact scores when generating the first security risk measure (i.e. the system can determine a weighted combination of user compromise scores, and assign the rankings according to an order of the weighted combination. In some implementations, the weights can be based determined using a machine learning model that identifies weights to identify overall user behavior that is most associated with a user account being compromised. In some other implementations, the weights can be user selected, and can be, as one non-limiting example, 0.7 for the speed score, 0.2 for the location score, and 0.1 for the host score) [Jones, para.0057].

Re Claim 21. Jones in view of Futty discloses the system according to claim 1, Jones further discloses: wherein the risk analysis subsystem is configured such that the first security risk measure is generated in part according to a user power measure (i.e. To determine each user compromise score, the system can compare user behavior of a user account to information describing average (e.g., a measure of central tendency of) user behavior of other user accounts associated with the business (e.g., a same employee role), which can be determined from one or more models maintained and updated by the system. Additionally, the system can obtain historical information associated with each user account (e.g., past user behavior of the user account), and compare the user behavior of each user account to its historical information. Thus, to determine each user compromise score for a particular user account, the system can utilize (e.g., combine or weight) user behavior of other user accounts (e.g., user accounts associated with a same employee role as the particular user account) and historical information of the particular user account and/or historical information of user accounts associated with a same employee role) [Jones, para.0025].

Re Claim 22. Jones in view of Futty discloses the system according to claim 21, Jones further discloses: wherein the risk analysis subsystem is configured such that the user power measure is generated according to a product of a user expertise measure, a user access power measure, and a measure of a user's role in a company  (i.e. To determine each user compromise score, the system can compare user behavior of a user account to information describing average (e.g., a measure of central tendency of) user behavior of other user accounts associated with the business (e.g., a same employee role), which can be determined from one or more models maintained and updated by the system. Additionally, the system can obtain historical information associated with each user account (e.g., past user behavior of the user account), and compare the user behavior of each user account to its historical information. Thus, to determine each user compromise score for a particular user account, the system can utilize (e.g., combine or weight) user behavior of other user accounts (e.g., user accounts associated with a same employee role as the particular user account) and historical information of the particular user account and/or historical information of user accounts associated with a same employee role) [Jones, para.0025].

Re Claim 23. Jones in view of Futty discloses the system according to claim 1, Jones further discloses: wherein the risk analysis subsystem is further configured to generate and provide a risk mitigation recommendation and/or perform a risk mitigation action based on the composite security risk measure associated with the given user (i.e. The system can determine user accounts to identify (e.g., flag) for review based on the determined user compromise scores. That is, the system can identify user accounts exhibiting one or more types of behavior indicative of the user account being compromised. The system can then provide user interfaces describing the identified user accounts (e.g., prioritized based on respective user compromise scores), which the reviewing user can quickly review and, at his/her discretion, request more detailed information about. In this way, the reviewing user can review a user account and determine whether the user account is compromised (e.g., determine a risk of compromise from the user compromise scores), and upon a positive determination, take appropriate actions to remedy the compromise) [Jones, para.0027], (i.e. high-risk behavior can be identified and stopped (e.g., through network policies or technical actions), lowering the risk surface of the network and making it harder for an attacker to compromise the network.) [Jones, para.0004].

Claims 5-7 are rejected under 35 U.S.C. 103 as being unpatentable over Jones et al (US Pub.No.2017/0111381) in view of Futty (US Pub.No.2016/0065608), further in view of Guedalia et al (US Pub.No.2016/0300049).

Re Claim 5. Jones in view of Futty discloses the system according to claim 1, modified Jones does not explicitly disclose whereas Guedalia does: wherein the risk analysis subsystem is configured such that the plurality of user profiles are recalculated at least as frequently as once per hour (i.e. whereas the monitored behaviors used to generate the initial local profile model were observed over an initial training period L, at block 930 the electronic device may monitor the user behavior on the device and rebuild a new local profile model over a time period M, which may be substantially shorter than the initial training period L (e.g., the time period M may be on the order of minutes or hours versus the initial training period L spanning one or more days, weeks, etc.)) [Guedalia, para.0172].
 	It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Jones in view of Futty with Guedalia because, since the baseline profile models are created from aggregate behaviors that various users engage in over time, they may provide an external perspective on the local user profile model and therefore yield robust thresholds [Guedalia, para.0160].

Re Claim 6. Jones in view of Futty discloses the system according to claim 1, modified Jones does not explicitly disclose whereas Guedalia does: wherein the risk analysis subsystem is configured such that the plurality of user profiles are recalculated more frequently than the plurality of user groups (i.e. whereas the monitored behaviors used to generate the initial local profile model were observed over an initial training period L, at block 930 the electronic device may monitor the user behavior on the device and rebuild a new local profile model over a time period M, which may be substantially shorter than the initial training period L (e.g., the time period M may be on the order of minutes or hours versus the initial training period L spanning one or more days, weeks, etc.)) [Guedalia, para.0172].
 	The same motivation to modify with Guedalia, as in claim 5, applies.

Re Claim 7. Jones in view of Futty discloses the system according to claim 1, modified Jones does not explicitly disclose whereas Guedalia does: wherein the risk analysis subsystem is configured such that the plurality of user groups are recalculated at least as frequently as once per day (i.e. whereas the monitored behaviors used to generate the initial local profile model were observed over an initial training period L, at block 930 the electronic device may monitor the user behavior on the device and rebuild a new local profile model over a time period M, which may be substantially shorter than the initial training period L (e.g., the time period M may be on the order of minutes or hours versus the initial training period L spanning one or more days, weeks, etc.)) [Guedalia, para.0172].
 	The same motivation to modify with Guedalia, as in claim 5, applies.





Pertinent prior art made of record, however not relied upon, includes:

Govindavajhala et al (US Pub.No.2009/0271863) describes a system of determining and/or managing potential privilege escalation attacks in a system or network comprising one or more potentially heterogeneous hosts. The step of configuration scanning optionally includes making a list of operating system specific protection mechanism on each host. Vulnerability scanning optionally includes the step of identifying the vulnerability position of each identified program. Transitive closure of all security attacks on the network and potential privilege escalations can be determined. A user interface optionally renders the potential privilege escalations as an appropriate representation.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NOURA ZOUBAIR whose telephone number is (571)270-7285. The examiner can normally be reached Monday - Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434