DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Amendment
Applicant’s amendment filed 15 July 2022 amends claims 1, 2, 8, 9, 15, and 16. Applicant’s amendment has been fully considered and entered.
Response to Arguments
Applicant argues, “However, it is respectfully submitted that the historical data as disclosed and claimed is patentably distinct from the event data indicative of user network activities for similar users. Specifically, the historical data of the claims is stored on the endpoint device associated with the entity, not from a similar user.” In response, the claims do not define the claimed entity. Additionally, the claims where amended to specify that the endpoint device is associated with the entity. This amendment has no bearing on whether the claimed historical data is associated with similar users. Therefore, as long as the historical data in the prior art is stored on a device that is associated with something can be reasonable considered an “entity”, the amended claims have been met. 
Muddu discloses a network anomaly detection system wherein event data indicative of user network activities, from similar users, can be accessed to generate baseline profiles for new enterprise users that just joined the enterprise and do not currently have historical data ([0347] & [0182]-[0185]). Muddu discloses that the user devices can be associated with an organization ([0445]: user devices of Muddu would therefore be “associated” with the users and the organizations whose network they connect. Therefore, the users and the organizations of Muddu could be considered the claimed entity). Muddu does not specify that the new event data/feedback is stored on the user’s device. Harris discloses the local storage, on a user device, of behavior information in the form of offline transactions ([0107]), which meets the limitation of accessing historical data stored on the endpoint device. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the behavior profile creation of Muddu to have included the utilization of offline event data locally stored on user devices because offline event data can be utilized to identify fraud and/or hacked devices as suggested by Harris ([0107]).
Applicant argues, “However, it is respectfully submitted that the historical data associated with a newly added security feature as disclosed and claimed is patentably distinct from the updating a baseline profile using new event data and feedback information disclosed by Muddu. Specifically, it is respectfully submitted that nowhere within Muddu, taken alone or in combination is there any disclosure or suggestion of the historical data includes data associated with a newly added security feature executed by the security system, wherein the newly added security feature is added to the security system after the endpoint device has been added to the security system, and wherein the historical data comprises historical data not included in the historical data accessed during the initialization of the endpoint device on the secured network as required by claims 1, 8, and 15.” This argument is not persuasive because updating of baseline profile shows that the information utilized for updating was not included in the event data when the user’s baseline profile was initially generated (Muddu: [0346]-[0347] & [0182]-[0185]). Additionally, the new event data and feedback information is utilized to update baseline profiles and models (Muddu: [0320] & [0346]) and these updated models can be utilized by the system to detect behavior anomalies (Muddu: [0346]). The utilization of an updated model to detect behavior anomalies can be considered a newly added security feature to the extent that behavioral anomaly detection using the updated model did not exist on the system prior to model being updated. The claims do not define the claimed newly added security feature.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu, U.S. Publication No. 2017/0063908, in view of Harris, WO 2019/139595.
Referring to claim 1, Muddu discloses a network anomaly detection system wherein event data indicative of user network activities, from similar users, can be accessed to generate baseline profiles for new enterprise users that just joined the enterprise and do not currently have historical data ([0347] & [0182]-[0185]: enterprise network reads on the claimed secured network; joining the enterprise reads on the claimed initialization), which meets the limitation of accessing historical data [stored on an endpoint during] an initialization of the endpoint device on the secure network. Muddu discloses that the user devices can be associated with an organization ([0445]: user devices of Muddu would therefore be “associated” with the users and the organizations whose network they connect. Therefore, the users and the organizations of Muddu could be considered the claimed entity), which meets the limitation of associating an endpoint device with an entity. Event data indicative of user network activities, from similar users, can be accessed to generate baseline profiles for new enterprise users ([0346]-[0347] & [0182]-[0185]), which meets the limitation of instantiating user behavior baselines for the endpoint device using the accessed historical data. The security platform generates the baseline profiles ([0183]) such that the baseline profiles can be updated ([0185]: continuously updating the baseline profiles shows that the baseline profiles are stored) and used detect anomalies ([0186] & [0346]), which meets the limitation of storing the instantiated user behavior baselines on a security system of the secured network for detecting instances of anomalous user behavior occurring at the endpoint device. Muddu discloses that new event data and feedback information can be utilized to update the baseline profiles that are used to detect anomalies ([0171] & [0185] & [0186] & [0320] & [0346]), which meets the limitation of accessing historical data [stored on the endpoint], wherein the historical data includes data associated with a newly added security feature executed by the security system, wherein the newly added security feature is added to the security system after the endpoint has been added to the security system, and wherein the historical data comprises historical data not included in the historical data accessed during the initialization of the endpoint device on the secured network.
Muddu does not specify that the new event data/feedback is stored on the user’s device. Harris discloses the local storage, on a user device, of behavior information in the form of offline transactions ([0107]), which meets the limitation of accessing historical data stored on the endpoint device. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the behavior profile creation of Muddu to have included the utilization of offline event data locally stored on user devices because offline event data can be utilized to identify fraud and/or hacked devices as suggested by Harris ([0107]).
Referring to claim 2, Muddu discloses that new event data and feedback information can be utilized to update the baseline profiles that are used to detect anomalies ([0171] & [0185] & [0186] & [0320] & [0346]), which meets the limitation of instantiating a user behavior baseline for use by the newly added security feature using the accessed historical data. 
Muddu does not specify that the new event data/feedback is stored on the user’s device. Harris discloses the local storage, on a user device, of behavior information in the form of offline transactions ([0107]), which meets the limitation of accessing historical data stored on the endpoint device. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the behavior profile creation of Muddu to have included the utilization of offline event data locally stored on user devices because offline event data can be utilized to identify fraud and/or hacked devices as suggested by Harris ([0107]).
Referring to claim 3, Muddu discloses that the event data includes internet browsing ([0443]), file transfers ([0445]), email activity ([0443] & [0445]), which meets the limitation of wherein the historical data accessed on the endpoint device during the initialization of the endpoint during the initialization of the endpoint device on the secured network includes historical browser data, historical file access data, historical email data.
Referring to claims 4, 5, Muddu discloses that the security platform generates the baseline profiles ([0183]) such that the baseline profiles can be used detect anomalies ([0186] & [0346]) such as anomalies in internet browsing, file transfers, and email traffic ([0443]), which meets the limitation of wherein the instantiated user behavior baselines include one or more of a browser behavior baseline, a file access behavior baseline, an email behavior baseline, instantiating a composite user behavior baseline using historical data from a plurality of historical data types, wherein the historical data types include a combination of at least two of historical browser data, historical file access data, historical email data. 
Referring to claim 6, Muddu discloses that incoming event data is compared with the baseline profile in order to detect anomalies ([0186]), which meets the limitation of communicating events occurring at the endpoint device to the security system, comparing the communicated events to the user behavior baselines at the security system to determine whether the events correspond to anomalous user behavior. In response to identification of a threat, automated response measures can be triggered ([0151]), which meets the limitation of executing an automated operation if the events correspond to anomalous user behavior.
Referring to claim 7, Muddu discloses that new event data and feedback information can be utilized to update the baseline profiles that are used to detect anomalies ([0171] & [0185] & [0186] & [0320] & [0346]), which meets the limitation of updating one or more user behavior baselines in response to events occurring at the endpoint device.
Referring to claim 8, Muddu discloses a network anomaly detection system that includes a processor (Figure 85, element 8510), a data bus coupled to the processor (Figure 85, 8560), and memory (Figure 85, 8520) that includes software program code and data structures for implementing the anomaly detection system ([0743]), which meets the limitation of one or more information handling systems, wherein the one or more information handling systems include a processor, a data bus coupled to the processor, and a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, wherein the computer program code included in one or more of the information handling systems is executed by the processor of the information handling system so that the information handling system alone or in combination with other information handling systems executes operations. The network anomaly detection system wherein event data indicative of user network activities, from similar users, can be access to generate baseline profiles for new enterprise users that just joined the enterprise and do not currently have historical data ([0347] & [0182]-[0185]: enterprise network reads on the claimed secured network; joining the enterprise reads on the claimed initialization), which meets the limitation of accessing historical data [stored on an endpoint during] an initialization of the endpoint device on the secure network. Muddu discloses that the user devices can be associated with an organization ([0445]: user devices of Muddu would therefore be “associated” with the users and the organizations whose network they connect. Therefore, the users and the organizations of Muddu could be considered the claimed entity), which meets the limitation of associating an endpoint device with an entity. Event data indicative of user network activities, from similar users, can be access to generate baseline profiles for new enterprise users ([0346]-[0347] & [0182]-[0185]), which meets the limitation of instantiating user behavior baselines for the endpoint device using the accessed historical data. The security platform generates the baseline profiles ([0183]) such that the baseline profiles can be updated ([0185]: continuously updating the baseline profiles shows that the baseline profiles are stored) and used detect anomalies ([0186] & [0346]), which meets the limitation of storing the instantiated user behavior baselines on a security system of the secured network for detecting instances of anomalous user behavior occurring at the endpoint device. Muddu discloses that new event data and feedback information can be utilized to update the baseline profiles that are used to detect anomalies ([0171] & [0185] & [0186] & [0320] & [0346]), which meets the limitation of accessing historical data [stored on the endpoint], wherein the historical data includes data associated with a newly added security feature executed by the security system, wherein the newly added security feature is added to the security system after the endpoint has been added to the security system, and wherein the historical data comprises historical data not included in the historical data accessed during the initialization of the endpoint device on the secured network.
Muddu does not specify that the new event data/feedback is stored on the user’s device. Harris discloses the local storage, on a user device, of behavior information in the form of offline transactions ([0107]), which meets the limitation of accessing historical data stored on the endpoint device. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the behavior profile creation of Muddu to have included the utilization of offline event data locally stored on user devices because offline event data can be utilized to identify fraud and/or hacked devices as suggested by Harris ([0107]).
Referring to claim 9, Muddu discloses that new event data and feedback information can be utilized to update the baseline profiles that are used to detect anomalies ([0171] & [0185] & [0186] & [0320] & [0346]), which meets the limitation of instantiating a user behavior baseline for use by the newly added security feature using the accessed historical data. 
Muddu does not specify that the new event data/feedback is stored on the user’s device. Harris discloses the local storage, on a user device, of behavior information in the form of offline transactions ([0107]), which meets the limitation of accessing historical data stored on the endpoint device. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the behavior profile creation of Muddu to have included the utilization of offline event data locally stored on user devices because offline event data can be utilized to identify fraud and/or hacked devices as suggested by Harris ([0107]).
Referring to claim 10, Muddu discloses that the event data includes internet browsing ([0443]), file transfers ([0445]), email activity ([0443] & [0445]), which meets the limitation of wherein the historical data accessed on the endpoint device during the initialization of the endpoint during the initialization of the endpoint device on the secured network includes historical browser data, historical file access data, historical email data.
Referring to claims 11, 12, Muddu discloses that the security platform generates the baseline profiles ([0183]) such that the baseline profiles can be used detect anomalies ([0186] & [0346]) such as anomalies in internet browsing, file transfers, and email traffic ([0443]), which meets the limitation of wherein the instantiated user behavior baselines include one or more of a browser behavior baseline, a file access behavior baseline, an email behavior baseline, instantiating a composite user behavior baseline using historical data from a plurality of historical data types, wherein the historical data types include a combination of at least two of historical browser data, historical file access data, historical email data. 
Referring to claim 13, Muddu discloses that incoming event data is compared with the baseline profile in order to detect anomalies ([0186]), which meets the limitation of communicating events occurring at the endpoint device to the security system, comparing the communicated events to the user behavior baselines at the security system to determine whether the events correspond to anomalous user behavior. In response to identification of a threat, automated response measures can be triggered ([0151]), which meets the limitation of executing an automated operation if the events correspond to anomalous user behavior.
Referring to claim 14, Muddu discloses that new event data and feedback information can be utilized to update the baseline profiles that are used to detect anomalies ([0171] & [0185] & [0186] & [0320] & [0346]), which meets the limitation of updating one or more user behavior baselines in response to events occurring at the endpoint device.
Referring to claim 15, Muddu discloses a network anomaly detection system wherein event data indicative of user network activities, from similar users, can be access to generate baseline profiles for new enterprise users that just joined the enterprise and do not currently have historical data ([0347] & [0182]-[0185]: enterprise network reads on the claimed secured network; joining the enterprise reads on the claimed initialization), which meets the limitation of accessing historical data [stored on an endpoint during] an initialization of the endpoint device on the secure network. Muddu discloses that the user devices can be associated with an organization ([0445]: user devices of Muddu would therefore be “associated” with the users and the organizations whose network they connect. Therefore, the users and the organizations of Muddu could be considered the claimed entity), which meets the limitation of associating an endpoint device with an entity. Event data indicative of user network activities, from similar users, can be access to generate baseline profiles for new enterprise users ([0346]-[0347] & [0182]-[0185]), which meets the limitation of instantiating user behavior baselines for the endpoint device using the accessed historical data. The security platform generates the baseline profiles ([0183]) such that the baseline profiles can be updated ([0185]: continuously updating the baseline profiles shows that the baseline profiles are stored) and used detect anomalies ([0186] & [0346]), which meets the l imitation of storing the instantiated user behavior baselines on a security system of the secured network for detecting instances of anomalous user behavior occurring at the endpoint device. Muddu discloses that new event data and feedback information can be utilized to update the baseline profiles that are used to detect anomalies ([0171] & [0185] & [0186] & [0320] & [0346]), which meets the limitation of accessing historical data [stored on the endpoint], wherein the historical data includes data associated with a newly added security feature executed by the security system, wherein the newly added security feature is added to the security system after the endpoint has been added to the security system, and wherein the historical data comprises historical data not included in the historical data accessed during the initialization of the endpoint device on the secured network.
Muddu does not specify that the new event data/feedback is stored on the user’s device. Harris discloses the local storage, on a user device, of behavior information in the form of offline transactions ([0107]), which meets the limitation of accessing historical data stored on the endpoint device. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the behavior profile creation of Muddu to have included the utilization of offline event data locally stored on user devices because offline event data can be utilized to identify fraud and/or hacked devices as suggested by Harris ([0107]).
Referring to claim 16, Muddu discloses that new event data and feedback information can be utilized to update the baseline profiles that are used to detect anomalies ([0171] & [0185] & [0186] & [0320] & [0346]), which meets the limitation of instantiating a user behavior baseline for use by the newly added security feature using the accessed historical data. 
Muddu does not specify that the new event data/feedback is stored on the user’s device. Harris discloses the local storage, on a user device, of behavior information in the form of offline transactions ([0107]), which meets the limitation of accessing historical data stored on the endpoint device. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the behavior profile creation of Muddu to have included the utilization of offline event data locally stored on user devices because offline event data can be utilized to identify fraud and/or hacked devices as suggested by Harris ([0107]).
Referring to claim 17, Muddu discloses that the event data includes internet browsing ([0443]), file transfers ([0445]), email activity ([0443] & [0445]), which meets the limitation of wherein the historical data accessed on the endpoint device during the initialization of the endpoint during the initialization of the endpoint device on the secured network includes historical browser data, historical file access data, historical email data.
Referring to claims 18, 19, Muddu discloses that the security platform generates the baseline profiles ([0183]) such that the baseline profiles can be used detect anomalies ([0186] & [0346]) such as anomalies in internet browsing, file transfers, and email traffic ([0443]), which meets the limitation of wherein the instantiated user behavior baselines include one or more of a browser behavior baseline, a file access behavior baseline, an email behavior baseline, instantiating a composite user behavior baseline using historical data from a plurality of historical data types, wherein the historical data types include a combination of at least two of historical browser data, historical file access data, historical email data. 
Referring to claim 20, Muddu discloses that incoming event data is compared with the baseline profile in order to detect anomalies ([0186]), which meets the limitation of communicating events occurring at the endpoint device to the security system, comparing the communicated events to the user behavior baselines at the security system to determine whether the events correspond to anomalous user behavior. In response to identification of a threat, automated response measures can be triggered ([0151]), which meets the limitation of executing an automated operation if the events correspond to anomalous user behavior.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN E LANIER whose telephone number is (571)272-3805. The examiner can normally be reached M-Th: 6:20-4:50.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on 5712724063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/BENJAMIN E LANIER/          Primary Examiner, Art Unit 2437