Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Response to Arguments
Applicant’s arguments with respect to claim(s) have been considered but are not persuasive.
Applicant argues against De-Levie, and Brown as not teaching aggregation of event data, and a graph database.  
Examiner respectfully disagrees with applicant with regard.  Examiner notes that Applicant has moved dependent claim 4 into independent claim 1.  Examiner previously used Bailor US 2015/0310195 to meet the limitations of claim 4, specifically the relations as shown in a graph database.  Examiner relies in part on Bailor below.

Applicant argues De-Levie teaches detecting from a single data source, and aggregation of data sources.  
Examiner asserts that Applicant is interpreting the claim language narrowly. The Examiner must interpret the language with a broad but reasonable interpretation. De-Levie teaches a plurality of data sources, as Applicant admits, in [0068]. De-Levie teaches constructing a baseline of behavior using said data [0074]. Examiner interprets creating a baseline of behavior from multiple sources to be “aggregation of data”.
However, Examiner also relies upon Brown for additional teachings of aggregation, as well as Bailor.
Applicant argues that Brown is related to a different technology field and thus non-obvious.
Examiner asserts that Brown uses behavior databases, and aggregates said data to build a model of user behavior.  Examiner believes this is in the same technology field as De-Levie.  Examiner argues using different data sources does not mean the technology is incapable of being an obvious combination.  



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over De-Levie US 2017/0126710 in view of Brown US 2010/0036884 in view of Bailor US 2015/0310195.
As per claim 1. De-Levie teaches A method for detecting an abnormal behavior of a user of a computer network system, comprising: selecting at least two data sources from the computer network system, the at least two data sources having respective records regarding a user's behavior; and performing anomaly detection on the user's behavior. [0012][0013][0014][0017][0059][0060][0063][0068]-[0075] (teaches detecting abnormal behavior of a user of a network, including 2 data sources, either via time, and or database sources, having baseline records of user behavior and or current behavior using aggregation.) De-Levie fails to specifically teach a tensor.

Brown teaches that in general the data is, based on the tensor data obtained through aggregation; configuring a tensor data structure corresponding to each data source according to the type of each data source, wherein the tensor data structure defines a plurality of data about the user's behavior which need to be extracted from the corresponding data source; extracting the plurality of data about the user's behavior from the corresponding data sources respectively by using the configured tensor data structure and performing multidimensional aggregation on the extracted data; [0011][0027][0028][0151][0154] (teaches a plurality of data about user behavior, multiple sources which is stored in a tensor structure and used by performing multidimensional aggregation on the data)
It would have been obvious to one of ordinary skill in the art to use the tensor data of Brown with the system of De-Levie because it increases correlations without using private information.

De-Levie teaches when a plurality of data regarding user behaviors are extracted from a data source not containing the user identity, data regarding the subject of investigation extracted from the data source are associated with the user identity by using an association stored in a graph database. [0012][0013][0014][0017] [0038] [0059][0060][0063][0068]-[0077] (De-Levie teaches that the data source may be based on behavior and parameters without specifically including a user identity, De-Levie teaches a separate database with user parameters and baselines with user identities)
Bailor explicitly teaches a graph database and using said database for user anomaly detection by associating a user identity with a user and user behavior. [0008]-[0011][0021][0058][0104][0139]
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the graph databases of Bailor with the previous art combination because it helps detect abuse [0006].
As per claim 2. De-Levie teaches The method of claim 1, wherein the plurality of data extracted from the respective data sources regarding user behaviors contains data regarding a subject of investigation that can be associated with the corresponding user. [0012][0013][0014][0017][0058] [0059][0060][0063][0068]-[0075] (teaches data regarding a specific user that bears investigation for being suspicious)
As per claim 3. De-Levie teaches The method of claim 2, wherein each user of the system has a unique user identity for identifying the user. [0060][0061] (teaches data regarding a specific user behavior)
As per claim 5. Bailor teaches The method of claim 1, wherein the association is obtained from one or more data dictionaries and/or server dictionaries of the system via a graph data structure, the data dictionaries and/or server dictionaries having recorded therein a correspondence between a subject of investigation of a respective data source and the identity of the user. [0021][0058][0104] (teaches correlation between subscriber identity data and behavior data source while using graph data structures)
As per claim 6. De-Levie teaches The method of claim 1, wherein an association between at least two of the plurality of data about the user's behavior is extracted according to the tensor data structure and stored in a graph database [0068]-[0075], especially (behavior databases)
Bailor explicitly teaches a graph database [0008]-[0011][0021][0104]
As per claim 7. De-Levie teaches The method of claim 1, wherein the association stored in the graph database is time-stamped. [0038][0040][0070] (timestamped events/data)
Bailor explicitly teaches a graph database [0008]-[0011][0021][0104]
As per claim 8. Brown teaches The method of claim 1, wherein the tensor data obtained through aggregation are stored in a tensor database by taking a data source as a unit. [0026]-[0028] (teaches storing the plurality of aggregated data sets in a tensor unit matrix)
As per claim 9. De-Levie teaches The method of claim 1, wherein the step of detecting abnormality of the user's behavior obtained through aggregation includes: configuring a corresponding anomaly detector according to a feature domain and/or a scalar domain wherein the anomaly detector is used for detecting one of time-series anomaly, numerical anomaly based on features of the user and anomaly based on the features in the group where the user belongs. [0012][0013][0014][0017] [0038] [0059][0060][0063][0068]-[0075] (teaches detecting abnormal behavior of a user of a network, including 2 data sources, either via time, and or database sources, specifically teaching time-series anomalies having baseline records of user behavior and or current behavior using aggregation, and including groups.)

Brown teaches the behavior models are based on the tensor data. [0011][0027][0028][0151][0154] (teaches a plurality of data about user behavior, multiple sources which is stored in a tensor structure and used by performing multidimensional aggregation on the data)

As per claim 10. De-Levie teaches The method of claim 1, wherein an abnormality in the association of the user is detected based on the association stored in the graph database. [0068]-[0075], (comparing baseline to actual behavior)
Bailor explicitly teaches a graph database [0008]-[0011][0021][0104]
As per claim 11. Bailor teaches The method of claim 5, wherein an association between at least two of the plurality of data about the user's behavior is extracted according to the tensor data structure and stored in a graph database. [0008]-[0011][0021][0104]
Brown teaches the tensor data structure [0011][0027][0028][0151][0154] (teaches a plurality of data about user behavior, multiple sources which is stored in a tensor structure and used by performing multidimensional aggregation on the data)
As per claim 12. De-Levie teaches The method of claim 5, wherein the association stored in the graph database is time-stamped. [0038][0040][0070] (timestamped events/data)
Bailor explicitly teaches a graph database [0008]-[0011][0021][0104]
As per claim 13. De-Levie teaches The method of claim 6, wherein the association stored in the graph database is time-stamped. [0038][0040][0070] (timestamped events/data)
Bailor explicitly teaches a graph database [0008]-[0011][0021][0104]
As per claim 14. Brown teaches The method of claim 2, wherein the tensor data obtained through aggregation are stored in a tensor database by taking a data source as a unit. [0026]-[0028] (teaches storing the plurality of aggregated data sets in a tensor unit matrix)
As per claim 15. Brown teaches The method of claim 3, wherein the tensor data obtained through aggregation are stored in a tensor database by taking data source as a unit. [0026]-[0028] (teaches storing the plurality of aggregated data sets in a tensor unit matrix)
As per claim 16. Brown teaches The method of claim 1, wherein the tensor data obtained through aggregation are stored in a tensor database by taking a data source as a unit. [0026]-[0028] (teaches storing the plurality of aggregated data sets in a tensor unit matrix)
As per claim 17. The method of claim 2, wherein the step of detecting abnormality of the user's behavior based on the tensor data obtained through aggregation includes: configuring a corresponding anomaly detector according to a feature domain and/or a scalar domain to be detected in the tensor data, wherein the anomaly detector is used for detecting one of time-series anomaly, numerical anomaly based on features of the user and anomaly based on the features in the group where the user belongs. [0012][0013][0014][0017] [0038] [0059][0060][0063][0068]-[0075] (teaches detecting abnormal behavior of a user of a network, including 2 data sources, either via time, and or database sources, specifically teaching time-series anomalies having baseline records of user behavior and or current behavior using aggregation, and including groups.)
Brown teaches the behavior models are based on the tensor data. [0011][0027][0028][0151][0154] (teaches a plurality of data about user behavior, multiple sources which is stored in a tensor structure and used by performing multidimensional aggregation on the data)
As per claim 18. The method of claim 3, wherein the step of detecting abnormality of the user's behavior based on the tensor data obtained through aggregation includes: configuring a corresponding anomaly detector according to a feature domain and/or a scalar domain to be detected in the tensor data, wherein the anomaly detector is used for detecting one of time-series anomaly, numerical anomaly based on features of the user and anomaly based on the features in the group where the user belongs.  [0012][0013][0014][0017] [0038] [0059][0060][0063][0068]-[0075] (teaches detecting abnormal behavior of a user of a network, including 2 data sources, either via time, and or database sources, specifically teaching time-series anomalies having baseline records of user behavior and or current behavior using aggregation, and including groups. )
Brown teaches the behavior models are based on the tensor data. [0011][0027][0028][0151][0154] (teaches a plurality of data about user behavior, multiple sources which is stored in a tensor structure and used by performing multidimensional aggregation on the data)
As per claim 19. De-Levie teaches The method of claim 5, wherein an abnormality in the association of the user is detected based on the association stored in the graph database. [0068]-[0075]
Bailor explicitly teaches a graph database [0008]-[0011][0021][0104]
As per claim 20. De-Levie teaches The method of claim 5, wherein an abnormality in the association of the user is detected based on the association stored in the graph database. [0068]-[0075]
Bailor explicitly teaches a graph database [0008]-[0011][0021][0104]

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833. The examiner can normally be reached M-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439