DETAILED ACTION

Response to Arguments
Applicant's arguments (“REMARKS”) filed July 11, 2022 have been fully considered but they are not persuasive.
Claims 1-20 are currently pending. Claims 1, 7, and 13 were amended.
Applicant argues on pg. 7 of the REMARKS that the amended claims “do not recite matter that falls within one of the enumerated groupings of abstract ideas” and are now “directed to a practical application”. However, the Examiner respectfully disagrees.
The amendments further define the “analyzing” as a function performed by a “security analytics system” (e.g. software system) executing on a “hardware processor.” However, these are mere instructions to implement an abstract idea on a computer, or the “hardware processor.” See MPEP 2106.05(f): “As explained by the Supreme Court, in order to make a claim directed to a judicial exception patent-eligible, the additional element or combination of elements must do "‘more than simply stat[e] the [judicial exception] while adding the words ‘apply it’". Alice Corp. v. CLS Bank, 573 U.S. 208, 221, 110 USPQ2d 1976, 1982-83 (2014) (quoting Mayo Collaborative Servs. V. Prometheus Labs., Inc., 566 U.S. 66, 72, 101 USPQ2d 1961, 1965).” Specifically, the “analyzing” step is merely collecting data (“identifying”) of an event. Regardless of what type of computer component performs this step, it would remain abstract. 
Furthermore, Applicant has not provided any supporting arguments regarding how the amended limitations of the independent claims would constitute as a practical application. The additional amendments recite the “entity behavior catalog” as a “repository” for the “entity behavior catalog data”, which extends the notion that the “storing” limitation is directed to insignificant extra-solution activity. See MPEP 2106.05(g). For example, according to MPEP 2106.04(d), the integration of a judicial exception into a practical application includes, but is not limited to, “[a]n improvement in the functioning of a computer, or an improvement to other technology or technical field”. This raises the question of: how is the act of storing processed data considered an improvement to something?
Furthermore, MPEP 2106.04(d) states that the courts “also identified limitations that did not integrate a judicial exception into a practical application”: 
Merely reciting the words "apply it" (or an equivalent) with the judicial exception, or merely including instructions to implement an abstract idea on a computer, or merely using a computer as a tool to perform an abstract idea, as discussed in MPEP § 2106.05(f); 
Adding insignificant extra-solution activity to the judicial exception, as discussed in MPEP § 2106.05(g);
Therefore, the additional amendments of simply adding computer hardware (e.g. “apply it” via a hardware processor) to perform the abstract steps, and that processed data is stored in a catalog provided as a repository (e.g. extra-solution activity) do not incorporate the abstract idea into a practical application.
Examiner suggests amendments to applying the hierarchical set of entity behaviors into use beyond insignificant activities (e.g. storing, transmitting, displaying, etc.) that would show evidence of improving a computer system.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 7/11/2022 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
For step 1, a claim is determined whether it falls within one of the four statutory categories. Claims 1-6 are directed to a method, claims 7-12 are directed to a system comprising hardware components, and claims 13-20 are directed to a non-transitory computer-readable storage medium. Therefore, claims 1-20 fall within at least one of the statutory categories of invention and passes step 1.
For step 2A (Prong One), a claim is determined whether it recites an abstract idea, law of nature, or natural phenomenon. Independent claims 1, 7, and 13 recite limitations for:
“identifying a security related activity…” 
“analyzing the security related activity…”
“generating entity behavior catalog data…” 
“using the entity behavior catalog data…to generate a hierarchical set of entity behaviors…”
However, there are no elements recited in those limitations that would preclude them from being practically performed in the mind, or with pen/paper, under broadest reasonable interpretation. Both limitations A and B are directed to identifying information. For example, limitation A identifies information (“security related activity”) based upon an observable from an electronic source. The term “based upon” fails to provide any details and/or correlation of how information is derived from a source. Humans can visually, or mentally, perform the identification steps off a computer screen. In limitations and C and D, a catalog and hierarchical set of data are generated. However, the generation processes are not explained in detail within the claims, hence it is not explicitly limited to a function that can only be performed by a computer. For example, the “generating” can be a human action to write up a catalog, or a draft a hierarchy to represent information. Furthermore, the generating steps merely provide a result rather than how the result is obtained. For example, in limitation D, the hierarchical set of entity behaviors are generated from entity behavior catalog data and the associated abstraction level. The steps that lead to the arrival of the hierarchical set of entity behaviors are not recited. It is unclear how the hierarchical set of entity behaviors was constructed or how the hierarchy is structured and can be interpreted as human mental actions. Thus, the independent claims present at least one limitation that falls within the “Mental Processes” and/or “Certain Method of Organizing Human Activities” grouping of abstract ideas. Accordingly, the independent claims recite an abstract idea. 
For step 2A (Prong Two), a claim is determined whether it recites additional elements that integrate the judicial exception into a practical application. These additional elements are:
“storing the hierarchical set of entity behaviors within an entity behavior catalog…the entity behavior catalog providing a repository of entity behavior catalog data”
Various recitations of a computer performing the steps (e.g. a “computer-implemented” method, a “security analytics system executing on a hardware processor”, a “processor”, and “computer program code” that are executed).
However, these elements fail to add something more meaningful to the judicial exception as generic computer components – e.g. a “system” in claim 7 – are used to apply the exception. See MPEP 2106.05(f). Furthermore, the additional elements are directed to mere data storage. Specifically, the steps of the claim accumulate to limitation E, where the “set of entity behaviors” is merely stored in a “catalog” acting as a “repository”. The final step of storing data to a process only recites computing an area of a space (a mathematical relationship), which does not add a meaningful limitation to the process of computing the area. See MPEP 2106.05(g). The limitations fail to define a specific meaningful activity that would show improvement to the functioning of the computer or technological field (e.g. how is the hierarchical set of data utilized to improve the current status/nature of a computer system?). For example, in contrast with Enfish v. Microsoft, their claims recited a specific data structure which was described in the specification as improving the way computers store and retrieve data from memory. The current claims fail to provide enough details in how the generation steps are achieved and/or the structural features of a hierarchical set of entity behaviors that would be meaningful when applied to a security operation. The current limitations only have a nominal relationship to the exception. Thus, the independent claims fail to present enough elements to integrate the abstract idea into a practical application. Accordingly, the independent claims are directed to an abstract idea.
For step 2B, a claim is determined whether any elements, or combination of elements, are enough to ensure that the claims amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements to perform the steps amounts to no more than mere instructions to apply the exception using a generic computer component. Since these elements are recited at a high level of generality, such that they can be represented as ordinary computer systems. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. Having a computer system with a processor to perform such elements does not instantly preclude it from mental activities if the act itself is presented in a generic/abstract manner – it would be mere instructions to apply an exception (see MPEP 2106.05(f)). Hence, the independent claims are not patent eligible.

Dependent Claims: The dependent claims further define the “abstraction level” as specific categories. However, these are nominal limitations that do not provide more than an insignificant relationship to the exception. Thus, none of the elements in those limitations would preclude them from being performed mentally nor they present additional meaningful elements that are more than an abstract idea.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 7-12 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Independent claim 7 recites: “the analyzing being performed by a security analytics system executing on a hardware processor.” However, there are no preceding steps or limitations for “analyzing”. It is unclear what the “analyzing” step is further defining. The remaining claims are dependent on claim 7 and are similarly rejected.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT B LEUNG whose telephone number is (571)270-1453. The examiner can normally be reached Mon - Thurs: 10am-7pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG KIM can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ROBERT B LEUNG/Primary Examiner, Art Unit 2494                                                                                                                                                                                                        8-31-2022