Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Remarks
	This Office Action is in response to applicant’s amendment filed on May 25, 2022, under which claims 1-3, 5-10, 12-17 and 19-25 are currently pending and under consideration.

Response to Arguments
	Applicant’s amendments have overcome the previous claim objections and the previous rejections under § 101, § 112(b), and § 103. Therefore, these objections and rejections have been withdrawn. However, upon further consideration, a new ground of rejection under § 103 has been made in view of new reference Achin, which has been cited to teach certain new limitations of the claim.
Applicant’s arguments with respect to the previous § 103 rejection of claim 1 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. In particular, Achin has been cited to teach the newly recited limitation of “automatically retraining the plurality of trained time-based machine-learning models using the second set of event data.” Please see the rejections below for details.
Applicant’s arguments with respect to the previous § 103 rejection of dependent claim 6 have been fully considered but are not persuasive. Applicant argues that Chari does not teach “combining the time-based risk scores…to form the security risk scores of the user” on the basis that Chari does not teach time-based risk scores in general. This is not persuasive, because “time-based” is disclosed in Chari, [0057] (“time series-based preprocessing”), [0058] (“auto correlation (i.e., correlation of user activity in a current time window against the user's activity in past time windows)”), [0062] (“aggregate the received input data corresponding to the user into a set of one or more defined windows based on time and/or the user”), and [0072] (“malicious user activity detector 302 may accept input data both in batches (e.g., data files covering specified periods of time) and as a stream (e.g., a continuous series of messages in order by time).”) While Chari does not specifically teach time-based risk scores from time-based models for different time intervals, this feature is taught by Chanda. Therefore, the combination of Chari and Chanda teaches the additional limitations of claim 6. 

Claim Objections
Claims 1, 8, and 15 are objected to because of the following informalities:  
Claims 1, 8, and 15 recite both “the trained plurality of time-based models” (see “analyzing” step of claim 1) and “the plurality of trained time-based models” (see last step of claim 1). For purposes of consistency, the claims should be consistent in using one or the other, and not both. The Examiner suggests amending “the trained plurality of time-based models” to “the plurality of trained time-based models,” since the latter is more commonly used throughout the claims. For purposes of examination, the two terms noted above are considered to be referring to the same thing.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

1.	Claims 1-3, 5, 7-10, 12, 14-17, 19 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Chari et al. (US 2017/0286671 A1) (“Chari”) in view of Chanda et al. (US 2020/0065212 A1) (“Chanda”) and Achin et al. (US 2016/0335550 A1) (“Achin”).
As to claim 1, Chari teaches a method implemented by an information handling system that includes a processor and a memory accessible by the processor [[0031]: “data processing system 200 includes…processor unit 204, memory 206”], the method comprising:
receiving a second set of event data, wherein each event data in the second set of event data is a detected activity performed by a user over a time duration on one of a set of one or more computer systems, [[0064]: “Malicious user activity detector 302 may receive input, such as, for example, static user data 304, dynamic user data 306.” [0066]: “Dynamic user data 306 may include information, such as, for example, activity logs 306A, social networks 306B, communication patterns 306C, and threat feeds 306D. Activity logs 306A include records of the user's asset access behavior.” Note that the user is a user of a computer, as described in [0026]: “Users of client devices 110, 112, and 114 may use client devices 110, 112, and 114 to access assets 116.” With respect to the limitation of “by a user over a time duration,” the data includes activity logs, which are over a time duration as further described in [0037]: “User asset access activity logs 226 represent a historical record of current and past asset access behavior by the user.”]
in response to receiving the second set of event data: [[0064]: “Malicious user activity detector 302 may receive input, such as, for example, static user data 304, dynamic user data 306.” Note that the operations described below are performed by the malicious user activity detector 302 based on (i.e., in response to) the received input data. Therefore, the limitation of “in response to…” is taught by this reference.] 
analyzing the second set of event data using […] plurality of time-based models, [[0099]: “the computer applies a plurality of analytics on the profile corresponding to the user that accesses the set of protected assets using conflict free parallelization (step 504). The plurality of analytics may be, for example, analytic 1 326, analytic 2 328, and analytic i 330 in FIG. 3.” That is, each “analytic” corresponds to a “model.” The limitation of “time-based” is described in [0057] (“features such as…time series-based preprocessing”), [0058] (“auto correlation (i.e., correlation of user activity in a current time window against the user's activity in past time windows)”), [0062] (“aggregate the received input data corresponding to the user into a set of one or more defined windows based on time and/or the user”), and [0072] (“malicious user activity detector 302 may accept input data both in batches (e.g., data files covering specified periods of time) and as a stream (e.g., a continuous series of messages in order by time).”).], wherein the analyzing produces a plurality of time-based risk scores pertaining to the user; [[0069]: “In this example, analytic 1 326 and analytic i 330 generate risk score j 332 and analytic 2 328 generates risk score j+1 334. Risk score j 332 and risk score j+1 334 may be, for example, user asset access activity scores 228 in FIG. 2.” That is, each “analytic” corresponds to a “model” and generates a risk score, so as to result in a plurality of risk scores. The limitation of “time-based” (which, as recited in the instant claim, does not require a specific relationship with time) is taught by Chari for the reasons discussed above in regards to the limitation of “time-based models.” Since Chari teaches that the models are “time-based,” the scores from these models are also considered to be “time-based scores.”] 
performing an action based on a security risk score of the user, wherein the security risk score is calculated based on the plurality of time-based risk scores; and [[0070]: “If malicious user activity detector 302 determines that aggregated risk score k 336 is greater than an alert threshold, such as, for example, an alert threshold in user asset access activity alert threshold values 230 in FIG. 2, then malicious user activity detector 302 may generate one or more alerts 338.” That is, the “aggregated risk” score constitutes a security risk score.] […].
Chari does not explicitly teach: 
(1)	the operation of “training a plurality of time-based machine-learning models using a first set of event data, wherein each one of the plurality of time-based machine-learning models is trained for a different time interval over which the first set of event data is taken” and the related limitation that the second set of event data is analyzed using “the trained plurality of time-based models”; and
(2)	the operation of “automatically retraining the plurality of trained time-based machine-learning models using the second set of event data” for the set of operations in response to receiving the second set of event data.
Chanda, in an analogous art, teaches limitations (1) listed above. In general, Chanda relates to an “anomaly detection framework” (title) “for detecting anomalous values in data streams using forecasting models” (see abstract, first sentence). Therefore, Chanda is in the same field of endeavor as the claimed invention, namely data processing and analytics. The method of Chanda generates a score for anomaly detection, wherein “if the final score exceeds the score threshold, the computer may generate a notification that indicates that the data value is an anomaly” (Chanda).
  In particular, Chanda teaches “training a plurality of time-based machine-learning models using a first set of event data” [Abstract: “Models can be selected based on the time interval.” [0069]: “the smoothing parameters α, β* and γ may be manually or automatically chosen by the model manager 304.” Note that these parameters define the Holt-Winters model; thus selection of the parameters constitutes the act of training the model.] “wherein each one of the plurality of time-based machine-learning models is trained for a different time interval over which the first set of event data is taken” [Abstract: “Models can be selected based on the time interval, where each of the models has a different periodicity.” [0028]: “For example, if the sampling frequency is once per day (e.g., a daily total of visits) and the new data value corresponds to the first Monday of the month, the detection framework may select a weekly model that corresponds to the Monday of each week (i.e., the Monday model) and a monthly model that corresponds to the first Monday of each month (i.e., the first monthly Monday model).” [0064]: “the model manager 304 may select the daily model, a weekly model that corresponds to the Sunday of each week, a monthly model that corresponds to the 25th day of each month, another monthly model that corresponds to the last Sunday of each month, and a special model.” Note that the concept of different periodicities refers to different corresponding time intervals. For example, a daily model has a daily interval, whereas a weekly model has a weekly interval. The models generate individual scores, which are then summarized into a final score. See Abstract: “For each of the selected models, the computer may generate a score by generating a prediction value based on the model and generating the score based on the prediction value and the received value. A final score can then be generated based on the scores.”]. 
Therefore, Chanda also suggests the limitation that the second set of event data is analyzed using “the trained plurality of time-based models” [[0070]: “By evaluating the forecast equation of a model using the data value and the historical data values, the model manager 304 can obtain the prediction value specific to the model and the time interval of the data value.” That is, once a model has been created, it can be applied to new data.]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teachings of Chari with the teachings of Chanda by modifying a plurality of the models in Chari to be time-based models as taught in Chanda, particularly by implementing the operation of “training a plurality of time-based machine-learning models using a first set of event data, wherein each one of the plurality of time-based machine-learning models is trained for a different time interval over which the first set of event data is taken” such that the second set of event data is analyzed using said “the trained plurality of time-based models.” The motivation would have been to analyze “data [that is] received in the form of a time series, where discrete data values are periodically received over time” (Chanda, [0001]), particularly in a manner that accounts for various patterns (Chanda, [0006]: “the monitoring service can expect newer data values of the data stream to follow one or more patterns, which may include trend patterns, seasonal patterns, and cyclical patterns”).
Achin, in an analogous art, teaches the remaining limitations of “automatically retraining the plurality of trained time-based machine-learning models using the second set of event data.” Achin generally pertains to “systems and techniques for predictive data analytics” (abstract), suitable for a variety of machine learning models (see [0222]). Therefore, Chanda is in the same field of endeavor as the claimed invention, namely data processing and analytics.
In particular, Achin teaches “automatically retraining the plurality of trained time-based machine-learning models using the second set of event data” [[0208]: “Information collected directly by the deployment engine 140 about the accuracy of predictions, and/or observations obtained through other channels, may be used to improve the model for a prediction problem (e.g., to “refresh” an existing model, or to generate a model by re-exploring the modeling search space in part or in full). New data can be added to improve a model in the same ways data was originally added to create the model, or by submitting target values for data previously used in prediction.” [0209]: “Some models may be refreshed (e.g., refitted) by applying the corresponding modeling techniques to the new data and combining the resulting new model with the existing model, while others may be refreshed by applying the corresponding modeling techniques to a combination of original and new data.” That is, new data collected during deployment corresponds to the “second set of event data,” since deployment refers to the use of a model that has already been trained. The act of refreshing or refitting constitutes “retraining.” In regards to the limitation of “automatically,” see [0212]: “the deployment engine 140 may…automatically refresh the model by re-fitting one or more modeling techniques using the new values to extend the original training data.” Since the refresh is performed by the deployment engine 140, which is a software component, the refresh is performed automatically. See also claim 53: “wherein deploying the fitted model further comprises refreshing the fitted model based, at least in part, on second input data,” which refers to the functions performed by the “predictive modeling apparatus” (thus, performed automatically). It is also noted that “time-based machine-learning models” is already taught by the combination of Chari and Chanda as set forth above.
Achin has been relied upon for its teaching of the automatic retraining of models analogous to the claimed models.]
It is also noted that Achin’s teachings discussed above appear in a context analogous to the context described by the term “in response to receiving the second set of event data,” since Achin teaches that the retraining is used on 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teachings of Chari and Chanda with the teachings of Achin by implementing the further operation of “automatically retraining the plurality of trained time-based machine-learning models using the second set of event data” in the set of operations in response to receiving the second set of event data. The motivation would have been to use new data to improve a model, as suggested by Achin ([0208]: “New data can be added to improve a model in the same ways data was originally added to create the model, or by submitting target values for data previously used in prediction.”).

As to claim 2, the combination of Chari, Chanda, and Achin teaches the method of claim 1 further comprising:
wherein the analyzing is performed using a set of results received from the plurality of trained machine-learning models. [As noted in the rejection of claim 1 in regards to the limitation of “the analysis resulting in,” in Chari, each “analytic” corresponds to a “model” and generates a risk score, so as to result in a plurality of risk scores. Chanda is compatible with this technique since Chanda, abstract teaches: “For each of the selected models, the computer may generate a score by generating a prediction value based on the model and generating the score based on the prediction value and the received value. A final score can then be generated based on the scores.” Therefore, this limitation is taught by Chari, as modified in the combination of references.]

As to claim 3, the combination of Chari, Chanda, and Achin teaches the method of claim 2, as set forth in the rejection above. 
Chanda further teaches the method further comprising:
correlating a set of machine-learning risk scores based on the set of results received from the plurality of trained time-based machine-learning models, [Chanda, [0085]: “Generating the final score based on the one or more scores may be done in multiple ways. Examples may include selecting the lowest score out of the one or more scores, calculating a weighted average of the one or more scores, selecting the mode of the one or more scores, and selecting the highest score out of the one or more scores.” It is noted that the term “correlating” is not defined in this application to require a specific mathematical operation. Therefore, any operation that determines a relationship among the scores, such as calculating an average value or selecting the mode/highest score (which implies comparing the scores) is considered to be an operation “correlating.”] wherein each set of machine-learning risk scores pertains to a modeled risk of the user corresponding to the respective time intervals of the time-based machine-learning models; [Chanda, [0008]: “the server computer can generate a score for each of the selected models. To generate a score for a model, the model can use historical data values of the data stream that match the model's periodicity…” As noted in the rejections of the parent claims, the periodicities correspond to respective time intervals.] and
evaluating the correlated set of machine-learning risk scores to calculate the user's security risk score. [Chanda, [0085]: “Generating the final score based on the one or more scores may be done in multiple ways. Examples may include selecting the lowest score out of the one or more scores, calculating a weighted average of the one or more scores, selecting the mode of the one or more scores, and selecting the highest score out of the one or more scores.”]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated, into the thus-far combination of Chari and Chanda, the above further teachings of Chanda by modifying the method to further comprise “training the plurality of time-based machine-learning models using the plurality of event data, wherein each of the time-based machine-learning models is trained for a different time interval; correlating a set of machine-learning risk scores based on a plurality of results received from the plurality of time-based machine-learning models, wherein each set of machine-learning risk scores pertains to a modeled risk of the user corresponding to the respective time intervals of the time-based machine-learning models; and evaluating the correlated set of machine-learning risk scores to calculate the user's security risk score.” The motivation for doing so would have been to analyze “data [that is] received in the form of a time series, where discrete data values are periodically received over time” (Chanda, [0001]), particularly in a manner that accounts for various patterns (Chanda, [0006]: “the monitoring service can expect newer data values of the data stream to follow one or more patterns, which may include trend patterns, seasonal patterns, and cyclical patterns”).

As to claim 5, the combination of Chari, Chanda, and Achin teaches the method of claim 3, as set forth above. 
Chanda further teaches the method further comprising:
utilizing an empirical distribution approach to perform the evaluating. [Chanda, [0077]: “A variance calculator 402 may be programmed and/or configured to perform functionality associated with determining a variance based on the historical data values of a data stream. The variance calculator 402 may calculate the variance (e.g., a standard deviation) of the historical data values of the data stream. As an example, the variance may be equal to the average of the squared differences of each of the historical data values from the mean of the historical data values…” [0078]: “a variance improver 404 may be programmed and/or configured to perform functionality associated with improving the variance based on internal event data, external event data, and feedback data.” Note that the variance is used to assess the final score, as described in [0027]: “At some point, the detection framework can generate a score threshold based on the variance of the historical data values. Upon obtaining the final score and the score threshold, the detection framework determines whether the final score exceeds the score threshold.” Regarding the term “empirical distribution,” the Examiner notes that the variance distribution described above is based on empirical evidence, and is thus an empirical distribution.]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated, into the thus-far combination of Chari and Chanda, the above further teachings of Chanda by modifying the method to further comprise utilizing an empirical distribution approach to perform the evaluating. The motivation would have been to utilize a method for evaluating model scores based on the characteristics of historical data, as suggested by Chanda, paragraph [0076] (“the threshold calculation module 218 may provide a score threshold that represents how much variance in the data values is tolerable.”) and parts quoted above.

As to claim 7, the combination of Chari, Chanda, and Achin teaches the method of claim 1 further comprising:
storing the second set of event data in a main dataset; [Chari, [0066]: “Dynamic user data 306 may include information, such as, for example, activity logs 306A, social networks 306B, communication patterns 306C, and threat feeds 306D. Activity logs 306A include records of the user's asset access behavior.”]
identifying one or more subset datasets, wherein each of the subset datasets pertain to a different one of the time-based machine-learning models; [The models of Chanda, as discussed in the rejection of claim 1, above, utilize data subsets. See Chanda, [0065]: “For each of the one or more selected forecast models, a set of historical data values of the data stream that match the periodicity of the forecast model may be retrieved from the historical data store 106. As examples, historical data values that correspond to each day may be retrieved for the daily model, historical data values that correspond to each Tuesday may be retrieved for the weekly model that corresponds to the Tuesday of each week”] and
forming the subset datasets from the main dataset, [Chanda, [0065], part quoted above, which teaches “…may be retrieved from the historical data store 106…”] wherein the analyzing is performed by inputting each of the subset datasets to the respective subset datasets' time-based machine-learning model. [Chanda, [0065]: “Next, each matching set of historical data values are fed to their corresponding models.”]

As to claims 8-10, 12 and 14, these claims are directed to a system for performing operations that are the same or substantially the same as those recited in claims 1-3, 5 and 7, respectively. Therefore, the rejections made to claims 1-3, 5 and 7 are applied to claims 8-10, 12 and 14, respectively.
Furthermore, Chari teaches an information handling system comprising: one or more processors; a memory coupled to at least one of the processors; and a set of computer program instructions stored in the memory and executed by at least one of the processors in order to perform actions [[0013]: “The present invention may be a system, a method, and/or a computer program product. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention.” [0031]: “data processing system 200 includes…processor unit 204, memory 206”. See also [0014]-[0019].]

As to claims 15-17, 19 and 21, these claims are directed to a computer readable medium for performing operations that are the same or substantially the same as those recited in claims 1-3, 5 and 7, respectively. Therefore, the rejections made to claims 1-3, 5 and 7 are applied to claims 15-17, 19 and 21, respectively.
Furthermore, Chari teaches a computer program product stored in a computer readable storage medium, comprising computer program code that, when executed by an information handling system, performs actions [[0013]: “The present invention may be a system, a method, and/or a computer program product. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention.” [0031]: “data processing system 200 includes…processor unit 204, memory 206.” See also [0014]-[0019].]

2.	Claims 6, 13, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Chari in view of Chanda and Achin, and further in view of Shenoy et al. (US 2019/0098037 A1) (“Shenoy”).
As to claim 6, the combination of Chari, Chanda, and Achin teaches the method of claim 1 further comprising:
calculating one or more rule-based risk scores corresponding to the user, wherein the rule-based risk scores are calculated using one or more risk algorithms; [Chari, [0078]: “When defining an analytic, an analyst may define alert groups for the analytic.” Chari, [0076]: “Pipelined analytics execution is an ordered list of execution steps, along with all of the execution steps dependencies. All dependencies of an execution step must be completed before moving to the next execution step in the ordered list.” That is, the analytics in Chari are also considered to be “rule-based” and thus determine rule-based risk scores, because they have some set of rules in the form of their definition, execution steps, and/or dependencies.] and
combining the time-based risk scores, […] and the rule-based risk scores to form the security risk score of the user. [Chari, [0069]: “Malicious user activity detector 302 combines risk score j 332 and risk score j+1 334 to generate aggregated risk score k 336.”; Chari, [0087]: “malicious user activity detector 302 may aggregate user-specific risk scores corresponding to all malicious user activity alerts and all assets associated with that particular user.” As noted in the rejection of claim 1, Chari generally teaches the limitation of “time-based” risk scores. See Chari, [0057] (“time series-based preprocessing”), [0058] (“auto correlation (i.e., correlation of user activity in a current time window against the user's activity in past time windows)”), [0062] (“aggregate the received input data corresponding to the user into a set of one or more defined windows based on time and/or the user”), and [0072] (“malicious user activity detector 302 may accept input data both in batches (e.g., data files covering specified periods of time) and as a stream (e.g., a continuous series of messages in order by time).”) Moreover, Chanda teaches time-based models. Therefore, the limitation of “time-based risk scores” is accounted for by Chari, and in the combination of references.] 
The combination of references does not explicitly teach “calculating one or more non-time-based risk scores corresponding to the user, wherein the non-time-based risk scores use one or more non-time based machine learning models” and the limitation that the combining also combines the “non-time-based risk scores.”
Shenoy, in an analogous art, teaches the above limitations. Shenoy generally teaches “cloud-based threat detection” (title) for various “user accounts” (see abstract). Therefore, Shenoy is in the same field of endeavor as the claimed invention, namely data processing and analytics.  
In particular, Shenoy teaches “calculating one or more non-time-based risk scores corresponding to the user, [[0114]: “Another example of a threat scenario is an unusual geolocation scenario. An unusual geolocation scenario may refer to activities being originated in locations that are unexpected or outside of an established pattern.” [0143]: “Algorithm 3 provides an example of an algorithm that can be used for analytics of multiple application behavior. In algorithm 3, user IP addresses associated with various cloud service activities (such as logging in) are resolved to geolocation coordinates IP1 (Latitude 1, Longitude 1), IP2 (Latitude 2, Longitude 2), IP3 (Latitude 3, Longitude 3), etc. If a user has different usernames with different cloud services, the various usernames associated with that user can be mapped to a unique user specific identity that identifies the user across the services…”] wherein the non-time-based risk scores use one or more non-time based machine learning models [[0158]: “feedback can be obtained using…machine learning algorithms, such as decision trees and neural networks.” Note that in [0158], the machine learning algorithm is used to adjust the weights of the indicators in [0156]. [0162]: “These may incorporate machine learning algorithms to generate threat models, such as, for example, deviations from base line expectations”]. Shenoy, when its teachings are applied to Chari, suggests combining the “non-time-based risk scores” [[0156]: “In various examples, a risk score can be computed as a weighted sum of the available indicators.” Furthermore, Chari generally teaches the use of “a wide range of analytics” and the concept of aggregation].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teachings of Chari, Chanda, and Achin with the teachings of Shenoy by performing the further operation of “calculating one or more non-time-based risk scores corresponding to the user, wherein the non-time-based risk scores use one or more non-time based machine learning models” such that the combining also combines the “non-time-based risk scores.” The motivation for doing so would have been to implement an indicator for computing a risk score (as suggested by Shenoy, [0155]: “Indicators used to compute a risk score can provide a particular risk factor”), particularly one that pertains to a known type of threat scenario (as suggested by Shenoy, [0114], as quoted above).

As to claim 13, the further limitations recited in this claim are the same or substantially the same as those recited in claim 6. Therefore, the rejection made to claim 6 is applied to claim 13.

As to claim 20, the further limitations recited in this claim are the same or substantially the same as those recited in claim 6. Therefore, the rejection made to claim 6 is applied to claim 20.

3.	Claims 22-25 are rejected under 35 U.S.C. 103 as being unpatentable over Chari in view of Chanda, Haim et al., “Visualizing Insider Threats: An Effective Interface for Security Analytics” (poster), IUI 2017 Companion, March 13–16, 2017, Limassol, Cyprus (“Haim”), and Achin.
As to claim 22, Chari teaches a method implemented by an information handling system that includes a processor and a memory accessible by the processor, [[0031]: “data processing system 200 includes…processor unit 204, memory 206”] the method comprising:
receiving a second set of event data, wherein each event data in the second set of event data is a detected activity performed by a user over a time duration on one of a set of one or more computer systems, [[0064]: “Malicious user activity detector 302 may receive input, such as, for example, static user data 304, dynamic user data 306.” [0066]: “Dynamic user data 306 may include information, such as, for example, activity logs 306A, social networks 306B, communication patterns 306C, and threat feeds 306D. Activity logs 306A include records of the user's asset access behavior.” Note that the user is a user of a computer, as described in [0026]: “Users of client devices 110, 112, and 114 may use client devices 110, 112, and 114 to access assets 116.” With respect to the limitation of “by a user over a time duration,” the data includes activity logs, which are over a time duration as further described in [0037]: “User asset access activity logs 226 represent a historical record of current and past asset access behavior by the user.”]
receiving, from […] plurality of […] time-based […] models, a plurality of time-based risk scores, [[0099]: “the computer applies a plurality of analytics on the profile corresponding to the user that accesses the set of protected assets using conflict free parallelization (step 504). The plurality of analytics may be, for example, analytic 1 326, analytic 2 328, and analytic i 330 in FIG. 3.” That is, each “analytic” corresponds to a “model.” The limitation of “time-based,” for both the models and the scores, is described in [0057] (“features such as…time series-based preprocessing”), [0058] (“auto correlation (i.e., correlation of user activity in a current time window against the user's activity in past time windows)”), [0062] (“aggregate the received input data corresponding to the user into a set of one or more defined windows based on time and/or the user”), and [0072] (“malicious user activity detector 302 may accept input data both in batches (e.g., data files covering specified periods of time) and as a stream (e.g., a continuous series of messages in order by time).”). Therefore, both the model and the output of the model are considered to be time-based in some form, noting that the instant claim does not require a specific relationship with time for the term “time-based.”] wherein each of the plurality of time-based risk scores corresponds to one of the plurality of […] time-based […] models;  [[0069]: “In this example, analytic 1 326 and analytic i 330 generate risk score j 332 and analytic 2 328 generates risk score j+1 334. Risk score j 332 and risk score j+1 334 may be, for example, user asset access activity scores 228 in FIG. 2.” That is, each “analytic” corresponds to a “model” and generates a risk score, so as to result in a plurality of risk scores. The limitation of “time-based” for the reasons discussed above.]
calculating a security score of the user based on the plurality of time-based risk scores; [[0069]: “Malicious user activity detector 302 combines risk score j 332 and risk score j+1 334 to generate aggregated risk score k 336.”; Chari, [0087]: “malicious user activity detector 302 may aggregate user-specific risk scores corresponding to all malicious user activity alerts and all assets associated with that particular user.”] and
performing at least one security action, [[0070]: “If malicious user activity detector 302 determines that aggregated risk score k 336 is greater than an alert threshold, such as, for example, an alert threshold in user asset access activity alert threshold values 230 in FIG. 2, then malicious user activity detector 302 may generate one or more alerts 338.”] […].
Chari does not explicitly teach:
(1)	the operation of “training a plurality of time-based machine-learning models using a first set of event data, wherein each one of the plurality of time-based machine-learning models is trained for a different time interval over which the first set of event data is taken” and the related limitation that in the “receiving” step, the models providing the scores are “the plurality of trained time-based models”;
(2)	the operations of “creating, from the second set of event data, a plurality of time-based datasets, wherein each of the time-based data sets corresponds to one of the plurality of trained time-based machine learning models, and wherein each of the trained time-based machine learning models corresponds to a different time interval” and “inputting the plurality of time-based datasets to their respective trained time-based machine learning models”;
(3)	“wherein the at least one security action is writing a user identifier of the user and the user's security score to a report”; and 
(4)	“automatically retraining the plurality of trained time-based machine- learning models using the second set of event data.”
Chanda, in an analogous art, teaches limitations (1) and (2) listed above. Chanda teaches an “anomaly detection framework” (title) “for detecting anomalous values in data streams using forecasting models” (see abstract, first sentence). Therefore, Chanda is in the same field of endeavor as the claimed invention, namely data processing and analytics. In general, the method of Chanda generates a score for anomaly detection, wherein “if the final score exceeds the score threshold, the computer may generate a notification that indicates that the data value is an anomaly” (Chanda).
  In particular, Chanda teaches “training a plurality of time-based machine-learning models using a first set of event data” [Abstract: “Models can be selected based on the time interval.” [0069]: “the smoothing parameters α, β* and γ may be manually or automatically chosen by the model manager 304.” Note that these parameters define the Holt-Winters model; thus selection of the parameters constitutes the act of training the model.] “wherein each one of the plurality of time-based machine-learning models is trained for a different time interval over which the first set of event data is taken” [Abstract: “Models can be selected based on the time interval, where each of the models has a different periodicity.” [0028]: “For example, if the sampling frequency is once per day (e.g., a daily total of visits) and the new data value corresponds to the first Monday of the month, the detection framework may select a weekly model that corresponds to the Monday of each week (i.e., the Monday model) and a monthly model that corresponds to the first Monday of each month (i.e., the first monthly Monday model).” [0064]: “the model manager 304 may select the daily model, a weekly model that corresponds to the Sunday of each week, a monthly model that corresponds to the 25th day of each month, another monthly model that corresponds to the last Sunday of each month, and a special model.” Note that the concept of different periodicities refers to different corresponding time intervals. For example, a daily model has a daily interval, whereas a weekly model has a weekly interval. The models generate individual scores, which are then summarized into a final score. See Abstract: “For each of the selected models, the computer may generate a score by generating a prediction value based on the model and generating the score based on the prediction value and the received value. A final score can then be generated based on the scores.”]. 
Therefore, Chanda also suggests the use of such models, such that the scores are received from “the plurality of trained time-based models” [[0070]: “By evaluating the forecast equation of a model using the data value and the historical data values, the model manager 304 can obtain the prediction value specific to the model and the time interval of the data value.” That is, once a model has been created, it can be applied to new data.]
Chanda further teaches creating, from the second set of event data, a plurality of time-based datasets, wherein each of the time-based data sets corresponds to [[0065]: “For each of the one or more selected forecast models, a set of historical data values of the data stream that match the periodicity of the forecast model may be retrieved from the historical data store 106. As examples, historical data values that correspond to each day may be retrieved for the daily model, historical data values that correspond to each Tuesday may be retrieved for the weekly model that corresponds to the Tuesday of each week”] one of the plurality of trained time-based machine learning models [The models are time-based, as addressed below in connection with “wherein each of the trained time-based machine learning models corresponds to a different time interval.” With respect to the limitation of “machine learning,” see [[0066]: “To account for complex combinations of patterns that may be followed by the data stream, each of the selected models may correspond to a Holt-Winters triple exponential forecasting model.” This model is described through [0070]. [0069] states that “the smoothing parameters α, β* and γ may be manually or automatically chosen by the model manager 304.” See also [0007]: “the server computer can use predictive modeling.” Since the model has computer-determined parameters, and is based on historical data (see [0063]: “based on the historical data values of the data stream”), the model is considered to be a “machine-learning” model. The term “machine-learning model” has been interpreted to broadly cover models whose parameters are learned by a machine, as the instant claim does not require a specific type of model or learning algorithm.] 
and wherein each of the trained time-based machine learning models corresponds to a different time interval [Abstract: “Models can be selected based on the time interval, where each of the models has a different periodicity.” [0028]: “For example, if the sampling frequency is once per day (e.g., a daily total of visits) and the new data value corresponds to the first Monday of the month, the detection framework may select a weekly model that corresponds to the Monday of each week (i.e., the Monday model) and a monthly model that corresponds to the first Monday of each month (i.e., the first monthly Monday model).” [0064]: “the model manager 304 may select the daily model, a weekly model that corresponds to the Sunday of each week, a monthly model that corresponds to the 25th day of each month, another monthly model that corresponds to the last Sunday of each month, and a special model.” Note that the concept of different periodicities refers to different corresponding time intervals. For example, a daily model has a daily interval, whereas a weekly model has a weekly interval.] 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teachings of Chari with the teachings of Chanda by modifying a plurality of the models in Chari to be time-based models as taught in Chanda, specifically by implementing the operation of “training a plurality of time-based machine-learning models using a first set of event data, wherein each one of the plurality of time-based machine-learning models is trained for a different time interval over which the first set of event data is taken” such that in the “receiving” step, the models providing the scores are “the plurality of trained time-based models”; and by implementing the operations of “creating, from the second set of event data, a plurality of time-based datasets, wherein each of the time-based data sets corresponds to one of the plurality of trained time-based machine learning models, and wherein each of the trained time-based machine learning models corresponds to a different time interval” and “inputting the plurality of time-based datasets to their respective trained time-based machine learning models.” The motivation would have been to analyze “data [that is] received in the form of a time series, where discrete data values are periodically received over time” (Chanda, [0001]), particularly in a manner that accounts for various patterns (Chanda, [0006]: “the monitoring service can expect newer data values of the data stream to follow one or more patterns, which may include trend patterns, seasonal patterns, and cyclical patterns”).
Haim, in an analogous art, teaches “wherein one of the security actions is writing a user identifier of the user and the user's security score to a report.” Haim teaches an “interface for security analytics” (title), particularly the user behavior analytics tool of IBM’s QRadar security analytics environment (page 40, bottom-left paragraph). Therefore, Haim is in the same field of endeavor as the claimed invention. 
In particular Haim teaches “wherein the at least one security action is writing a user identifier of the user and the user's security score to a report.” [Page 41, bottom left bullet points: “Insiders with highest risk score - List of monitored insiders which appear to have the riskiest behavior among the others, and their overall accumulated score is the highest (Fig. 3).” For applicant’s convenience, FIG. 3 of this reference is reproduced below. The color version of this document can be downloaded from the URL shown in the attached form PTO-892.

FIG. 3 of Haim
As shown, Haim teaches writing a user identifier (e.g., “ujpc”) and the security score (e.g., “417”) to a report (the interface shown in the figure).]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teachings of Chari and Chanda with the teachings of Haim by implementing the feature that “the at least one security action is writing a user identifier of the user and the user's security score to a report.” The motivation would have been to implement an interface to support the task of analysis that offers micro views of individual insider, its assets, actions and risk evaluation (Haim, page 41, upper left: “we highlight the main interfaces of the UBA tool which were designed support the above-mentioned tasks of the analyst. The tool, as shown below, offers visual components ranging from…to micro views of  individual insider, its assets, actions and risk evaluation”). 
Achin, in an analogous art, teaches the remaining limitations of “automatically retraining the plurality of trained time-based machine- learning models using the second set of event data.” Achin generally pertains to “systems and techniques for predictive data analytics” (abstract), suitable for a variety of machine learning models (see [0222]). Therefore, Chanda is in the same field of endeavor as the claimed invention, namely data processing and analytics.  
In particular, Achin teaches “automatically retraining the plurality of trained time-based machine- learning models using the second set of event data” [[0208]: “Information collected directly by the deployment engine 140 about the accuracy of predictions, and/or observations obtained through other channels, may be used to improve the model for a prediction problem (e.g., to “refresh” an existing model, or to generate a model by re-exploring the modeling search space in part or in full). New data can be added to improve a model in the same ways data was originally added to create the model, or by submitting target values for data previously used in prediction.” [0209]: “Some models may be refreshed (e.g., refitted) by applying the corresponding modeling techniques to the new data and combining the resulting new model with the existing model, while others may be refreshed by applying the corresponding modeling techniques to a combination of original and new data.” That is, new data collected during deployment corresponds to the “second set of event data,” since deployment refers to the use of a model that has already been trained. The act of refreshing or refitting constitutes “retraining.” In regards to the limitation of “automatically,” see [0212]: “the deployment engine 140 may…automatically refresh the model by re-fitting one or more modeling techniques using the new values to extend the original training data.” Since the refresh is performed by the deployment engine 140, which is a software component, the refresh is performed automatically. See also claim 53: “wherein deploying the fitted model further comprises refreshing the fitted model based, at least in part, on second input data,” which refers to the functions performed by the “predictive modeling apparatus” (thus, performed automatically). It is also noted that “time-based machine-learning models” is already taught by the combination of Chari and Chanda as set forth above. 
Achin has been relied upon for its teaching of the automatic retraining of models analogous to the claimed models.]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the teachings of Chari, Chanda, and Haim with the teachings of Achin by implementing the further operation of “automatically retraining the plurality of trained time-based machine- learning models using the second set of event data.” The motivation would have been to use new data to improve a model, as suggested by Achin ([0208]: “New data can be added to improve a model in the same ways data was originally added to create the model, or by submitting target values for data previously used in prediction.”).

As to claim 23, the combination of Chari, Chanda, Haim, and Achin teaches the method of claim 22 further comprising:
calculating a plurality of security scores, wherein each of the plurality of security scores corresponds to one of a plurality of users; [Chari, [0027]: “Storage 108 may store, for example, names and identification numbers of a plurality of users, profiles corresponding to the plurality of users.” Chari, [0069]: “Aggregated risk score k 336 represents the level of risk associated with a particular user accessing a set of one or more protected assets of an enterprise.”] and
identifying one or more of the plurality of users with risky behavior based on the users' corresponding security scores. [Haim, FIG. 3 and related disclosures, as discussed above in the rejection of claim 22]. 

As to claims 24-25, these claims are directed to a system for performing operations that are the same or substantially the same as those recited in claims 22-23. Therefore, the rejections made to claims 22-23 are applied to 24-25, respectively. 
Furthermore, Chari teaches an information handling system comprising: one or more processors; a memory coupled to at least one of the processors; and a set of computer program instructions stored in the memory and executed by at least one of the processors in order to perform actions [[0013]: “The present invention may be a system, a method, and/or a computer program product. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention.” [0031]: “data processing system 200 includes…processor unit 204, memory 206”. See also [0014]-[0019].]


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following documents depict the state of the art.
Bansal (US 7,310,590 B1) teaches time series anomaly detection using multiple statistical models (title).
He et al. (US 2020/0311487 A1) teaches the continuous training of multiple different types of time-based models.
Kootaayi et al. (US 2018/0288063 A1) teaches detection of user-related anomaly based on a plurality of models.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to YAO DAVID HUANG whose telephone number is (571)270-1764. The examiner can normally be reached Monday - Friday 9:00 am - 5:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Miranda Huang can be reached on (571) 270-7092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Y.D.H./Examiner, Art Unit 2124

/MIRANDA M HUANG/Supervisory Patent Examiner, Art Unit 2124