Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

1.        This action is in response to application amendments filed on 8-26-2022. 
2.        Claims 23 - 29, 31 - 37, 39 - 42 are pending.  Claims 23, 31, 39 have been amended.  Claims 1 - 22, 30, 38 have been canceled.  Claims 23, 31, 39 are independent.  This action is responding to application papers filed on 11-17-2021.  

Response to Arguments

3.    Applicant's arguments, see Arguments/Remarks Made in an Amendment, filed 8-26-2022, with respect to the rejection(s) under Sakamoto in view of Dupont have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made over Sakamoto in view of Paretti and further in view of Dupont.

A.  Applicant argues on pages 7-8 of Remarks:    ...   Sakamoto and Dupont, either alone or in combination, fail to disclose and would not have rendered obvious:   ...   determining, by the UBA module, that one or more events in the event log data satisfy a policy that is created and managed by a policy automation engine, the policy indicative of behavior of at least one user in the enterprise computing environment;   ...   . 

    The Examiner respectfully disagrees.  Sakamoto discloses a policy created based upon user behavior.  (see Sakamoto paragraph [0006], lines 1-10: user behavior information collected, analyzed and compared with statistically derived norm and/or one or more policies to detect anomalous activity; collected user behavior data includes audit trails (i.e. collected log event data) and dynamic views utilizing database management system; paragraph [0035]; [0100]: Java database connectivity API allowing a user to connect to any data source utilizing the Java programming language; paragraph [0058], lines 1-9: database object level monitoring includes monitoring database accesses for a selected critical or sensitive database object; database object such as a database table, database view, or database stored procedure; critical database object is a company's (or enterprise's) table; (company computing environment analogous to enterprise computing environment))
    Paretti discloses a policy automation engine utilized to automatically create a policy based upon user behavior. (see Paretti paragraph [0045], lines 1-8: configured to provide users with recommendations regarding creation of new privacy policies or modification of existing privacy policies; location tracking privacy engine configured to automatically provide such recommendations to a user based on a detected pattern of user behaviors and/or activities; paragraph [0078], lines 1-9: automatically provide recommendations responsive to a detected pattern of user behaviors and/or activities, wherein detected pattern is identified by analyzing W4 data associated with the user and stored in database over time)

B.  Applicant argues on page 8 of Remarks:    ...   Sakamoto’s rule-based policy is not created and managed by a policy automation engine.

    The Examiner respectfully disagrees.  Paretti discloses the newly amended policy automation engine utilized to automatically create a policy based upon user behavior. (see Paretti paragraph [0045], lines 1-8: configured to provide users with recommendations regarding creation of new privacy policies or modification of existing privacy policies; location tracking privacy engine configured to automatically provide such recommendations to a user based on a detected pattern of user behaviors and/or activities; paragraph [0078], lines 1-9: automatically provide recommendations responsive to a detected pattern of user behaviors and/or activities, wherein detected pattern is identified by analyzing W4 data associated with the user and stored in database over time)

C.  Applicant argues on page 8 of Remarks:    ...   Sakamoto merely teaches that its rule-based policy derives from a "knowledgebase comprised of security rules or constraints", not created and managed by a policy automation engine,   ...   . 

    The Examiner respectfully disagrees.  Paretti discloses the newly amended policy automation engine utilized to automatically create a policy based upon user behavior. (see Paretti paragraph [0045], lines 1-8: configured to provide users with recommendations regarding creation of new privacy policies or modification of existing privacy policies; location tracking privacy engine configured to automatically provide such recommendations to a user based on a detected pattern of user behaviors and/or activities; paragraph [0078], lines 1-9: automatically provide recommendations responsive to a detected pattern of user behaviors and/or activities, wherein detected pattern is identified by analyzing W4 data associated with the user and stored in database over time)

D.  Applicant argues on page 9 of Remarks: Dupont similarly fails to teach a policy that is created and managed by a policy automation engine,   ...   . 

    The Examiner respectfully disagrees.  Dupont is not relied upon to disclose the policy automation engine.  The Office Action indicated the claim limitations for which Dupont is relied upon.   Paretti discloses the amended policy automation engine utilized to automatically create a policy based upon user behavior. (see Paretti paragraph [0045], lines 1-8: configured to provide users with recommendations regarding creation of new privacy policies or modification of existing privacy policies; location tracking privacy engine configured to automatically provide such recommendations to a user based on a detected pattern of user behaviors and/or activities; paragraph [0078], lines 1-9: automatically provide recommendations responsive to a detected pattern of user behaviors and/or activities, wherein detected pattern is identified by analyzing W4 data associated with the user and stored in database over time)

E.  Applicant argues on page 9 of Remarks:    ...   Sakamoto and Dupont fail to disclose and would not have rendered obvious: "determining, by the UBA module, that one or more events in the event log data satisfy a policy that is created and managed by a policy automation engine, the policy indicative of behavior of at least one user in the enterprise computing environment,"   ...   . 

    The Examiner respectfully disagrees.  Sakamoto discloses a policy created based upon user behavior.  (see Sakamoto paragraph [0006], lines 1-10: user behavior information collected, analyzed and compared with statistically derived norm and/or one or more policies to detect anomalous activity; collected user behavior data includes audit trails (i.e. collected log event data) and dynamic views utilizing database management system; paragraph [0035]; [0100]: Java database connectivity API allowing a user to connect to any data source utilizing the Java programming language; paragraph [0058], lines 1-9: database object level monitoring includes monitoring database accesses for a selected critical or sensitive database object; database object such as a database table, database view, or database stored procedure; critical database object is a company's (or enterprise's) table; (company computing environment analogous to enterprise computing environment))
    Paretti discloses a policy automation engine utilized to automatically create a policy based upon user behavior. (see Paretti paragraph [0045], lines 1-8: configured to provide users with recommendations regarding creation of new privacy policies or modification of existing privacy policies; location tracking privacy engine configured to automatically provide such recommendations to a user based on a detected pattern of user behaviors and/or activities; paragraph [0078], lines 1-9: automatically provide recommendations responsive to a detected pattern of user behaviors and/or activities, wherein detected pattern is identified by analyzing W4 data associated with the user and stored in database over time) 

F.  Applicant argues on page 9 of Remarks: Therefore, claims 24-26, 28, 32-34, 36, and 40-42 are also patentable over Sakamoto and Dupont based at least on their dependencies,   ...   . 

    Responses to arguments against the independent claims also answer arguments against the associated dependent claims.   

G.  Applicant argues on page 9 of Remarks: Therefore, claims 27, 29, 35, and 37 are patentable over Sakamoto, Dupont, and Mahaffey based at least on their dependencies,   ...   . 

    Responses to arguments against the independent claims also answer arguments against the associated dependent claims.   

Claim Rejections - 35 USC § 103  

4.        The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

 5.        Claims 23 - 26, 28, 31 - 34, 36, 39 - 42 are rejected under 35 U.S.C. 103 as being unpatentable over Sakamoto et al. (US PGPUB No. 20050203881) in view of Paretti et al. (US PGPUB No. 20100076777) and further in view of Dupont et al. (US PGPUB No. 20120137367).     	

Regarding Claims 23, 31, 39, Sakamoto discloses a method and an apparatus and a tangible, non-transitory, computer-readable medium storing program instructions that cause a device in communication with an enterprise computing environment to execute a process comprising the following, the method, the apparatus, and the tangible, non-transitory, computer-readable medium comprising:
a)  retrieving, by a user behavior analysis (UBA) module of a device in communication with an enterprise computing environment, event log data from an application programming interface (API) of a service provider; (see Sakamoto paragraph [0006], lines 1-10: user behavior information collected, analyzed and compared with statistically derived norm and/or one or more policies to detect anomalous activity; collected user behavior data includes audit trails (i.e. collected log event data) and dynamic views utilizing database management system; paragraph [0035]; [0100]: Java database connectivity API allowing a user to connect to any data source utilizing the Java programming language; paragraph [0058], lines 1-9: database object level monitoring includes monitoring database accesses for a selected critical or sensitive database object; database object such as a database table, database view, or database stored procedure; critical database object is a company's (or enterprise's) "employee" table, which contains salary information of the employees; (company computing environment analogous to enterprise computing environment)) and    
c)  applying, by the UBA module, a response action in the enterprise computing environment based on the event log data satisfying the policy. (see Sakamoto paragraph [0006], lines 17-20: suspicious activities that deviate from the normal usage pattern are detected and targeted operations such as an alert, generating reports, and/or email alerts are performed)    

Furthermore, Sakamoto discloses for b) determining, by the UBA module, that one or more events in the event log data satisfy a policy that is created and managed by a policy engine, the policy indicative of behavior of at least one user in the enterprise computing environment. (see Sakamoto paragraph [0006], lines 17-20: suspicious activities that deviate from the normal usage pattern are detected; paragraph [0029], lines 1-6: determine if the new set of data violates a rules-based policy; if rules-based policy is violated then the new data set represents anomalous activity) 

Sakamoto does not specifically disclose for b) a policy automation engine. 
However, Paretti discloses for b) a policy automation engine. (see Paretti paragraph [0045], lines 1-8: configured to provide users with recommendations regarding creation of new privacy policies or modification of existing privacy policies; location tracking privacy engine configured to automatically provide such recommendations to a user based on a detected pattern of user behaviors and/or activities; paragraph [0078], lines 1-9: automatically provide recommendations responsive to a detected pattern of user behaviors and/or activities, wherein detected pattern is identified by analyzing W4 data associated with the user and stored in database over time)
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Sakamoto for b) a policy automation engine as taught by Paretti. One of ordinary skill in the art would have been motivated to employ the teachings of Paretti for the benefits achieved from a system that enables the automatic creation of policy information based upon user behavior. (see Paretti paragraph [0045], lines 1-8)  

Furthermore, Sakamoto discloses for d) a display of processed log event data associated with threat information. (see Sakamoto paragraph [0095], lines 15-22: targeted operation triggered; email alert sent to email receivers defined using screen; view alerts through graphic user interface; (user interface utilized to visualize the generated alert associated with detected anomalous activity); paragraph [0046], lines 20-21: anomaly detector provides reports or creates visualization (i.e. associated with alert); paragraph [0006], lines 1-10: user behavior information collected, analyzed and compared with statistically derived norm and/or one or more policies to detect anomalous activity; collected user behavior data includes audit trails (i.e. collected log event data) and dynamic views utilizing database management system)
Sakamoto-Paretti does not specifically disclose for d) a heat map representing recent activities by locations on a geographical map. 
However, Dupont discloses:
d)  providing, by the UBA module, a threat visualization that comprises a heat map representing recent activities by location on a geographical map. (see Dupont paragraph [1241], lines 1-4: user chooses what features are shown as rows and which ones are shown as columns, and a time period of interest is selected; paragraph [1243], lines 1-8: each matrix is visualized as a representation known as a heat map, with a color saturation assigned to each cell in order to indicate the amount of communication for the corresponding row feature value and given column feature value, as well as for all bounded features; paragraph [1244], lines 1-8: each matrix is animated and offers playback functionality available through a timeline control, the user can replay past events at normal or faster speed; system can determine the most anomalous time periods and highlight them for the user on the timeline control using a red color; paragraph [1250], lines 1-10: continuous actor graph visualization displays actors as nodes, and communications and other events as edges; display is updated at discrete intervals of time, the interval duration being continuously adjusted by the system: at the end of each interval, newly added edges are displayed, while previously existing edges are aged so that some of them disappear; paragraph [0996], lines 1-9: type of categorical features corresponds to built-in features of system, such as detected emotive tones or entities (event names, people names, geographical locations, etc.) which are derived from analysis of data (analogous to log event data) and metadata extracted from events (analogous to log event data), including periodic sequences that match a periodic pattern)
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Sakamoto-Paretti for d) a heat map representing recent activities by locations on a geographical map as taught by Dupont. One of ordinary skill in the art would have been motivated to employ the teachings of Dupont for the benefits achieved from a system that enables a visualization of the threat exposed to an environment.  (see Dupont paragraph [1243], lines 1-8)  

Furthermore for Claim 31, Sakamoto discloses wherein one or more network interfaces to communicate with an enterprise computing environment; a processor coupled to the network interfaces and configured to execute one or more processes; and an apparatus memory configured to store a process executable by the processor, the process when executed operable to perform operations. (see Sakamoto paragraph [0104], lines 1-9: functionality of present invention provided by computing system (processor coupled to memory, load and execute instructions) in response to processor executing sequences of instructions read into main memory from a computer readable medium; paragraph [0058], lines 1-9)    

Regarding Claims 24, 32, 40, Sakamoto-Paretti-Dupont discloses the method of claim 23 and the apparatus of claim 31 and the tangible, non-transitory, computer-readable medium of claim 39, further comprising: enriching, by the UBA module, the event log data by adding additional layers of data on raw data collected in data streams. (see Sakamoto paragraph [0042], lines 11-14: based upon a comparison of new data with behavioral patterns determined from historical data determining whether new data represents anomalous activity; paragraph [0044], lines 13-24: data collector reads audit trail (i.e. log event data) and obtains dynamic performance views as historical data; (adding historical data to newly collected log event data))    

Regarding Claims 25, 33, 41, Sakamoto-Paretti-Dupont discloses the method of claim 23 and the apparatus of claim 31 and the tangible, non-transitory, computer-readable medium of claim 39, wherein the event log data comprises an event log source, information indicating a frequency as to when the event log data is collected, an indicator as to whether or not and for how long the event log data is to be retained at the source of the event log data, an event log level of detail, a data volume, or an event type. (see Sakamoto paragraph [0056], lines 1-17: data collector collects user behavior data, processes the data; collected data includes attributes such as a time of action (i.e. timestamp of event data); (selected: when event log data is collected))    

Regarding Claims 26, 34, 42, Sakamoto-Paretti-Dupont discloses the method of claim 23 and the apparatus of claim 31 and the tangible, non-transitory, computer-readable medium of claim 39, wherein the policy is configured to detect at least one of a new location, activity from a new device, activity from irregular locations, anomalies in sequences of events, anomalies in event frequency, or access from suspicious internet protocol (IP) addresses in the event log data. (see Sakamoto paragraph [0095], lines 9-11: rules indicate that user WANI can only access object HR.EMP from location WLINUX (user can access system object only from a particular location); (selected: detecting at least one of a new location; activity from irregular locations))    

Regarding Claims 28, 36, Sakamoto-Paretti-Dupont discloses the method of claim 23 and the apparatus of claim 31, wherein the policy is configured to identify access of at least one account associated with the enterprise computing environment as bot and/or malware access. (see Sakamoto paragraph [0006], lines 17-20: suspicious activities that deviate from normal usage pattern are detected, targeted operation such as generating an alert, generating reports, and/or generating email alerts are performed; paragraph [0058], lines 1-9: database object level monitoring includes monitoring database accesses for a selected critical or sensitive database object; database object such as a database table, database view, or database stored procedure; critical database object is a company's (or enterprise’s) "employee" table, which contains salary information of the employees; (company computing environment analogous to enterprise computing environment)) 

6.        Claims 27, 29, 35, 37 are rejected under 35 U.S.C. 103 as being unpatentable over Sakamoto in view of Paretti and further in view of Dupont and Mahaffey et al. (US PGPUB No. 20150128205).     

Regarding Claims 27, 35, Sakamoto-Paretti-Dupont discloses the method of claim 23 and the apparatus of claim 31, including an enterprise computing environment. (see Sakamoto paragraph [0058], lines 1-9: database object level monitoring includes monitoring database accesses for a selected critical or sensitive database object; database object such as a database table, database view, or database stored procedure; critical database object is a company's (or enterprise's) "employee" table, which contains salary information of the employees; (company computing environment analogous to enterprise computing environment))  
Sakamoto-Paretti-Dupont does not specifically disclose policy configured to identify information in event log data as sensitive content of an organization. 
However, Mahaffey discloses wherein the policy is configured to identify information in the event log data as sensitive content of an organization associated with the computing environment. (see Mahaffey paragraph [0182], lines 1-7: if user is accessing a bank account information, user requires a secure network connection in order to protect sensitive financial data (i.e. sensitive data))    
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Sakamoto-Paretti-Dupont for policy configured to identify information in event log data as sensitive content of an organization as taught by Mahaffey.  One of ordinary skill in the art would have been motivated to employ the teachings of Mahaffey for the benefits achieved from a system that has the capability to make a network connection more secure or have an associated level of security required for content data associated with the particular network connection. (see Mahaffey paragraph [0005], lines 5-10)  

Regarding Claims 29, 37, Sakamoto-Paretti-Dupont discloses the method of claim 23 and the apparatus of claim 31. 
Sakamoto-Paretti-Dupont does not specifically disclose response action comprises at least one of password reset action, disable user access action, or end user compromise validation. 
However, Mahaffey discloses wherein the response action comprises at least one of password reset action, disable user access action, or end user compromise validation. (see Mahaffey paragraph [0260], lines 4-10: in response to detecting an attempt to connect to a malicious computing system, user of mobile computing device is informed that all connections (i.e. network connections) have been stopped or disabled; (selected: disable user access action))   
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Sakamoto-Paretti-Dupont for response action comprises at least one of password reset action, disable user access action, or end user compromise validation as taught by Mahaffey. One of ordinary skill in the art would have been motivated to employ the teachings of Mahaffey for the benefits achieved from a system that has the capability to make a network connection more secure or have an associated level of security required for content data associated with the particular network connection. (see Mahaffey paragraph [0005], lines 5-10)  
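The following is an added illustrative example and is not part of this Office action, the claims, or any of the cited references (Sakamoto, Paretti, Dupont, Mahaffey). It walks through the pipeline the independent claims recite, namely step a) retrieving event log data, step b) testing the events against a per-user behavior policy, and step c) applying a response action, using the detection categories of claims 26/34/42 (new location, new device, suspicious IP address, event-frequency anomaly) and the response actions of claims 29/37. The event records, the baseline policy, the 203.0.113.0/24 "suspicious" network, the per-minute threshold and the mapping from violations to actions are all constructed assumptions for the example; the user name WANI, object HR.EMP and location WLINUX are borrowed from the Sakamoto passage cited above.

```python
"""Added UBA example (illustrative only; not from the Office action or any cited reference).
All event data, thresholds, network ranges and the action mapping below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed stand-in for the event log data a service-provider API would return (step a).
# Two normal accesses by "wani" from the known location/device, one access by "bob" from
# an unseen location, then a late-night session by "wani" from an unknown device and
# a suspicious network, followed by a burst of six reads inside one minute.
EVENT_LOG = [
    {"ts": "2022-09-12T09:00:00Z", "user": "wani", "action": "login", "object": "HR.EMP",
     "location": "WLINUX", "device": "dev-01", "ip": "10.0.0.5"},
    {"ts": "2022-09-12T09:05:00Z", "user": "wani", "action": "select", "object": "HR.EMP",
     "location": "WLINUX", "device": "dev-01", "ip": "10.0.0.5"},
    {"ts": "2022-09-12T10:00:00Z", "user": "bob", "action": "login", "object": "HR.EMP",
     "location": "LON", "device": "dev-02", "ip": "10.0.0.9"},
    {"ts": "2022-09-12T21:00:00Z", "user": "wani", "action": "login", "object": "HR.EMP",
     "location": "REMOTE", "device": "dev-99", "ip": "203.0.113.7"},
] + [
    {"ts": f"2022-09-12T21:01:{s:02d}Z", "user": "wani", "action": "select", "object": "HR.EMP",
     "location": "REMOTE", "device": "dev-99", "ip": "203.0.113.7"}
    for s in range(0, 60, 10)
]


@dataclass
class BehaviorPolicy:
    """Per-user baseline the UBA module evaluates events against (constructed values)."""
    known_locations: dict          # user -> set of locations seen in the baseline period
    known_devices: dict            # user -> set of device identifiers seen in the baseline
    suspicious_nets: list          # ipaddress networks treated as suspicious sources
    max_events_per_minute: int = 5  # above this, the per-minute rate is an anomaly


POLICY = BehaviorPolicy(
    known_locations={"wani": {"WLINUX"}, "bob": {"NYC"}},
    known_devices={"wani": {"dev-01"}, "bob": {"dev-02"}},
    suspicious_nets=[ipaddress.ip_network("203.0.113.0/24")],  # assumption: a blocklisted range
)


def retrieve_events(api_payload):
    """Step a): normalise records pulled from the provider API; drop records missing
    the fields the policy needs so a malformed record cannot raise later."""
    required = {"ts", "user", "location", "device", "ip"}
    return [e for e in api_payload if required <= e.keys()]


def evaluate(events, policy):
    """Step b): return the distinct policy violations as sorted (user, kind, value) tuples.
    Each violation is reported once per user and value, however many events repeat it."""
    findings = set()
    per_minute = defaultdict(int)
    for e in events:
        user = e["user"]
        if e["location"] not in policy.known_locations.get(user, set()):
            findings.add((user, "new_location", e["location"]))
        if e["device"] not in policy.known_devices.get(user, set()):
            findings.add((user, "new_device", e["device"]))
        addr = ipaddress.ip_address(e["ip"])
        if any(addr in net for net in policy.suspicious_nets):
            findings.add((user, "suspicious_ip", e["ip"]))
        per_minute[(user, e["ts"][:16])] += 1  # bucket key: "YYYY-MM-DDTHH:MM"
    for (user, minute), count in per_minute.items():
        if count > policy.max_events_per_minute:
            findings.add((user, "event_frequency", minute))
    return sorted(findings)


def respond(findings):
    """Step c): choose one response action per user from the kinds of violation seen.
    The escalation order is a constructed assumption, not the claimed or cited method."""
    kinds = defaultdict(set)
    for user, kind, _ in findings:
        kinds[user].add(kind)
    actions = {}
    for user, seen in kinds.items():
        if "suspicious_ip" in seen or len(seen) >= 3:
            actions[user] = "disable_user_access"
        elif "new_device" in seen or "event_frequency" in seen:
            actions[user] = "end_user_compromise_validation"
        else:
            actions[user] = "password_reset"
    return actions


if __name__ == "__main__":
    found = evaluate(retrieve_events(EVENT_LOG), POLICY)
    for f in found:
        print("violation:", f)
    for user, action in respond(found).items():
        print(f"response for {user}: {action}")
```

Run as a script, the example reports one violation for bob (new location LON) and four for wani (new location, new device, suspicious IP, and a six-event minute), and maps bob to a password reset and wani to disabling access. The threshold, network range and escalation order are where a real deployment would substitute its own baseline and policy rather than the constructed values used here.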

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CARLTON JOHNSON whose telephone number is (571)270-1032.  The examiner can normally be reached 12-9PM (most days).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CJ/
September 12, 2022

/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436