DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 06/21/2022 has been entered.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 08/02/2021, 06/15/2021, 08/03/2021, 08/25/2021, 09/17/2021, 06/21/2022 was filed after the mailing date of the first action on the merits. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 21-40 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
With respect to claim 21, the claim recites a computer-implementable method for performing a risk assessment operation, comprising: receiving a stream of data via a protected endpoint of a plurality of protected endpoints, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device; enriching data associated with each of the plurality of events to provide enriched data associated with each of the plurality of events; extracting features from the plurality of events using the enriched data associated with each of the plurality of events to provide extracted features from the plurality of events; storing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events within a datastore; performing a probability distribution operation on the enriched data, the probability distribution operation analyzing probability distributions of the extracted features extracted from the plurality of events; the probability distribution operation comprising a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window across a sequence of time windows, the scoring container being implemented as one or both of a percentile container and a delta container, the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore; generating a risk score for the user, the risk score using the extracted features from the plurality of events and the probability distribution; and, performing the risk assessment operation via a security analytics system based upon the enriched events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score, the plurality of protected endpoints communicating with the security analytics system via a network, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user.
The limitations directed towards enriching data associated with each of the plurality of events to provide enriched data associated with each of the plurality of events, extracting features from the plurality of events using the enriched data associated with each of the plurality of events, performing a probability distribution operation on the enriched data, the probability distribution operation analyzing probability distributions of the extracted features extracted from the plurality of events; the probability distribution operation comprising a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window across a sequence of time windows, the scoring container being implemented as one or both of a percentile container and a delta container, generating a risk score for the user, the risk score using the extracted features from the plurality of events and the probability distribution, and performing the risk assessment operation based upon the enriched events, the risk assessment operation taking into account the risk score is a process that, under its broadest reasonable interpretation, covers performance of these limitations in the mind but for the recitation of generic computer components.
That is, other than reciting a computer-implementable method for performing a risk assessment operation, comprising: receiving a stream of data via a protected endpoint of a plurality of protected endpoints, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device, storing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events within a datastore, the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore, a security analytics system, the security analytics system executing on a hardware processor, the plurality of protected endpoints communicating with the security analytics system via a network, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user, nothing in the claim precludes these steps from practically being performed in the mind and/or by a human with pen and paper.
For example, but for the limitations stating “a computer-implementable method for performing a risk assessment operation, comprising: receiving a stream of data via a protected endpoint of a plurality of protected endpoints, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device”, “storing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events within a datastore”, “the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore”, “a security analytics system”, “the security analytics system executing on a hardware processor”, “the plurality of protected endpoints communicating with the security analytics system via a network”, and “the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user”, the mention of “enriching”, “extracting”, “generating”, “performing”, and “the probability distribution operation analyzing probability distributions of the extracted features extracted from the plurality of events; the probability distribution operation comprising a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window across a sequence of time windows, the scoring container being implemented as one or both of a percentile container and a delta container” in the context of this claim, encompasses a user mentally augmenting data tied to a plurality of events and using that augmented data to mentally generate event data based on features of those events using the augmented data to mentally make a risk assessment based on a score and a probability distribution. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
The judicial exception is not integrated into a practical application by additional elements. In particular, claim 21 recites a computer-implementable method for performing a risk assessment operation, comprising: receiving a stream of data via a protected endpoint of a plurality of protected endpoints, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device, storing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events within a datastore, the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore, a security analytics system, the security analytics system executing on a hardware processor, the plurality of protected endpoints communicating with the security analytics system via a network, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user. 
A computer-implementable method for performing a risk assessment operation, an electronic device, a computer system, a hardware processor, a security analytics system, a datastore, and a network, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user as recited in claim 21 are recited at a high level of generality (i.e., as a generic computer performing a generic computer function of receiving). Receiving a stream of data via a protected endpoint of a plurality of protected endpoints, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device, storing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events within a datastore, a security analytics system, the protected endpoint communicating with the security analytics system via a network, the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, and the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore, are considered by the examiner to be mere data gathering such that they amount to no more than insignificant extra-solution activity.
These elements do not integrate the abstract idea into a practical application because they do not impose a meaningful limit on the judicial exception and merely confine the claim to a particular technological environment or field of use for data gathering in conjunction with the abstract idea.
These claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements, a computer-implementable method for performing a risk assessment operation, an electronic device, a computer system, a hardware processor, a security analytics system, a datastore, and a network, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user as recited in claim 21, are recited at a high level of generality to apply the exception using generic computer components. Receiving a stream of data via a protected endpoint of a plurality of protected endpoints, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device, storing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events within a datastore, a security analytics system, the protected endpoint communicating with the security analytics system via a network, the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, and the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore, are interpreted to be well-understood, routine and conventional activity (receiving or transmitting data over a network, e.g., using the Internet to gather data, Symantec (see MPEP 2106.05(d))). Mere instructions to apply an exception using generic computer components cannot provide an inventive concept. To further elaborate, the additional limitation of a computer-implementable method for performing a risk assessment operation, comprising: receiving a stream of data via a protected endpoint of a plurality of protected endpoints, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device, storing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events within a datastore, the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore, a security analytics system, the security analytics system executing on a hardware processor, the plurality of protected endpoints communicating with the security analytics system via a network, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user does not impose a meaningful limit on the judicial exception and merely confines the claim to a particular technological environment or field of use. Claim 21 is not patent eligible.
With respect to claim 27, the claim recites a system comprising: a processor; a data bus coupled to the processor; and a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code for performing a risk assessment operation interacting with a plurality of computer operations and comprising instructions executable by the processor and configured for: receiving a stream of data via a protected endpoint of a plurality of protected endpoints, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device; enriching data associated with each of the plurality of events to provide enriched data associated with each of the plurality of events; extracting features from the plurality of events using the enriched data associated with each of the plurality of events to provide extracted features from the plurality of events; storing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events within a datastore; performing a probability distribution operation on the enriched data, the probability distribution operation analyzing probability distributions of the extracted features extracted from the plurality of events; the probability distribution operation comprising a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window across a sequence of time windows, the scoring container being implemented as one or both of a percentile container and a delta container; generating a risk score for the user, the risk score using the extracted features from the plurality of events and the probability distribution; and, performing the risk assessment operation via a security analytics system based upon the enriched events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score, the plurality of protected endpoints communicating with the security analytics system via a network.
The limitations directed towards enriching data associated with each of the plurality of events to provide enriched data associated with each of the plurality of events, extracting features from the plurality of events using the enriched data associated with each of the plurality of events, performing a probability distribution operation on the enriched data, the probability distribution operation analyzing probability distributions of the extracted features extracted from the plurality of events; the probability distribution operation comprising a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window across a sequence of time windows, the scoring container being implemented as one or both of a percentile container and a delta container, generating a risk score for the user, the risk score using the extracted features from the plurality of events and the probability distribution, and performing the risk assessment operation based upon the enriched events, the risk assessment operation taking into account the risk score is a process that, under its broadest reasonable interpretation, covers performance of these limitations in the mind but for the recitation of generic computer components.
That is, other than reciting a system comprising: a processor; a data bus coupled to the processor; and a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code for performing a risk assessment operation interacting with a plurality of computer operations and comprising instructions executable by the processor and configured for: receiving a stream of data via a protected endpoint of a plurality of protected endpoints, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device, storing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events within a datastore, the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore, a security analytics system, the security analytics system executing on a hardware processor, the plurality of protected endpoints communicating with the security analytics system via a network, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user, nothing in the claim precludes these steps from practically being performed in the mind and/or by a human with pen and paper.
For example, but for the limitations stating “a system comprising: a processor; a data bus coupled to the processor; and a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code for performing a risk assessment operation interacting with a plurality of computer operations and comprising instructions executable by the processor and configured for: receiving a stream of data via a protected endpoint of a plurality of protected endpoints, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device”, “storing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events within a datastore”, “the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore”, “a security analytics system”, “the security analytics system executing on a hardware processor”, and “the plurality of protected endpoints communicating with the security analytics system via a network, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user”, the mention of “enriching”, “extracting”, “generating”, and “performing” in the context of this claim, encompasses a user mentally augmenting data tied to a plurality of events and using that augmented data to mentally generate event data based on features of those events using the augmented data to mentally make a risk assessment based on a score and a probability distribution. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
The judicial exception is not integrated into a practical application by additional elements. In particular, claim 27 recites “a system comprising: a processor; a data bus coupled to the processor; and a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code for performing a risk assessment operation interacting with a plurality of computer operations and comprising instructions executable by the processor and configured for: receiving a stream of data via a protected endpoint of a plurality of protected endpoints, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device”, “storing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events within a datastore”, “the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore”, “a security analytics system”, “the security analytics system executing on a hardware processor”, and “the plurality of protected endpoints communicating with the security analytics system via a network, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user”. A system comprising: a processor; a data bus coupled to the processor; and a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code for performing a risk assessment operation interacting with a plurality of computer operations and comprising instructions executable by the processor, an electronic device, a computer system, a hardware processor, a security analytics system, a datastore, and a network, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user as recited in claim 27 are recited at a high level of generality (i.e., as a generic computer performing a generic computer function of receiving). Receiving a stream of data via a protected endpoint of a plurality of protected endpoints, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device, storing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events within a datastore, the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore, a security analytics system, and the protected endpoint communicating with the security analytics system via a network are considered by the examiner to be mere data gathering such that they amount to no more than insignificant extra-solution activity. These elements do not integrate the abstract idea into a practical application because they do not impose a meaningful limit on the judicial exception and merely confine the claim to a particular technological environment or field of use for data gathering in conjunction with the abstract idea.
These claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements, a system comprising: a processor; a data bus coupled to the processor; and a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code for performing a risk assessment operation interacting with a plurality of computer operations and comprising instructions executable by the processor, an electronic device, a computer system, a hardware processor, a security analytics system, a datastore, and a network, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user as recited in claim 27 is recited at a high level of generality to apply the exception using generic computer components. 
Receiving a stream of data via a protected endpoint of a plurality of protected endpoints, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device, storing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events within a datastore, the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore, a security analytics system, and the protected endpoint communicating with the security analytics system via a network is interpreted to be well understood, routine and conventional activity (Receiving or transmitting data over a network e.g., using the internet to gather data, Symantec (see MPEP 2106.05(d))). Mere instructions to apply an exception using generic computer components cannot provide an inventive concept. 
To further elaborate, the additional limitation of “a system comprising: a processor; a data bus coupled to the processor; and a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code for performing a risk assessment operation interacting with a plurality of computer operations and comprising instructions executable by the processor and configured for: receiving a stream of data via a protected endpoint of a plurality of protected endpoints, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device”, “storing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events within a datastore”, “the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore”, “a security analytics system”, “the security analytics system executing on a hardware processor”, and “the plurality of protected endpoints communicating with the security analytics system via a network, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user” does not impose a meaningful limit on the judicial exception and merely confines the claim to a particular technological environment or field of use. Claim 27 is not patent eligible.
With respect to claim 33, the claim recites a non-transitory, computer-readable storage medium embodying computer program code for performing a risk assessment operation, the computer program code comprising computer executable instructions configured for: receiving a stream of data via a protected endpoint of a plurality of protected endpoints, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device; enriching data associated with each of the plurality of events to provide enriched data associated with each of the plurality of events; extracting features from the plurality of events using the enriched data associated with each of the plurality of events to provide extracted features from the plurality of events; storing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events within a datastore; performing a probability distribution operation on the enriched data, the probability distribution operation analyzing probability distributions of the extracted features extracted from the plurality of events, the probability distribution operation comprising a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window across a sequence of time windows, the scoring container being implemented as one or both of a percentile container and a delta container, the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore; generating a risk score for the user, the risk score using the extracted features from the plurality of events and the probability distribution; and, performing the risk assessment operation via a security analytics system based upon the enriched events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score, the plurality of protected endpoints communicating with the security analytics system via a network, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user.
The limitations directed towards enriching data associated with each of the plurality of events to provide enriched data associated with each of the plurality of events, extracting features from the plurality of events using the enriched data associated with each of the plurality of events, performing a probability distribution operation on the enriched data, the probability distribution operation analyzing probability distributions of the extracted features extracted from the plurality of events, the probability distribution operation comprising a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window across a sequence of time windows, the scoring container being implemented as one or both of a percentile container and a delta container, generating a risk score for the user, the risk score using the extracted features from the plurality of events and the probability distribution, and performing the risk assessment operation based upon the enriched events, the risk assessment operation taking into account the risk score, is a process that, under its broadest reasonable interpretation, covers performance of these limitations in the mind but for the recitation of generic computer components.
That is, other than reciting a non-transitory, computer-readable storage medium embodying computer program code for performing a risk assessment operation, the computer program code comprising computer executable instructions configured for: receiving a stream of data via a protected endpoint of a plurality of protected endpoints, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device, storing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events within a datastore, the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore, a security analytics system, the security analytics system executing on a hardware processor, the plurality of protected endpoints communicating with the security analytics system via a network, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user, nothing in the claim precludes these steps from practically being performed in the mind and/or by a human with pen and paper.
For example, but for the limitations stating “a non-transitory, computer-readable storage medium embodying computer program code for performing a risk assessment operation, the computer program code comprising computer executable instructions configured for: receiving a stream of data via a protected endpoint of a plurality of protected endpoints, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device”, “storing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events within a datastore”, “the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore”, “a security analytics system”, “the security analytics system executing on a hardware processor”, “the plurality of protected endpoints communicating with the security analytics system via a network”, and “the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user”, the mention of “enriching”, “extracting”, “generating”, “performing”, and “the probability distribution operation comprising a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window across a sequence of time windows, the scoring container being implemented as one or both of a percentile container and a delta container” in the context of this claim encompasses a user mentally augmenting data tied to a plurality of events, using that augmented data to mentally generate event data based on features of those events, and using the augmented data to mentally make a risk assessment based on a score and a probability distribution. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
The judicial exception is not integrated into a practical application by additional elements. In particular, claim 33 recites “a non-transitory, computer-readable storage medium embodying computer program code for performing a risk assessment operation, the computer program code comprising computer executable instructions configured for: receiving a stream of data via a protected endpoint of a plurality of protected endpoints, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device”, “storing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events within a datastore”, “the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore”, “a security analytics system”, “the security analytics system executing on a hardware processor”, “the plurality of protected endpoints communicating with the security analytics system via a network”, and “the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user”.
A non-transitory, computer-readable storage medium embodying computer program code for performing a risk assessment operation, the computer program code comprising computer executable instructions, an electronic device, a computer system, a hardware processor, a security analytics system, a datastore, and a network, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user as recited in claim 33 is recited at a high level of generality (i.e., as a generic computer performing a generic computer function of receiving). Receiving a stream of data via a protected endpoint of a plurality of protected endpoints, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device, storing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events within a datastore, the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore, a security analytics system, and the protected endpoint communicating with the security analytics system via a network is considered by the examiner to be mere data gathering such that it amounts to no more than insignificant extra-solution activity. These elements do not integrate the abstract idea into a practical application because they do not impose a meaningful limit on the judicial exception and merely confine the claim to a particular technological environment or field of use for data gathering in conjunction with the abstract idea.
These claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements, a non-transitory, computer-readable storage medium embodying computer program code for performing a risk assessment operation, the computer program code comprising computer executable instructions, an electronic device, a computer system, a hardware processor, a security analytics system, a datastore, and a network, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user as recited in claim 33 is recited at a high level of generality to apply the exception using generic computer components. Receiving a stream of data via a protected endpoint of a plurality of protected endpoints, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device, storing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events within a datastore, the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore, a security analytics system, and the protected endpoint communicating with the security analytics system via a network is interpreted to be well understood, routine and conventional activity (receiving or transmitting data over a network, e.g., using the internet to gather data, Symantec (see MPEP 2106.05(d))). Mere instructions to apply an exception using generic computer components cannot provide an inventive concept.
To further elaborate, the additional limitation of “a non-transitory, computer-readable storage medium embodying computer program code for performing a risk assessment operation, the computer program code comprising computer executable instructions configured for: receiving a stream of data via a protected endpoint of a plurality of protected endpoints, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device”, “storing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events within a datastore”, “the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore”, “a security analytics system”, “the security analytics system executing on a hardware processor”, “the plurality of protected endpoints communicating with the security analytics system via a network”, and “the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user” does not impose a meaningful limit on the judicial exception and merely confines the claim to a particular technological environment or field of use. Claim 33 is not patent eligible.
With respect to claims 22, 28, and 34, the limitations are directed towards analyzing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events when performing a security analytics operation. These elements further elaborate the abstract idea and merely confine the claim to a particular technological environment or field of use. Therefore, claims 22, 28, and 34 do not recite additional limitations which tie the abstract idea into a practical application and do not amount to significantly more than the identified judicial exception.
With respect to claims 23, 29, and 35, the limitations are directed towards extracting features comprising performing transformation operations on certain features associated with an event to generate a smaller set of derived features. These elements further elaborate the abstract idea, and the human mind and/or a human with pen and paper can extract features by performing transformation operations on certain features associated with an event to generate a smaller set of derived features. Therefore, claims 23, 29, and 35 do not recite additional limitations which tie the abstract idea into a practical application and do not amount to significantly more than the identified judicial exception.
With respect to claims 24, 30, and 36, the limitations are directed towards the feature associated with the event comprising at least one of a number of bytes uploaded, a time of day, a presence of certain terms in unstructured content, respective domains associated with senders and recipients of information, and a Uniform Resource Locator (URL) classification of a web page visit. These elements further elaborate the abstract idea and merely confine the claim to a particular technological environment or field of use. Therefore, claims 24, 30, and 36 do not recite additional limitations which tie the abstract idea into a practical application and do not amount to significantly more than the identified judicial exception.
With respect to claims 25, 31, and 37, the limitations are directed towards the enriching data comprising at least one of validating event data associated with at least some of the plurality of events; disclaiming certain event data associated with at least some of the plurality of events; deduplicating at least some of the plurality of events; performing an entity resolution operation on at least some of the plurality of events; performing an attachment enrichment operation on data associated with at least some of the plurality of events; and, performing a domain enrichment on at least some of the plurality of events. The elements directed towards enriching data comprising at least one of validating event data associated with at least some of the plurality of events, disclaiming certain event data associated with at least some of the plurality of events, deduplicating at least some of the plurality of events, and performing an entity resolution operation on at least some of the plurality of events further elaborate the abstract idea, and the human mind and/or a human with pen and paper can validate event data associated with at least some of the plurality of events, disclaim certain event data associated with at least some of the plurality of events, deduplicate at least some of the plurality of events, and perform an entity resolution operation on at least some of the plurality of events. The elements directed towards enriching data comprising performing an attachment enrichment operation on data associated with at least some of the plurality of events and performing a domain enrichment on at least some of the plurality of events appear to be insignificant extra-solution activity and are interpreted to be well understood, routine and conventional activity (storing and retrieving information in memory, Versata Dev. Group, Inc. v. SAP Am., Inc. (see MPEP 2106.05(d))).
Therefore, claims 25, 31, and 37 do not recite additional limitations which tie the abstract idea into a practical application and do not amount to significantly more than the identified judicial exception.
With respect to claims 26, 32, and 38, the limitations are directed towards labeling at least some of the plurality of events prior to extracting features from the plurality of events. These elements further elaborate the abstract idea, and the human mind and/or a human with pen and paper can label at least some of the plurality of events prior to extracting features from the plurality of events. Therefore, claims 24, 30, and 36 do not recite additional limitations which tie the abstract idea into a practical application and do not amount to significantly more than the identified judicial exception.
With respect to claim 39, the limitations are directed towards the computer executable instructions being deployable to a client system from a server system at a remote location. These elements further elaborate the abstract idea and merely confine the claim to a particular technological environment or field of use. Therefore, claim 39 does not recite additional limitations which tie the abstract idea into a practical application and does not amount to significantly more than the identified judicial exception.
With respect to claim 40, the limitations are directed towards the executable instructions being provided by a service provider to a user on an on-demand basis. These elements further elaborate the abstract idea and merely confine the claim to a particular technological environment or field of use. Therefore, claim 40 does not recite additional limitations which tie the abstract idea into a practical application and does not amount to significantly more than the identified judicial exception.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claim(s) 21-38 is/are rejected under 35 U.S.C. 103 as being unpatentable over Puri et al. (US 20160371489 A1) hereinafter Puri, in view of Holeman et al. (U.S. Publication No.: US 20180191766 A1) hereinafter Holeman, in view of Hu et al. (U.S. Publication No.: US 20180204215 A1) hereinafter Hu, in view of Epple et al. (U.S. Publication No.: US 20190245894 A1) hereinafter Epple, and further in view of Zimmerman et al. (U.S. Publication No.: US 20180027006 A1) hereinafter Zimmermann.
As to claim 21:
Puri discloses:
A computer-implementable method for performing a risk assessment operation, comprising [Paragraph 0051 teaches incoming data 118 may be analyzed for anomalies by the data anomaly analyzer 116 using graph matching, pattern recognition, or other techniques, such as correlation algorithms, to extract anomalies and risks. Paragraph 0096 teaches categorizations may be fed into a real-time CEP engine to generate rules to grade new events for a given time of a day to aid analysts and help provide context to risk assessments. Paragraph 0118 teaches that methods, functions and other processes may be embodied as machine readable instructions stored on a computer readable medium, which may be non-transitory.]:
enriching data associated with each of the plurality of events to provide enriched data associated with each of the plurality of events [Paragraph 0080 teaches CEP 252 may be described as tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns that suggest more complicated circumstances. An example may include validating security events against previously verified breaches of information in real time to assess new threats. Paragraph 0081 teaches a map/reduce job may take a relatively long time to execute based on the amount of data and the complexity of the algorithms in the map/reduce job; in contrast, the CEP 252 operates on one record at a time. Each record or event (in a file) may be consumed by the CEP 252 and is pre-processed (i.e., the data is enriched by adding to it or transforming it).
Note: The examiner interprets pre-processing each record or event to enrich data by adding to it or transforming it to be the claimed enriching data associated with each of the plurality of events to provide enriched data, wherein the streams of event data tracked and processed by the CEP is interpreted to be the claimed plurality of events and validating security events is interpreted to be the claimed enriching data associated with each of the plurality of events.]
extracting features from the plurality of events using the enriched data associated with each of the plurality of events to provide extracted features from the plurality of events [Paragraph 0026 teaches the apparatus and methods disclosed herein may deploy a differentiated technology asset that may effectively capture, learn, discover and provide actionable contextually relevant security information. Paragraph 0051 teaches data present in log files may be characterized by log traces containing unique identifiers, timestamps, events, and actions… the incoming data 118 may be analyzed for anomalies by the data anomaly analyzer 116 using graph matching, pattern recognition, or other techniques, such as correlation algorithms, to extract anomalies and risks. Paragraph 0097 teaches that in addition to mining, analytics may be performed on learned graphs to extract anomalous behaviors.
Note: The examiner interprets the anomalies and risks to be the claimed extracting features from the plurality of events using the enriched data associated with each of the plurality of events. Timestamps used in the analysis to extract anomalies and risks are interpreted to be the claimed extracting features from the plurality of events using the enriched data. The examiner also interprets incoming data, i.e., data present in log files containing events, to be the claimed plurality of events. Pre-processing steps are interpreted to be included in effectively capturing, learning, discovering and providing actionable contextually relevant security information, therefore teaching the claimed provide enriched data associated with each of the plurality of events.];
storing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events within a datastore [Paragraph 0024 teaches CEP may be described as tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns. Paragraph 0078 teaches when an anomalous event is encountered, the anomalous event may be flagged and stored in the IMDB 254. In response to a determination that there is a pattern match, the event is flagged as an anomalous event and stored in the IMDB 254. Paragraph 0082 teaches the IMDB 254 may be described as a database management system that relies primarily on main memory for data storage.
Note: The examiner interprets the encountered anomalous event to be the claimed extracted features and the streams of event data tracked and processed by the CEP is interpreted to be the claimed plurality of events. Flagging and storing the anomalous events in the IMDB is interpreted to be the claimed storing the enriched data within a datastore.]
performing the risk assessment operation via a security analytics system based upon the enriched events [Paragraph 0019 teaches an event anomaly analysis and prediction apparatus. The apparatus provides for the extraction of correlations between trace events within a log and the information surrounding the correlations such as probability of occurrence of trace log events, probability of transitions between particular trace log events, execution times of trace log events, and anomalous occurrences of trace log events. Paragraph 0051 teaches incoming data 118 may be analyzed for anomalies by the data anomaly analyzer 116 using graph matching, pattern recognition, or other techniques, such as correlation algorithms, to extract anomalies and risks. Paragraph 0096 teaches categorizations may be fed into a real-time CEP engine to generate rules to grade new events for a given time of a day to aid analysts and help provide context to risk assessments. 
Note: The examiner interprets extracting risks and providing context to risk assessments as reading on the claimed risk assessment operation, and an event anomaly analysis and prediction apparatus that includes a data anomaly analyzer is interpreted to be the claimed security analytics system. The event anomaly analysis and prediction apparatus that includes a data anomaly analyzer that extracts anomalies and risks and provides context to risk assessments, all based on events, is interpreted to read on the claimed risk assessment operation based upon the enriched events.]

Puri discloses some of the limitations as set forth in claim 1 but does not appear to expressly disclose receiving a stream of data via a protected endpoint, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the plurality of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device, the probability distribution operation comprising a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window across a sequence of time windows, the scoring container being implemented as one or both of a percentile container and a delta container, the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore, the protected endpoint communicating with the security analytics system via a network, performing a probability distribution operation on the enriched data, the probability distribution operation analyzing probability distributions of the extracted features extracted from the plurality of events, generating a risk score for the user, the risk score using the extracted features from the plurality of events and the probability distribution, and performing a risk assessment operation via a security analytics system based upon the enriched events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user.
Holeman discloses:
receiving a stream of data via a protected endpoint, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the plurality of events corresponding to user actions [Paragraph 0053 teaches user activity sensors 470 include computer program instructions that are executable to collect information relating to users of endpoint computer system 120. For example, in various embodiments, sensors 470 may indicate what users are currently logged in to endpoint computer system 120 and whether each login is local or remote. Sensors 470 may further indicate associated account attribution for observed network activity such as identifying which logged-in users or accounts correspond to particular observed network activity. Paragraph 0054 teaches sensors 470 may also collect information about the activities of users. For example, sensors 470 may collect information relating to user activity or inactivity, such as whether there is any input being supplied by the user (e.g., through user interface devices 370). Sensors 470 may also determine what user processes are in the foreground (e.g., the identity of the process associated with a currently active window, such as a word processing program to which the user is currently inputting text, as compared to other processes running in the background). Note: The cited sensors as part of the endpoint computer system 120 collecting information about the activities of users is interpreted to read on the claimed identifying a plurality of events from the interactions by the user, at least some of the plurality of events corresponding to user actions. 
The cited endpoint computer system 120 is interpreted to read on the claimed the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, and information collected representing user activity is interpreted to read on the claimed receiving a stream of data via a protected endpoint, the stream of data representing electronically-observable interactions by a user.], the protected endpoint comprising an endpoint device and an endpoint agent [Paragraph 0032 teaches an endpoint analysis agent may be implemented on an endpoint computer system in a variety of ways, as illustrated by FIG. 2. Note: The examiner interprets the endpoint analysis agent implemented on an endpoint computer system reads on the claimed the protected endpoint comprising an endpoint device and an endpoint agent.], the endpoint agent executing on a hardware processor of the endpoint device [Paragraph 0033 teaches in the depicted configuration (Figure 2), endpoint computer system 120 includes a hardware layer 240, which includes the actual underlying hardware of the system that supports process execution (e.g., processors, memory), and is discussed further with reference to FIG. 3. Endpoint computer system 120 further includes an operating system layer 220 that supports multiple system and application processes 212, including, in some embodiments, an endpoint analysis agent process.], 
the protected endpoint communicating with the security analytics system via a network [FIG. 3 shows a block diagram of a system 300 that includes an exemplary endpoint computer system. In this particular configuration, endpoint analysis agent 340 is implemented in software. Paragraph 0067 teaches endpoint analysis agent 340 is operable to collect endpoint information, package that information (or a subset of that information) in one or more network flow data records, and send those records to network 110, where it may be received either by network flow analyzer 106, or by network flow collector 104, where it may be ultimately forwarded to analyzer 106. Paragraph 0068 teaches network flow analyzer 106 includes flow matching module 510, threat and anomaly detection module 520, and risk analysis module 530. Note: Endpoint computer system with an endpoint analysis agent 340 implemented in software collecting endpoint information via the endpoint analysis agent 340 and sending those records to network 110 where it is received by network flow analyzer 106 is interpreted to read on the claimed the protected endpoint communicating with the security analytics system via a network. The endpoint computer system with an endpoint analysis agent is interpreted to be the claimed protected endpoint and the network flow analyzer is interpreted to be the claimed security analytics system. Network 110 used to send records from the endpoint computer system to the network flow analyzer is interpreted to be the claimed network.]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teaching of the cited references and modify the invention as taught by Puri, by incorporating endpoint analysis agents running on a computer system to collect data associated with user activity, as taught by Holeman (Paragraph 0032, 0033, 0053, 0054, 0067, 0068, 0080, 0086, Figure 2, and Figure 3), because both applications are directed to identifying threats to information security and storing information relating to those threats; collecting endpoint information and using it to supplement network flow analysis has a number of potential benefits. Because a richer data set providing additional relevant context is being utilized, incidents of false positives for potential network security incidents may be reduced (see Holeman Paragraph 0027).

Puri and Holeman disclose most of the limitations as set forth in claim 21 but do not appear to expressly disclose performing a probability distribution operation on the enriched data, the probability distribution operation analyzing probability distributions of the extracted features extracted from the plurality of events, the probability distribution operation comprising a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window across a sequence of time windows, the scoring container being implemented as one or both of a percentile container and a delta container, the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore, generating a risk score for the user, the risk score using the extracted features from the plurality of events and the probability distribution, and performing a risk assessment operation via a security analytics system based upon the enriched events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user.
Hu discloses:
performing a probability distribution operation on the enriched events, the probability distribution operation analyzing probability distributions of the features extracted from the plurality of events [Paragraph 0004 teaches once the data structure is generated, the data structure may be organized into clusters that represent legitimate or potentially fraudulent authentication requests. Paragraph 0025 teaches a “cluster” of data elements (nodes) can refer to a collection of overlapped bindings or that overlap on certain data elements. Paragraph 0029 teaches the data structure can be generated from a plurality of authentication requests that are associated with a resource identifier (e.g., a user account of a computer resource). The data structure can be generated using data elements associated with access requests, where the data elements form nodes within the data structure. Sets of nodes within the data structure can be identified as belonging to certain clusters, e.g., each corresponding to a different legitimate or fraudulent actor. Paragraph 0095 teaches strength of a matching data elements can allow a new data element in a same request to be added to the baseline. For example, the strength scores can be added for each matching data element, and the total score can be required to be above a certain threshold before new data elements are added to a legitimate cluster, which may be the baseline or another cluster corresponding to a different legitimate user than the one who specified data elements at the time of creation/registration of the resource. Paragraph 0098 teaches clusters representing suspicious or fraudulent transactions may also be identified. For example, in FIG. 4, cluster 406(b) can be identified as fraudulent because only two transactions have been conducted, and the data elements 402 are not consistent with the data elements in baseline cluster 406(a). 
The categorization of fraudulent could change at a later time, e.g., if additional requests included data elements from a legitimate cluster. Paragraph 0099 teaches the data elements of a fraudulent cluster can also have scores, e.g., negative numbers showing a weakness of the data element being part of a valid request. These score could contribute to determining whether a new authentication request is legitimate, e.g., if the new request included one or more data elements of a legitimate cluster and one or more data elements of a fraudulent cluster. Paragraph 0106 teaches the comparison can proceed as follows. When an access request is received, embodiments can determine a Degree of Affiliation (DoA) to a baseline cluster on every possible combination of the binding in current transactional elements. Paragraph 0107 teaches summing all the weights together provides a measure of the affiliation on a current request to its historical events from that resource identifier. This example measurement can compare all requests and learn the optimal threshold for decision. The threshold can be a percentile of the current calculated DoA's relative position in all observed/calculated DoAs from all requests. The value of DoA could be positive or negative. The larger the positive value is, the higher the probability of a current request being affiliated with a legitimate cluster, and the smaller the negative value is, the higher the probability of a current request being affiliated with a fraudulent cluster. Paragraph 0141 teaches categorization module 1210 can categorize the nodes in the data structure into clusters… update module 1218 can determine whether new nodes should be added to an existing cluster or used to create a new cluster.
Note: Access requests associated with data elements are interpreted to be the claimed plurality of events. Access requests, whether legitimate or fraudulent, placed into clusters are interpreted to read on the claimed constructing a distribution of the features from the plurality of events, and events that are determined to be legitimate or fraudulent are interpreted to be enriched events. The Degree of Affiliation, in the context of the cited art, is interpreted to be a score wherein the value of DoA could be positive or negative. The DoA/score representing a probability of a current request (event) being affiliated with a legitimate cluster or fraudulent cluster is interpreted to read on the claimed performing a probability distribution operation on the enriched events, the probability distribution operation analyzing probability distributions of the features extracted from the plurality of events. In other words, the DoA/score provides a probability that the new transaction (event) contains elements that are deemed legitimate or fraudulent, given that data elements of a fraudulent cluster can also have scores, e.g., negative numbers showing a weakness of the data element being part of a valid request. These scores could contribute to determining whether a new authentication request is legitimate, and the cited scores are interpreted to be a result of the claimed analyzing probability distributions of the features extracted from the plurality of events. To further elaborate, the scores are a result of an analysis of the fraudulent clusters (probability distribution). The process, including deriving scores based on features of events in a fraudulent cluster and determining whether incoming requests (events) are legitimate or fraudulent based on a DoA/score, is interpreted to be the claimed performing a probability distribution operation.] 
the probability distribution operation comprising a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window [Paragraph 0004 teaches once the data structure is generated, the data structure may be organized into clusters that represent legitimate or potentially fraudulent authentication requests. Paragraph 0025 teaches a “cluster” of data elements (nodes) can refer to a collection of overlapped bindings or that overlap on certain data elements. Paragraph 0029 teaches the data structure can be generated from a plurality of authentication requests that are associated with a resource identifier (e.g., a user account of a computer resource). The data structure can be generated using data elements associated with access requests, where the data elements form nodes within the data structure. Sets of nodes within the data structure can be identified as belonging to certain clusters, e.g., each corresponding to a different legitimate or fraudulent actor. Paragraph 0095 teaches strength of a matching data elements can allow a new data element in a same request to be added to the baseline. For example, the strength scores can be added for each matching data element, and the total score can be required to be above a certain threshold before new data elements are added to a legitimate cluster, which may be the baseline or another cluster corresponding to a different legitimate user than the one who specified data elements at the time of creation/registration of the resource. Paragraph 0098 teaches clusters representing suspicious or fraudulent transactions may also be identified. For example, in FIG. 4, cluster 406(b) can be identified as fraudulent because only two transactions have been conducted, and the data elements 402 are not consistent with the data elements in baseline cluster 406(a). 
The categorization of fraudulent could change at a later time, e.g., if additional requests included data elements from a legitimate cluster. Paragraph 0099 teaches the data elements of a fraudulent cluster can also have scores, e.g., negative numbers showing a weakness of the data element being part of a valid request. These score could contribute to determining whether a new authentication request is legitimate, e.g., if the new request included one or more data elements of a legitimate cluster and one or more data elements of a fraudulent cluster. Paragraph 0106 teaches the comparison can proceed as follows. When an access request is received, embodiments can determine a Degree of Affiliation (DoA) to a baseline cluster on every possible combination of the binding in current transactional elements. Paragraph 0107 teaches summing all the weights together provides a measure of the affiliation on a current request to its historical events from that resource identifier. This example measurement can compare all requests and learn the optimal threshold for decision. The threshold can be a percentile of the current calculated DoA's relative position in all observed/calculated DoAs from all requests. The value of DoA could be positive or negative. The larger the positive value is, the higher the probability of a current request being affiliated with a legitimate cluster, and the smaller the negative value is, the higher the probability of a current request being affiliated with a fraudulent cluster. Paragraph 0141 teaches categorization module 1210 can categorize the nodes in the data structure into clusters… update module 1218 can determine whether new nodes should be added to an existing cluster or used to create a new cluster.
Note: Access requests associated with data elements are interpreted to be the claimed plurality of events. Access requests, whether legitimate or fraudulent, placed into clusters are interpreted to read on the claimed constructing a distribution of the features from the plurality of events. The categorization module configured to allow for categorization changes (updates) and to categorize the nodes/data elements into clusters is interpreted to read on the claimed distribution of the features being constructed via a scoring container update operation. Categorization is interpreted to be the scoring container update operation, and legitimate clusters and fraudulent clusters are interpreted to be the claimed scoring containers, wherein the clusters are configured to have data elements that have scores, e.g., negative numbers showing a weakness of the data element being part of a valid request. These scores could contribute to determining whether a new authentication request is legitimate, e.g., if the new request included one or more data elements of a legitimate cluster and one or more data elements of a fraudulent cluster. The Degree of Affiliation, in the context of the cited art, is interpreted to be a score wherein the value of DoA could be positive or negative, similar to the cited score. The DoA/score representing a probability of a current request being affiliated with a legitimate cluster or fraudulent cluster is interpreted to read on the claimed a scoring container to provide an approximation of a probability distribution of the features from the plurality of events, wherein the DoA/score associated with the cluster is interpreted to be the claimed scoring container to provide an approximation of a probability distribution. 
“t” corresponding to a moving window to calculate the DoA/score for new transactions to determine the appropriate cluster, as shown in the formula in Paragraph 0106 of the cited prior art, is interpreted to read on the claimed plurality of events for a particular time window. The cited time window is interpreted to be used in the determination of the DoA/score, which provides a probability that the new transaction contains elements that are deemed legitimate or fraudulent.]; across a sequence of time windows [Paragraph 0106 teaches “t” corresponds to a moving time window on timeline backward, e.g., a weekly window. “H” stands for Historical time. Note: “t” and “H” representing two time windows are interpreted to read on the claimed across a sequence of time windows.], the scoring container being implemented as one or both of a percentile container [Paragraph 0089 teaches the amount can be a number of the one or more current data elements that match the existing nodes of the existing cluster, or a percentage of the one or more current data elements that match the existing nodes of the existing cluster. Paragraph 0095 teaches strength of a matching data elements can allow a new data element in a same request to be added to the baseline. For example, the strength scores can be added for each matching data element, and the total score can be required to be above a certain threshold before new data elements are added to a legitimate cluster. Paragraph 0099 teaches the data elements of a fraudulent cluster can also have scores, e.g., negative numbers showing a weakness of the data element being part of a valid request. These score could contribute to determining whether a new authentication request is legitimate, e.g., if the new request included one or more data elements of a legitimate cluster and one or more data elements of a fraudulent cluster. 
Note: Clusters that contain score elements with an indication of a percentage of the one or more current data elements that match the existing nodes of the existing cluster reads on the claimed scoring container being implemented as a percentile container.], the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations [Paragraph 0089 teaches the amount can be a number of the one or more current data elements that match the existing nodes of the existing cluster, or a percentage of the one or more current data elements that match the existing nodes of the existing cluster… the measurement of a matching amount of matching could be different measures with/without different units, such as a function, a probability, a score, or a rate, where units could be per give time, per given change in time, etc. Paragraph 0095 teaches strength of a matching data elements can allow a new data element in a same request to be added to the baseline. For example, the strength scores can be added for each matching data element, and the total score can be required to be above a certain threshold before new data elements are added to a legitimate cluster. Paragraph 0099 teaches the data elements of a fraudulent cluster can also have scores, e.g., negative numbers showing a weakness of the data element being part of a valid request. These score could contribute to determining whether a new authentication request is legitimate, e.g., if the new request included one or more data elements of a legitimate cluster and one or more data elements of a fraudulent cluster. 
Note: Clusters (scoring container) that contain score elements with an indication (scoring operations) of a percentage of the one or more current data elements that match the existing nodes of the existing cluster (percentile container), where matching (operations) associated with data distribution to the cluster is measured for a given time (particular period of time) in probability (probability distribution), reads on the claimed the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations.], and a delta container, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teaching of the cited references and modify the invention as taught by Puri and Holeman, by incorporating clustering transactions into clusters utilizing a Degree of Affiliation or score to show the probability of new transactions categorized as either fraudulent or legitimate, as taught by Hu (Paragraph 0004, 0025, 0029, 0095, 0098, 0099, 0106, 0107, and 0141), because all three applications are directed to identifying threats to information security and storing information relating to those threats; incorporating clustering transactions into clusters utilizing a Degree of Affiliation or score to show the probability of new transactions categorized as either fraudulent or legitimate provides protection of other resources, e.g., of a same type. For instance, the same attackers might attack other resources, and a profile (via a cluster in the data structure) can allow a server of another party to detect fraudulent requests much quicker, as the proper knowledge of the received data structure can be leveraged (see Hu Paragraph 0090).

Puri, Holeman, and Hu disclose most of the limitations as set forth in claim 21 but do not appear to expressly disclose generating a risk score for the user, the risk score using the extracted features from the plurality of events and the probability distribution, and performing a risk assessment operation via a security analytics system based upon the enriched events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user.
Epple discloses:
generating a risk score for the user, the risk score using the extracted features from the plurality of events and the probability distribution [Paragraph 0236 teaches in the threat assessment prediction module 1308, the table 1307 may also, or instead, be accessed to learn about past threat event outcomes. In such implementations, the table 1307 may include three event outcomes for the user 1010 including “Pass” for “Event 1” and “Event 2” and “Fail” for “Event 3.” In FIG. 13, it should be appreciated that the row including “Event . . . ” is a place holder for the sake of clarity of representation and represents that any number of events may be stored in the table 1307 within the bounds of the particular database technology deployed. Paragraph 0241 teaches the threat assessment prediction module 1308 may derive one or more threat assessment prediction profiles by applying one or more pattern recognition algorithms to the plurality of records of the database 1304. Such algorithms may include, for example, probabilistic inferences, anomaly detection, decision trees, training data sets, clustering, or any other suitable technique known in the art for analyzing data sets for predictive models. Paragraph 0242 teaches after at least one prediction profile has been derived, a first plurality of properties may be determined for a first user. Based on those properties and on the assessment prediction profile, the first user may be assigned an initial threat assessment metric identifying at least one predicted threat vector for the first user. Paragraph 0259 teaches the profile of the user may be based at least in part on the user's performance with respect to threat assessments and, in certain implementations, may be further based on any one or more other user risk assessments described herein. 
Paragraph 0261 teaches the exemplary method 1400 may include processing network traffic to and from the endpoint according to the adjusted profile of the user associated with the endpoint. Paragraph 0262 teaches processing the network traffic may include coloring network packets from the endpoint according to the adjusted profile of the user associated with the endpoint or a risk profile associated with the user. This may, for example, include a general risk assessment or score for the user, general or specific policy restrictions for the user (or a risk score for the user), or specific, known vulnerabilities of a user or the endpoint. 
Note: The examiner interprets the cited risk assessment or score, based on the risk profile for a user that is derived from algorithms including probabilistic inferences and clustering, as reading on the claimed generating a risk score for the user, the risk score using the extracted features from the plurality of events and the probability distribution, because the profile (or risk profile) of the user may be based at least in part on the user's performance with respect to threat assessments and, in certain implementations, may be further based on any one or more other user risk assessments described herein (one or more threat assessment prediction profiles and processing network traffic). The cited clustering and probabilistic inference (probability distribution) are interpreted as necessarily including data from database table 1307, which stores events (Event 1, Event 2, Event 3), because the threat assessment prediction module accesses the database to analyze its contents using clustering and probabilistic inference; therefore, the events that are clustered as part of the cited clustering are interpreted to be enriched events.]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teaching of the cited references and modify the invention as taught by Puri, Holeman, and Hu, by incorporating risk assessments or scores based on the risk profile for a user that is derived from algorithms that include probabilistic inferences and clustering, as taught by Epple (Paragraph 0236, 0241, 0242, 0259, 0261, and 0262), because all four applications are directed to identifying threats to information security and storing information relating to those threats; incorporating risk assessments or scores based on the risk profile for a user that is derived from algorithms that include probabilistic inferences and clustering advantageously provides improved sensitivity to such threats, as well as enabling improved remediation strategies (see Epple Paragraph 0141).

Puri, Holeman, Hu, and Epple disclose most of the limitations as set forth in claim 21 but do not appear to expressly disclose performing a risk assessment operation via a security analytics system based upon the enriched events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user.
Zimmermann discloses:
performing a risk assessment operation via a security analytics system based upon the enriched events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score [Paragraph 0007 teaches user behavior analysis (UBA). Paragraph 0011 teaches a cloud security fabric (CSF 100) that allows an enterprise to discover sensitive data, to apply policies and automation actions to data, users, and/or configurations, and make sure that regulated data is under compliance and that sensitive information is protected, so that the enterprise can enforce use policies around the data. Paragraph 0105 teaches there is value for the host or operator of the CSF 100 in the enterprise APIs 104 as well. The host or operator can perform business automation functions, such as doing an automated security assessment report for an enterprise customer. Paragraph 0114 teaches connector APIs 108 may connect to CSF through connectors 144. The CSF 100 may host various security relevant services, including security analytics services 124 (which deliver insight relating to key cloud security risks and performance indicators) and configuration management services 134 (which allow the CSF 100 to take configuration information from various sources and configure various security related modules and services in the CSF 100 or in various platforms). Paragraph 0118 teaches referring to FIG. 3, the developer APIs 102 enable developers to access capabilities and services of the modules of the CSF 100 to enable various other solutions, such as SIEMs 304, DLPs 302, UBA solutions 310. Paragraph 0132 teaches there are a number of important cyber security use cases that may benefit from improved UBA solutions, where identification of a pattern of user or machine behavior allows identification of a threat. Paragraph 0134 teaches important cyber security use cases and features may also include… risk assessment. 
Paragraph 0158 teaches one may determine a user risk score based on user behaviors and present administrators with indications of the riskiest users and/or the riskiest activities being undertaken by users. Paragraph 0557 teaches the machine learning engine 6510 may provide advanced analysis that adaptively learns, such as learning patterns in user behavior, entity behavior, and other factors to uncover pattern…. use the data collected from various platforms to profile an organization (and its users) based on behavior over a time period (such as a few months), to define a baseline profile for that organization and its users, using machine learning… involving a cluster of events (such as that mobile access is usually from home and laptop access is normally from the office), but a machine learning facility can provide an indicator of departure from a pattern, whatever it is. Paragraph 0558 teaches a user or group trust score or risk score may be calculated based on the various capabilities described. Paragraph 0599 teaches the methods and systems described herein may be deployed in part or in whole through a machine that executes computer software on a server, client, firewall, gateway, hub, router, or other such computer and/or networking hardware.
Note: Security analytics services as part of the cloud security fabric (CSF) that provides user behavior analysis (UBA) in a cyber security use case to conduct a risk assessment, wherein the risk assessment reasonably involves user behaviors associated with profiling and providing indicators of departure and riskiest behaviors used in determining a risk score that indicates the riskiest users and/or the riskiest activities being undertaken by users, reads on the claimed performing a risk assessment operation via a security analytics system based upon the enriched events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score. The cloud security fabric that includes security analytics services is interpreted to be the claimed security analytics system. The cited risk assessment involving a risk score based on indications of the riskiest users is interpreted to read on the claimed risk assessment operation. The cited profiling and providing indicators of departure and riskiest behaviors used in the user behavior analysis to determine the user risk score as part of the risk assessment is interpreted to read on the claimed performing a risk assessment operation via a security analytics system based upon the enriched events, the risk assessment operation taking into account the risk score. The CSF, including the security analytics service, deployed in part or in whole through a machine that executes computer software on a server, client, firewall, gateway, hub, router, or other such computer and/or networking hardware is interpreted to read on the claimed security analytics system executing on a hardware processor.]
the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user [Paragraph 0574 teaches analytic capabilities of the platform 6500 may include, among other things, the following: profiling and detection of outliers; detection of frequency anomalies, including by type of usage; geo-location profiling and detection of anomalies related to location; device usage; user behavior analysis, including inside threat and dormant user analysis, as well as excessive usage and data extraction anomalies; entity behavioral use cases (e.g. binary classification of usage as human or machine, correlation of entity behaviors, and excessive usage or data extraction by machines); entity access patterns (such as behavior of particular endpoints)]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teaching of the cited references and modify the invention as taught by Puri, Holeman, Hu, and Epple, by incorporating security analytics services as part of the cloud security fabric to provide risk assessments based on user risk scores and clustering, as taught by Zimmermann (Paragraph 0007, 0011, 0114, 0118, 0132, 0134, 0158, 0557, 0558, and 0599), because all five applications are directed to identifying threats to information security and storing information relating to those threats; incorporating security analytics services as part of the cloud security fabric to provide risk assessments based on user risk scores and clustering provides better threat indications, such as account compromise, which will make alert identification more effective, allowing the production of fewer, more relevant alerts (see Zimmermann Paragraph 0129).

As to claim 22:
Puri discloses:
The method of claim 21, further comprising: analyzing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events when performing a security analytics operation [Paragraph 0018 teaches learning the behavior of applications through log traces, understanding the flow of events that occur within many applications, performing analytics at massive scales, and performing analytics with low latency and rapid results with streaming data is needed when finding relevant security events and being operationally aware in real-time. Paragraph 0080 teaches CEP 252 may be described as tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns that suggest more complicated circumstances. An example may include validating security events against previously verified breaches of information in real time to assess new threats. Paragraph 0081 teaches a map/reduce job may take a relatively long time to execute based on the amount of data, and the complexity of the algorithms in the map/reduce job, in contrast, the CEP 252 operates on one record at a time. Each record or event (in a file) may be consumed by the CEP 252 and is pre-processed (i.e., the data is enriched by adding to it or transforming it). 
Note: The examiner interprets pre-processing each record or event to enrich data by adding to it or transforming it to be the claimed enriching data associated with each of the plurality of events to provide enriched data, wherein the streams of event data tracked and processed by the CEP are interpreted to be the claimed plurality of events, and validating security events (which includes performing analytics at massive scales and performing analytics with low latency and rapid results with streaming data, as is needed when finding relevant security events) is interpreted to be the claimed performing a security analytics operation.

As to claim 23:
Puri discloses:
The method of claim 21, wherein: extracting features comprises performing transformation operations on certain features associated with an event to generate a smaller set of derived features [Paragraph 0107 teaches referring to FIG. 5, with respect to the example of network security events disclosed herein, the apparatus 100 may be applied to three months (e.g., three petabyte) of security data to generate graphs with nodes representing the events, edges connecting events that are related to each other, the size representing the anomalousness (i.e., the very high probability of anomalousness events being displayed on the outer bounds as shown in FIG. 5 at 500, to the very-low probability of anomalousness events being displayed towards the middle), and different colors (e.g., red, yellow, orange, etc.) representing the probability of occurrence of the events. Further analysis may be performed by grouping events and providing mechanisms to navigate and visualize them according to their features. The examiner interprets using three months of data, grouping events, and sizing representing anomalousness to be the claimed transformation operations on certain features generating a smaller set, wherein anomalousness is interpreted to be the claimed certain features.]

As to claim 24:
Puri discloses:
The method of claim 21, wherein: the feature associated with the event comprises at least one of a number of bytes uploaded, a time of day, a presence of certain terms in unstructured content, respective domains associated with senders and recipients of information, and a Uniform Resource Locator (URL) classification of a web page visit [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets anomalous data to be the claimed features and the relevant information as time is interpreted to be the claimed time of day.]

As to claim 25:
Puri discloses:
The method of claim 21, wherein:
the enriching data comprises at least one of validating event data associated with at least some of the plurality of events [Paragraph 0080 teaches tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns that suggest more complicated circumstances. An example may include validating security events against previously verified breaches of information in real time. Paragraph 0081 teaches each record or event (in a file) may be consumed by the CEP 252 and is pre-processed (i.e., the data is enriched by adding to it or transforming it)], 
disclaiming certain event data associated with at least some of the plurality of events [Paragraph 0065 teaches as trace events are tagged and ingested, for example, by CEP, a model representing agent behaviors may be learned in real-time. Paragraph 0078 teaches referring to FIGS. 2A and 2B, with respect to real-time processing of a data stream, a message queue 250 may collect and organize events which are pulled by downstream subscribers, CEP 252 may be applied to evaluate events based on programmed or dynamic rules/algorithms to identify key information. Paragraph 0104 teaches incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). 
Tagging events by the CEP where tagging occurs on data deemed to be anomalous is interpreted to be the claimed disclaiming certain event data associated. The examiner also interprets data stream of events to be the claimed plurality of events.]; deduplicating at least some of the plurality of events 
  
performing an entity resolution operation on at least some of the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets tagging and associating data with relevant information such as the agent originator to be the claimed performing an entity resolution operation on at least some of the plurality of events wherein the agent originator is interpreted to be the entity outputted from the entity resolution (similar to name or domain name resolution in networking).];  
performing an attachment enrichment operation on data associated with at least some of the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets tagging to be the claimed attachment enrichment operation wherein tagging includes tags associated with all relevant information is interpreted to be the claimed data associated with at least some of the plurality of the events.]; and,  
performing a domain enrichment on at least some of the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets agent originator information to be the claimed domain enrichment wherein tagging and associating is interpreted to be the claimed enrichment process.]
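To make the five enrichment operations recited in claim 25 concrete, the following is an added illustration written for this review; it is not code from the application, the examiner, or any cited reference (Puri, Holeman, Hu, Epple, Zimmermann). The event fields, the internal-domain list, the alias map, the disclaimed action set and the helper names are all constructed assumptions. Each function corresponds to one recited operation, and the pipeline shows the order a defender would typically apply them in (reject and disclaim first, then deduplicate, then enrich) so that later feature extraction works on clean, attributable events.

```python
"""Event enrichment for the operations recited in claim 25: validating,
disclaiming, deduplicating, entity resolution, attachment enrichment and
domain enrichment. Added illustration only; not code from the application
or from any cited reference. Field names and reference data are constructed."""
import hashlib
from urllib.parse import urlparse

# Constructed reference data (assumptions, not from the page).
INTERNAL_DOMAINS = {"corp.example"}                 # domains treated as inside the enterprise
ENTITY_ALIASES = {"jdoe": "jdoe", "j.doe": "jdoe"}  # raw account name -> canonical entity
DISCLAIMED_ACTIONS = {"heartbeat"}                  # telemetry with no user action behind it

# Constructed sample stream as an endpoint agent might report it.
SAMPLE_EVENTS = [
    {"id": "e1", "user": "jdoe", "action": "email_send", "sender": "jdoe@corp.example",
     "recipient": "partner@vendor.example", "attachment": "q3_report.xlsx", "bytes": 524288},
    {"id": "e1", "user": "jdoe", "action": "email_send", "sender": "jdoe@corp.example",
     "recipient": "partner@vendor.example", "attachment": "q3_report.xlsx", "bytes": 524288},
    {"id": "e2", "user": "JDOE", "action": "web_visit",
     "url": "https://files.example.net/upload", "bytes": 0},
    {"id": "e3", "user": "jdoe", "action": "email_send", "sender": "jdoe@corp.example", "bytes": -5},
    {"id": "e4", "user": "jdoe", "action": "heartbeat"},
]

def validate(event):
    """Validating: reject records missing required fields or carrying impossible values."""
    if not {"id", "user", "action"}.issubset(event):
        return False
    return event.get("bytes", 0) >= 0

def disclaim(event):
    """Disclaiming: drop event types that carry no user action worth scoring."""
    return event["action"] not in DISCLAIMED_ACTIONS

def fingerprint(event):
    """Content hash used for deduplication (the second e1 above is an exact replay)."""
    canonical = "|".join(f"{k}={event[k]}" for k in sorted(event))
    return hashlib.sha256(canonical.encode()).hexdigest()

def deduplicate(events):
    seen, kept = set(), []
    for ev in events:
        fp = fingerprint(ev)
        if fp not in seen:
            seen.add(fp)
            kept.append(ev)
    return kept

def resolve_entity(event):
    """Entity resolution: map the raw account name to one canonical user entity."""
    raw = event["user"].lower()
    event["entity"] = ENTITY_ALIASES.get(raw, raw)
    return event

def enrich_attachment(event):
    """Attachment enrichment: derive the file extension (a feature later scoring can use)."""
    name = event.get("attachment")
    if name:
        event["attachment_ext"] = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return event

def _mail_domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else None

def enrich_domain(event):
    """Domain enrichment: sender/recipient domains, internal-vs-external flag, URL host."""
    for field in ("sender", "recipient"):
        if field in event:
            domain = _mail_domain(event[field])
            event[field + "_domain"] = domain
            event[field + "_external"] = domain not in INTERNAL_DOMAINS
    if "url" in event:
        event["url_host"] = urlparse(event["url"]).hostname
    return event

def enrich(events):
    """Run the whole pipeline; returns new dicts, leaving the raw stream untouched."""
    kept = [dict(ev) for ev in events if validate(ev) and disclaim(ev)]
    kept = deduplicate(kept)
    return [enrich_domain(enrich_attachment(resolve_entity(ev))) for ev in kept]

if __name__ == "__main__":
    for ev in enrich(SAMPLE_EVENTS):
        print(ev)
```

On the constructed stream the pipeline keeps two of five records: the replayed e1 is removed by the content hash, e3 fails validation on its negative byte count, and the heartbeat is disclaimed; the survivors carry a canonical entity, the attachment extension, sender and recipient domains with an external flag, and the visited URL's host, which are exactly the kinds of fields claim 24 lists as features.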

As to claim 26:
Puri discloses:
The method of claim 21, further comprising: labeling at least some of the plurality of events prior to extracting features from the plurality of events to provide labeled events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets agent originator information to be the claimed labeling at least some of the plurality of events.]; and,  
storing the labeled events within the datastore [Paragraph 0024 teaches CEP may be described as tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns. Paragraph 0078 teaches when an anomalous event is encountered, the anomalous event may be flagged and stored in the IMDB 254. In response to a determination that there is a pattern match, the event is flagged as an anomalous event and stored in the IMDB 254. Paragraph 0082 teaches the IMDB 254 may be described as a database management system that relies primarily on main memory for data storage.
Note: The examiner interprets the encountered anomalous event to be the claimed extracted features and the streams of event data tracked and processed by the CEP is interpreted to be the claimed plurality of events. Flagging and storing the anomalous events in the IMDB is interpreted to be the claimed storing the enriched data within a datastore.]

As to claim 27:
Puri discloses:
A system comprising: a processor; a data bus coupled to the processor; and a non-transitory, computer-readable storage medium embodying computer program code for performing a risk assessment operation, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor [Paragraph 0118 teaches methods, functions and other processes may be embodied as machine readable instructions stored on a computer readable medium, which may be non-transitory (e.g., the memory 904 of FIG. 9, and the non-transitory computer readable medium 1102 of FIG. 11), such as hardware storage devices (e.g., RAM (random access memory), ROM (read only memory), EPROM (erasable, programmable ROM), EEPROM (electrically erasable, programmable ROM), hard drives, and flash memory). The memory 904 may include a RAM, where the machine readable instructions and data for the processor 902 may reside during runtime.] and configured for: 
enriching data associated with each of the plurality of events to provide enriched data associated with each of the plurality of events [Paragraph 0080 teaches CEP 252 may be described as tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns that suggest more complicated circumstances. An example may include validating security events against previously verified breaches of information in real time to assess new threats. Paragraph 0081 teaches a map/reduce job may take a relatively long time to execute based on the amount of data, and the complexity of the algorithms in the map/reduce job, in contrast, the CEP 252 operates on one record at a time. Each record or event (in a file) may be consumed by the CEP 252 and is pre-processed (i.e., the data is enriched by adding to it or transforming it). 
Note: The examiner interprets pre-processing each record or event to enrich data by adding to it or transforming it to be the claimed enriching data associated with each of the plurality of events to provide enriched data, wherein the streams of event data tracked and processed by the CEP is interpreted to be the claimed plurality of events and validating security events is interpreted to be the claimed enriching data associated with each of the plurality of events.]
extracting features from the plurality of events using the enriched data associated with each of the plurality of events to provide extracted features from the plurality of events [Paragraph 0026 teaches the apparatus and methods disclosed herein may deploy a differentiated technology asset that may effectively capture, learn, discover and provide actionable contextually relevant security information. Paragraph 0051 teaches data present in log files may be characterized by log traces containing unique identifiers, timestamps, events, and actions… the incoming data 118 may be analyzed for anomalies by the data anomaly analyzer 116 using graph matching, pattern recognition, or other techniques, such as correlation algorithms, to extract anomalies and risks. Paragraph 0097 teaches in addition to mining, analytics may be performed on learned graphs to extract anomalous behaviors.
Note: The examiner interprets the anomalies and risks to be the claimed extracting features from the plurality of events using the enriched data associated with each of the plurality of events. Timestamps used in the analysis to extract anomalies and risks are interpreted to be the claimed extracting features from the plurality of events using the enriched data. The examiner also interprets incoming data, i.e., data present in log files containing events, to be the claimed plurality of events. Pre-processing steps are interpreted to be included in effectively capturing, learning, discovering and providing actionable contextually relevant security information, therefore teaching the claimed provide enriched data associated with each of the plurality of events.];
storing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events within a datastore [Paragraph 0024 teaches CEP may be described as tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns. Paragraph 0078 teaches when an anomalous event is encountered, the anomalous event may be flagged and stored in the IMDB 254. In response to a determination that there is a pattern match, the event is flagged as an anomalous event and stored in the IMDB 254. Paragraph 0082 teaches the IMDB 254 may be described as a database management system that relies primarily on main memory for data storage.
Note: The examiner interprets the encountered anomalous event to be the claimed extracted features and the streams of event data tracked and processed by the CEP is interpreted to be the claimed plurality of events. Flagging and storing the anomalous events in the IMDB is interpreted to be the claimed storing the enriched data within a datastore.]
performing the risk assessment operation via a security analytics system based upon the enriched events [Paragraph 0019 teaches an event anomaly analysis and prediction apparatus. The apparatus provides for the extraction of correlations between trace events within a log and the information surrounding the correlations such as probability of occurrence of trace log events, probability of transitions between particular trace log events, execution times of trace log events, and anomalous occurrences of trace log events. Paragraph 0051 teaches incoming data 118 may be analyzed for anomalies by the data anomaly analyzer 116 using graph matching, pattern recognition, or other techniques, such as correlation algorithms, to extract anomalies and risks. Paragraph 0096 teaches categorizations may be fed into a real-time CEP engine to generate rules to grade new events for a given time of a day to aid analysts and help provide context to risk assessments. 
Note: The examiner interprets extracting risks and providing contexts to risks reads on the claimed risk assessment operation and an event anomaly analysis and prediction apparatus that includes data anomaly analyzer is interpreted to be the claimed security analytics system. The event anomaly analysis and prediction apparatus that includes data anomaly analyzer that extracts anomalies, risks, provides context to risk assessments, all based on events is interpreted to read on the claimed risk assessments operation based upon the enriched events.]

Puri discloses some of the limitations as set forth in claim 27 but does not appear to expressly disclose receiving a stream of data via a protected endpoint, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the plurality of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device, the protected endpoint communicating with the security analytics system via a network, performing a probability distribution operation on the enriched data, the probability distribution operation analyzing probability distributions of the extracted features extracted from the plurality of events; the probability distribution operation comprising a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window across a sequence of time windows, the scoring container being implemented as one or both of a percentile container and a delta container, the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore, generating a risk score for the user, the risk score using the extracted features from the plurality of events and the probability distribution, and performing a risk assessment operation via a security analytics system based upon the enriched events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user.
Holeman discloses:
receiving a stream of data via a protected endpoint, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the plurality of events corresponding to user actions [Paragraph 0053 teaches user activity sensors 470 include computer program instructions that are executable to collect information relating to users of endpoint computer system 120. For example, in various embodiments, sensors 470 may indicate what users are currently logged in to endpoint computer system 120 and whether each login is local or remote. Sensors 470 may further indicate associated account attribution for observed network activity such as identifying which logged-in users or accounts correspond to particular observed network activity. Paragraph 0054 teaches sensors 470 may also collect information about the activities of users. For example, sensors 470 may collect information relating to user activity or inactivity, such as whether there is any input being supplied by the user (e.g., through user interface devices 370). Sensors 470 may also determine what user processes are in the foreground (e.g., the identity of the process associated with a currently active window, such as a word processing program to which the user is currently inputting text, as compared to other processes running in the background). Note: The cited sensors as part of the endpoint computer system 120 collecting information about the activities of users is interpreted to read on the claimed identifying a plurality of events from the interactions by the user, at least some of the plurality of events corresponding to user actions. 
The cited endpoint computer system 120 is interpreted to read on the claimed the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, and information collected representing user activity is interpreted to read on the claimed receiving a stream of data via a protected endpoint, the stream of data representing electronically-observable interactions by a user.], the protected endpoint comprising an endpoint device and an endpoint agent [Paragraph 0032 teaches an endpoint analysis agent may be implemented on an endpoint computer system in a variety of ways, as illustrated by FIG. 2. Note: The examiner interprets the endpoint analysis agent implemented on an endpoint computer system reads on the claimed the protected endpoint comprising an endpoint device and an endpoint agent.], the endpoint agent executing on a hardware processor of the endpoint device [Paragraph 0033 teaches in the depicted configuration (Figure 2), endpoint computer system 120 includes a hardware layer 240, which includes the actual underlying hardware of the system that supports process execution (e.g., processors, memory), and is discussed further with reference to FIG. 3. Endpoint computer system 120 further includes an operating system layer 220 that supports multiple system and application processes 212, including, in some embodiments, an endpoint analysis agent process.]
the protected endpoint communicating with the security analytics system via a network [FIG. 3 shows a block diagram of a system 300 that includes an exemplary endpoint computer system. In this particular configuration, endpoint analysis agent 340 is implemented in software. Paragraph 0067 teaches endpoint analysis agent 340 is operable to collect endpoint information, package that information (or a subset of that information) in one or more network flow data records, and send those records to network 110, where it may be received either by network flow analyzer 106, or by network flow collector 104, where it may be ultimately forwarded to analyzer 106. Paragraph 0068 teaches network flow analyzer 106 includes flow matching module 510, threat and anomaly detection module 520, and risk analysis module 530. Note: Endpoint computer system with an endpoint analysis agent 340 implemented in software collecting endpoint information via the endpoint analysis agent 340 and sending those records to network 110 where it is received by network flow analyzer 106 is interpreted to read on the claimed the protected endpoint communicating with the security analytics system via a network. The endpoint computer system with an endpoint analysis agent is interpreted to be the claimed protected endpoint and the network flow analyzer is interpreted to be the claimed security analytics system. Network 110 used to send records from the endpoint computer system to the network flow analyzer is interpreted to be the claimed network.]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of the cited references and modify the invention as taught by Puri by incorporating endpoint analysis agents running on a computer system to collect data associated with user activity, as taught by Holeman (Paragraphs 0032, 0033, 0053, 0054, 0067, 0068, 0080, 0086, FIG. 2, and FIG. 3), because both applications are directed to identifying threats to information security and storing information relating to those threats, and because collecting endpoint information and using it to supplement network flow analysis has a number of potential benefits: since a richer data set providing additional relevant context is utilized, incidents of false positives for potential network security incidents may be reduced (see Holeman Paragraph 0027).

Puri and Holeman disclose most of the limitations as set forth in claim 27 but do not appear to expressly disclose performing a probability distribution operation on the enriched events, the probability distribution operation analyzing probability distributions of the features extracted from the plurality of events, the probability distribution operation comprising a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window across a sequence of time windows, the scoring container being implemented as one or both of a percentile container and a delta container, the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore, generating a risk score for the user, the risk score using the extracted features from the plurality of events and the probability distribution, and performing a risk assessment operation via a security analytics system based upon the enriched events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user.
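The following is an added illustration, not part of the application, the claims or any cited reference, of one reading of the scoring container limitation recited above: events carrying a numeric feature are processed across a sequence of fixed time windows; within each window a percentile container scores each new feature value against the values already collected in that window, while a delta container accumulates the window's contribution and merges it into a persistent datastore (here a histogram) when the window closes, so the datastore approximates the feature's probability distribution over time. The window length, the power-of-two bucketing, the sample events and all names are assumptions made for the illustration.

```python
"""Added example: a scoring container built from a percentile container and a
delta container, applied across a sequence of time windows. Not taken from the
application or any cited reference; every name and parameter is assumed."""
from bisect import bisect_left, bisect_right
from collections import Counter

WINDOW_SECONDS = 3600  # assumed: one-hour time windows


def bucket(value):
    """Assumed coarse bucketing (power-of-two bins) so the persistent
    histogram stays small: returns floor(log2(value)) for value >= 1."""
    v, b = int(value), 0
    while v > 1:
        v >>= 1
        b += 1
    return b


class PercentileContainer:
    """Collects the feature values of the current window and reports where a
    new value falls within them (its percentile rank); that rank is the
    per-window scoring operation."""

    def __init__(self):
        self._sorted = []

    def add(self, value):
        self._sorted.insert(bisect_left(self._sorted, value), value)

    def percentile(self, value):
        n = len(self._sorted)
        if n == 0:
            return 0.5  # assumed prior when the window has no observations yet
        below = bisect_left(self._sorted, value)
        ties = bisect_right(self._sorted, value) - below
        return (below + 0.5 * ties) / n


class DeltaContainer:
    """Collects the window's histogram deltas; flushed into the persistent
    datastore when the window closes (Counter.update adds counts)."""

    def __init__(self):
        self._counts = Counter()

    def add(self, value):
        self._counts[bucket(value)] += 1

    def flush_into(self, datastore):
        datastore.update(self._counts)
        self._counts.clear()


class ScoringContainer:
    """Scoring container update operation: one percentile and one delta
    container per window; the datastore persists across windows."""

    def __init__(self, datastore):
        self.datastore = datastore
        self.window = None
        self.percentile = PercentileContainer()
        self.delta = DeltaContainer()

    def update(self, timestamp, value):
        window = timestamp // WINDOW_SECONDS
        if self.window is not None and window != self.window:
            self.delta.flush_into(self.datastore)  # window closed: persist
            self.percentile = PercentileContainer()
            self.delta = DeltaContainer()
        self.window = window
        window_pct = self.percentile.percentile(value)   # score vs. this window
        total = sum(self.datastore.values())
        hist_prob = self.datastore[bucket(value)] / total if total else None
        self.percentile.add(value)
        self.delta.add(value)
        return window_pct, hist_prob

    def close(self):
        self.delta.flush_into(self.datastore)


# Constructed sample stream: (timestamp, bytes uploaded by one user per event).
# The last event is a 52 MB upload, far outside the previously observed range.
SAMPLE_EVENTS = [(10, 1000), (100, 1200), (200, 800), (300, 1500),
                 (3700, 900), (3800, 52_000_000)]


def score_stream(events):
    """Runs the stream through the scoring container; returns per-event
    (timestamp, window percentile, historical bucket probability) tuples and
    the persistent histogram after the final flush."""
    datastore = Counter()
    container = ScoringContainer(datastore)
    results = [(ts, *container.update(ts, v)) for ts, v in events]
    container.close()
    return results, dict(datastore)


if __name__ == "__main__":
    for row in score_stream(SAMPLE_EVENTS)[0]:
        print(row)
```

The 52 MB upload scores at the top of its window (percentile 1.0) and falls in a histogram bucket the persistent datastore has never seen (historical probability 0.0); the two signals together are what a downstream risk score would consume.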
Hu discloses:
performing a probability distribution operation on the enriched events, the probability distribution operation analyzing probability distributions of the features extracted from the plurality of events [Paragraph 0004 teaches that once the data structure is generated, the data structure may be organized into clusters that represent legitimate or potentially fraudulent authentication requests. Paragraph 0025 teaches that a “cluster” of data elements (nodes) can refer to a collection of overlapped bindings or bindings that overlap on certain data elements. Paragraph 0029 teaches that the data structure can be generated from a plurality of authentication requests that are associated with a resource identifier (e.g., a user account of a computer resource). The data structure can be generated using data elements associated with access requests, where the data elements form nodes within the data structure. Sets of nodes within the data structure can be identified as belonging to certain clusters, e.g., each corresponding to a different legitimate or fraudulent actor. Paragraph 0095 teaches that the strength of matching data elements can allow a new data element in the same request to be added to the baseline. For example, the strength scores can be added for each matching data element, and the total score can be required to be above a certain threshold before new data elements are added to a legitimate cluster, which may be the baseline or another cluster corresponding to a different legitimate user than the one who specified data elements at the time of creation/registration of the resource. Paragraph 0098 teaches that clusters representing suspicious or fraudulent transactions may also be identified. For example, in FIG. 4, cluster 406(b) can be identified as fraudulent because only two transactions have been conducted, and the data elements 402 are not consistent with the data elements in baseline cluster 406(a).
The categorization as fraudulent could change at a later time, e.g., if additional requests included data elements from a legitimate cluster. Paragraph 0099 teaches that the data elements of a fraudulent cluster can also have scores, e.g., negative numbers showing a weakness of the data element being part of a valid request. These scores could contribute to determining whether a new authentication request is legitimate, e.g., if the new request included one or more data elements of a legitimate cluster and one or more data elements of a fraudulent cluster. Paragraph 0106 teaches that the comparison can proceed as follows: when an access request is received, embodiments can determine a Degree of Affiliation (DoA) to a baseline cluster on every possible combination of the bindings in the current transactional elements. Paragraph 0107 teaches that summing all the weights together provides a measure of the affiliation of a current request to its historical events from that resource identifier. This example measurement can compare all requests and learn the optimal threshold for decision. The threshold can be a percentile of the current calculated DoA's relative position in all observed/calculated DoAs from all requests. The value of DoA could be positive or negative. The larger the positive value is, the higher the probability of a current request being affiliated with a legitimate cluster, and the smaller the negative value is, the higher the probability of a current request being affiliated with a fraudulent cluster. Paragraph 0141 teaches that categorization module 1210 can categorize the nodes in the data structure into clusters… update module 1218 can determine whether new nodes should be added to an existing cluster or used to create a new cluster.
Note: Access requests associated with data elements are interpreted to be the claimed plurality of events. Access requests, whether legitimate or fraudulent, placed into clusters are interpreted to read on the claimed constructing a distribution of the features from the plurality of events, and events that are determined to be legitimate or fraudulent are interpreted to be the claimed enriched events. The Degree of Affiliation, in the context of the cited art, is interpreted to be a score whose value could be positive or negative. The DoA/score representing a probability of a current request (event) being affiliated with a legitimate cluster or a fraudulent cluster is interpreted to read on the claimed performing a probability distribution operation on the enriched events, the probability distribution operation analyzing probability distributions of the features extracted from the plurality of events. In other words, the DoA/score provides a probability that the new transaction (event) contains elements that are deemed legitimate or fraudulent, given that data elements of a fraudulent cluster can also have scores, e.g., negative numbers showing a weakness of the data element being part of a valid request. These scores could contribute to determining whether a new authentication request is legitimate, and the cited scores are interpreted to be a result of the claimed analyzing probability distributions of the features extracted from the plurality of events. To further elaborate, the scores are a result of an analysis of the fraudulent clusters (probability distribution). The process, including deriving scores based on features of events in a fraudulent cluster and determining whether incoming requests (events) are legitimate or fraudulent based on a DoA/score, is interpreted to be the claimed performing a probability distribution operation.]
the probability distribution operation comprising a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window [Paragraph 0004 teaches that once the data structure is generated, the data structure may be organized into clusters that represent legitimate or potentially fraudulent authentication requests. Paragraph 0025 teaches that a “cluster” of data elements (nodes) can refer to a collection of overlapped bindings or bindings that overlap on certain data elements. Paragraph 0029 teaches that the data structure can be generated from a plurality of authentication requests that are associated with a resource identifier (e.g., a user account of a computer resource). The data structure can be generated using data elements associated with access requests, where the data elements form nodes within the data structure. Sets of nodes within the data structure can be identified as belonging to certain clusters, e.g., each corresponding to a different legitimate or fraudulent actor. Paragraph 0095 teaches that the strength of matching data elements can allow a new data element in the same request to be added to the baseline. For example, the strength scores can be added for each matching data element, and the total score can be required to be above a certain threshold before new data elements are added to a legitimate cluster, which may be the baseline or another cluster corresponding to a different legitimate user than the one who specified data elements at the time of creation/registration of the resource. Paragraph 0098 teaches that clusters representing suspicious or fraudulent transactions may also be identified. For example, in FIG. 4, cluster 406(b) can be identified as fraudulent because only two transactions have been conducted, and the data elements 402 are not consistent with the data elements in baseline cluster 406(a).
The categorization as fraudulent could change at a later time, e.g., if additional requests included data elements from a legitimate cluster. Paragraph 0099 teaches that the data elements of a fraudulent cluster can also have scores, e.g., negative numbers showing a weakness of the data element being part of a valid request. These scores could contribute to determining whether a new authentication request is legitimate, e.g., if the new request included one or more data elements of a legitimate cluster and one or more data elements of a fraudulent cluster. Paragraph 0106 teaches that the comparison can proceed as follows: when an access request is received, embodiments can determine a Degree of Affiliation (DoA) to a baseline cluster on every possible combination of the bindings in the current transactional elements. Paragraph 0107 teaches that summing all the weights together provides a measure of the affiliation of a current request to its historical events from that resource identifier. This example measurement can compare all requests and learn the optimal threshold for decision. The threshold can be a percentile of the current calculated DoA's relative position in all observed/calculated DoAs from all requests. The value of DoA could be positive or negative. The larger the positive value is, the higher the probability of a current request being affiliated with a legitimate cluster, and the smaller the negative value is, the higher the probability of a current request being affiliated with a fraudulent cluster. Paragraph 0141 teaches that categorization module 1210 can categorize the nodes in the data structure into clusters… update module 1218 can determine whether new nodes should be added to an existing cluster or used to create a new cluster.
Note: Access requests associated with data elements are interpreted to be the claimed plurality of events. Access requests, whether legitimate or fraudulent, placed into clusters are interpreted to read on the claimed constructing a distribution of the features from the plurality of events. The categorization module, configured to allow categorization changes (updates) and to categorize the nodes/data elements into clusters, is interpreted to read on the claimed distribution of the features being constructed via a scoring container update operation. Categorization is interpreted to be the scoring container update operation, and legitimate clusters and fraudulent clusters are interpreted to be the claimed scoring containers, wherein the clusters are configured to have data elements that have scores, e.g., negative numbers showing a weakness of the data element being part of a valid request. These scores could contribute to determining whether a new authentication request is legitimate, e.g., if the new request included one or more data elements of a legitimate cluster and one or more data elements of a fraudulent cluster. The Degree of Affiliation, in the context of the cited art, is interpreted to be a score whose value could be positive or negative, similar to the cited score. The DoA/score representing a probability of a current request being affiliated with a legitimate cluster or a fraudulent cluster is interpreted to read on the claimed scoring container providing an approximation of a probability distribution of the features from the plurality of events, wherein the cluster with which the DoA/score is associated is interpreted to be the claimed scoring container that provides the approximation of a probability distribution.
The variable “t”, corresponding to a moving window used to calculate the DoA/score for new transactions to determine the appropriate cluster, as shown in the formula in Paragraph 0106 of the cited prior art, is interpreted to read on the claimed plurality of events for a particular time window. The cited time window is interpreted to be used in the determination of the DoA/score, which provides a probability that the new transaction contains elements that are deemed legitimate or fraudulent.]; across a sequence of time windows [Paragraph 0106 teaches that “t” corresponds to a moving time window on the timeline backward, e.g., a weekly window, and that “H” stands for historical time. Note: “t” and “H”, representing two time windows, are interpreted to read on the claimed across a sequence of time windows.], the scoring container being implemented as one or both of a percentile container [Paragraph 0089 teaches that the amount can be a number of the one or more current data elements that match the existing nodes of the existing cluster, or a percentage of the one or more current data elements that match the existing nodes of the existing cluster. Paragraph 0095 teaches that the strength of matching data elements can allow a new data element in the same request to be added to the baseline. For example, the strength scores can be added for each matching data element, and the total score can be required to be above a certain threshold before new data elements are added to a legitimate cluster. Paragraph 0099 teaches that the data elements of a fraudulent cluster can also have scores, e.g., negative numbers showing a weakness of the data element being part of a valid request. These scores could contribute to determining whether a new authentication request is legitimate, e.g., if the new request included one or more data elements of a legitimate cluster and one or more data elements of a fraudulent cluster.
Note: Clusters that contain scored elements with an indication of a percentage of the one or more current data elements that match the existing nodes of the existing cluster read on the claimed scoring container being implemented as a percentile container.], the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations [Paragraph 0089 teaches that the amount can be a number of the one or more current data elements that match the existing nodes of the existing cluster, or a percentage of the one or more current data elements that match the existing nodes of the existing cluster… the measurement of a matching amount could be different measures with/without different units, such as a function, a probability, a score, or a rate, where units could be per given time, per given change in time, etc. Paragraph 0095 teaches that the strength of matching data elements can allow a new data element in the same request to be added to the baseline. For example, the strength scores can be added for each matching data element, and the total score can be required to be above a certain threshold before new data elements are added to a legitimate cluster. Paragraph 0099 teaches that the data elements of a fraudulent cluster can also have scores, e.g., negative numbers showing a weakness of the data element being part of a valid request. These scores could contribute to determining whether a new authentication request is legitimate, e.g., if the new request included one or more data elements of a legitimate cluster and one or more data elements of a fraudulent cluster.
Note: Clusters (scoring container) that contain scored elements with an indication (scoring operations) of a percentage of the one or more current data elements that match the existing nodes of the existing cluster (percentile container), where the matching (operations) associated with the distribution of data to the cluster is measured for a given time (particular period of time) as a probability (probability distribution), read on the claimed percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations.], and a delta container, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of the cited references and modify the invention as taught by Puri and Holeman by incorporating the clustering of transactions into clusters utilizing a Degree of Affiliation or score to show the probability of new transactions being categorized as either fraudulent or legitimate, as taught by Hu (Paragraphs 0004, 0025, 0029, 0095, 0098, 0099, 0106, 0107, and 0141), because all three applications are directed to identifying threats to information security and storing information relating to those threats, and because clustering transactions using a Degree of Affiliation or score to show the probability of new transactions being categorized as either fraudulent or legitimate provides protection of other resources, e.g., of the same type. For instance, the same attackers might attack other resources, and a profile (via a cluster in the data structure) can allow a server of another party to detect fraudulent requests much more quickly, as the proper knowledge of the received data structure can be leveraged (see Hu Paragraph 0090).
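The following is an added illustration, not taken from Hu or from the application, of the Degree of Affiliation (DoA) computation as the examiner reads Paragraphs 0095, 0099, 0106 and 0107: each data element of a request is a binding node; bindings seen in the baseline (legitimate) cluster within the moving window “t” carry positive strength and bindings of a fraudulent cluster carry negative scores; the DoA of a new request is the sum of the weights of its matching bindings; the decision threshold is a percentile of the DoAs observed over the historical time “H”; and, for a request judged legitimate, its unseen bindings are the candidates for addition to the baseline. The weight function (log1p of the binding's count), the one-week window, the median as the decision percentile, the account history and all names are assumptions made for the illustration.

```python
"""Added example: Degree of Affiliation scoring against legitimate and
fraudulent clusters with a percentile decision threshold. Not Hu's code; the
weight function, window, percentile, history and names are all assumed."""
import math
from collections import Counter

NOW = 1_000_000            # assumed current time (seconds)
WINDOW_T = 7 * 24 * 3600   # assumed moving window "t": one week
DECISION_PERCENTILE = 0.5  # assumed: threshold is the median of observed DoAs

# Constructed history for one resource identifier (one account). The label is
# the cluster each past request was categorised into. The last record is
# older than the window, so it is only part of the historical time "H".
HISTORY = [
    (NOW - 2 * 86400, "legit", {"device": "dev-A", "ip": "203.0.113.10", "ua": "Firefox"}),
    (NOW - 3 * 86400, "legit", {"device": "dev-A", "ip": "203.0.113.10", "ua": "Firefox"}),
    (NOW - 5 * 86400, "legit", {"device": "dev-B", "ip": "198.51.100.7", "ua": "Safari"}),
    (NOW - 4 * 86400, "fraud", {"device": "dev-Z", "ip": "192.0.2.99", "ua": "curl"}),
    (NOW - 30 * 86400, "legit", {"device": "dev-C", "ip": "198.51.100.7", "ua": "Safari"}),
]


def bindings(elements):
    """Each data element of a request becomes one 'key=value' binding node."""
    return {f"{k}={v}" for k, v in elements.items()}


def cluster_weights(history, now=NOW, window=WINDOW_T):
    """Binding weights from requests inside the moving window t: positive
    strength for bindings of the legitimate cluster, negative for bindings of
    the fraudulent cluster; strength grows with the binding's count."""
    legit, fraud = Counter(), Counter()
    for ts, label, elems in history:
        if now - ts > window:
            continue
        (legit if label == "legit" else fraud).update(bindings(elems))
    weights = {e: math.log1p(c) for e, c in legit.items()}
    for e, c in fraud.items():
        weights[e] = weights.get(e, 0.0) - math.log1p(c)
    return weights


def degree_of_affiliation(elements, weights):
    """DoA = sum of the weights of the request's matching bindings; bindings
    never seen in either cluster contribute nothing."""
    return sum(weights.get(e, 0.0) for e in bindings(elements))


def percentile_threshold(values, p):
    """Value at percentile p of the observed DoAs (nearest-rank, no interpolation)."""
    ordered = sorted(values)
    return ordered[int(p * (len(ordered) - 1))]


def build_model(history=HISTORY):
    """Weights come from window t; the threshold from DoAs over all of H."""
    weights = cluster_weights(history)
    observed = [degree_of_affiliation(e, weights) for _, _, e in history]
    return weights, percentile_threshold(observed, DECISION_PERCENTILE)


def classify(elements, weights, threshold):
    """Decide legitimacy and, for a legitimate request, list the bindings not
    yet in any cluster that would be added to the baseline."""
    doa = degree_of_affiliation(elements, weights)
    legitimate = doa >= threshold
    new = sorted(e for e in bindings(elements) if e not in weights) if legitimate else []
    return {"doa": doa, "legitimate": legitimate, "add_to_baseline": new}


if __name__ == "__main__":
    w, thr = build_model()
    for req in ({"device": "dev-A", "ip": "203.0.113.10", "ua": "Firefox"},
                {"device": "dev-Z", "ip": "203.0.113.10", "ua": "curl"},
                {"device": "dev-D", "ip": "203.0.113.10", "ua": "Firefox"}):
        print(req, classify(req, w, thr))
```

The second request mixes a legitimate IP binding with a device and user agent from the fraudulent cluster; its DoA is negative and it falls below the threshold, which is the mixed-cluster case Paragraph 0099 describes. The third request is a new device from a known IP and browser; it clears the threshold and its device binding becomes a candidate for the baseline, as in Paragraph 0095.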

Puri, Holeman, and Hu disclose most of the limitations as set forth in claim 27 but do not appear to expressly disclose generating a risk score for the user, the risk score using the extracted features from the plurality of events and the probability distribution, and performing a risk assessment operation via a security analytics system based upon the enriched events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user.
Epple discloses:
generating a risk score for the user, the risk score using the extracted features from the plurality of events and the probability distribution [Paragraph 0236 teaches in the threat assessment prediction module 1308, the table 1307 may also, or instead, be accessed to learn about past threat event outcomes. In such implementations, the table 1307 may include three event outcomes for the user 1010 including “Pass” for “Event 1” and “Event 2” and “Fail” for “Event 3.” In FIG. 13, it should be appreciated that the row including “Event . . . ” is a place holder for the sake of clarity of representation and represents that any number of events may be stored in the table 1307 within the bounds of the particular database technology deployed. Paragraph 0241 teaches the threat assessment prediction module 1308 may derive one or more threat assessment prediction profiles by applying one or more pattern recognition algorithms to the plurality of records of the database 1304. Such algorithms may include, for example, probabilistic inferences, anomaly detection, decision trees, training data sets, clustering, or any other suitable technique known in the art for analyzing data sets for predictive models. Paragraph 0242 teaches after at least one prediction profile has been derived, a first plurality of properties may be determined for a first user. Based on those properties and on the assessment prediction profile, the first user may be assigned an initial threat assessment metric identifying at least one predicted threat vector for the first user. Paragraph 0259 teaches the profile of the user may be based at least in part on the user's performance with respect to threat assessments and, in certain implementations, may be further based on any one or more other user risk assessments described herein. 
Paragraph 0261 teaches the exemplary method 1400 may include processing network traffic to and from the endpoint according to the adjusted profile of the user associated with the endpoint. Paragraph 0262 teaches processing the network traffic may include coloring network packets from the endpoint according to the adjusted profile of the user associated with the endpoint or a risk profile associated with the user. This may, for example, include a general risk assessment or score for the user, general or specific policy restrictions for the user (or a risk score for the user), or specific, known vulnerabilities of a user or the endpoint. 
Note: The examiner interprets the cited risk assessment or score, based on the risk profile for a user that is derived from algorithms including probabilistic inferences and clustering, to read on the claimed generating a risk score for the user, the risk score using the extracted features from the plurality of events and the probability distribution, because the profile (or risk profile) of the user may be based at least in part on the user's performance with respect to threat assessments and, in certain implementations, may be further based on any one or more other user risk assessments described therein (one or more threat assessment prediction profiles and processing of network traffic). The cited clustering and probabilistic inference (probability distribution) is interpreted to necessarily include data from database table 1307, which stores events (Event 1, Event 2, Event 3), because the threat assessment prediction module accesses the database to analyze its contents using clustering and probabilistic inference; therefore, the events that are clustered as part of the cited clustering are interpreted to be the claimed enriched events.]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teaching of the cited references and modify the invention as taught by Puri, Holeman, and Hu, by incorporating risk assessments or scores based on the risk profile for a user that is derived from algorithms that include probabilistic inferences and clustering, as taught by Epple (Paragraph 0236, 0241, 0242, 0259, 0261, and 0262), because all four applications are directed to identifying threats to information security and storing information relating to those threats; incorporating risk assessments or scores based on the risk profile for a user that is derived from algorithms that include probabilistic inferences and clustering advantageously provides improved sensitivity to such threats, as well as enabling improved remediation strategies (see Epple Paragraph 0141).

Puri, Holeman, Hu, and Epple disclose most of the limitations as set forth in claim 27 but do not appear to expressly disclose performing a risk assessment operation via a security analytics system based upon the enriched events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user.
Zimmerman discloses:
performing a risk assessment operation via a security analytics system based upon the enriched events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score [Paragraph 0007 teaches user behavior analysis (UBA). Paragraph 0011 teaches a cloud security fabric (CSF 100) that allows an enterprise to discover sensitive data, to apply policies and automation actions to data, users, and/or configurations, and make sure that regulated data is under compliance and that sensitive information is protected, so that the enterprise can enforce use policies around the data. Paragraph 0105 teaches there is value for the host or operator of the CSF 100 in the enterprise APIs 104 as well. The host or operator can perform business automation functions, such as doing an automated security assessment report for an enterprise customer. Paragraph 0114 teaches connector APIs 108 may connect to CSF through connectors 144. The CSF 100 may host various security relevant services, including security analytics services 124 (which deliver insight relating to key cloud security risks and performance indicators) and configuration management services 134 (which allow the CSF 100 to take configuration information from various sources and configure various security related modules and services in the CSF 100 or in various platforms). Paragraph 0118 teaches referring to FIG. 3, the developer APIs 102 enable developers to access capabilities and services of the modules of the CSF 100 to enable various other solutions, such as SIEMs 304, DLPs 302, UBA solutions 310. Paragraph 0132 teaches there are a number of important cyber security use cases that may benefit from improved UBA solutions, where identification of a pattern of user or machine behavior allows identification of a threat. Paragraph 0134 teaches Important cyber security use cases and features may also include… risk assessment. 
Paragraph 0158 teaches that one may determine a user risk score based on user behaviors and present administrators with indications of the riskiest users and/or the riskiest activities being undertaken by users. Paragraph 0557 teaches that the machine learning engine 6510 may provide advanced analysis that adaptively learns, such as learning patterns in user behavior, entity behavior, and other factors to uncover patterns…. use the data collected from various platforms to profile an organization (and its users) based on behavior over a time period (such as a few months), to define a baseline profile for that organization and its users, using machine learning… involving a cluster of events (such as that mobile access is usually from home and laptop access is normally from the office), but a machine learning facility can provide an indicator of departure from a pattern, whatever it is. Paragraph 0558 teaches that a user or group trust score or risk score may be calculated based on the various capabilities described. Paragraph 0599 teaches that the methods and systems described herein may be deployed in part or in whole through a machine that executes computer software on a server, client, firewall, gateway, hub, router, or other such computer and/or networking hardware.
Note: Security analytics services as part of the cloud security fabric (CSF) that provides user behavior analysis (UBA) in a cyber security use case to conduct a risk assessment, wherein the risk assessment reasonably involves user behaviors associated with profiling and providing indicators of departure and the riskiest behaviors used in determining a risk score that indicates the riskiest users and/or the riskiest activities being undertaken by users, read on the claimed performing a risk assessment operation via a security analytics system based upon the enriched events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score. The cloud security fabric that includes security analytics services is interpreted to be the claimed security analytics system. The cited risk assessment involving a risk score based on indications of the riskiest users is interpreted to read on the claimed risk assessment operation. The cited profiling and provision of indicators of departure and riskiest behaviors used in the user behavior analysis to determine the user risk score as part of the risk assessment is interpreted to read on the claimed performing a risk assessment operation via a security analytics system based upon the enriched events, the risk assessment operation taking into account the risk score. The CSF, including the security analytics service, being deployed in part or in whole through a machine that executes computer software on a server, client, firewall, gateway, hub, router, or other such computer and/or networking hardware is interpreted to read on the claimed security analytics system executing on a hardware processor.]
the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user [Paragraph 0574 teaches analytic capabilities of the platform 6500 may include, among other things, the following: profiling and detection of outliers; detection of frequency anomalies, including by type of usage; geo-location profiling and detection of anomalies related to location; device usage; user behavior analysis, including inside threat and dormant user analysis, as well as excessive usage and data extraction anomalies; entity behavioral use cases (e.g. binary classification of usage as human or machine, correlation of entity behaviors, and excessive usage or data extraction by machines); entity access patterns (such as behavior of particular endpoints)]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of the cited references and modify the invention as taught by Puri, Holeman, Hu, and Epple by incorporating security analytics services as part of the cloud security fabric to provide risk assessments based on user risk scores and clustering, as taught by Zimmermann (Paragraphs 0007, 0011, 0114, 0118, 0132, 0134, 0158, 0557, 0558, and 0599), because all five applications are directed to identifying threats to information security and storing information relating to those threats, and because incorporating security analytics services as part of the cloud security fabric to provide risk assessments based on user risk scores and clustering provides better threat indications, such as account compromise, which will make alert identification more effective, allowing the production of fewer, more relevant alerts (see Zimmermann Paragraph 0129).

As to claim 28:
Puri discloses:
The system of claim 27, wherein the instructions are further configured for: analyzing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events when performing a security analytics operation [Paragraph 0018 teaches that learning the behavior of applications through log traces, understanding the flow of events that occur within many applications, performing analytics at massive scales, and performing analytics with low latency and rapid results with streaming data is needed when finding relevant security events and being operationally aware in real-time. Paragraph 0080 teaches that CEP 252 may be described as tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns that suggest more complicated circumstances. An example may include validating security events against previously verified breaches of information in real time to assess new threats. Paragraph 0081 teaches that a map/reduce job may take a relatively long time to execute based on the amount of data and the complexity of the algorithms in the map/reduce job; in contrast, the CEP 252 operates on one record at a time. Each record or event (in a file) may be consumed by the CEP 252 and is pre-processed (i.e., the data is enriched by adding to it or transforming it).
Note: The examiner interprets pre-processing each record or event to enrich the data by adding to it or transforming it to be the claimed enriching data associated with each of the plurality of events to provide enriched data, wherein the streams of event data tracked and processed by the CEP are interpreted to be the claimed plurality of events, and validating security events, wherein validating security events includes performing analytics at massive scales and performing analytics with low latency and rapid results with streaming data as needed when finding relevant security events, is interpreted to be the claimed performing a security analytics operation.]

As to claim 29:
Puri discloses:
The system of claim 27, wherein: extracting features comprises performing transformation operations on certain features associated with an event to generate a smaller set of derived features [Paragraph 0107 teaches referring to FIG. 5, with respect to the example of network security events disclosed herein, the apparatus 100 may be applied to three months (e.g., three petabytes) of security data to generate graphs with nodes representing the events, edges connecting events that are related to each other, the size representing the anomalousness (i.e., the very high probability of anomalousness events being displayed on the outer bounds as shown in FIG. 5 at 500, to the very-low probability of anomalousness events being displayed towards the middle), and different colors (e.g., red, yellow, orange, etc.) representing the probability of occurrence of the events. Further analysis may be performed by grouping events and providing mechanisms to navigate and visualize them according to their features. The examiner interprets using three months of data, grouping events, and sizing representing anomalousness to be the claimed transformation operations for smaller sets on certain features, wherein anomalousness is interpreted to be the claimed certain features.]

As to claim 30:
Puri discloses:
The system of claim 27, wherein the instructions are further configured for: the feature associated with the event comprises at least one of a number of bytes uploaded, a time of day, a presence of certain terms in unstructured content, respective domains associated with senders and recipients of information, and a Uniform Resource Locator (URL) classification of a web page visit [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets anomalous data to be the claimed features, and the relevant information such as time is interpreted to be the claimed time of day.]

As to claim 31:
Puri discloses:
The system of claim 27, wherein:
the enriching data comprises at least one of validating event data associated with at least some of the plurality of events [Paragraph 0080 teaches tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns that suggest more complicated circumstances. An example may include validating security events against previously verified breaches of information in real time. Paragraph 0081 teaches each record or event (in a file) may be consumed by the CEP 252 and is pre-processed (i.e., the data is enriched by adding to it or transforming it)],
disclaiming certain event data associated with at least some of the plurality of events [Paragraph 0065 teaches as trace events are tagged and ingested, for example, by CEP, a model representing agent behaviors may be learned in real-time. Paragraph 0078 teaches referring to FIGS. 2A and 2B, with respect to real-time processing of a data stream, a message queue 250 may collect and organize events which are pulled by downstream subscribers; CEP 252 may be applied to evaluate events based on programmed or dynamic rules/algorithms to identify key information. Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.).
Tagging events by the CEP, where tagging occurs on data deemed to be anomalous, is interpreted to be the claimed disclaiming certain event data. The examiner also interprets the data stream of events to be the claimed plurality of events.]; deduplicating at least some of the plurality of events
performing an entity resolution operation on at least some of the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets tagging and associating data with relevant information such as the agent originator to be the claimed performing an entity resolution operation on at least some of the plurality of events, wherein the agent originator is interpreted to be the entity output from the entity resolution (similar to name or domain name resolution in networking).];
performing an attachment enrichment operation on data associated with at least some of the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets tagging to be the claimed attachment enrichment operation, wherein tagging that includes tags associated with all relevant information is interpreted to be the claimed data associated with at least some of the plurality of the events.]; and,
performing a domain enrichment on at least some of the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets agent originator information to be the claimed domain enrichment, wherein tagging and associating is interpreted to be the claimed enrichment process.]

As to claim 32:
Puri discloses:
The system of claim 27, wherein the instructions are further configured for: labeling at least some of the plurality of events prior to extracting features from the plurality of events to provide labeled events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets agent originator information to be the claimed labeling at least some of the plurality of events.]; and,
storing the labeled events within the datastore [Paragraph 0024 teaches CEP may be described as tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns. Paragraph 0078 teaches when an anomalous event is encountered, the anomalous event may be flagged and stored in the IMDB 254. In response to a determination that there is a pattern match, the event is flagged as an anomalous event and stored in the IMDB 254. Paragraph 0082 teaches the IMDB 254 may be described as a database management system that relies primarily on main memory for data storage.
Note: The examiner interprets the encountered anomalous event to be the claimed extracted features and the streams of event data tracked and processed by the CEP is interpreted to be the claimed plurality of events. Flagging and storing the anomalous events in the IMDB is interpreted to be the claimed storing the enriched data within a datastore.]

As to claim 33:
Puri discloses:
A non-transitory, computer-readable storage medium embodying computer program code for performing a risk assessment operation, the computer program code comprising computer executable instructions [Paragraph 0118 teaches methods, functions and other processes may be embodied as machine readable instructions stored on a computer readable medium, which may be non-transitory (e.g., the memory 904 of FIG. 9, and the non-transitory computer readable medium 1102 of FIG. 11), such as hardware storage devices (e.g., RAM (random access memory), ROM (read only memory), EPROM (erasable, programmable ROM), EEPROM (electrically erasable, programmable ROM), hard drives, and flash memory). The memory 904 may include a RAM, where the machine readable instructions and data for the processor 902 may reside during runtime.] configured for:
enriching data associated with each of the plurality of events to provide enriched data associated with each of the plurality of events [Paragraph 0080 teaches CEP 252 may be described as tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns that suggest more complicated circumstances. An example may include validating security events against previously verified breaches of information in real time to assess new threats. Paragraph 0081 teaches a map/reduce job may take a relatively long time to execute based on the amount of data, and the complexity of the algorithms in the map/reduce job, in contrast, the CEP 252 operates on one record at a time. Each record or event (in a file) may be consumed by the CEP 252 and is pre-processed (i.e., the data is enriched by adding to it or transforming it). 
Note: The examiner interprets pre-processing each record or event to enrich data by adding to it or transforming it to be the claimed enriching data associated with each of the plurality of events to provide enriched data, wherein the streams of event data tracked and processed by the CEP is interpreted to be the claimed plurality of events and validating security events is interpreted to be the claimed enriching data associated with each of the plurality of events.]
extracting features from the plurality of events using the enriched data associated with each of the plurality of events to provide extracted features from the plurality of events [Paragraph 0026 teaches the apparatus and methods disclosed herein may deploy a differentiated technology asset that may effectively capture, learn, discover and provide actionable contextually relevant security information. Paragraph 0051 teaches data present in log files may be characterized by log traces containing unique identifiers, timestamps, events, and actions… the incoming data 118 may be analyzed for anomalies by the data anomaly analyzer 116 using graph matching, pattern recognition, or other techniques, such as correlation algorithms, to extract anomalies and risks. Paragraph 0097 teaches in addition to mining, analytics may be performed on learned graphs to extract anomalous behaviors.
Note: The examiner interprets the anomalies and risks to be the claimed extracting features from the plurality of events using the enriched data associated with each of the plurality of events. Timestamps used in the analysis to extract anomalies and risks is interpreted to be claimed extracting features from the plurality of events using the enriched data. The examiner also interprets incoming data that is data present in log files containing events is interpreted to be the claimed plurality of events. Pre-processing steps are interpreted to be included in effectively capturing, learning, discovering and providing actionable contextually relevant security information, therefore teaching the claimed provide enriched data associated with each of the plurality of events.];
storing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events within a datastore [Paragraph 0024 teaches CEP may be described as tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns. Paragraph 0078 teaches when an anomalous event is encountered, the anomalous event may be flagged and stored in the IMDB 254. In response to a determination that there is a pattern match, the event is flagged as an anomalous event and stored in the IMDB 254. Paragraph 0082 teaches the IMDB 254 may be described as a database management system that relies primarily on main memory for data storage.
Note: The examiner interprets the encountered anomalous event to be the claimed extracted features and the streams of event data tracked and processed by the CEP is interpreted to be the claimed plurality of events. Flagging and storing the anomalous events in the IMDB is interpreted to be the claimed storing the enriched data within a datastore.]
performing the risk assessment operation via a security analytics system based upon the enriched events [Paragraph 0019 teaches an event anomaly analysis and prediction apparatus. The apparatus provides for the extraction of correlations between trace events within a log and the information surrounding the correlations such as probability of occurrence of trace log events, probability of transitions between particular trace log events, execution times of trace log events, and anomalous occurrences of trace log events. Paragraph 0051 teaches incoming data 118 may be analyzed for anomalies by the data anomaly analyzer 116 using graph matching, pattern recognition, or other techniques, such as correlation algorithms, to extract anomalies and risks. Paragraph 0096 teaches categorizations may be fed into a real-time CEP engine to generate rules to grade new events for a given time of a day to aid analysts and help provide context to risk assessments. 
Note: The examiner interprets extracting risks and providing contexts to risks reads on the claimed risk assessment operation and an event anomaly analysis and prediction apparatus that includes data anomaly analyzer is interpreted to be the claimed security analytics system. The event anomaly analysis and prediction apparatus that includes data anomaly analyzer that extracts anomalies, risks, provides context to risk assessments, all based on events is interpreted to read on the claimed risk assessments operation based upon the enriched events.]

Puri discloses some of the limitations as set forth in claim 33 but does not appear to expressly disclose receiving a stream of data via a protected endpoint, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the plurality of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device, the protected endpoint communicating with the security analytics system via a network, performing a probability distribution operation on the enriched data, the probability distribution operation analyzing probability distributions of the extracted features extracted from the plurality of events, the probability distribution operation comprising a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window across a sequence of time windows, the scoring container being implemented as one or both of a percentile container and a delta container, the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore, generating a risk score for the user, the risk score using the extracted features from the plurality of events and the probability
distribution, and performing a risk assessment operation via a security analytics system based upon the enriched events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user.
Holeman discloses:
receiving a stream of data via a protected endpoint, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the plurality of events corresponding to user actions [Paragraph 0053 teaches user activity sensors 470 include computer program instructions that are executable to collect information relating to users of endpoint computer system 120. For example, in various embodiments, sensors 470 may indicate what users are currently logged in to endpoint computer system 120 and whether each login is local or remote. Sensors 470 may further indicate associated account attribution for observed network activity, such as identifying which logged-in users or accounts correspond to particular observed network activity. Paragraph 0054 teaches sensors 470 may also collect information about the activities of users. For example, sensors 470 may collect information relating to user activity or inactivity, such as whether there is any input being supplied by the user (e.g., through user interface devices 370). Sensors 470 may also determine what user processes are in the foreground (e.g., the identity of the process associated with a currently active window, such as a word processing program to which the user is currently inputting text, as compared to other processes running in the background). Note: The cited sensors as part of the endpoint computer system 120 collecting information about the activities of users is interpreted to read on the claimed identifying a plurality of events from the interactions by the user, at least some of the plurality of events corresponding to user actions.
The cited endpoint computer system 120 is interpreted to read on the claimed electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, and information collected representing user activity is interpreted to read on the claimed receiving a stream of data via a protected endpoint, the stream of data representing electronically-observable interactions by a user.], the protected endpoint comprising an endpoint device and an endpoint agent [Paragraph 0032 teaches an endpoint analysis agent may be implemented on an endpoint computer system in a variety of ways, as illustrated by FIG. 2. Note: The examiner interprets the endpoint analysis agent implemented on an endpoint computer system to read on the claimed protected endpoint comprising an endpoint device and an endpoint agent.], the endpoint agent executing on a hardware processor of the endpoint device [Paragraph 0033 teaches in the depicted configuration (Figure 2), endpoint computer system 120 includes a hardware layer 240, which includes the actual underlying hardware of the system that supports process execution (e.g., processors, memory), and is discussed further with reference to FIG. 3. Endpoint computer system 120 further includes an operating system layer 220 that supports multiple system and application processes 212, including, in some embodiments, an endpoint analysis agent process.],
the protected endpoint communicating with the security analytics system via a network [FIG. 3 shows a block diagram of a system 300 that includes an exemplary endpoint computer system. In this particular configuration, endpoint analysis agent 340 is implemented in software. Paragraph 0067 teaches endpoint analysis agent 340 is operable to collect endpoint information, package that information (or a subset of that information) in one or more network flow data records, and send those records to network 110, where it may be received either by network flow analyzer 106, or by network flow collector 104, where it may be ultimately forwarded to analyzer 106. Paragraph 0068 teaches network flow analyzer 106 includes flow matching module 510, threat and anomaly detection module 520, and risk analysis module 530. Note: The endpoint computer system with an endpoint analysis agent 340 implemented in software, collecting endpoint information via the endpoint analysis agent 340 and sending those records to network 110 where they are received by network flow analyzer 106, is interpreted to read on the claimed protected endpoint communicating with the security analytics system via a network. The endpoint computer system with an endpoint analysis agent is interpreted to be the claimed protected endpoint and the network flow analyzer is interpreted to be the claimed security analytics system. Network 110, used to send records from the endpoint computer system to the network flow analyzer, is interpreted to be the claimed network.]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teaching of the cited references and modify the invention as taught by Puri, by incorporating endpoint analysis agents running on a computer system to collect data associated with user activity, as taught by Holeman (Paragraph 0032, 0033, 0053, 0054, 0067, 0068, 0080, 0086, Figure 2, and Figure 3), because both applications are directed to identifying threats to information security and storing information relating to those threats; collecting endpoint information and using it to supplement network flow analysis has a number of potential benefits. Because a richer data set providing additional relevant context is being utilized, incidents of false positives for potential network security incidents may be reduced (see Holeman Paragraph 0027).

Puri and Holeman disclose most of the limitations as set forth in claim 33 but do not appear to expressly disclose performing a probability distribution operation on the enriched events, the probability distribution operation analyzing probability distributions of the features extracted from the plurality of events, the probability distribution operation comprising a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window across a sequence of time windows, the scoring container being implemented as one or both of a percentile container and a delta container, the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore, generating a risk score for the user, the risk score using the extracted features from the plurality of events and the probability distribution, and performing a risk assessment operation via a security analytics system based upon the enriched events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user.
Hu discloses:
performing a probability distribution operation on the enriched events, the probability distribution operation analyzing probability distributions of the features extracted from the plurality of events [Paragraph 0004 teaches once the data structure is generated, the data structure may be organized into clusters that represent legitimate or potentially fraudulent authentication requests. Paragraph 0025 teaches a “cluster” of data elements (nodes) can refer to a collection of overlapped bindings or that overlap on certain data elements. Paragraph 0029 teaches the data structure can be generated from a plurality of authentication requests that are associated with a resource identifier (e.g., a user account of a computer resource). The data structure can be generated using data elements associated with access requests, where the data elements form nodes within the data structure. Sets of nodes within the data structure can be identified as belonging to certain clusters, e.g., each corresponding to a different legitimate or fraudulent actor. Paragraph 0095 teaches the strength of matching data elements can allow a new data element in a same request to be added to the baseline. For example, the strength scores can be added for each matching data element, and the total score can be required to be above a certain threshold before new data elements are added to a legitimate cluster, which may be the baseline or another cluster corresponding to a different legitimate user than the one who specified data elements at the time of creation/registration of the resource. Paragraph 0098 teaches clusters representing suspicious or fraudulent transactions may also be identified. For example, in FIG. 4, cluster 406(b) can be identified as fraudulent because only two transactions have been conducted, and the data elements 402 are not consistent with the data elements in baseline cluster 406(a).
The categorization of fraudulent could change at a later time, e.g., if additional requests included data elements from a legitimate cluster. Paragraph 0099 teaches the data elements of a fraudulent cluster can also have scores, e.g., negative numbers showing a weakness of the data element being part of a valid request. These scores could contribute to determining whether a new authentication request is legitimate, e.g., if the new request included one or more data elements of a legitimate cluster and one or more data elements of a fraudulent cluster. Paragraph 0106 teaches the comparison can proceed as follows. When an access request is received, embodiments can determine a Degree of Affiliation (DoA) to a baseline cluster on every possible combination of the binding in current transactional elements. Paragraph 0107 teaches summing all the weights together provides a measure of the affiliation of a current request to its historical events from that resource identifier. This example measurement can compare all requests and learn the optimal threshold for decision. The threshold can be a percentile of the current calculated DoA's relative position in all observed/calculated DoAs from all requests. The value of DoA could be positive or negative. The larger the positive value is, the higher the probability of a current request being affiliated with a legitimate cluster, and the smaller the negative value is, the higher the probability of a current request being affiliated with a fraudulent cluster. Paragraph 0141 teaches categorization module 1210 can categorize the nodes in the data structure into clusters… update module 1218 can determine whether new nodes should be added to an existing cluster or used to create a new cluster.
Note: Access requests associated with data elements are interpreted to be the claimed plurality of events. Access requests, whether legitimate or fraudulent, placed into clusters are interpreted to read on the claimed constructing a distribution of the features from the plurality of events, and events that are determined to be legitimate or fraudulent are interpreted to be enriched events. The Degree of Affiliation, in the context of the cited art, is interpreted to be a score wherein the value of DoA could be positive or negative. The DoA/score representing a probability of a current request (event) being affiliated with a legitimate cluster or fraudulent cluster is interpreted to read on the claimed performing a probability distribution operation on the enriched events, the probability distribution operation analyzing probability distributions of the features extracted from the plurality of events. In other words, the DoA/score provides a probability that the new transaction (event) contains elements that are deemed legitimate or fraudulent, given that data elements of a fraudulent cluster can also have scores, e.g., negative numbers showing a weakness of the data element being part of a valid request. These scores could contribute to determining whether a new authentication request is legitimate, and the cited scores are interpreted to be a result of the claimed analyzing probability distributions of the features extracted from the plurality of events. To further elaborate, the scores are a result of an analysis of the fraudulent clusters (probability distribution). The process, including deriving scores based on features of events in a fraudulent cluster and determining whether incoming requests (events) are legitimate or fraudulent based on a DoA/score, is interpreted to be the claimed performing a probability distribution operation.]
the probability distribution operation comprising a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window [Paragraph 0004 teaches once the data structure is generated, the data structure may be organized into clusters that represent legitimate or potentially fraudulent authentication requests. Paragraph 0025 teaches a “cluster” of data elements (nodes) can refer to a collection of overlapped bindings or that overlap on certain data elements. Paragraph 0029 teaches the data structure can be generated from a plurality of authentication requests that are associated with a resource identifier (e.g., a user account of a computer resource). The data structure can be generated using data elements associated with access requests, where the data elements form nodes within the data structure. Sets of nodes within the data structure can be identified as belonging to certain clusters, e.g., each corresponding to a different legitimate or fraudulent actor. Paragraph 0095 teaches strength of a matching data elements can allow a new data element in a same request to be added to the baseline. For example, the strength scores can be added for each matching data element, and the total score can be required to be above a certain threshold before new data elements are added to a legitimate cluster, which may be the baseline or another cluster corresponding to a different legitimate user than the one who specified data elements at the time of creation/registration of the resource. Paragraph 0098 teaches clusters representing suspicious or fraudulent transactions may also be identified. For example, in FIG. 4, cluster 406(b) can be identified as fraudulent because only two transactions have been conducted, and the data elements 402 are not consistent with the data elements in baseline cluster 406(a). 
The categorization of fraudulent could change at a later time, e.g., if additional requests included data elements from a legitimate cluster. Paragraph 0099 teaches the data elements of a fraudulent cluster can also have scores, e.g., negative numbers showing a weakness of the data element being part of a valid request. These score could contribute to determining whether a new authentication request is legitimate, e.g., if the new request included one or more data elements of a legitimate cluster and one or more data elements of a fraudulent cluster. Paragraph 0106 teaches the comparison can proceed as follows. When an access request is received, embodiments can determine a Degree of Affiliation (DoA) to a baseline cluster on every possible combination of the binding in current transactional elements. Paragraph 0107 teaches summing all the weights together provides a measure of the affiliation on a current request to its historical events from that resource identifier. This example measurement can compare all requests and learn the optimal threshold for decision. The threshold can be a percentile of the current calculated DoA's relative position in all observed/calculated DoAs from all requests. The value of DoA could be positive or negative. The larger the positive value is, the higher the probability of a current request being affiliated with a legitimate cluster, and the smaller the negative value is, the higher the probability of a current request being affiliated with a fraudulent cluster. Paragraph 0141 teaches categorization module 1210 can categorize the nodes in the data structure into clusters… update module 1218 can determine whether new nodes should be added to an existing cluster or used to create a new cluster.
Note: Access requests associated with data elements are interpreted to be the claimed plurality of events. Access requests, whether legitimate or fraudulent, placed into clusters are interpreted to read on the claimed constructing a distribution of the features from the plurality of events. The categorization module configured to allow for categorization changes (updates) and to categorize the nodes/data elements into clusters is interpreted to read on the claimed distribution of the features being constructed via a scoring container update operation. Categorization is interpreted to be the scoring container update operation; legitimate clusters and fraudulent clusters are interpreted to be the claimed scoring containers, wherein the clusters are configured to have data elements that have scores, e.g., negative numbers showing a weakness of the data element being part of a valid request. These scores could contribute to determining whether a new authentication request is legitimate, e.g., if the new request included one or more data elements of a legitimate cluster and one or more data elements of a fraudulent cluster. The Degree of Affiliation, in the context of the cited art, is interpreted to be a score wherein the value of DoA could be positive or negative, similar to the cited score. The DoA/score representing a probability of a current request being affiliated with a legitimate cluster or fraudulent cluster is interpreted to read on the claimed scoring container to provide an approximation of a probability distribution of the features from the plurality of events, wherein the DoA/score associated with the cluster is interpreted to be the claimed scoring container to provide an approximation of a probability distribution. 
“t” corresponding to a moving window to calculate the DoA/score for new transactions to determine the appropriate cluster, as shown in the formula in Paragraph 0106 of the cited prior art, is interpreted to read on the claimed plurality of events for a particular time window. The cited time window is interpreted to be used in the determination of the DoA/score, which provides a probability that the new transaction contains elements that are deemed legitimate or fraudulent.]; across a sequence of time windows [Paragraph 0106 teaches “t” corresponds to a moving time window on timeline backward, e.g., a weekly window. “H” stands for Historical time. Note: “t” and “H” representing two time windows is interpreted to read on the claimed across a sequence of time windows.], the scoring container being implemented as one or both of a percentile container [Paragraph 0089 teaches the amount can be a number of the one or more current data elements that match the existing nodes of the existing cluster, or a percentage of the one or more current data elements that match the existing nodes of the existing cluster. Paragraph 0095 teaches the strength of matching data elements can allow a new data element in a same request to be added to the baseline. For example, the strength scores can be added for each matching data element, and the total score can be required to be above a certain threshold before new data elements are added to a legitimate cluster. Paragraph 0099 teaches the data elements of a fraudulent cluster can also have scores, e.g., negative numbers showing a weakness of the data element being part of a valid request. These scores could contribute to determining whether a new authentication request is legitimate, e.g., if the new request included one or more data elements of a legitimate cluster and one or more data elements of a fraudulent cluster. 
Note: Clusters that contain score elements with an indication of a percentage of the one or more current data elements that match the existing nodes of the existing cluster read on the claimed scoring container being implemented as a percentile container.], the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations [Paragraph 0089 teaches the amount can be a number of the one or more current data elements that match the existing nodes of the existing cluster, or a percentage of the one or more current data elements that match the existing nodes of the existing cluster… the measurement of a matching amount could be different measures with/without different units, such as a function, a probability, a score, or a rate, where units could be per given time, per given change in time, etc. Paragraph 0095 teaches the strength of matching data elements can allow a new data element in a same request to be added to the baseline. For example, the strength scores can be added for each matching data element, and the total score can be required to be above a certain threshold before new data elements are added to a legitimate cluster. Paragraph 0099 teaches the data elements of a fraudulent cluster can also have scores, e.g., negative numbers showing a weakness of the data element being part of a valid request. These scores could contribute to determining whether a new authentication request is legitimate, e.g., if the new request included one or more data elements of a legitimate cluster and one or more data elements of a fraudulent cluster. 
Note: Clusters (scoring container) that contain score elements with an indication (scoring operations) of a percentage of the one or more current data elements that match the existing nodes of the existing cluster (percentile container), where matching (operations) associated with data distribution to the cluster is measured for a given time (particular period of time) in probability (probability distribution), read on the claimed percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations.], and a delta container, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teaching of the cited references and modify the invention as taught by Puri and Holeman, by incorporating clustering transactions into clusters utilizing a degree of affinity or score to show the probability of new transactions categorized as either fraudulent or legitimate, as taught by Hu (Paragraph 0004, 0025, 0029, 0095, 0098, 0099, 0106, 0107, and 0141), because all three applications are directed to identifying threats to information security and storing information relating to those threats; incorporating clustering transactions into clusters utilizing a degree of affinity or score to show the probability of new transactions categorized as either fraudulent or legitimate provides protection of other resources, e.g., of a same type. For instance, the same attackers might attack other resources, and a profile (via a cluster in the data structure) can allow a server of another party to detect fraudulent requests much quicker, as the proper knowledge of the received data structure can be leveraged (see Hu Paragraph 0090).

Puri, Holeman, and Hu disclose most of the limitations as set forth in claim 33 but do not appear to expressly disclose generating a risk score for the user, the risk score using the extracted features from the plurality of events and the probability distribution and performing a risk assessment operation via a security analytics system based upon the enriched events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user.
Epple discloses:
generating a risk score for the user, the risk score using the extracted features from the plurality of events and the probability distribution [Paragraph 0236 teaches in the threat assessment prediction module 1308, the table 1307 may also, or instead, be accessed to learn about past threat event outcomes. In such implementations, the table 1307 may include three event outcomes for the user 1010 including “Pass” for “Event 1” and “Event 2” and “Fail” for “Event 3.” In FIG. 13, it should be appreciated that the row including “Event . . . ” is a place holder for the sake of clarity of representation and represents that any number of events may be stored in the table 1307 within the bounds of the particular database technology deployed. Paragraph 0241 teaches the threat assessment prediction module 1308 may derive one or more threat assessment prediction profiles by applying one or more pattern recognition algorithms to the plurality of records of the database 1304. Such algorithms may include, for example, probabilistic inferences, anomaly detection, decision trees, training data sets, clustering, or any other suitable technique known in the art for analyzing data sets for predictive models. Paragraph 0242 teaches after at least one prediction profile has been derived, a first plurality of properties may be determined for a first user. Based on those properties and on the assessment prediction profile, the first user may be assigned an initial threat assessment metric identifying at least one predicted threat vector for the first user. Paragraph 0259 teaches the profile of the user may be based at least in part on the user's performance with respect to threat assessments and, in certain implementations, may be further based on any one or more other user risk assessments described herein. 
Paragraph 0261 teaches the exemplary method 1400 may include processing network traffic to and from the endpoint according to the adjusted profile of the user associated with the endpoint. Paragraph 0262 teaches processing the network traffic may include coloring network packets from the endpoint according to the adjusted profile of the user associated with the endpoint or a risk profile associated with the user. This may, for example, include a general risk assessment or score for the user, general or specific policy restrictions for the user (or a risk score for the user), or specific, known vulnerabilities of a user or the endpoint. 
Note: The examiner interprets the cited risk assessment or score based on the risk profile for a user that is derived from algorithms that include probabilistic inferences and clustering to read on the claimed generating a risk score for the user, the risk score using the extracted features from the plurality of events and the probability distribution, because the profile (or risk profile) of the user may be based at least in part on the user's performance with respect to threat assessments and, in certain implementations, may be further based on any one or more other user risk assessments described herein (one or more threat assessment prediction profiles and processing network traffic). The cited clustering and probabilistic inference (probability distribution) is interpreted to necessarily include data from a database table 1307 that stores events (Event 1, Event 2, Event 3), because the threat assessment prediction module accesses the database to analyze its contents using clustering and probabilistic inference; therefore, the events that are clustered as part of the cited clustering are interpreted to be enriched events.]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teaching of the cited references and modify the invention as taught by Puri, Holeman, and Hu, by incorporating risk assessments or scores based on the risk profile for a user that is derived from algorithms that include probabilistic inferences and clustering, as taught by Epple (Paragraph 0236, 0241, 0242, 0259, 0261, and 0262), because all four applications are directed to identifying threats to information security and storing information relating to those threats; incorporating risk assessments or scores based on the risk profile for a user that is derived from algorithms that include probabilistic inferences and clustering advantageously provides improved sensitivity to such threats, as well as enabling improved remediation strategies (see Epple Paragraph 0141).

Puri, Holeman, Hu, and Epple disclose most of the limitations as set forth in claim 33 but do not appear to expressly disclose performing a risk assessment operation via a security analytics system based upon the enriched events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user.
Zimmermann discloses:
performing a risk assessment operation via a security analytics system based upon the enriched events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score [Paragraph 0007 teaches user behavior analysis (UBA). Paragraph 0011 teaches a cloud security fabric (CSF 100) that allows an enterprise to discover sensitive data, to apply policies and automation actions to data, users, and/or configurations, and make sure that regulated data is under compliance and that sensitive information is protected, so that the enterprise can enforce use policies around the data. Paragraph 0105 teaches there is value for the host or operator of the CSF 100 in the enterprise APIs 104 as well. The host or operator can perform business automation functions, such as doing an automated security assessment report for an enterprise customer. Paragraph 0114 teaches connector APIs 108 may connect to CSF through connectors 144. The CSF 100 may host various security relevant services, including security analytics services 124 (which deliver insight relating to key cloud security risks and performance indicators) and configuration management services 134 (which allow the CSF 100 to take configuration information from various sources and configure various security related modules and services in the CSF 100 or in various platforms). Paragraph 0118 teaches referring to FIG. 3, the developer APIs 102 enable developers to access capabilities and services of the modules of the CSF 100 to enable various other solutions, such as SIEMs 304, DLPs 302, UBA solutions 310. Paragraph 0132 teaches there are a number of important cyber security use cases that may benefit from improved UBA solutions, where identification of a pattern of user or machine behavior allows identification of a threat. Paragraph 0134 teaches important cyber security use cases and features may also include… risk assessment. 
Paragraph 0158 teaches one may determine a user risk score based on user behaviors and present administrators with indications of the riskiest users and/or the riskiest activities being undertaken by users. Paragraph 0557 teaches the machine learning engine 6510 may provide advanced analysis that adaptively learns, such as learning patterns in user behavior, entity behavior, and other factors to uncover patterns… use the data collected from various platforms to profile an organization (and its users) based on behavior over a time period (such as a few months), to define a baseline profile for that organization and its users, using machine learning… involving a cluster of events (such as that mobile access is usually from home and laptop access is normally from the office), but a machine learning facility can provide an indicator of departure from a pattern, whatever it is. Paragraph 0558 teaches a user or group trust score or risk score may be calculated based on the various capabilities described. Paragraph 0599 teaches the methods and systems described herein may be deployed in part or in whole through a machine that executes computer software on a server, client, firewall, gateway, hub, router, or other such computer and/or networking hardware.
Note: Security analytics services as part of the cloud security fabric (CSF) that provides user behavior analysis (UBA) in a cyber security use case to conduct a risk assessment, wherein the risk assessment reasonably involves user behaviors associated with profiling and providing indicators of departure and riskiest behaviors used in determining a risk score that indicates the riskiest users and/or the riskiest activities being undertaken by users, read on the claimed performing a risk assessment operation via a security analytics system based upon the enriched events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score. The cloud security fabric that includes security analytics services is interpreted to be the claimed security analytics system. The cited risk assessment involving a risk score based on indications of the riskiest users is interpreted to read on the claimed risk assessment operation. The cited profiling and providing indicators of departure and riskiest behaviors used in the user behavior analysis to determine the user risk score as part of the risk assessment is interpreted to read on the claimed performing a risk assessment operation via a security analytics system based upon the enriched events, the risk assessment operation taking into account the risk score. The CSF, including the security analytics service, being deployed in part or in whole through a machine that executes computer software on a server, client, firewall, gateway, hub, router, or other such computer and/or networking hardware is interpreted to read on the claimed security analytics system executing on a hardware processor.]
the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user [Paragraph 0574 teaches analytic capabilities of the platform 6500 may include, among other things, the following: profiling and detection of outliers; detection of frequency anomalies, including by type of usage; geo-location profiling and detection of anomalies related to location; device usage; user behavior analysis, including inside threat and dormant user analysis, as well as excessive usage and data extraction anomalies; entity behavioral use cases (e.g. binary classification of usage as human or machine, correlation of entity behaviors, and excessive usage or data extraction by machines); entity access patterns (such as behavior of particular endpoints)]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teaching of the cited references and modify the invention as taught by Puri, Holeman, Hu, and Epple, by incorporating security analytics services as part of the cloud security fabric to provide risk assessments based on user risk scores and clustering, as taught by Zimmermann (Paragraph 0007, 0011, 0114, 0118, 0132, 0134, 0158, 0557, 0558, and 0599), because all five applications are directed to identifying threats to information security and storing information relating to those threats; incorporating security analytics services as part of the cloud security fabric to provide risk assessments based on user risk scores and clustering provides better threat indications, such as account compromise, which will make alert identification more effective, allowing the production of fewer, more relevant alerts (see Zimmermann Paragraph 0129).

As to claim 34:
Puri discloses:
The non-transitory, computer-readable storage medium of claim 33, wherein the computer executable instructions are further configured for: analyzing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events when performing a security analytics operation [Paragraph 0018 teaches learning the behavior of applications through log traces, understanding the flow of events that occur within many applications, performing analytics at massive scales, and performing analytics with low latency and rapid results with streaming data is needed when finding relevant security events and being operationally aware in real-time. Paragraph 0080 teaches CEP 252 may be described as tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns that suggest more complicated circumstances. An example may include validating security events against previously verified breaches of information in real time to assess new threats. Paragraph 0081 teaches a map/reduce job may take a relatively long time to execute based on the amount of data, and the complexity of the algorithms in the map/reduce job; in contrast, the CEP 252 operates on one record at a time. Each record or event (in a file) may be consumed by the CEP 252 and is pre-processed (i.e., the data is enriched by adding to it or transforming it). 
Note: The examiner interprets pre-processing each record or event to enrich data by adding to it or transforming it to be the claimed enriching data associated with each of the plurality of events to provide enriched data, wherein the streams of event data tracked and processed by the CEP are interpreted to be the claimed plurality of events, and validating security events, which includes performing analytics at massive scales and performing analytics with low latency and rapid results with streaming data when finding relevant security events, is interpreted to be the claimed performing a security analytics operation.

As to claim 35:
Puri discloses:
The non-transitory, computer-readable storage medium of claim 33, wherein: extracting features comprises performing transformation operations on certain features associated with an event to generate a smaller set of derived features [Paragraph 0107 teaches referring to FIG. 5, with respect to the example of network security events disclosed herein, the apparatus 100 may be applied to three months (e.g., three petabyte) of security data to generate graphs with nodes representing the events, edges connecting events that are related to each other, the size representing the anomalousness (i.e., the very high probability of anomalousness events being displayed on the outer bounds as shown in FIG. 5 at 500, to the very-low probability of anomalousness events being displayed towards the middle), and different colors (e.g., red, yellow, orange, etc.) representing the probability of occurrence of the events. Further analysis may be performed by grouping events and providing mechanisms to navigate and visualize them according to their features. The examiner interprets using three months of data, grouping events, and sizing representing anomalousness to be the claimed transformation operations for smaller sets on certain features, wherein anomalousness is interpreted to be the claimed certain features.]

As to claim 36:
Puri discloses:
The non-transitory, computer-readable storage medium of claim 33, wherein: the feature associated with the event comprises at least one of a number of bytes uploaded, a time of day, a presence of certain terms in unstructured content, respective domains associated with senders and recipients of information, and a Uniform Resource Locator (URL) classification of a web page visit [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets anomalous data to be the claimed features, and the relevant information such as time is interpreted to be the claimed time of day.]

As to claim 37:
Puri discloses:
The non-transitory, computer-readable storage medium of claim 33, wherein:
the enriching data comprises at least one of validating event data associated with at least some of the plurality of events [Paragraph 0080 teaches tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns that suggest more complicated circumstances. An example may include validating security events against previously verified breaches of information in real time. Paragraph 0081 teaches each record or event (in a file) may be consumed by the CEP 252 and is pre-processed (i.e., the data is enriched by adding to it or transforming it)], 
disclaiming certain event data associated with at least some of the plurality of events [Paragraph 0065 teaches as trace events are tagged and ingested, for example, by CEP, a model representing agent behaviors may be learned in real-time. Paragraph 0078 teaches referring to FIGS. 2A and 2B, with respect to real-time processing of a data stream, a message queue 250 may collect and organize events which are pulled by downstream subscribers, and CEP 252 may be applied to evaluate events based on programmed or dynamic rules/algorithms to identify key information. Paragraph 0104 teaches an incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). 
Tagging events by the CEP, where tagging occurs on data deemed to be anomalous, is interpreted to be the claimed disclaiming certain event data. The examiner also interprets the data stream of events to be the claimed plurality of events.]; deduplicating at least some of the plurality of events 
  
performing an entity resolution operation on at least some of the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets tagging and associating data with relevant information such as the agent originator to be the claimed performing an entity resolution operation on at least some of the plurality of events, wherein the agent originator is interpreted to be the entity output from the entity resolution (similar to name or domain name resolution in networking).];  
performing an attachment enrichment operation on data associated with at least some of the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets tagging to be the claimed attachment enrichment operation, wherein the tags associated with all relevant information are interpreted to be the claimed data associated with at least some of the plurality of the events.]; and,  
performing a domain enrichment on at least some of the plurality of events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets agent originator information to be the claimed domain enrichment, wherein tagging and associating is interpreted to be the claimed enrichment process.]

As to claim 38:
Puri discloses:
The non-transitory, computer-readable storage medium of claim 33, wherein the computer executable instructions are further configured for: labeling at least some of the plurality of events prior to extracting features from the plurality of events to provide labeled events [Paragraph 0104 teaches any incoming trace (i.e., from the data 118) deemed to be anomalous may then be tagged for further analysis and associated with all relevant information (e.g., agent originator, time, etc.). The examiner interprets agent originator information to be the claimed labeling at least some of the plurality of events.]; and,  
storing the labeled events within the datastore [Paragraph 0024 teaches CEP may be described as tracking and processing streams of event data (e.g., click streams or video feeds) from multiple sources to infer and identify patterns. Paragraph 0078 teaches when an anomalous event is encountered, the anomalous event may be flagged and stored in the IMDB 254. In response to a determination that there is a pattern match, the event is flagged as an anomalous event and stored in the IMDB 254. Paragraph 0082 teaches the IMDB 254 may be described as a database management system that relies primarily on main memory for data storage.
Note: The examiner interprets the encountered anomalous event to be the claimed extracted features and the streams of event data tracked and processed by the CEP is interpreted to be the claimed plurality of events. Flagging and storing the anomalous events in the IMDB is interpreted to be the claimed storing the enriched data within a datastore.]

Claim(s) 39 and 40 is/are rejected under 35 U.S.C. 103 as being unpatentable over Puri et al. (US 20160371489 A1) hereinafter Puri, in view of Holeman et al. (U.S. Publication No.: US 20180191766 A1) hereinafter Holeman, in view of Hu et al. (U.S. Publication No.: US 20180204215 A1) hereinafter Hu, in view of Epple et al. (U.S. Publication No.: US 20190245894 A1) hereinafter Epple, in view of Zimmerman et al. (U.S. Publication No.: US 20180027006 A1) hereinafter Zimmermann, and further in view of Cherubini et al. (U.S. Patent No.: US 10579281 B2) hereinafter Cherubini.
As to claim 39:
Puri, Holeman, Hu, Epple, and Zimmerman disclose all of the limitations of claim 33 but do not appear to expressly disclose the non-transitory, computer-readable storage medium of claim 33, wherein the computer executable instructions are deployable to a client system from a server system at a remote location.
Cherubini discloses:
The non-transitory, computer-readable storage medium of claim 33, wherein the computer executable instructions are deployable to a client system from a server system at a remote location. [Column 27 Lines 33-37 teach the computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. 
The examiner interprets computer readable program instructions to be the claimed computer executable instructions. Instructions executed entirely or partially on the remote computer or server are interpreted to be the claimed deployable to a client system from a server system at a remote location.]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teaching of the cited references and modify the invention as taught by Puri, Holeman, Hu, Epple, and Zimmerman, by incorporating computer readable program instructions to execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server, as taught by Cherubini (Column 27 Lines 33-37), because all six applications are directed to event processing in technical environments; configuring the event detector to use computer readable program instructions to execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server achieves performance, reliability, security, and storage efficiency at low operating cost and power consumption (see Cherubini Column 20 Lines 51-53).

As to claim 40:
Puri, Holeman, Hu, Epple, and Zimmerman disclose all of the limitations of claim 33 but do not appear to expressly disclose the non-transitory, computer-readable storage medium of claim 33, wherein the computer executable instructions are provided by a service provider to a user on an on-demand basis.
Cherubini discloses:
The non-transitory, computer-readable storage medium of claim 33, wherein the computer executable instructions are provided by a service provider to a user on an on-demand basis [Column 27 Lines 33-43 teach the computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. Remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
The examiner interprets the internet service provider providing internet for computer readable program instructions to be the claimed computer executable instructions provided by a service provider. The user’s computer in receipt of the computer readable program instructions via the internet service provider is interpreted to be the claimed provided to a user on an on-demand basis.]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to combine the teaching of the cited references and modify the invention as taught by Puri, Holeman, Hu, Epple, and Zimmerman, by incorporating an internet service provider providing internet for computer readable program instructions, as taught by Cherubini (Column 27 Lines 33-43), because all six applications are directed to event processing in technical environments; configuring the event detector to use an internet service provider providing internet for computer readable program instructions achieves performance, reliability, security, and storage efficiency at low operating cost and power consumption (see Cherubini Column 20 Lines 51-53).

Response to Arguments
The following is in response to Applicant’s arguments filed on January 03, 2022. 
In response to Applicant’s arguments filed on June 21, 2022 remarks pages 10 and 11, regarding the following:
“…the claims should not be treated as reciting an abstract idea and are patent eligible.”

Examiner respectfully presents the following response to Applicant’s amendments and remarks:
Applicant’s arguments have been fully considered but they are not persuasive. The examiner’s interpretation of the claims reciting an abstract idea in view of the amendments and the applicant’s argument is maintained. But for the limitations stating “a computer-implementable method for performing a risk assessment operation, comprising: receiving a stream of data via a protected endpoint of a plurality of protected endpoints, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device”, “storing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events within a datastore”, “the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore”, “a security analytics system”, “the security analytics system executing on a hardware processor”, “the plurality of protected endpoints communicating with the security analytics system via a network”, and “the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user”, the mention of “enriching”, “extracting”, “generating”, “performing”, and “the probability distribution operation analyzing probability distributions of the extracted features extracted from the plurality of events; the probability distribution operation comprising a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window across a sequence of time windows, the scoring container being implemented as one or both of a percentile container and a delta container” in the context of this claim, encompasses a user mentally augmenting data tied to a plurality of events and using that augmented data to mentally generate event data based on features of those events, using the augmented data to mentally make a risk assessment based on a score and a probability distribution. The examiner maintains that, if a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the examiner maintains the claim recites an abstract idea.
The examiner also maintains that the claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements, a computer-implementable method for performing a risk assessment operation, an electronic device, a computer system, a hardware processor, a security analytics system, a datastore, and a network, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user as recited in claim 21, are recited at a high level of generality to apply the exception using generic computer components. Receiving a stream of data via a protected endpoint of a plurality of protected endpoints, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device, storing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events within a datastore, a security analytics system, and the protected endpoint communicating with the security analytics system via a network, the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore, are interpreted to be well understood, routine and conventional activity (receiving or transmitting data over a network, e.g., using the internet to gather data, Symantec (see MPEP 2106.05(d))). Mere instructions to apply an exception using generic computer components cannot provide an inventive concept. To further elaborate, the additional limitation of a computer-implementable method for performing a risk assessment operation, comprising: receiving a stream of data via a protected endpoint of a plurality of protected endpoints, the stream of data representing electronically-observable interactions by a user, the electronically-observable interactions being observed through at least one of an electronic device, a computer system and a software application executing on the computing system, the protected endpoint identifying a plurality of events from the interactions by the user, at least some of the stream of events corresponding to user actions, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device, storing the enriched data associated with each of the plurality of events and the extracted features from the plurality of events within a datastore, the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore, a security analytics system, the security analytics system executing on a hardware processor, the plurality of protected endpoints communicating with the security analytics system via a network, the security analytics system being implemented in combination with the endpoint to perform operations associated with generating the risk score for the user, does not impose a meaningful limit on the judicial exception and merely confines the claim to a particular technological environment or field of use. The examiner maintains claim 21 is not patent eligible.

Additionally, in response to Applicant’s arguments filed on June 21, 2022 remarks page 13, regarding the following:
“…nowhere within Zimmerman is there any disclosure or suggestion of generating a risk score of a user based the enriched events and… performing a risk assessment operation via a security analytics system based upon the enriched events, the risk assessment operation taking into account the risk score, much less performing a risk assessment operation via a security analytics system based upon the enriched events, the risk assessment operation taking into account the risk score, as required by claims 21, 27 and 33”

Examiner respectfully presents the following response to Applicant’s amendments and remarks:
Applicant’s arguments have been fully considered but they are not persuasive. The Examiner respectfully disagrees with the applicant’s arguments regarding claim 21’s recitation of “performing a risk assessment operation via a security analytics system based upon the enriched events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score” (see Zimmerman Paragraph 0007, 0011, 0105, 0114, 0118, 0132, 0134, 0158, 0557, 0558, and 0599). Zimmerman discloses user behavior analysis (UBA) (see Paragraph 0007). A cloud security fabric (CSF 100) allows an enterprise to discover sensitive data, to apply policies and automation actions to data, users, and/or configurations, and make sure that regulated data is under compliance and that sensitive information is protected, so that the enterprise can enforce use policies around the data (see Paragraph 0011). There is value for the host or operator of the CSF 100 in the enterprise APIs 104 as well. The host or operator can perform business automation functions, such as doing an automated security assessment report for an enterprise customer (see Paragraph 0105). Connector APIs 108 may connect to CSF through connectors 144. The CSF 100 may host various security relevant services, including security analytics services 124 (which deliver insight relating to key cloud security risks and performance indicators) and configuration management services 134 (which allow the CSF 100 to take configuration information from various sources and configure various security related modules and services in the CSF 100 or in various platforms) (see Paragraph 0114). Referring to FIG. 3, the developer APIs 102 enable developers to access capabilities and services of the modules of the CSF 100 to enable various other solutions, such as SIEMs 304, DLPs 302, UBA solutions 310 (see Paragraph 0118).
There are a number of important cyber security use cases that may benefit from improved UBA solutions, where identification of a pattern of user or machine behavior allows identification of a threat (see Paragraph 0132). Important cyber security use cases and features may also include… risk assessment (see Paragraph 0134). One may determine a user risk score based on user behaviors and present administrators with indications of the riskiest users and/or the riskiest activities being undertaken by users (see Paragraph 0158). The machine learning engine 6510 may provide advanced analysis that adaptively learns, such as learning patterns in user behavior, entity behavior, and other factors to uncover pattern…. use the data collected from various platforms to profile an organization (and its users) based on behavior over a time period (such as a few months), to define a baseline profile for that organization and its users, using machine learning… involving a cluster of events (such as that mobile access is usually from home and laptop access is normally from the office), but a machine learning facility can provide an indicator of departure from a pattern, whatever it is (see Paragraph 0557). A user or group trust score or risk score may be calculated based on the various capabilities described (see Paragraph 0558). The methods and systems described herein may be deployed in part or in whole through a machine that executes computer software on a server, client, firewall, gateway, hub, router, or other such computer and/or networking hardware (see Paragraph 0599).
The examiner maintains that security analytics services as part of the cloud security fabric (CSF) that provides user behavior analysis (UBA) in a cyber security use case to conduct a risk assessment, wherein the risk assessment reasonably involves user behaviors associated with profiling and providing indicators of departure and riskiest behaviors used in determining a risk score that indicates the riskiest users and/or the riskiest activities being undertaken by users, reads on the claimed performing a risk assessment operation via a security analytics system based upon the enriched events, the security analytics system executing on a hardware processor, the risk assessment operation taking into account the risk score. The cloud security fabric that includes security analytics services is interpreted to be the claimed security analytics system. The cited risk assessment involving a risk score based on indications of the riskiest users is interpreted to read on the claimed risk assessment operation. The cited profiling and providing indicators of departure and riskiest behaviors used in the user behavior analysis to determine the user risk score as part of the risk assessment is interpreted to read on the claimed performing a risk assessment operation via a security analytics system based upon the enriched events, the risk assessment operation taking into account the risk score. The CSF, including the security analytics service, deployed in part or in whole through a machine that executes computer software on a server, client, firewall, gateway, hub, router, or other such computer and/or networking hardware is interpreted to read on the claimed security analytics system executing on a hardware processor. Further clarification through amendments to the claim language may aid in differentiating from the current prior art citations.
Regarding “generating a risk score of a user based the enriched events”, the examiner maintains Epple discloses these limitations, not Zimmerman (see above for analysis).

Additionally, in response to Applicant’s arguments filed on June 21, 2022 remarks page 13 and 13, regarding the following:
“…nowhere within Puri, Holeman or Zimmerman, alone or in combination, is there any disclosure or suggestion of performing a probability distribution operation on the enriched events, the probability distribution operation analyzing probability distributions of the features extracted features extracted from the plurality of events, much less where the probability distribution operation comprising a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window across a sequence of time windows, the scoring container being implemented as one or both of a percentile container and a delta container, the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore”

Examiner respectfully presents the following response to Applicant’s amendments and remarks:
Applicant’s arguments have been fully considered but they are not persuasive. The Examiner respectfully disagrees with the applicant’s arguments regarding claim 21’s recitation of “performing a probability distribution operation on the enriched events, the probability distribution operation analyzing probability distributions of the features extracted from the plurality of events, the probability distribution operation comprising a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window across a sequence of time windows, the scoring container being implemented as one or both of a percentile container and a delta container, the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations, the delta container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to update a persistent datastore” (see Hu Paragraph 0004, 0025, 0029, 0095, 0098, 0099, 0106, 0107, and 0141). Regarding “performing a probability distribution operation on the enriched events, the probability distribution operation analyzing probability distributions of the features extracted from the plurality of events”, once the data structure is generated, the data structure may be organized into clusters that represent legitimate or potentially fraudulent authentication requests (see Paragraph 0004). A “cluster” of data elements (nodes) can refer to a collection of overlapped bindings or that overlap on certain data elements (see Paragraph 0025).
The data structure can be generated from a plurality of authentication requests that are associated with a resource identifier (e.g., a user account of a computer resource). The data structure can be generated using data elements associated with access requests, where the data elements form nodes within the data structure. Sets of nodes within the data structure can be identified as belonging to certain clusters, e.g., each corresponding to a different legitimate or fraudulent actor (see Paragraph 0029). The strength of matching data elements can allow a new data element in a same request to be added to the baseline. For example, the strength scores can be added for each matching data element, and the total score can be required to be above a certain threshold before new data elements are added to a legitimate cluster, which may be the baseline or another cluster corresponding to a different legitimate user than the one who specified data elements at the time of creation/registration of the resource (see Paragraph 0095). Clusters representing suspicious or fraudulent transactions may also be identified. For example, in FIG. 4, cluster 406(b) can be identified as fraudulent because only two transactions have been conducted, and the data elements 402 are not consistent with the data elements in baseline cluster 406(a). The categorization of fraudulent could change at a later time, e.g., if additional requests included data elements from a legitimate cluster (see Paragraph 0098). The data elements of a fraudulent cluster can also have scores, e.g., negative numbers showing a weakness of the data element being part of a valid request. These scores could contribute to determining whether a new authentication request is legitimate, e.g., if the new request included one or more data elements of a legitimate cluster and one or more data elements of a fraudulent cluster. Paragraph 0106 teaches the comparison can proceed as follows.
When an access request is received, embodiments can determine a Degree of Affiliation (DoA) to a baseline cluster on every possible combination of the binding in current transactional elements (see Paragraph 0099). Summing all the weights together provides a measure of the affiliation on a current request to its historical events from that resource identifier. This example measurement can compare all requests and learn the optimal threshold for decision. The threshold can be a percentile of the current calculated DoA's relative position in all observed/calculated DoAs from all requests. The value of DoA could be positive or negative. The larger the positive value is, the higher the probability of a current request being affiliated with a legitimate cluster, and the smaller the negative value is, the higher the probability of a current request being affiliated with a fraudulent cluster (see Paragraph 0107). Categorization module 1210 can categorize the nodes in the data structure into clusters… update module 1218 can determine whether new nodes should be added to an existing cluster or used to create a new cluster (see Paragraph 0141). The examiner maintains that access requests associated with data elements are interpreted to be the claimed plurality of events. Access requests, whether legitimate or fraudulent, placed into clusters are interpreted to read on the claimed constructing a distribution of the features from the plurality of events, and events that are determined to be legitimate or fraudulent are interpreted to be the claimed enriched events. The Degree of Affiliation, in the context of the cited art, is interpreted to be a score wherein the value of DoA could be positive or negative.
The DoA/score representing a probability of a current request (event) being affiliated with a legitimate cluster or fraudulent cluster is interpreted to read on the claimed performing a probability distribution operation on the enriched events, the probability distribution operation analyzing probability distributions of the features extracted from the plurality of events. In other words, the DoA/score provides a probability that the new transaction (event) contains elements that are deemed legitimate or fraudulent, given that data elements of a fraudulent cluster can also have scores, e.g., negative numbers showing a weakness of the data element being part of a valid request. These scores could contribute to determining whether a new authentication request is legitimate, and the cited scores are interpreted to be a result of the claimed analyzing probability distributions of the features extracted from the plurality of events. To further elaborate, the scores are a result of an analysis of the fraudulent clusters (probability distribution). The process, including deriving scores based on features of events in a fraudulent cluster and determining whether incoming requests (events) are legitimate or fraudulent based on a DoA/score, is interpreted to be the claimed performing a probability distribution operation. Regarding “the probability distribution operation comprising a scoring container update operation, the scoring container update operation using a scoring container to provide an approximation of a probability distribution of the features from the plurality of events for a particular time window”, once the data structure is generated, the data structure may be organized into clusters that represent legitimate or potentially fraudulent authentication requests (see Paragraph 0004). A “cluster” of data elements (nodes) can refer to a collection of overlapped bindings or that overlap on certain data elements (see Paragraph 0025).
The data structure can be generated from a plurality of authentication requests that are associated with a resource identifier (e.g., a user account of a computer resource). The data structure can be generated using data elements associated with access requests, where the data elements form nodes within the data structure. Sets of nodes within the data structure can be identified as belonging to certain clusters, e.g., each corresponding to a different legitimate or fraudulent actor (see Paragraph 0029). The strength of matching data elements can allow a new data element in a same request to be added to the baseline. For example, the strength scores can be added for each matching data element, and the total score can be required to be above a certain threshold before new data elements are added to a legitimate cluster, which may be the baseline or another cluster corresponding to a different legitimate user than the one who specified data elements at the time of creation/registration of the resource (see Paragraph 0095). Clusters representing suspicious or fraudulent transactions may also be identified. For example, in FIG. 4, cluster 406(b) can be identified as fraudulent because only two transactions have been conducted, and the data elements 402 are not consistent with the data elements in baseline cluster 406(a). The categorization of fraudulent could change at a later time, e.g., if additional requests included data elements from a legitimate cluster (see Paragraph 0098). The data elements of a fraudulent cluster can also have scores, e.g., negative numbers showing a weakness of the data element being part of a valid request. These scores could contribute to determining whether a new authentication request is legitimate, e.g., if the new request included one or more data elements of a legitimate cluster and one or more data elements of a fraudulent cluster (see Paragraph 0099). The comparison can proceed as follows.
When an access request is received, embodiments can determine a Degree of Affiliation (DoA) to a baseline cluster on every possible combination of the binding in current transactional elements (see Paragraph 0106). Summing all the weights together provides a measure of the affiliation on a current request to its historical events from that resource identifier. This example measurement can compare all requests and learn the optimal threshold for decision. The threshold can be a percentile of the current calculated DoA's relative position in all observed/calculated DoAs from all requests. The value of DoA could be positive or negative. The larger the positive value is, the higher the probability of a current request being affiliated with a legitimate cluster, and the smaller the negative value is, the higher the probability of a current request being affiliated with a fraudulent cluster (see Paragraph 0107). Categorization module 1210 can categorize the nodes in the data structure into clusters… update module 1218 can determine whether new nodes should be added to an existing cluster or used to create a new cluster (see Paragraph 0141). The examiner maintains that access requests associated with data elements are interpreted to be the claimed plurality of events. Access requests, whether legitimate or fraudulent, placed into clusters are interpreted to read on the claimed constructing a distribution of the features from the plurality of events. The categorization module, configured to allow for categorization changes (updates) and to categorize the nodes/data elements into clusters, is interpreted to read on the claimed distribution of the features being constructed via a scoring container update operation.
Categorization is interpreted to be the scoring container update operation; legitimate clusters and fraudulent clusters are interpreted to be the claimed scoring containers, wherein the clusters are configured to have data elements that have scores, e.g., negative numbers showing a weakness of the data element being part of a valid request. These scores could contribute to determining whether a new authentication request is legitimate, e.g., if the new request included one or more data elements of a legitimate cluster and one or more data elements of a fraudulent cluster. The Degree of Affiliation, in the context of the cited art, is interpreted to be a score wherein the value of DoA could be positive or negative, similar to the cited score. The DoA/score representing a probability of a current request being affiliated with a legitimate cluster or fraudulent cluster is interpreted to read on the claimed scoring container to provide an approximation of a probability distribution of the features from the plurality of events, wherein the DoA/score associated with the cluster is interpreted to be the claimed scoring container to provide an approximation of a probability distribution. “t” corresponding to a moving window to calculate the DoA/score for new transactions to determine the appropriate cluster, as shown in the formula in Paragraph 0106 of the cited prior art, is interpreted to read on the claimed plurality of events for a particular time window. The cited time window is interpreted to be used in the determination of the DoA/score, which provides a probability that the new transaction contains elements that are deemed legitimate or fraudulent. Regarding “across a sequence of time windows”, “t” corresponds to a moving time window on the timeline backward, e.g., a weekly window, and “H” stands for Historical time (see Paragraph 0106). The examiner interprets “t” and “H”, representing two time windows, to read on the claimed across a sequence of time windows.
Regarding “the scoring container being implemented as one or both of a percentile container”, the amount can be a number of the one or more current data elements that match the existing nodes of the existing cluster, or a percentage of the one or more current data elements that match the existing nodes of the existing cluster (see Paragraph 0089). Strength of a matching data elements can allow a new data element in a same request to be added to the baseline. For example, the strength scores can be added for each matching data element, and the total score can be required to be above a certain threshold before new data elements are added to a legitimate cluster (see Paragraph 0095). The data elements of a fraudulent cluster can also have scores, e.g., negative numbers showing a weakness of the data element being part of a valid request. These score could contribute to determining whether a new authentication request is legitimate, e.g., if the new request included one or more data elements of a legitimate cluster and one or more data elements of a fraudulent cluster (see Paragraph 0099). The examiner interprets clusters that contain score elements with an indication of a percentage of the one more current data elements that match the existing nodes of the existing cluster reads on the claimed scoring container being implemented as a percentile container.]. 
Regarding “the percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations”, the amount can be a number of the one or more current data elements that match the existing nodes of the existing cluster, or a percentage of the one or more current data elements that match the existing nodes of the existing cluster… the measurement of a matching amount could be different measures with/without different units, such as a function, a probability, a score, or a rate, where units could be per given time, per given change in time, etc. (see Paragraph 0089). The strength of matching data elements can allow a new data element in the same request to be added to the baseline. For example, the strength scores can be added for each matching data element, and the total score can be required to be above a certain threshold before new data elements are added to a legitimate cluster (see Paragraph 0095). The data elements of a fraudulent cluster can also have scores, e.g., negative numbers showing a weakness of the data element being part of a valid request. These scores could contribute to determining whether a new authentication request is legitimate, e.g., if the new request included one or more data elements of a legitimate cluster and one or more data elements of a fraudulent cluster (see Paragraph 0099).
The examiner interprets clusters (scoring container) that contain score elements with an indication (scoring operations) of a percentage of the one or more current data elements that match the existing nodes of the existing cluster (percentile container), where matching (operations) associated with data distribution to the cluster is measured for a given time (particular period of time) in probability (probability distribution), as reading on the claimed percentile container collecting probability distribution of features extracted from certain interrelated events of a particular period of time which are then used to perform scoring operations. Further clarification through amendments to the claim language may aid in differentiating from the current prior art citations.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EARL ELIAS whose telephone number is (571)272-9762. The examiner can normally be reached Monday - Friday (IFP).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Usmaan Saeed can be reached on 571-272-4046. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/EARL ELIAS/Examiner, Art Unit 2169
/USMAAN SAEED/Supervisory Patent Examiner, Art Unit 2169