Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
In claims 1, 8 and 15, within the limitation “wherein the detailed view includes more details about the action type than the representation of the plurality of actions”, the phrases “more details” and “about the action” render the claims ambiguous because those phrases are not clearly defined, nor is it described what they entail or encompass, so the boundary and scope of the claimed limitation cannot be appraised. Therefore, claims 1, 8 and 15 are ambiguous and indefinite.

Claims 4, 11 and 18 recite the limitation "the certificate authority" in line 3. There is insufficient antecedent basis for this limitation in the claims.
Dependent claims 2-3, 5-7, 9-10, 12-14, 16-17 and 19-20, depending from their respective independent claims, fail to remedy the above deficiencies and are therefore indefinite.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-3, 5-10, 12-17 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over SCHEIDLER et al. (Hereinafter referred to as SCHEIDLER, US Pub. No.: 20180167402) in view of Kirti et al. (Hereinafter referred to as Kirti, US 20150319185). 

As per claim 1:
SCHEIDLER discloses a control server comprising:
one or more processors; and a memory storing instructions which, when executed by the one or more processors, cause the one or more processors to perform operations comprising ([0732]: endpoint device):
storing, for each user in a set of users having access to a set of data sources, a baseline profile representing baseline activity of the user with respect to a set of data sources ([0062] The method may be one wherein the system gets data from other systems including Logs, audit-trails, and information on user activities. [0063] The method may be one including the system using at least two data sources, including Contextual information sources and raw user activity data sources. [0066] The method may be one wherein raw user activity data sources include one or more of: logs, SSB/syslog-ng/SIEM logs, SCB logs, databases logs, csv files logs, and application data through application programming interfaces. [0103] The security operations center system may be one wherein shared information includes one or more of: User risk histogram, algorithm parameters, algorithm weights, activity numbers, average baseline, baseline outliers, min/max/average/stddev score given by algorithms/baselines, false-negative activities with baselines, anonymous clusters. [0259-0267]: Inputs & sources, [0283-0291]: Log as Activity source, [0292-0300]: Database holds all user/host/activity baseline);
monitoring activity of the set of users with respect to the set of data sources ([0136] Blindspotter (BSP) integrates a variety of contextual information in addition to standard log data, processes them using unique sets of algorithms, and generates user behavior profiles that are continually adjusting using machine learning. It tracks and visualizes user activity in real-time for a better understanding of what is really happening on the network and offers a wide range of outputs from warnings to automatic interventions. [0138] Blindspotter is able to maximize the benefit of logs with syslog-ng and builds a unique profile of individual users with cooperation of Shell Control Box (SCB) which records all user activity at the application layer; [0198-0205]: What may be monitored by BSP; [0206-0213]: Who may be monitored by BSP);
transmitting, to a client device for display thereat, a representation of a plurality of actions of the set of users ([0350-0356]: Outputs and Results; data may be accessed using a Representational State Transfer (REST) API for integration into existing monitoring infrastructure; both exports, the REST API and the User Interface (UI), may be extended using addons to provide other views of the information stored in BSP), each action having at least a time ([0321-0323]: Identify logins in unusual time, out of working hours, weekend etc.; algorithm learns about typical login-times, weekend & weekdays; [0339]: User activity timeline (e.g., what hosts the user was accessing, hopping)) and whether the user activity is consistent with the baseline profile;
receiving, from the client device, a representation of a selection of a user activity unit ([0283-0285] Logs are pulled by fetchers or pushed by apps, Fetcher can select which logs messages are considered as user activities, Fetch only relevant logs if possible (userlist is available)); and
transmitting, to the client device for display thereat and in response to the selection of the user activity unit, a detailed view of the user activity unit, wherein the detailed view includes more details about the action type than the representation of the plurality of actions ([0303-0312]: Algorithms responsible for scoring activities, building baseline using historical data on user behavior, build baseline for hosts, user groups; baselines used to identify similarly behaving users/hosts or similar activities; activities are scored after they are fetched; provide visualization to display baselines & explain specific activities. [0380-0384]: User Interface, WebUI where activities, hosts, users may be checked and where results are available; work-flow functions are provided by the webUI; “bspcli” command line interface for managing BSP installation and running maintenance jobs; REST interface may be available for integration. [0514-0521]: BlindSpotter presents an overview screen (dashboard) for the user to help quick overview of the most important events and trends).

SCHEIDLER does not explicitly disclose the plurality of actions include an action type, a user identifier. Kirti, in analogous art however, discloses the plurality of actions include an action type, a user identifier ([0041]: The accounts of a particular user in different cloud applications (e.g., different user identities) can be associated together in a user identity repository 209. The user identity repository store information concerning tenant accounts and user accounts associated with each tenant account. [0045] The incident remediation application 213 can be utilized to coordinate and/or perform remediation actions in response to detected threats. Perform the selected remediation action. [0058] Activity data associated with user accounts can include information relating to the use of and/or actions taken with a user account including sources of information such as a user log(s) or audit trail(s), login and logout statistics (including attempts and successes), IP addresses used to access the application, devices used to access the application, and cloud resources that were accessed (including, but not limited to, files and folders in a file management cloud application [such as Box], employees and contractors in a human resource cloud application [such as Workday], and contacts and accounts in a customer relationship management cloud application [such as Salesforce]). Activity data can include the user account or other user identifier for the user associated with the events or statistics).
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the claimed limitations of baseline activity disclosed by SCHEIDLER to include the plurality of actions include an action type, a user identifier. This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to provide methods for contextual and cross application threat detection using past activity data from cloud applications includes receiving activity data concerning actions performed by a user account associated with a user within a monitored cloud application, threat intelligence and managing security controls for cloud applications as suggested by Kirti (0003-0004).

As per claim 2:
SCHEIDLER and Kirti disclose wherein the action type of the user activity unit is a data transmission (Kirti: [0058], wherein the representation of a plurality of actions indicates that the action type is a data transmission (Kirti: [0075, 0080]); and  wherein the detailed view indicates an amount of data transmitted, a source Internet Protocol (IP) address of the data transmission, and a destination IP address of the data transmission (Kirti: [0080; 0087-0090]).

As per claim 3:
SCHEIDLER and Kirti disclose wherein the representation of a plurality of actions indicates that the user activity of the selected user activity unit is inconsistent with the baseline profile (SCHEIDLER: [0103]); and wherein the detailed view indicates a reason why the user activity is inconsistent with the baseline profile (SCHEIDLER: [0643]).

As per claim 5:
SCHEIDLER and Kirti disclose wherein the set of data sources is hosted at a computer system (SCHEIDLER: [0005]: computer implemented; [0020-0021]: hosts).

As per claim 6:
SCHEIDLER and Kirti disclose wherein the set of data sources comprises one or more of: a packet log of packets travelling between the computer system and an external network, a driver log of the computer system, a secure socket layer (SSL) certificate authority (CA) of the computer system, a programmable logic controller (PLC) of the computer system, a simple mail transfer protocol (SMTP) log of the computer system, a web access log of the computer system, service repos of the computer system, network drives of the computer system, workstation performance logs of the computer system, and workstation network traffic of the computer system (SCHEIDLER: [0917-0918]: You need a valid X.509 certificate and corresponding private key in order to enable Secure Sockets Layer (SSL), both in separate files, formatted in the PEM (Privacy-enhanced Electronic Mail) format. Make sure you have the following lines in blindspotter.conf and make sure the certificate files exist; [0918]: You can use OpenSSL tools to create new certificates, or you can acquire them from a trusted certification authority (CA) service).

As per claim 7:
SCHEIDLER and Kirti disclose wherein the set of users having access to the set of data sources comprise system administrators of the computer system (SCHEIDLER [0208]: Administrators, operators, developers, etc.).

As per claims 8-10 and 12-14:
Claims 8-10 and 12-14 are directed to a non-transitory machine-readable medium storing instructions which, when executed by one or more processors of a machine, cause the one or more processors to perform operations having substantially similar corresponding limitations of claims 1-3 and 5-7 respectively and therefore claims 8-10 and 12-14 are rejected with the same rationale given above to reject claims 1-3 and 5-7.

As per claims 15-17 and 19-20:
Claims 15-17 and 19-20 are directed to a method having substantially similar corresponding limitations of claims 1-3 and 5-6 respectively and therefore claims 15-17 and 19-20 are rejected with the same rationale given above to reject claims 1-3 and 5-6.

Allowable Subject Matter
Claims 4, 11 and 18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. The following is a statement of reasons for the indication of allowable subject matter: the pertinent prior art of record cited in PTO-892, either taken alone or in combination, neither anticipates nor renders obvious the claimed subject matter of the instant application taken as a whole, when read together with the independent claims and any intervening claim, on condition that the above rejection and objections have been overcome:
determining, based on monitoring the activity of the set of users, that a specified user action of a specified user comprises modifying the certificate authority; determining that the specified user has never modified the certificate authority previously; and  providing, in response to determining that the user action comprises modifying the certificate authority and in response to determining that the specified user has never modified the certificate authority previously, a digital transmission representing the user action of the specified user.
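The allowable limitation above, read together with claim 1, describes a concrete detection rule: keep a per-user baseline of which action types the user has performed on which data sources, monitor live activity against it, and emit a notification when a user modifies the certificate authority for the first time. The following is an added illustration written for this editorial page; it is not code from the application, from SCHEIDLER or from Kirti, and every name in it (the Action and BaselineProfile classes, the source labels such as "ssl_ca", the sample history and live events) is a constructed assumption chosen only to show the mechanism.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Action:
    """One user activity unit pulled from a data source (constructed format)."""
    time: str
    user: str
    source: str        # data source that produced it, e.g. "ssl_ca" or "smtp_log"
    action_type: str   # e.g. "modify_ca", "send_mail", "ssh_login"
    details: tuple = ()  # extra (key, value) pairs, shown only in the detailed view


@dataclass
class BaselineProfile:
    """Baseline activity of one user: the action types seen per data source."""
    user: str
    seen: dict = field(default_factory=lambda: defaultdict(set))

    def observe(self, action: Action) -> None:
        self.seen[action.source].add(action.action_type)

    def is_consistent(self, action: Action) -> bool:
        return action.action_type in self.seen.get(action.source, set())


def build_baselines(history):
    """Store a baseline profile for each user from historical activity."""
    profiles = {}
    for a in history:
        profiles.setdefault(a.user, BaselineProfile(a.user)).observe(a)
    return profiles


def summary_rows(baselines, live):
    """Compact representation sent to the client: time, user, action type, consistency flag."""
    rows = []
    for a in live:
        profile = baselines.get(a.user)
        consistent = profile is not None and profile.is_consistent(a)
        rows.append((a.time, a.user, a.action_type, consistent))
    return rows


def detailed_view(baselines, action: Action):
    """Detailed view of one selected unit: more fields than the summary row, plus a reason."""
    profile = baselines.get(action.user)
    if profile is None:
        reason = f"no baseline profile for user {action.user}"
    elif profile.is_consistent(action):
        reason = "consistent with baseline"
    else:
        reason = (f"user {action.user} has never performed {action.action_type} "
                  f"on source {action.source} during the baseline period")
    view = {"time": action.time, "user": action.user, "source": action.source,
            "action_type": action.action_type, "reason": reason}
    view.update(dict(action.details))
    return view


def first_ca_modifications(baselines, live, ca_source="ssl_ca", ca_action="modify_ca"):
    """One notification per user who modifies the CA without ever having done so before."""
    notices, already_notified = [], set()
    for a in live:
        if a.source != ca_source or a.action_type != ca_action:
            continue
        profile = baselines.get(a.user)
        never_before = profile is None or not profile.is_consistent(a)
        if never_before and a.user not in already_notified:
            already_notified.add(a.user)  # a second modification in the batch is no longer "first"
            notices.append({"user": a.user, "time": a.time,
                            "event": "first CA modification", "details": dict(a.details)})
    return notices


# Constructed sample data: alice has modified the CA before, bob and carol have not.
HISTORY = [
    Action("2024-01-03T09:12:00Z", "alice", "ssl_ca", "modify_ca", (("subject", "CN=internal-ca"),)),
    Action("2024-01-03T10:00:00Z", "alice", "smtp_log", "send_mail"),
    Action("2024-01-04T08:30:00Z", "bob", "smtp_log", "send_mail"),
    Action("2024-01-04T08:45:00Z", "bob", "ssh_log", "ssh_login", (("host", "build01"),)),
]
LIVE = [
    Action("2024-02-10T02:14:00Z", "bob", "ssl_ca", "modify_ca",
           (("operation", "add_trusted_root"), ("subject", "CN=unknown-root"))),
    Action("2024-02-10T09:00:00Z", "alice", "ssl_ca", "modify_ca",
           (("operation", "renew"), ("subject", "CN=internal-ca"))),
    Action("2024-02-10T09:05:00Z", "bob", "smtp_log", "send_mail", (("bytes", "1200"),)),
    Action("2024-02-10T11:00:00Z", "carol", "ssl_ca", "modify_ca"),
]

if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for row in summary_rows(baselines, LIVE):
        print(row)
    print(detailed_view(baselines, LIVE[0]))
    print(first_ca_modifications(baselines, LIVE))
```

The baseline here is deliberately the simplest possible one (a set of action types per data source per user), which is enough to make the claimed "has never modified the certificate authority previously" test explicit; a user with no baseline at all is treated as never having done so, since the claim's condition holds for that user too.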

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See the notice of references cited in form PTO-892 for additional prior art.

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TECHANE GERGISO whose telephone number is (571)272-3784. The examiner can normally be reached 9:30am to 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG W KIM, can be reached at (571)272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/TECHANE GERGISO/Primary Examiner, Art Unit 2494