DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 have been examined and are pending.
Allowable Subject Matter

Claims 4, 6, and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and all intervening claims.
Claims 7-15 are allowed.
The following is an examiner's statement of reasons for allowance:
The closest prior art, as previously recited, Muddu 20180302423 A1, Li CN 106708978 A, and Isano JP5973636B1 are also generally directed to a cybersecurity method utilizing vector-enriched service access data to support detection of an anomalous service access, the method comprising: acquiring a set of graph-based vectors which include one or more service vectors and one or more geolocation vectors, the service vectors and the geolocation vectors generated from a bipartite access graph having links, each link having a service node and a geolocation node connected by the link, [See Muddu, Fig. 8 and ¶0215, 0218, 0244, 0261-0262, and 0280 and 0554-0556] each service node having a service identifier identifying a service, each geolocation node having a geolocation identifier identifying a geolocation, each link connecting the service node of the link with the geolocation node of the link and having an access value derived from at least one service access from the geolocation to the service, [See Muddu, ¶¶0018, 0218, 0261-0262, 0546, 0604 and 0606]; getting an anomaly candidate service access description which includes at least a service identifier corresponding to an anomaly candidate service access; procuring at least one anomaly candidate vector that is based on at least the anomaly candidate service access description; [Muddu ¶¶0207 and 0457: an action, an IP address, an event identifier (ID), a process ID, a type of the event, a type of machine that generates the event; FIG. 40A, each “Threat Review” view 4000 can identify a particular threat by its type and provides a summary description 4002 along with a threat score 4003.]; each service vector corresponding to a service node and based on at least the access values of all links which connect to the service node; [See Li CN 106708978 A, p. 2, ¶1: Generating a bipartite graph with the target user and the service as a vertex, wherein the target user is interested in the service when there is a connection between the vertex of the target user and the vertex of the service; p. 2, ¶¶12 and 14: D. The element value of the current service theme vector and the element value of the current user's interest vector when the convergence state is reached is determined as the element value of each corresponding user's interest vector and the element value of each service subject vector. Based on the user interest vector and the vector product of the service subject vector, the service recommendation is made to the target user. p. 6, ¶1: A service recommendation method based on bipartite graph, the method comprising: constructing initial service theme vector per one target user of initial user interest vector and each service, wherein the user interest vector and the service subject vectors are probability vector; service subject vector constructing a target function based on bipartite graph;]; calculating a vector distance using at least the anomaly candidate vector; [See Isano JP5973636B1, ¶0028] and classifying the anomaly candidate service access either as anomalous or as non-anomalous, the classifying based at least in part on the vector distance. [See Isano ¶0026-0027]
However, none of Muddu, Li, and Isano teaches or suggests, alone or in combination, the particular combination of steps or elements as recited in independent claim 7. For example, none of the cited prior art teaches or suggests getting an anomaly candidate service access description which includes at least a service identifier and a geolocation identifier corresponding to an anomaly candidate service access; procuring at least one anomaly candidate vector that is based on at least the anomaly candidate service access description; each service vector corresponding to a service node and based on at least the access values of all links which connect to the service node, each geolocation vector corresponding to a geolocation node and based on at least the access values of all links which connect to the geolocation node, in view of other limitations of claim 7.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."
The closest prior art of record:
Muddu (20180302423 A1) teaches a security platform that employs a variety of techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is “big data” driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.
Li (CN-106708978-A) teaches an invention that provides a bipartite graph-based service recommendation method and apparatus. The method comprises the steps of acquiring a service which each target user is interested in; constructing an initial user interest vector of each target user and an initial service topic vector of each service, wherein the user interest vector and the service topic vector are both probability vectors; generating a bipartite graph by taking the target users and the services as vertexes, and constructing a bipartite graph-based target function P according to the user interest vectors and the service topic vectors; solving the target function P to determine an element value of each user interest vector and an element value of each service topic vector; and performing service recommendation on the target users according to the user interest vectors and the service topic vectors. By applying the method and the apparatus, the calculation complexity of bipartite graph-based service recommendation is lowered, and the user interest vectors and the service topic vectors output by a model are all the probability vectors, so that more probability-based actual applications can be constructed conveniently.
Isano (JP5973636B1) teaches an anomaly vector detection apparatus and an anomaly vector program for detecting an anomaly vector based on a cluster classification of vectors, which can detect an anomaly vector more appropriately when there are a plurality of anomaly clusters. An abnormal vector detection device classifies a plurality of vectors into j clusters for a plurality of different values of a variable j (where j is an integer of 2 or more); An abnormal cluster detection step S5 for detecting an abnormal cluster from the inside and an abnormality degree determination step S6 for determining an abnormality degree for each vector belonging to the abnormal cluster are executed, and each vector is abnormal based on the abnormality degree of each vector. It is determined whether or not the vector is S10. [Selection] Figure 3
Examiner Comments
Claims 16-20 are directed towards a computer-readable storage medium and have been analyzed for 35 USC 101. The claim comprises a computer-readable storage medium configured with data and instructions which upon execution by a processor cause a computing system to perform a service access data vector-enrichment method to support detection of an anomalous service access. Therefore, the computer-readable storage medium does not have propagating signals. No 35 USC 101 rejection is deemed necessary since the specification states: ‘... also includes one or more computer-readable storage media 112. Storage media 112 may be of different physical types. The storage media 112 may be volatile memory, non-volatile memory, fixed in place media, removable media, magnetic media, optical media, solid-state media, and/or of other types of physical durable storage media (as opposed to merely a propagated signal or mere energy). In particular, a configured storage medium 114 such as a portable (i.e., external) hard drive, CD, DVD, memory stick, or other removable non-volatile memory medium...For compliance with current United States patent requirements, neither a computer-readable medium nor a computer-readable storage medium nor a computer-readable memory is a signal per se or mere energy under any claim pending or granted in the United States.’ (para 0032).

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 09/12/2020 and 01/26/2022 were filed. The submissions are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.
Claim Objections
Claim 7 is objected to because of the following informalities:  
Claim 7, line 17: “a geolocation node;” antecedent basis due to claim 7, line 8.  Appropriate correction is required.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-3, 5, and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al, hereinafter (“Muddu”), US PG Publication (20180302423 A1), in view of Li et al, hereinafter (“Li”), Chinese Patent Application (CN-106708978-A), published 09/27/2019. 
Regarding claims 1 and 16, Muddu teaches a cybersecurity data enrichment system, comprising and a computer-readable storage medium configured with data and instructions which upon execution by a processor cause a computing system to perform a service access data vector-enrichment method to support detection of an anomalous service access, the method comprising: [Muddu, ¶¶0159-0161: a high-level conceptual view of the processing within security platform 102 in FIG. 2 where event data (enrichment or annotation herein) allow more effective consumption by downstream data consumers; enriched event data from the ETL block 204 is then provided to a batch analyzer 240 over a batch processing path 242 for detecting anomalies, threat indicators and threats. ¶¶0742-0743: security platform (e.g., security platform 300) implemented using one or more conventional physical processing device including various machine-readable storage media, may be used for storing and executing program instructions pertaining to the techniques introduced here.]
a digital memory;  [Muddu, ¶0743: computer system 8500 includes: memory 8520] and  
a processor [Muddu, ¶0743: computer system 8500 includes: one or more processor(s) 8510] in operable communication with the digital memory, the processor configured to perform service access data enrichment and anomaly detection support steps which include (a) obtaining a map of IP addresses to geolocations, [Muddu, Fig. 8 and ¶0215: graph generator 810 identifies a relationship between entities involved in an event based on actions; an event records a GET command to indicate a certain IP address(es) between entities of different types (e.g. user and device). ¶0218: Using the aforementioned techniques (e.g., the parsers 806, and the field mapper 808), the graph generator 810 can readily identify that the event represented in the FIG. 9A involves a number of entities, such as the user “psibbal,” the source IP “10.33.240.240,” the destination IP “74.125.239.107,” and an URL “sample.site.com.” Fig. 8 and ¶0244: The data intake and preparation stage can also include additional event decorators 814, which include a geographical decorator where an additional field is received about their respective IP's geographical location.] (b) building a bipartite access graph having links, each link having a service node and a geolocation node connected by the link, each service node having a service identifier identifying a service, each geolocation node having a geolocation identifier identifying a geolocation, each link connecting the service node of the link with the geolocation node of the link and having an access value derived from at least one service access from the geolocation to the service, [Muddu, ¶¶0261-0262: session tracking inspects event data which has sessionID, start time, device identifier where a derived property attribute “LinkContext” can also be generated from the event view. ¶¶0280 and 0554-0556: bipartite graph made up of normal nodes and pseudo nodes; every edge connects a normal node to a pseudo node.
¶¶0604 and 0606: entities may be identified by one or more of an IP address, a unique identification (UID), uniform resource locator (URL), and user ID. In such an example each of these identifiers may be considered a discrete entity associated with the computer network or two or more identifiers maybe associated with the same entity.]  
(d) generating a respective geolocation vector for at least one geolocation node, the geolocation vector based on at least the access values of one or more links which connect to the geolocation node, the service vectors and geolocation vectors collectively referred to herein as graph-based vectors, [Muddu, ¶0018, 0218, and 0546: FIG. 9B shows an event-specific relationship graph based on the event where to create an event-specific relationship graph 902 based on the event; an automated cluster identification process. ¶0620: feature vectors] and  
(e) associating at least two of the generated vectors with an anomaly detection system; [Muddu ¶¶0616 and 0630: Anomaly detection is also described in more detail elsewhere herein. An entity profile including a plurality of feature scores may be represented as a feature vector, f={f1 f2 f3 . . . fn}. In such an embodiment, the anomaly score may simply be represented as: $\text{score} = \sum_{i=1}^{n} w_i f_i$] and
whereby the cybersecurity data enrichment system is configured to support detection of anomalous service accesses such that a similarity of two given vectors corresponds with a likelihood that a given service was non-maliciously accessed. [Muddu, ¶0533: PST-SIM: The PST implementation of cosine similarity (PST-SIM) is the cosine similarity between two vectors representing the two sequences. ¶¶0605-0606 presence of malware may use inferring techniques to determine anomalous behavior. Hence, Examiner interprets the two sequences associated with the two vectors as being analyzed to determine likelihood of maliciousness or not.]
    While Muddu teaches service vector [Muddu, ¶0549: mapping nodes to 1D grid where a norm assigns a strictly positive length or size to each vector in a vector space.]; however, Muddu fails to explicitly teach but Li teaches (c) generating a respective service vector for at least one service node, the service vector based on at least the access values of one or more links which connect to the service node,  [Li CN 106708978 A, p. 2, ¶1: Generating a bipartite graph with the target user and the service as a vertex, wherein the target user is interested in the service when there is a connection between the vertex of the target user and the vertex of the service p. 2, ¶¶12 and 14:  D. The element value of the current service theme vector and the element value of the current user's interest vector when the convergence state is reached is determined as the element value of each corresponding user's interest vector and the element value of each service subject vector. Based on the user interest vector and the vector product of the service subject vector, the service recommendation is made to the target user. 
p. 6, ¶1: A service recommendation method based on bipartite graph, the method comprising: constructing initial service theme vector per one target user of initial user interest vector and each service, wherein the user interest vector and the service subject vectors are probability vector; service subject vector constructing a target function based on bipartite graph;] 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of network security anomaly and threat detection using rarity scoring of Muddu before him or her by including the teachings of Bipartite graph-based service recommendation method and apparatus of Li. The motivation/suggestion would have been obvious to try to modify the system of security platform 102 for event data enrichment of Muddu by adding the service recommendation method based on bipartite graph as taught by Li [Li, p. 2, ¶¶1 and 12-14].   
  
Regarding claim 2, the combination of Muddu and Li teaches claim 1 as described above.
Muddu teaches wherein the service identifier includes at least one of the following: an API identifier, a web service identifier, an endpoint URL, a URI, a storage resource identifier, a network resource identifier, a compute resource identifier, a software-as-a-service identifier, a platform-as-a-service identifier, an infrastructure-as-a-service identifier, an email service address, or another denotation of at least one network-accessible item. [Muddu, ¶0606: url]
  
Regarding claim 3, the combination of Muddu and Li teaches claim 1 as described above.
Muddu teaches wherein the geolocation identifier expressly identifies at least one of the following: a building, a campus, a district, a city, a metropolitan area, a county, a province, a state, a country, a region containing multiple countries, a legal jurisdiction, or a regulatory jurisdiction. [Muddu ¶0713:  a geographic (“geo”)-location feature, e.g., a location from where a connection request to the network 8065 is originating, where each value of the feature is a two-letter country identifier.] 

Regarding claim 5, the combination of Muddu and Li teaches claim 1 as described above.
Muddu teaches in combination with the anomaly detection system.  [See Muddu ¶¶0616 and 0630: Anomaly detection] 
  
Regarding claim 17, the combination of Muddu and Li teaches claim 16 as described above.
Muddu teaches wherein the method further comprises associating the generated vectors with an anomaly detection system, whereby the anomaly detection system is configured for utilizing at least one of the vectors to support detection of anomalous service accesses, with anomaly false positive curtailment relative to service access anomaly detection which does not map IP addresses to geolocations. [Muddu, ¶0348-0349: the security platform 300 detects anomalies in event data, and further detects threats based on detected anomalies. A processing hierarchy 2300 of detecting anomalies, identifying threat indicators, and identifying threats with the security platform 300. Reducing false positives in identifying security threats to the network is one goal of the security platform] 
  
Regarding claim 18, the combination of Muddu and Li teaches claim 16 as described above.
Muddu teaches wherein the method further comprises receiving from a human user at least one access value or an endorsement of at least one access value, or both. [Muddu, ¶0260 and 0262: session resolver queries session database using user and event time information from data event; where a derived property attribute “LinkContext” can also be generated from the event view]


Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al, hereinafter (“Muddu”), US PG Publication (20180302423 A1), in view of Li et al, hereinafter (“Li”), Chinese Patent Application (CN-106708978-A), published 09/27/2019, in view of Hu et al, hereinafter (“Hu”), Collaborative Filtering for Implicit Feedback Datasets, which was submitted in the 09/12/2020 IDS.

Regarding claim 19, the combination of Muddu and Li teaches claim 16 as described above.
While Muddu teaches generating at least a portion of the graph-based vectors comprises collaborative filtering [See Muddu, ¶0279: collaborative filtering; ¶¶0018, 0218, and 0546: FIG. 9B shows an event-specific relationship graph based on the event where to create an event-specific relationship graph 902 based on the event; an automated cluster identification process. ¶0620: feature vectors]; however the combination of Muddu and Li fails to explicitly teach but Hu teaches wherein generating at least a portion of the graph-based vectors comprises collaborative filtering with matrix factorization. [Hu p. 1, Introduction, ¶3: and p. 4 ¶3: explicit profiles creation approaches using collaborative filtering (CF) using matrix factorization]

 Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Muddu and Li before him or her by including the teachings of collaborative filtering for implicit feedback datasets of Hu. The motivation/suggestion would have been obvious to try to modify the system of security platform 102 for event data enrichment of Muddu by adding the service recommendation method based on bipartite graph as taught by Li, with matrix factorization based collaborative filtering [Hu, p. 1, Introduction, ¶3: and p. 4 ¶3:].   
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Shah et al (11349857 B1) discloses suspicious group detection.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH W TAYLOR whose telephone number is (571)270-0682. The examiner can normally be reached Monday-Friday, 9:45-5:45.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ELENI SHIFERAW can be reached on 571-272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/Sakinah White Taylor/           Primary Examiner, Art Unit 2497