DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-20 were cancelled and claims 21-38 were added as new claims by preliminary amendment on 7/16/21; claims 21-38 were then amended again on 8/18/21. Claims 21-38 are pending.
Information Disclosure Statement
The information disclosure statement (IDS) was submitted on 08/19/22. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Priority
This application discloses and claims only subject matter disclosed in prior application no 15/600, filed 05/19/17, and names the inventor or at least one joint inventor named in the prior application. Accordingly, this application may constitute a continuation. Should applicant desire to claim the benefit of the filing date of the prior application, attention is directed to 35 U.S.C. 120, 37 CFR 1.78, and MPEP § 211 et seq.

	
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 21, 26-27, 32-33 and 38 are rejected under 35 U.S.C. 103 as being unpatentable over Cohen et al., US Pub. 2016/0112375 (hereinafter “Cohen”), in view of Song et al. (US 9275345 B1).

With regard to claims 21, 27 and 33, Cohen discloses the invention substantially as claimed, including a method comprising:
receiving, with one or more hardware processors, application log data for a cloud-based software service that provides access for at least two organizations having different corresponding users (Abstract A method and system for protecting cloud-based applications executed in a cloud computing platform are presented. The method includes intercepting traffic flows from a plurality of client devices to the cloud computing platform, wherein each of the plurality of client devices is associated with a user attempting to access a cloud-based application; extracting at least one parameter from the intercepted traffic related to at least each client device and a respective user attempting to access the cloud-based application; [0062] As a non-limiting example, this technique can be used with SaaS services that support SAML and organizations that already have an external SAML provider), wherein the software service comprises at least a user application executing in a software operating system ([0020] An architecture for monitoring and securing communications is described herein. The systems and methods described herein can be used to transparently enable cloud traffic security and control for users anywhere. The system can be configured to secure any or all traffic and activities in a company's cloud services accounts);
analyzing, with the one or more hardware processors, the application log data to extract interaction characteristics corresponding to an entity in an organization, wherein the entity is either a resource or a user ([0104] The security gateway can also be configured to detect and identify any communications device being used by a user to connect to the SaaS provider. The device identification can be logged in connection with the user's access history so that individual SaaS sessions can be associated with the specific device used for that session. The identifying information stored can include the International Mobile Equipment Identity (IMEI), phone number, media access control (MAC) address, internet (IP) protocol address, or other uniquely or substantially uniquely identifying information. This device identification information can be tracked across multiple user sessions and/or stored in connection with the associated user profile.);
grouping the extracted interaction characteristics into a first set of baseline interaction characteristics and a second set of other interaction characteristics with one or more hardware processors ([0109] Anomalies can be detected based on comparing one or more parameters to previously stored profile information. As non-limiting examples, the profile information can include: location, time of activity (hour of day, day of week, etc.), device usage, user-agent (type and version), frequency of actions/requests, type of actions performed, order of actions performed, type of information accessed, traffic bandwidth, session characteristics (length, idle time, etc.), and/or HTTP requests characteristics (which resources are accessed, methods, headers, capitalization, etc.).);
training one or more statistical models with the one or more hardware processors utilizing the first set of baseline interaction characteristics and the second set of other interaction characteristics to evaluate in-app behavior of a first entity corresponding to the organization ([0134] The threat characterization logic can include methods for constructing a supervised learning model for security alerts. The system can collect feedback on alerts, engage both the IT and the employee and dynamically build the user profile by querying the user for suspicious patterns, and/or engage the supervisor, if the user appears suspicious (e.g., a rogue user); [0136]);

Cohen does not explicitly disclose, but Song teaches:
grouping the extracted interaction characteristics into a first set of baseline low-variance interaction characteristics and a second set of other interaction characteristics (Song col 15 line 20-30; measuring with the sensor how many of the plurality of different types of user interactions with the computer system occur during a first time period; evaluating the usability of the different types of user interactions that are measured to discriminate among the different users by identifying those user interactions having low variance over time with the same user);
training one or more statistical models with the one or more hardware processors utilizing the first set of baseline low-variance interaction characteristics and the second set of other interaction characteristics (Song col 15 line 30-40; using at least three of the different types of user interactions that have greater ability to discriminate significance to train a model of user interactions for each of the plurality of users; monitoring the interaction of a plurality of users of the computer system during a second time period subsequent to the training of the models to measure for each user how many of the plurality of user interactions with the computer system occur);
providing a baseline behavior profile for the first entity based on the one or more statistical models from the first set of baseline low-variance interaction characteristics (Song Col 8 line 50-60; Table I shows the list of eighteen RUU features, sorted by their Fisher scores, with the respective scores listed in the rightmost column. For our dataset, the most discriminative feature was the number of unique processes run by each user; this indicates that different users within our study group not only used different numbers of applications but this behavior was also consistent across the measured time span. This property exists even after the dataset has been filtered to normalize the behavior profiles (as described below.) We note that this is a discovered property of the RUU dataset, and is not guaranteed to be consistent across all user datasets);
and generating an anomaly score based on the baseline behavior profile, the second set of other interaction characteristics and interaction characteristics with the software service by a second entity corresponding to the organization (Song col 12 line 40-55; Table II shows the accuracy comparisons between the GMM model and other related classifiers. The column labeled “Uniq. Procs” show the number of unique processes observed on that user's workstation, and the “Days” column show the number of days worth of traffic collected from that user. The experiment is set up as one-vs.-all classification where each user's data was randomly split into training and testing sets, at 80% to 20% ratios. Single GMM was trained for each user using the training data. Then, each test sample was evaluated against all trained GMMs (representing all of the users) and the model with the highest probability score labeled that sample).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Cohen’s method/product/system with the teaching of Song in order to secure user authentication (Col 4 line 5-40).

With regard to claims 26, 32 and 38, Cohen in view of Song discloses wherein the cloud-based software service comprises at least a multitenant database environment in which the multitenant database environment provides each of multiple organizations with a dedicated share of a software instance including one or more of organization-specific data (Cohen FIG 7, SaaS; Cohen [0119] Business risk: The control the provider allows to its clients and the ability of these control measures to protect the usage of the service, including, e.g., auditing capabilities, enterprise administrative control, and operational practices; col. 12, claim 2, users accessing the cloud-based application), user management, organization-specific functionality, configuration, customizations, non-functional properties and associated applications.

Claims 24-25, 30-31 and 36-37 are rejected under 35 U.S.C. 103 as being unpatentable over Cohen et al., US Pub. 2016/0112375 (hereinafter “Cohen”), in view of Song et al. (US 9275345 B1), further in view of Kording et al., US PG Pub No. 2017/0075519 (hereinafter “Kording”).

With regard to claims 24, 30 and 36, Cohen in view of Song does not explicitly disclose wherein the baseline low-variance interaction characteristics comprise a lowest M dimensions that represent no more than a pre-selected percentage of total variance. However, Kording does teach wherein the baseline low-variance interaction characteristics comprise a lowest M dimensions that represent no more than a pre-selected percentage of total variance (Para. 0036, number of dimensions may be chosen to capture a pre-specified level of a certain percentage of a total variance). It would have been obvious to a person with ordinary skill in the art at the time the invention was filed to modify Cohen in view of Song’s system to further include dimensions that represent no more than a pre-selected range of total variance as taught by Kording for the benefit of optimizing computational results.

As per claims 25, 31 and 37, Cohen in view of Song and Kording teaches wherein the high-variance characteristics comprise a top N dimensions that represent a pre-selected percentage of total variance (Kording Para. 0036, number of dimensions may be chosen to capture a pre-specified level of a certain percentage of a total variance). The motivation would be the same as stated for the claims above.

Allowable Subject Matter
Claims 22-23, 28-29, 34-35 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMED WALIULLAH whose telephone number is (571)270-7987. The examiner can normally be reached on 8:30 to 4:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 1-571-272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MOHAMMED WALIULLAH/
Primary Examiner, Art Unit 2498