DETAILED ACTION
	Claims 1-18 are presented for examination on the merits.
Notice of Pre-AIA or AIA Status
	The present application is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
 	The information disclosure statement (IDS) submitted on 03/09/2021, 05/10/2021, 07/15/2021 has been considered. The submission is in compliance with the provisions of 37 CFR 1.97. Form PTO-1449 is signed and attached hereto.
Drawings
The drawings filed on 03/09/2021 are accepted by the examiner.
Priority
The application is filed on 03/09/2021 and claims an earlier priority date from provisional application filed on 11/27/2017.
Non-Statutory Double Patenting

1.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.   A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and  In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement, and there is no statutory double patenting rejection applied to other claim/claims of the set. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).

The USPTO internet Web site contains terminal disclaimer forms which may be used. Please visit http://www.uspto.gov/forms/. The filing date of the application will determine what form should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

2.	Claims 1-18 of instant application are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-33 of Patent No. US 10,986,114 B1 and over claims 1-33 of Patent No. US 10,419,469 B1. Although the conflicting claims are not identical, they are not patentably distinct from each other because both applications recite receiving similar log data associated with at least one user session associated with an original user. A logical graph is generated using at least a portion of the received log data where a logical graph is a privilege change graph that models privilege changes between processes. 


Claim Rejections - 35 USC § 101

3.	35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

4.	Claim 18 is rejected under 35 U.S.C. 101 because: the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.  
 5.	Claim 18 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
 	Independent Claim 18 recites “a computer program product embodied in a tangible computer readable storage medium and comprising computer instructions….”. Pending claims are interpreted as broadly as their terms reasonably allow (See In re Zletz, 893 F.2d 319 (Fed. Cir. 1989)). The broadest reasonable interpretation of a claim drawn to a computer readable storage medium (also called machine readable medium and other such variations) typically covers forms of non-transitory tangible media and transitory propagating signals per se in view of the ordinary and customary meaning of computer readable media (See MPEP 2111.01).  When the broadest reasonable interpretation of a claim covers a signal per se, the claim must be rejected under 35 U.S.C. §101 as covering non-statutory subject matter.  See In re Nuijten, 500 F.3d 1346, 1356-57 (Fed. Cir. 2007) (transitory embodiments are not directed to statutory subject matter).
 6.	The Examiner suggests that a claim drawn to such a computer readable storage medium that covers both transitory and non-transitory embodiments may be amended to narrow the claim to cover only statutory embodiments to avoid a rejection under 35 U.S.C. §101 by adding the limitation "non-transitory" to the claim [or any similar limitations such as "computer usable memory", or "computer usable storage memory", or "computer readable memory", or "computer readable device", (i.e. any variations thereof, where "media" or "medium" is replaced by "device" or "memory")].  Such an amendment would typically not raise the issue of new matter, even when the specification is silent because the broadest reasonable interpretation relies on the ordinary and customary meaning that includes signals per se.  The limited situations in which such an amendment could raise issues of new matter occur, for example, when the specification does not support a non-transitory embodiment because a signal per se is the only viable embodiment such that the amended claim is impermissibly broadened beyond the supporting disclosure.  See, e.g., Gentry Gallery, Inc. v. Berkline Corp., 134 F.3d 1473 (Fed. Cir. 1998).
Claim Rejections - 35 USC § 103

7.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
8.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


9.	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1.	Determining the scope and contents of the prior art.
2.	Ascertaining the differences between the prior art and the claims at issue.
3.	Resolving the level of ordinary skill in the pertinent art.
4.	Considering objective evidence present in the application indicating obviousness or nonobviousness.


10.	This application currently names joint inventors.  In considering patentability of the claims under 35 U.S.C. 103(a), the examiner presumes that the subject matter of the various claims was commonly owned at the time any inventions covered therein were made absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and invention dates of each claim that was not commonly owned at the time a later invention was made in order for the examiner to consider the applicability of 35 U.S.C. 103(c) and potential 35 U.S.C. 102(e), (f) or (g) prior art under 35 U.S.C. 103(a).

11.	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Koottayi et al. (US 20180288063 A1, hereinafter, Koottayi) in view of Miltonberger (US 20100094767 A1).
 	Regarding claim 1, Koottayi discloses a system, comprising: a processor configured to: [receive log data associated with at least one user session in a network environment associated with an original user] (Paragraphs 0111, 0088: valid user associated with an authorized session); 
 	generate a logical graph using at least a portion of the received log data (Paragraphs 0015, 0061: generating the plurality of behavior models from historical data; Paragraphs 0084, 0118: build dynamic models around the behavior background, detect anomalous access requests from users based on the rules and models in order to determine a threat perception for the end user, and ultimately authenticate /authorize the user's access into the target system 130 in real-time); 
 	wherein the generated logical graph comprises: (1) a first node corresponding to the original user, (2) at least a second node, and (3) a set of edges (Paragraph 0015-0016:  generating, by the computing system, the behavior model by classifying the data from the plurality of historical access requests against the parameter and using a clustering algorithm on the classified data to generate the data cluster); 
  	wherein the set of edges include at least one edge connecting the first node to the second node (Paragraphs 0064, 0171, 0076:  CGI (common gateway interface) servers… the resource request is forwarded to one or more access managers 155 to determine whether the client requesting the protected resource may access the protected resource. An example of such an authentication proxy is a pluggable authentication module (PAM) used in Linux systems)
 	and use the generated logical graph to detect an anomaly, wherein detecting the anomaly includes determining that a change has been made to the set of edges (Paragraphs 0082, 0084, 0088, 0094: determine if the user's activity is anomalous and generate a threat perception for the users), and 
 	in response to detecting the anomaly (Paragraphs 0006, 0013, 0066: monitoring user access and detecting threats in real-time by detecting anomalous access requests from users), 
	take a remedial action (Paragraph 0101: a threat detection component (e.g., threat detection component 165) may comprise a rules engine 305 having a machine learning component 310 and data analysis component 315, which are configured to create dynamic enforcement policies for a user or group of users by analyzing the incoming real-time data and the historical data regarding access requests received from the user or group of users (e.g., stored in memory 185) over a period of time); and 
  	a memory coupled to the processor and configured to provide the processor with instructions (Paragraphs 0088, 0095, 0101: behavior models may be stored in the memory).
 	Koottayi does not explicitly state, but Miltonberger, from the same or similar fields of endeavor, teaches receive log data associated with at least one user session in a network environment associated with an original user (Miltonberger, Paragraphs 0042, 0046-0047, 0059: risk engine 202 is a real-time event processor that receives data of user events or a set of events. The risk engine 202 also stores the user account model for the particular user. The risk engine 202 uses the risk score and details of the observed event to update the user account model, and stores the updated user account model for use in evaluating the next subsequent set of event data (of a session) of the user; Figs 6, 16 and associated texts).
  	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize a user session associated with an original user as taught by Miltonberger in the teachings of Koottayi for the advantage of predicting expected behavior of a user in an account and automatically generating a causal model corresponding to a user for fraud detection using the behavior-based modeling (Miltonberger, Abstract and Paragraph 0005).
 	 Regarding claim 2, the combination of Koottayi and Miltonberger discloses the system of claim 1 wherein the logical graph comprises an insider behavior graph, wherein the insider behavior graph models interactions of the original user with a network environment (Koottayi, Paragraphs 0084, 0118, 0111, 0088: model can be constantly learning from historical data. Instead of updating the model every week or every other week, this model can be updated in real time such that the following anomaly detections have taken into account all historical data of the user's activity into account).
 	Regarding claim 3, the combination of Koottayi and Miltonberger discloses the system of claim 1 wherein the received log data comprises information associated with the original user provided by a plurality of machines (Koottayi Fig. 1 and associated texts: Consumers and Business users; Paragraph 0133: displaying data enable the administrator to quickly decipher a larger quantity of information including who is accessing what, the enforcement actions being taken, how many different users are accessing the same application or resource, and the threat perception for each user).
  	Regarding claim 4, the combination of Koottayi and Miltonberger discloses the system of claim 1 wherein the logical graph comprises a privilege change graph, wherein the privilege change graph models privilege changes between processes (Koottayi, Paragraphs 0084, 0118, 0111, 0088: model can be constantly learning from historical data. Instead of updating the model every week or every other week, this model can be updated in real time such that the following anomaly detections have taken into account all historical data of the user's activity into account).
 	Regarding claim 5, the combination of Koottayi and Miltonberger discloses the system of claim 4 wherein the privilege changes are represented as edges in the privilege change graph (Miltonberger, Paragraph 0106: a probabilistic model that represents a set of variables and their probabilistic independencies as a graph of nodes (parameters) and edges (dependent relations); Figs 6, 16 and associated texts).
	Regarding claim 6, the combination of Koottayi and Miltonberger discloses the system of claim 4 wherein the privilege change graph includes process hierarchy information (Koottayi Paragraphs 0085, 0131: hierarchical and relational databases wherein network topology in which nodes such as the threat detection component 175, one or more agents 145, the one or more proxies 150, the one or more access managers 155, and/or the one or more Webgates 160 are all interconnected).
	Regarding claim 7, the combination of Koottayi and Miltonberger discloses the system of claim 1 wherein the logical graph comprises a machine-server graph, wherein the machine-server graph clusters machines into nodes based on resources executing on the machine (Koottayi Paragraphs 0100, 0143: collector is configured to load balancing and organize the information related to an access request received from a user into various categories such as the client context 205 (user-agent identifier, IP address, host name, GPS location, etc.), the resource context 210 (resource URL, application domain, agent name, tenant name, etc.), the user context 215 (user identity store, user identity, user groups (static or dynamic groups)), server context 220 (event context such as AuthN, Reauthn, AuthZ, Deny, etc.), timestamps 225 (last access time, last updated time, etc.), session information 230 (session ID, session index, access, etc.), the server instance (e.g., the server instance processing the request, etc.)).
	Regarding claim 8, the combination of Koottayi and Miltonberger discloses the system of claim 1 wherein detecting the anomaly includes determining that the original user has logged in from an anomalous location (Paragraphs 0095, 0118: the anomaly to trigger second factor authentication when the location based data does not match the historical data and the higher threat perception is received).
 	Regarding claim 9, the combination of Koottayi and Miltonberger discloses the system of claim 1 wherein detecting the anomaly includes determining that the original user has logged into an anomalous machine (Koottayi Paragraphs 0127, 0096, 0112, 0117: collected data can be linked to machine learning, which will then create more enforcement policies or trigger anomalies triggered by the enforcement policies wherein end users (or client IP addresses) with the perceived threat perception is being presented).	
 	Regarding claim 10, the combination of Koottayi and Miltonberger discloses the system of claim 9 wherein the anomalous machine has an associated machine class and wherein determining that the original user has logged into the anomalous machine includes determining that the original user has accessed an anomalous machine class (Koottayi Paragraphs 0143, 0096, 0112, 0117, 0094: various categories such as a client context (user-agent identifier, IP address, host name, GPS location, etc.), a server context (event context such as AuthN, Reauthn, AuthZ, Deny, etc.) a server instance (e.g., the server instance processing the request, etc.) processing the request, and so on; Paragraphs 0009, 0026, 0106: a clustering algorithm on the classified data to generate the data cluster).
 	Regarding claim 11, the combination of Koottayi and Miltonberger discloses the system of claim 1 wherein detecting the anomaly includes determining that the original user has accessed an anomalous application (Koottayi Paragraphs 0107, 0064-0066, 0082: behavior models to determine if the user's or group of users' access request is anomalous).
 	Regarding claim 12, the combination of Koottayi and Miltonberger discloses the system of claim 1 wherein detecting the anomaly includes determining that the original user has transmitted data to an anomalous destination (Koottayi Paragraphs 0082, 0084, 0088, 0093: threat detection system 105 initiates a configured action, e.g., allow/challenge/deny the user's activity in the target system).
  	Regarding claim 13, the combination of Koottayi and Miltonberger discloses the system of claim 12 wherein the processor is further configured to determine that the anomalous destination is an anomalous destination based at least in part on geolocation information associated with the destination (Koottayi Paragraphs 0095, 0100, 0143, 0095, and 0118). 
 	Regarding claim 14, the combination of Koottayi and Miltonberger discloses the system of claim 1 wherein detecting the anomaly includes determining that the original user has transmitted an anomalous amount of data (Koottayi Paragraphs 0162, 0123, 0152: amount of data can be measured based on one or more factors such as storage size of data, units of information, number of access request instances to determine the threat score wherein an indication of a set of top sources is provided based on an amount of the data flowing from the plurality of sources to the plurality of destinations).
 	Regarding claim 15, the combination of Koottayi and Miltonberger discloses the system of claim 1 wherein detecting the anomaly includes determining that the original user has made an anomalous privilege change (Miltonberger Paragraph 0044: an example of multi-channel fraud is when someone steals account access credentials, accesses the account online and changes profile information or gets information about the account owner (e.g., account balances, account numbers, signature from check images, etc.), and then commits fraud via other channels (check fraud by forging signature) using information gained via account access).
 	Regarding claim 16, the combination of Koottayi and Miltonberger discloses the system of claim 1 wherein taking the remedial action includes generating an alert (Koottayi Paragraphs 0094, 0096, 0099: an inspection policy monitors data and informs an administrator when a certain criteria match a predefined pattern. The inspection policy does not cause an alert to be triggered when the pattern exists but collects the predefined set of attributes when the pattern exists).
   	Regarding claim 19; Claim 19 is similar in scope to claim 1, and is therefore rejected under similar rationale. 
 	Regarding claim 20; Claim 19 is similar in scope to claim 1, and is therefore rejected under similar rationale.
Examiner Notes 
12.	The Examiner notes that incorporating the combined limitations of claims 2, 6, and 9 including the limitations of any intervening claims into independent claim 1 would better clarify the subject matter/embodiment of claimed invention. Similarly, amending independent claims 17 and 18 with aforesaid claim limitations would help advance the prosecution as it would clarify the claimed invention.
Conclusion
13. 	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
EL-MOUSSA (US 20190207955 A1) discloses malicious network traffic identification.
EL-MOUSSA (US 20190012457 A1) discloses method to identify a derivative of one or more malicious software components in a computer system including: evaluating a measure of a correlation fractal dimension (CFD) for at least a portion of a monitored software component in the computer system.
14.	In an effort to advance compact prosecution, with respect to any amendments to the claimed invention, the applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention.  
Moreover with respect to advancing compact prosecution, if the applicant intends to make numerous amendments, the examiner respectfully requests that applicant submit a clean copy of the claims in addition to the marked up copy of the claims in order to expedite the examination process by allowing for accurate optical character recognition (OCR) of the claims.
The prior art made of record and not relied upon, if any, is considered pertinent to applicant’s disclosure and would be listed under PTO-Form 892.
15.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHFUZUR RAHMAN whose telephone number is (571)270-7638.  The examiner can normally be reached on Monday thru Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 571-272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MAHFUZUR RAHMAN/Primary Examiner, Art Unit 2498