DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 7-13 and 17-19 have been withdrawn. 
Claims 1-6, 14-16 and 20 have been examined.

Election/Restrictions
Applicant’s election without traverse of claims 1-6, 14-16 and 20 in the reply filed on 07/12/2022 is acknowledged.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 5 and 16 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claims 5 and 16 recite the limitation "the other real sample set" in line 5 and lines 5-6 respectively. There is insufficient antecedent basis for this limitation in the claim.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1, 2, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over EP 3109771 to Swaminathan et al (hereinafter Swaminathan) and Proactive Defense for Evolving Cyber Threats by Colbaugh et al (hereinafter Colbaugh).
As per claims 1, 14 and 20, Swaminathan teaches:
A method comprising: 
receiving, at a computing device, a distributional similarity request associated with a pair of real sample sets, each real sample set of the pair comprising a number of real observations (Swaminathan: [0036]: Given data set S1 and S2 we wish to evaluate the similarity of S1 to S2. In this case both S1 and S2 could be real data. Receiving a request to perform an operation (in this case determine similarity) was well known to one of ordinary skill in the art before the effective filing date of the claimed invention); 
determining, via the computing device, a pair of random sample sets for the pair of real sample sets (Swaminathan: [0035]: There is no reason to exclude the case where we wish to check and test the similarity between two independently obtained data sets, where each of the data set could actually be either synthetic or real or both (combination of real and synthetic data), i.e., two sets of synthetic data to be combined with two sets of real data is determined); 
determining, via the computing device, a pair of perturbed sample sets corresponding to the pair of real sample sets, a first perturbed sample set of the pair comprising a first one of the pair of real sample sets and a first one of the pair of random sample sets and a second perturbed sample set of the pair comprising a second one of the pair of real sample sets and a second one of the pair of random sample sets (Swaminathan: [0035]: There is no reason to exclude the case where we wish to check and test the similarity between two independently obtained data sets, where each of the data set could actually be either synthetic or real or both (combination of real and synthetic data- perturbed sample sets). Given data set S1 and S2 we wish to evaluate the similarity of S1 to S2); 
determining, via the computing device, a pair of probability distributions corresponding to the pair of perturbed sample sets, a first probability distribution of the pair corresponding to the first perturbed sample set and comprising a probability for each of the number of real and random observations in the first perturbed set, a second probability of the distribution of the pair corresponding to the second perturbed sample set and comprising a probability for the each of the number of real and random observations in the second perturbed set (Swaminathan: [0048]: Within these data sets we consider now any one variable (column of data) that is either ordinal or nominal with C categories. An example of such a variable includes "Day of the week" that has seven categories(Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, and Sunday). We are then interested in the average statistical probabilities or frequencies of each of these categories and wish to compare their frequencies in one data set with the other. [0060] The key approach is to use the labeled "Real" and "Synthetic" data sets in order to first determine the logistic regression parameter θ. Then, for the real as for the synthetic data, we consider every data record z and compute the "residue" or H(θ,z). The idea being that both for the real and the synthetic, the distribution of the computed probabilities or H(θ,z) must be similarly distributed); and 
automatically generating, via the computing device, a distributional similarity measure using the pair of probability distributions corresponding to the pair of perturbed sample sets, the distribution similarity measure representing a degree of similarity between the pair of real sample sets associate with distributional similarity request (Swaminathan: [0011] In general, a similarity value provides an indication of how similar two data sets are according to a specific metric. [0060]: This similarity is then tested using the Kolmogorov-Smirnov test on the estimated values for or H(θ,z) over the "real" and "synthetic" datasets).
Swaminathan teaches synthetic data but does not explicitly teach: the determination comprising, for a random sample set of the pair, selecting a number of random observations from a domain of observations corresponding to the pair of real sample sets. However, Colbaugh teaches: 
the determination comprising, for a random sample set of the pair, selecting a number of random observations from a domain of observations corresponding to the pair of real sample sets (Colbaugh: page 129: right column: paragraphs 1-2: For attacks which are already underway, [7] offers an S-HDS discrete-system state estimation method that allows the mode to be inferred using only modest amounts of measured data. Alternatively, and of more interest in the present application, it is often possible to identify likely future attack modes through analysis of auxiliary information sources (e.g., the subject matter knowledge possessed by domain experts or “non-cyber” data such as that found in social media). Once a candidate attack mode has been identified, synthetic attack data corresponding to the mode can be generated by employing one of the S-HDS models derived in [7]. The synthetic data take the form of a set of K network attack instance vectors, denoted AS={xS1,…,xSK}. The set AS can then be combined with (actual) measurements of L normal network activity instances, NM={xNM1,…,xNML}, and P (recently) observed attacks, AM={xM1,…,xMP}, yielding the training dataset TR=NM∪AM∪AS of real and synthetic data). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Colbaugh in the invention of Swaminathan to include the above limitations. The motivation to do so would be to result in networks defenses that are effective against both current and (near) future attacks (Colbaugh: Abstract).

As per claim 2, Swaminathan in view of Colbaugh teaches:
The method of claim 1, further comprising: communicating, via the computing device, the distribution similarity measure representing a degree of similarity between the pair of real sample sets in response to the request (Swaminathan: [0011] In general, a similarity value provides an indication of how similar two data sets are according to a specific metric. [0060]: This similarity is then tested using the Kolmogorov-Smirnov test on the estimated values for or H(θ,z) over the "real" and "synthetic" datasets).

Claims 3, 4 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Swaminathan in view of Colbaugh as applied to claims 1 and 14 above, and further in view of US 20200076843 to Luiggi et al (hereinafter Luiggi).
As per claims 3 and 15, Swaminathan in view of Colbaugh teaches monitoring by an intrusion detection system (Colbaugh: page 125, right column, lines 8-9 and page 129, left column, 2nd last paragraph) but does not teach the rest of the limitations of claim 3. However, Luiggi teaches:
the pair of real sample sets correspond to a pair of time periods and to a user account associated with a computing system being monitored by an intrusion detection system, the number of real observations of a first real sample set of the pair comprising information identifying each resource access request made by the user account in a first of the pair of time periods, the number of real observations of a second real sample set of the pair comprising information identifying each resource access request made by the user account in a second of the pair of time periods, and the similarity measure representing a level of similarity in access requests for user account and the pair of time periods (Luiggi: [0052]: In certain embodiments, the event and contextual information collected by the event collector 402 may be processed by an enrichment module 404 to generate enriched user behavior information. In certain embodiments, the enrichment may include certain contextual information related to a particular user behavior. In certain embodiments, the enrichment may include certain temporal information, such as timestamp information, related to a particular user behavior. [0054] In certain embodiments, the on-demand 408 analytics may be performed on enriched user behavior associated with a particular interval of, or point in, time. In certain embodiments, the streaming 406 or on-demand 408 analytics may be performed on enriched user behavior associated with a particular user. [0058] In certain embodiments, the network edge device 202 may be implemented in a bridge, a firewall, or a passive monitoring configuration. In certain embodiments, a small packet of contextual information associated with a user behavior may be sent with a service request. In certain embodiments, service requests may be related to Domain Name Service (DNS), web browsing activity, email, and so forth, all of which are essentially requests for service by an endpoint device 304. 
In certain embodiments, such service requests may be associated with temporal event information, described in greater detail herein. Consequently, such requests can be enriched by the addition of user behavior contextual information (e.g., UserAccount, interactive/automated, data-touched, temporal event information, etc.). [0079]. [0084]: In various embodiments, a probability distribution analysis system may be implemented to process certain entity information associated with an event to analyze the probability distribution of its associated features. [0085]. [0140]: In certain embodiments, a user behavior factor 814 associated with a particular user, such as user ‘A’ 802 or ‘B’ 862, may be used by the probability distribution analysis system 118 to compare the user's current user behavior to past user behavior).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Luiggi in the invention of Swaminathan in view of Colbaugh to include the above limitations. The motivation to do so would be to identify security risks to a computer system based on an analysis of the construction of a distribution of categorical features of events (Luiggi: [0004]).

As per claim 4, Swaminathan in view of Colbaugh and Luiggi teaches:
The method of claim 3, further comprising: making, by the intrusion detection system, a comparison between the level of similarity and a threshold level of similarity; and determining, by the intrusion detection system and based on the comparison, that the user account has been compromised using the comparison (Luiggi: [0140]: In certain embodiments, a user behavior factor 814 associated with a particular user, such as user ‘A’ 802 or ‘B’ 862, may be used by the probability distribution analysis system 118 to compare the user's current user behavior to past user behavior. If the user's current user behavior matches their past user behavior, then the probability distribution analysis system 118 may determine that the user's user behavior is acceptable. If not, then the user profile management system 118 may determine that the user's user behavior is anomalous, abnormal, unexpected or malicious. [0142] It will be appreciated that anomalous, abnormal, unexpected or malicious user behavior may include inadvertent or compromised user behavior. As another example, the user may be attempting to access confidential information as a result of being compromised. [0143]).
The examiner provides the same rationale to combine prior art Swaminathan in view of Colbaugh and Luiggi as in claim 3 above.
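
The method recited in claim 1, applied to the per-account, two-period comparison of claims 3 and 4, as an added worked example in Python; it is not code from the application or from any cited reference. Assumptions: the domain is the set of distinct observations in the two real sample sets, random observations are drawn uniformly, the similarity measure is 1 minus the Jensen-Shannon divergence (the claims name no measure), an account is flagged when similarity falls below the threshold, and the resource names, request counts and 0.8 threshold are constructed.

```python
import math
import random
from collections import Counter

# Constructed sample data: resources requested by one account in three periods.
BASELINE = ["wiki"] * 40 + ["mail"] * 30 + ["crm"] * 30
SAME_HABITS = ["wiki"] * 38 + ["mail"] * 32 + ["crm"] * 30
DIVERGENT = ["wiki"] * 5 + ["mail"] * 5 + ["hr-db"] * 60 + ["finance-share"] * 30


def perturb(real, domain, n_random, rng):
    """Perturbed sample set: the real observations plus n_random observations
    selected at random (uniformly, an assumption) from the domain."""
    return list(real) + [rng.choice(domain) for _ in range(n_random)]


def distribution(samples, domain):
    """Empirical probability of every domain value in a sample set."""
    counts = Counter(samples)
    return {value: counts[value] / len(samples) for value in domain}


def js_similarity(p, q):
    """1 - Jensen-Shannon divergence (log base 2): 1.0 for identical
    distributions, 0.0 for disjoint support. Assumed measure."""
    mix = {v: 0.5 * (p[v] + q[v]) for v in p}

    def kl(a):
        # Terms with a[v] == 0 contribute nothing; mix[v] > 0 wherever a[v] > 0.
        return sum(a[v] * math.log2(a[v] / mix[v]) for v in a if a[v] > 0)

    return 1.0 - 0.5 * (kl(p) + kl(q))


def similarity(real_a, real_b, n_random=10, seed=0):
    """Claim 1 steps in order: random sets, perturbed sets, probability
    distributions, similarity measure. The seed keeps runs repeatable."""
    rng = random.Random(seed)
    domain = sorted(set(real_a) | set(real_b))  # assumed definition of the domain
    pert_a = perturb(real_a, domain, n_random, rng)
    pert_b = perturb(real_b, domain, n_random, rng)
    return js_similarity(distribution(pert_a, domain), distribution(pert_b, domain))


def account_flagged(period_1, period_2, threshold=0.8):
    """Claim 4 comparison: flag the account when the two periods' access
    requests are less similar than the threshold (assumed direction)."""
    return similarity(period_1, period_2) < threshold


if __name__ == "__main__":
    for label, period in (("same habits", SAME_HABITS), ("divergent", DIVERGENT)):
        score = similarity(BASELINE, period)
        print(label, round(score, 3), account_flagged(BASELINE, period))
```
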

Claims 5, 6 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Swaminathan in view of Colbaugh as applied to claims 1 and 14 above, and further in view of US 20140325643 to Bart et al (hereinafter Bart).
As per claims 5 and 16, Swaminathan in view of Colbaugh teaches monitoring by an intrusion detection system (Colbaugh: page 125, right column, lines 8-9 and page 129, left column, 2nd last paragraph) but does not teach the rest of the limitations of claim 3. However, Bart teaches:
the pair or real sample sets corresponding to a user of a computing system being monitored by an intrusion detection system, one real sample set of the pair comprising, as the number of real observations, a number of resource access requests made by the user account to the computing system being monitored by the intrusion detection system, the other real sample set of the pair corresponding to a user group to which the user is assigned and comprising, as its number of real observations, the number of resource access requests of the group of users, and the similarity measure representing a level of similarity for the user's access requests relative to the user group's access request (Bart: [0019]: A domain is a source of user activity information. For example, a domain can be one of: device access, e-mail, file copy and/or access, Hypertext Transfer Protocol (HTTP) access, or logon activity. A malicious activity detection system may detect anomalous user activities by collecting user activity information from different domains, clustering the users based on the user activity information, and comparing a user's activities against other users with similar roles (also called peers). The clusters may correspond to user roles in organizational structures because different roles have different user activity patterns. [0022] The system may use the multi-domain probability model disclosed herein to cluster users. The multi-domain probability model facilitates inferring the probability distributions of domains associated with clusters and distribution of users among a number of clusters. A cluster of users is a group of users with domain characteristics that are within the probability distributions of the cluster. A domain characteristic is, for example, the number of e-mails a user sends daily. Another domain characteristic can be the number of files the user accesses daily. Each cluster includes users performing similar roles in an organization. 
To detect anomalous user activity, the system may compare a user to other users in the same role, and determine whether the user exhibits anomalous e-mail and file usage patterns).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Bart in the invention of Swaminathan in view of Colbaugh to include the above limitations. The motivation to do so would be to detect malicious insider activity (Bart: [0019]).

As per claim 6, Swaminathan in view of Colbaugh and Bart teaches:
The method of claim 5, further comprising: making, by the intrusion detection system, a comparison between the level of similarity and a threshold level of similarity; and determining, by the intrusion detection system and based on the comparison, that the user account has been compromised using the comparison (Bart: [0032] After the system determines the distributions, the system may utilize the model to detect anomalous user behavior. The system and/or a human operator may compare a user with that of his peers to determine whether the user behaves similarly within the domains. Users are peers if they share a job role or position. If a user does not behave similarly to other peers within a domain, then that user behavior can be labeled as anomalous. For example, if a user sends or reads less than the typical number of e-mails (threshold level) that others in the same role would, the system may flag the user as anomalous).
The examiner provides the same rationale to combine prior art Swaminathan in view of Colbaugh and Bart as in claim 5 above.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
US 20210224282 to Poirel et al: A method, system and computer-usable medium for performing a streaming scoring operation, comprising: receiving a stream of events, the stream of events comprising a plurality of events; ingesting the plurality of events; extracting features from the plurality of events to provide extracted features; and, generating a streaming scoring value based upon the extracted features.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MADHURI R. HERZOG
Primary Examiner
Art Unit 2438


