DETAILED ACTION
The following claims are pending in this office action: 1-20
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Drawings
The drawings filed on 01/29/2021 are accepted.  
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 10/21/2021 and 04/26/2022 have been considered. The submissions are in compliance with the provisions of 37 CFR 1.97. Accordingly, initialed and dated copies of Applicant’s IDS forms 1449 filed 10/21/2021 and 04/26/2022 are attached to the instant Office action.
Specification
The use of the terms TANIUM™, CROWDSTRIKE™, CLOUDTRAIL™, AMAZON WEB SERVICES™ (see para. 0005), BLUETOOTH™ and FIREWIRE™ (see para. 0027), which are trade names or marks used in commerce, has been noted in this application. The terms should be accompanied by the generic terminology; furthermore, each term should be capitalized wherever it appears or, where appropriate, include a proper symbol indicating use in commerce such as ™, SM, or ® following the term.
Although the use of trade names and marks used in commerce (i.e., trademarks, service marks, certification marks, and collective marks) is permissible in patent applications, the proprietary nature of the marks should be respected and every effort made to prevent their use in any manner which might adversely affect their validity as commercial marks.
Claim Objections
Claims 18-19 are objected to because of the following informalities:
Claims 18-19 recite the limitation “The method of claim 7” (claim 18, ln. 1; and claim 19, ln. 1). This appears to be a typo. Examiner suggests changing the limitation to “The method of claim 17”.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-2, 11-12, and 20 are rejected under 35 USC § 102(a)(1) as being anticipated by Huston, III et al. (US Pub. 2021/0112078) (hereinafter “Huston”).

As per claim 1, Huston teaches a system for attributing user behavior of a user of a computing device, the system comprising: at least one processor; and ([Huston, para. 0005] “…the invention relates to a system [the computing device] comprising: a processor”; [para. 0257] operations … generate an entity interaction map … a representation of the concatenation of two or more correlated entity reactions [for example, a user and a user device – see Fig. 14b])
a memory communicatively coupled to the processor, the memory storing instructions executable by the at least one processor ([Huston, para. 0005] “a data bus coupled to the processor; and a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus”; [para. 0034] “computer-readable media may include … memory”) to perform a method comprising: ([para. 0004] “the invention relates to a method for performing a security analytics mapping operation”)
determining that the user has logged into the computing device; ([Huston, para. 0246] “EBC system 120 operations are begun with the receipt of information associated with [determining] a particular event … information associated with the event may include … user behavior factors”; [para. 0158] “user entity’s associated user behavior factors … such as … when they log-in”)
in response to the determination, collecting log data from a plurality of telemetry sources associated with the computing device; ([Huston, para. 0245] “the EBC system 120 may be implemented to receive certain event information... generated by, received from, or a combination thereof, certain event data sources 1010 [a plurality of telemetry sources]”; “event data sources 1010 may likewise include output [collecting] from … network 1210 access and traffic logs … event logs 1214 of all kinds, and so forth [log data associated with the computing device]”)
extracting, from the log data, activity data concerning activities of the computing device; and ([Huston, para. 0242] “an EBC system 120 may be implemented to identify an indicator of behavior … based on an observable [activity data] … the observable may include event information [activities] corresponding to electronically-observable [of the computing device] behavior”; “observable … may be received [extracted] from an electronic data source such as the event data sources 1010 [log data]”)
analyzing the activity data to determine ([Huston, para. 243] “an EBC system 120 may be implemented to identify a particular event of analytic utility by analyzing an observable 1106 [activity data] associated with a particular indicator of behavior”) that the activity data are attributed to the user. ([para. 0187] “the security analytics system 118 [entity behavior system – see para. 0100] may be implemented to use information associated with certain entity behavior elements [activity data] to resolve the identity of an entity at a particular point in time [attributed to the user]”)

As per claim 2, Huston teaches claim 1.  
Huston teaches wherein the plurality of the telemetry sources includes one or more of the following: ([Huston, para. 0242; Fig. 12b; Fig. 13] “the event information corresponding to electronically-observable behavior enacted by an entity may be received from an electronic data source [telemetry source]”) logs of endpoint security applications installed on the computing device, ([Fig. 12b; Fig. 13; para. 0256] “the source … may be … a non-user entity [installed on the computing device – see para. 0042]… endpoint application [security application as the reference performs security operations]”; [para. 0245] the event data source outputs logs) logs of at least one of a router or a switch providing communications services to the computing device, ([Fig. 12b; para. 0245] event data source includes edge devices 304 that outputs a log; [para. 0084] “edge device 304 broadly refers to a device providing an entry point into a network, such as the network 140” [providing communication services]; “Examples of such edge devices 304 include routers”) logs from a cloud-based network, ([Fig. 12b; para. 0245] event data source includes networks 1210 [in a cloud environment – see para. 0042] which outputs a log) logs from access Application Programming Interfaces, ([Fig. 12b; para. 0245] event data source includes applications and data security 1204 [APIs] which output logs) logs from a monitoring system configured to track network connections of the computer device, ([Fig. 12b; para. 0245] event data source includes processes that output network access and traffic logs) logs of operations of the computing devices, ([Fig. 12b; para. 0245] event data source includes endpoint devices that output event logs) and logs of an identity management system. ([Fig. 12b; para. 0245] event data source includes Identity and access system 1204 that outputs event logs)

As per claim 11, Huston teaches a method for attributing user behavior of a user of a computing device.  ([Huston, para. 0004] “the invention relates to a method for performing a security analytics mapping operation”; [para. 0257] operations … generate an entity interaction map … a representation of the concatenation of two or more correlated entity reactions [for example, a user and a user device – see Fig. 14b])
The method performs the steps performed by the system of claim 1, has language that is identical or substantially similar to the method performed by the system of claim 1, and thus the method is rejected with the same rationale applied against claim 1.

As per claim 12, the claim language is identical or substantially similar to that of claim 2. Therefore, it is rejected under the same rationale applied to claim 2.

As per claim 20, Huston teaches a computer-readable medium comprising at least one instruction. ([Huston, para. 0005] “a data bus coupled to the processor; and a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus”)
The computer-readable medium claim causes a processing device to perform the steps of the system of claim 1, has language that is identical or substantially similar to the method performed by the system of claim 1, and thus the computer-readable medium claim is rejected with the same rationale applied against claim 1.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 3-7, and 13-17 are rejected under 35 U.S.C. 103 as being unpatentable over Huston in view of Bisht et al. (US Patent No. 11,457,031) (hereinafter “Bisht”)

As per claim 3, Huston teaches claim 2.  
Huston also teaches wherein the extracting the activity data includes determining ([Huston, para. 0242] “an EBC system 120 may be implemented to identify an indicator of behavior … based on an observable [activity data] … the observable may include event information corresponding to electronically-observable behavior”) a network address of the computing device, ([Fig. 12a; para. 0247] “an observable 1106 … may include endpoint [computing device] spawn [network address]”) a list of active directories and files being accessed on the computing device, a list of applications being executed by the computing device, ([para. 0089] “an endpoint agent 206 [edge device, which provides entity behavior information/activity data – see para. 0084] may share a list of files [broadest reasonable interpretation of directories/applications include files] that have been read [accessed/executed] by a current process”) a list of network addresses of websites associated with the computing device, ([para. 0114] “an endpoint agent 206 [edge device, which provides entity behavior information/activity data – see para. 0084] may share a list of files [broadest reasonable interpretation of directories/applications include files] that have been read [accessed/executed] by a current process”) an amount of data transferred between the computing device and the websites or the applications, ([para. 0269] “a feature, as it relates to an event, [observable/activity data – see para. 0114: “observable broadly refers to certain event information corresponding to an electronically-observable behavior enacted by an entity”] broadly refers to a property, characteristic, or attribute of a particular event”; “example of features associated with an event include the number of bytes uploaded … of certain web page visits”) and a type of operations conducted. ([para. 0098] “Data flow tracking is performed by one or more endpoint agents 206, [edge device, which provides entity behavior information/activity data – see para. 0084] which allows the quality and type of information [a type of operations conducted] associated with particular entities to be measured”)
Huston does not clearly teach wherein the extracting the activity data includes types of connections to the websites, types of connections to the applications.  
However, Bisht teaches wherein the extracting the activity data includes types of connections to the websites, ([Huston, col. 29, ln. 32-37] “the graph based learning processor has an extraction engine to process the data to extract a plurality of netflow data [activity data] comprising the source IP address, the destination IP address, the IP protocol, the source port for UDP or TCP, or other protocols, the destination port for UDP or TCP, or other protocols [types of connections to the websites]”) types of connections to the applications. ([col. 25, ln. 32-58] “selected NetFlow variables [activity data] are parsed and taken as input … Examples of such variables are… 12. Application protocol” [type of connections to the applications])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Huston with the teachings of Bisht to include wherein the extracting the activity data includes types of connections to the websites, types of connections to the applications.  One of ordinary skill in the art would have been motivated to make this modification because extracting such activity data would assist in allowing the system to identify systems infected by bots.  (Bisht, col. 25, ln. 33)

As per claim 4, Huston in view of Bisht teaches claim 3.  
Huston also teaches generating, based on the activity data, behavior attributes of the user; and ([Huston, para. 0251] “IOB abstraction operations … may be performed on the resulting observables 1106 to generate a corresponding IOB [indicator of behavior/behavior attributes of the user]”)
associating the behavior attributes with a unique identifier of the computing device. ([Huston, para. 0248] “the resulting IOBs 1108 [behavior attributes] may be processed to generate [associate] an associated EBP element 1180 … the EBP element 1190 may include non-user entity profile attribute [unique identifier]”; [para. 0161] “non-user entity profile attribute [unique identifier] … broadly refers to data or metadata that can be used … to ascertain the identity of a non-user entity [computing device – see para. 0042]”)

As per claim 5, Huston in view of Bisht teaches claim 4.  
Huston also teaches wherein the unique identifier includes one of a media access control (MAC) address and a universally unique identifier (UUID) of the computing device.  ([Huston, para. 0162] “the non-user [computing device] profile attributes [unique identifier] ... include certain identity information, such as ... Media Access Control (MAC), physical address, serial number [broadest reasonable interpretation of universally unique identifier] …”)

As per claim 6, Huston in view of Bisht teaches claim 3.  
Huston does not clearly teach wherein the generating the behavior attributes includes creating a graph, the graph including nodes representing the applications and the websites and edges representing relationships between the user and one or more of the applications and the websites. 
However, Bisht teaches wherein the generating the behavior attributes includes creating a graph, ([Bisht, col. 15, ln. 14-23] “processes for … using [creating] graph-based models to determine the associations … to monitor the behavior”) the graph including nodes representing the applications and the websites ([col. 25, ln. 63-65] “the NetFlows are added to a graph object, such that each IP address that appears in the NetFlow capture is represented by a node in the graph”; [col. 28, ln. 15-17] “each IP address that appears in the NetFlow capture, either as source IP or destination IP, is mapped to a node in the graph”; [col 18, ln. 1-2] “the system has various data sources … such [as] infra-structures … e.g. web, applications”) and edges representing relationships between the user and one or more of the applications and the websites.  ([col. 25, ln. 65-67] “Each connection [relationship] between source IP  [user] and destination IP [one or more of the applications and websites] is represented by an edge in the graph between source IP node and destination”; [col. 17, ln. 64-67 to col. 18, ln. 1-3] “the client device [source] can be a client [user]”; [col. 10, ln. 66-67 to col. 11, ln. 1-3] “On the outbound [destination] side … IoT enabled devices … accessing specific Web sites … specific pages within a website [web app or application]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Huston with the teachings of Bisht to include wherein the generating the behavior attributes includes creating a graph, the graph including nodes representing the applications and the websites and edges representing relationships between the user and one or more of the applications and the websites.  One of ordinary skill in the art would have been motivated to make this modification because creating a graph-based model to determine associations in order to monitor the behavior of source and destination nodes allows identification of systems infected with bots.  (Bisht, col. 25, ln. 28-33)

As per claim 7, Huston in view of Bisht teaches claim 3.  
Huston also teaches estimating a security integrity of the computing device based on a comparison of the behavior attributes to reference behavior attributes. ([Huston, para. 0080] “certain entity behavior information may be anonymized, aggregated, and processed to produce a model of typical, or expected, entity behavior … in this example, the resulting model of expected entity behavior may then be used by the security analytics system 118 as a reference [reference behavior attributes] to determine [comparison] whether a particular entity [computing device – see para. 0042] behavior may be anomalous, abnormal, unexpected, or suspicious [estimating a security integrity]”)

As per claim 13, the claim language is identical or substantially similar to that of claim 3. Therefore, it is rejected under the same rationale applied to claim 3.

As per claim 14, the claim language is identical or substantially similar to that of claim 4. Therefore, it is rejected under the same rationale applied to claim 4.

As per claim 15, the claim language is identical or substantially similar to that of claim 5. Therefore, it is rejected under the same rationale applied to claim 5.

As per claim 16, the claim language is identical or substantially similar to that of claim 6. Therefore, it is rejected under the same rationale applied to claim 6.

As per claim 17, the claim language is identical or substantially similar to that of claim 7. Therefore, it is rejected under the same rationale applied to claim 7.

Claims 8-9, and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Huston in view of Bisht as applied to claim 7 above, and further in view of Devost (US Pub. 2013/0254885) (hereinafter “Devost”)

As per claim 8, Huston in view of Bisht teaches claim 7.  
Huston in view of Bisht does not clearly teach wherein the reference behavior attributes include further behavior attributes determined using log data of at least one further computing device associated with the user.
However, Devost teaches wherein the reference behavior attributes include further behavior attributes determined using log data of at least one further computing device associated with the user. ([Devost, Fig. 1; para. 0052] “the RDHD and RALP [see para. 0053 – further behavior attributes determined using log data] are sent by the server 140 [at least one further computing device associated with the user] as a reference data map [see para. 0013 – reference behavior attributes]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Huston with the teachings of Devost to include wherein the reference behavior attributes include further behavior attributes determined using log data of at least one further computing device associated with the user. One of ordinary skill in the art would have been motivated to make this modification because such system behavior factors, which are reference factors, are not readily observable or understood by a user and cannot be spoofed by an outside attacker, allowing it to detect changes in insider behavior that could be indicative of malicious intent, or an external entity masquerading as a legitimate user. (Devost, para. 0027; para. 0032)

As per claim 9, Huston in view of Bisht teaches claim 7.  
Huston in view of Bisht does not clearly teach wherein the reference behavior attributes are determined based on a plurality of further behavior attributes determined using further log data collected for a plurality of further computing devices associated with a plurality of further users having a same role within an enterprise. 
However, Devost teaches wherein the reference behavior attributes are determined based on a plurality of further behavior attributes determined using further log data collected for a plurality of further computing devices associated with a plurality of further users having a same role within an enterprise.  ([Devost, Fig. 1; para. 0063] “the reference data map 150 [reference behavior attributes] created [determined] by the digital hidrosis engine 130 can include a reference data map 150 that defines "normal" behavior based on the activities of the entire enterprise … all employees/users… as well as a reference data map 150 that defines "normal" behavior based on the activities of a predetermined group [further behavior attributes] … e.g., users that are engineers, users that are accountants, users that are in management, etc. [associated with a plurality of users having a same role within an enterprise]”; [para. 0054] “The host systems 120 are initially provided with RDHD and RALP [further behavior attributes: see para. 0062 and para. 0063] based on … activity log parameters [further log data] collected … by the digital hidrosis engine [a plurality of further computing devices]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Huston with the teachings of Devost to include wherein the reference behavior attributes are determined based on a plurality of further behavior attributes determined using further log data collected for a plurality of further computing devices associated with a plurality of further users having a same role within an enterprise.  One of ordinary skill in the art would have been motivated to make this modification because by engaging in non-intrusive interrogation of computer and network behavior to establish patterns of normality across different classes of users or user roles, subtle indicators or anomalies that could be indicative of an increased risk of malicious intent can be found.  (Devost, para. 0029)

As per claim 18, the claim language is identical or substantially similar to that of claim 8. Therefore, it is rejected under the same rationale applied to claim 8.

As per claim 19, the claim language is identical or substantially similar to that of claim 9. Therefore, it is rejected under the same rationale applied to claim 9.

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Huston in view of Bisht as applied to claim 7 above, and further in view of Apostolopoulos (US Pub. 2018/0219888) (hereinafter “Apostolopoulos”).

As per claim 10, Huston in view of Bisht teaches claim 7.  
Huston in view of Bisht does not clearly teach prior to the determining that the user has logged into the computer device, collecting further log data from the plurality of telemetry sources associated with the computing device; and prior to extracting the activity data, excluding the further log data from the log data.
However, Apostolopoulos teaches prior to the determining that the user has logged into the computer device, ([Apostolopoulos, para. 0099] “the real-time processing path is configured to continuously monitor and analyze [determining] … event data [activity data]”; [para. 0131] “examples of supported data … include … an authentication event [that the user has logged into the computer device]”) collecting further log data from the plurality of telemetry sources associated with the computing device; and ([para. 0102] “in the context of machine-learning evaluation, historical data [further data, prior to the authentication event as it is historical] … may be used”; [para. 0046] “the data generated … can include, server log files, activity log files [further log data]”)
prior to extracting the activity data, excluding the further log data from the log data.  ([Apostolopoulos, para. 0099] “the real-time processing path excludes historical data [further log data] … from its evaluation [log data, as the evaluation is to analyze log data]”; “real-time processing path is configured to continuously [prior to] monitor and analyze [extracting]… event data [the activity data]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Huston with the teachings of Apostolopoulos to include prior to the determining that the user has logged into the computer device, collecting further log data from the plurality of telemetry sources associated with the computing device; and prior to extracting the activity data, excluding the further log data from the log data.  One of ordinary skill in the art would have been motivated to make this modification because the evaluation of the historical data tends to be slower, and by doing this manner of data scaling [i.e. not processing historical/reference/further log data during real-time monitoring of user behavior], the security platform can provide anomaly and threat detection in a real-time manner.  (Apostolopoulos, para. 0101-0102)

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Muddu et al. (US Patent No. 9,516,053) discloses activity detection where patterns of behavior that are abnormal are identified when compared to a histogram, and where patterns of behaviors are compiled based on data sources, such as log files from a variety of sources.
Moran (US Pub. 2007/0157315) discloses prior to a login event, other users who login and have their login events recorded on a log file (further log data) and where such log files are removed due to a roll-down event (excluding the further log data) when computing the signature of a file against a database for the file.  
Biswas et al. (US Pub. 2020/0128047) discloses creating graph profiles associated with user activity events data that is fed into a threat engine in order to determine threat events. The graphs include nodes and edges where the edges represent relationships between the nodes and the nodes represent actions performed by the user.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHE LIU whose telephone number is (571) 272-3634.  The examiner can normally be reached on Monday - Friday: 8:30 AM to 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.
/Z.L./Examiner, Art Unit 2493

/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493