DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Response to Amendment
The Amendment filed on 10/12/2022 has been entered. 
The rejection of claims 1-22 under 35 U.S.C. 112(b) is withdrawn in view of the amendment.
Claims 1, 8 and 15 are amended.
Claims 1-20 are pending of which claims 1, 8 and 15 are independent claims.

Response to Arguments
The applicant's arguments filed on 10/12/2022 regarding claims 1-14 have been fully considered. The arguments regarding claims 1-15 and 19-20 are essentially directed towards the newly introduced limitations and they are addressed in this Office Action, below.
The argument regarding claims 17-18 corresponding to prior art Muralidharan is persuasive and therefore, the rejection of claims 17-18 is withdrawn.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –


(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-4, 6-8 and 15 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Martin et al. (Pub. No.: US 2018/0004948, hereinafter Martin).
Regarding claim 1: Martin discloses a method of detecting anomalous user behavior in cloud environments, the method comprising:
receiving a count of an action taken during a current time interval in a cloud environment (Martin - [0052]: receiving a first signal from a sensor implementing deep packet inspection to detect anomalous behaviors of assets on the network in Block S210, the first signal specifying a first anomalous behavior of a first asset on the network at a first time; compiling the first signal and a first set of signals into a first vector representing frequencies of anomalous behaviors, in a predefined set of behavior types, of the first asset on the network within a first time window of a preset duration up to the first time in Block S220. [0023]: statistical anomaly-based detection methods);
accessing a history of previous counts of the action taken across a peer group and generating a statistical characterization of the previous counts of the action based on a sliding window of the history of previous counts of the action across the peer group (Martin - [0051]: each data structure in the corpus of data structures representing a previous set of behaviors of an asset, in a set of assets, on the network within a time window of the preset duration); 
determining whether the count of the action taken during the current time interval is greater by more than a threshold amount than the statistical characterization of the previous counts of the action taken across the peer group (Martin - [0053]: the system can compare the new vector to a corpus of historical vectors representing behaviors of other assets on the network over similar time windows (e.g., two-week periods) in the past (e.g., a complete tracked history of the network) to determine whether the recent combination of behaviors of the asset have been observed in the past (e.g., on the same or other asset on the network) in Block S230); 
determining that the action represents an outlier based on a determination that the count of the action taken during the current time interval is greater by more than the threshold amount than the statistical characterization of the previous counts of the action taken across the peer group; and 
generating an alert based on determining that the action represents an outlier (Martin - [0053]: the system can issue an alert to investigate the asset in Block S240 if the new vector deviates significantly from the corpus of historical vectors).
Regarding claim 2: Martin discloses wherein the count of the action taken during the current time interval comprises a count of a single action type performed by a single user (Martin - [0052]: a first vector representing frequencies of anomalous behaviors, in a predefined set of behavior types, of the first asset on the network. [0014]: an asset (e.g., a machine and user) on the network).
Regarding claim 3: Martin discloses wherein the count of the action taken during the current time interval comprises a count of a single action type performed on a single resource (Martin - [0052]: a first vector representing frequencies of anomalous behaviors, in a predefined set of behavior types, of the first asset on the network. [0014]: an asset (e.g., a machine and user) on the network). 
Regarding claim 4: Martin discloses further comprising generating the count of the action taken during the current time interval by aggregating actions by a single user or on a single resource from an action log recorded during the current time interval (Martin - [0036]: the system can retrieve a risk algorithm specific to a type of a new signal from a risk database and then pass a total number of like actions (e.g., failed password attempts by one computer, port 3389 scan events by one computer) and/or a like action frequency (e.g., a number of failed password attempts within a five-minute interval)).
Regarding claim 6: Martin discloses wherein determining whether the count of the action is greater by more than a threshold amount comprises:
providing the count of the action and a type of the action to a neural network (Martin - [0064]: the system can pass the first vector through a replicator neural network. [0052]: a first vector representing frequencies of anomalous behaviors); and
receiving an output from the neural network indicating whether the action represents an outlier (Martin - [0027]: to calculate an outlier score for the first vector in Block S230).
Regarding claim 7: Martin discloses wherein the neural network is trained using the count of the action, the type of the action, and a response to the alert (Martin - [0052]: compiling the first signal and a first set of signals into a first vector representing frequencies of anomalous behaviors, in a predefined set of behavior types, of the first asset on the network within a first time window of a preset duration up to the first time. [0064]: the system can pass the first vector through a replicator neural network—trained on vectors generated from signals triggered at substantially all assets on the network during previous two-week intervals—to calculate an outlier score for the first vector).
Regarding claim 8: this claim defines a computer readable medium claim that corresponds to method claim 1 and does not define beyond the limitations of claim 1. Therefore, claim 8 is rejected with the same rationale as in the rejection of claim 1.
Regarding claim 15: this claim defines a system claim that corresponds to method claim 1 and does not define beyond the limitations of claim 1. Therefore, claim 15 is rejected with the same rationale as in the rejection of claim 1.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Martin et al. (Pub. No.: US 2018/0004948, hereinafter Martin) in view of Huang et al. (Pub. No.: US 2020/0184245, hereinafter Huang).
Regarding claim 5: Martin doesn’t explicitly teach but Huang discloses wherein the threshold amount comprises a predetermined number of standard deviations above the statistical characterization of the previous times when the action was taken across the peer group (Huang - [0049]: thresholds generator 476 can generate thresholds 462 and 464 by multiplying standard deviation σ with a multiplier value (e.g., three) set by standard deviation multiplier 480 to generate a multiple … Each of comparators 472 can compare the shifted output data element against thresholds 462 and 464 provided by thresholds generator 476 to determine whether the shifted output data element is an outlier).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Martin with Huang so that a threshold is generated for determining an outlier. The modification would have allowed the system to find an outlier.

Claims 9, 11-14 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Martin et al. (Pub. No.: US 2018/0004948, hereinafter Martin) in view of Stolfo et al. (Pub. No.: US 2003/0167402, hereinafter Stolfo).
Regarding claim 9: Martin doesn’t explicitly teach but Stolfo discloses wherein the operations further comprise:
calculating a first vector that is representative of actions taken during a plurality of previous time intervals in the cloud environment;
calculating a similarity between the first vector and a second vector that comprises counts of actions taken during a current time interval, wherein the second vector also comprises the count of the action;
comparing the similarity to a baseline threshold to determine whether one or more anomalous actions have occurred; and
generating an alert based at least in part on a determination that the one or more anomalous actions have occurred in the cloud environment (Stolfo - [0068]: A histogram for normal behavior may be taken over one time period, and histogram for new behavior may be taken over a second time period. [0069]: Once such histograms have been created, the histogram of the baseline behavior is compared with the histogram of the selected behavior to determine whether the new behavior represents a deviation that may be classified as a violation of email security policy … A histogram can be represented by a vector. [0064]: Where the selected behavior of the particular email account deviates from this profile of prior or baseline behavior, the system 10 may issue an alert that a violation of an email security policy has occurred).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Martin with Stolfo so that the histogram of the baseline behavior is compared with the histogram of the selected behavior to determine whether the new behavior represents a deviation that may be classified as a violation. 
Regarding claim 11: Martin doesn’t explicitly teach but Stolfo discloses wherein each entry in the first vector comprises an average event score during the plurality of previous time intervals (Stolfo - [0066]: a histogram may record the average number of emails sent by an email account each day during the previous month, wherein each bin represents a day, hour, or other time period).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Martin with Stolfo so that a histogram may record the average number of emails sent by an email account each day during the previous month. The modification would have allowed the system to use a histogram computed over the twelve months to serve as a statistical model of baseline behavior of the email account.
Regarding claim 12: Martin doesn’t explicitly teach but Stolfo discloses wherein each of the plurality of previous time intervals comprises one day (Stolfo - [0066]: a histogram may record the average number of emails sent by an email account each day during the previous month).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Martin with Stolfo so that the time period can be one day. The modification would have allowed the system to be flexible.
Regarding claim 13: Martin doesn’t explicitly teach but Stolfo discloses wherein the plurality of previous time intervals comprises a sliding window of days, wherein the sliding window of days adds the current time interval to the sliding window of days and removes a least-recent time interval from the sliding window of days after each time interval (Stolfo - [0066]: Each bin in the histogram counts some number of events in fixed time periods).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Martin with Stolfo so that each bin in the histogram counts some number of events in fixed time periods. The modification would have allowed the system to use bins to accumulate events.
Regarding claim 14: Martin doesn’t explicitly teach but Stolfo discloses wherein the first vector is representative of actions taken during the plurality of previous time intervals by storing a histogram of event counts for each of the plurality of previous time intervals (Stolfo - [0066] and [0067]: histograms that may be stored for an email account).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Martin with Stolfo so that histograms may be stored. The modification would have allowed the system to do further analysis.
Regarding claim 19: Martin doesn’t explicitly teach but Stolfo discloses wherein the action comprises a number of emails that are sent by a particular user (Stolfo - [0064]: The statistics gathered about the prior transmission of email to and from a particular email account can be used as training data to create a probabilistic or statistical model of an email account).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Martin with Stolfo so that the statistics gathered about the prior transmission of email to and from a particular email account are used. The modification would have allowed the system to create a probabilistic or statistical model of an email account.

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Martin et al. (Pub. No.: US 2018/0004948, hereinafter Martin) in view of Bagheri et al. (Pub. No.: US 2020/0134188).
Regarding claim 10: Martin doesn’t explicitly teach but Bagheri discloses wherein the similarity is calculated using a cosine similarity (Bagheri - [0058]: cosine similarity to evaluate similarity between two vectors).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Martin with Bagheri so that cosine similarity is used to evaluate similarity between two vectors.

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Martin et al. (Pub. No.: US 2018/0004948, hereinafter Martin) in view of DORMODY et al. (Pub. No.: US 2019/0360804).
Regarding claim 16: Martin doesn’t explicitly teach but DORMODY discloses wherein determining whether the action represents an outlier comprises:
performing a second determination of whether the count of the action is greater than a global mean of action counts multiplied by a scale factor for the action (DORMODY - [0062]: the new global success average may be determined by weighting the current global success average using any suitable weight and adding it to a weighted access count for the deallocated page (again using any suitable weight). [0066]: If the global access average is less than the global access average threshold, but the global success average is greater than or equal to the global success average threshold).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Martin with DORMODY so that the global access average threshold is used to determine an outlier.

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Martin et al. (Pub. No.: US 2018/0004948, hereinafter Martin) in view of Rouatbi et al. (Pub. No.: US 2019/0104147, hereinafter Rouatbi).
Regarding claim 20: Martin doesn’t explicitly teach but Rouatbi discloses wherein the action comprises a number of folders created by a particular user (Rouatbi - [0029]: the same or similar action may presented as different actions in the artifacts … User/Favorites folder was created as an action).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Martin with Rouatbi so that an action can be creating User/Favorites folder. 

Allowable Subject Matter 
Claims 17 and 18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. 

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Peer (Patent No.: US 8,621,586) - Using baseline profiles in adaptive authentication
Pugsley et al. (Pub. No.: US 2019/0087341) - Method and system for coordinating baseline and secondary prefetchers
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG LI whose telephone number is (571)272-8729.  The examiner can normally be reached on M-F 8:30-5:30.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid can be reached on (571) 272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8729.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MENG LI/
Primary Examiner, Art Unit 2437