DETAILED ACTION
The following claims are pending in this office action: 1-17
The following claims are amended: 1-14 and 16-17
The following claims are new: -
The following claim is cancelled: -
Claims 1-17 are rejected. This rejection is FINAL.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Previous Objections Withdrawn
The objections to claims 1-17 are withdrawn based on the amendments and clarifications provided by Applicant. 
The 35 USC § 112(b) rejections to claims 4-7 and 16 are withdrawn based on the amendments.  
The 35 USC § 101 rejections to claims 9-14 and 17 are withdrawn based on the amendments.
Allowable Subject Matter
Claims 4 and 7 would be allowable if rewritten to overcome the rejections under 35 U.S.C. 112(b) set forth in this Office action and to include all of the limitations of the base claim, and any intervening claims.
RESPONSE TO ARGUMENTS
Applicant’s arguments filed in the amendment filed 08/17/2022 have been fully considered but are moot in view of new grounds of rejection necessitated by amendment. 
Applicant notes: Independent claim 1 is amended to include the limitation “wherein the multiple behavior dimensions are obtained by arbitrarily combining the content included in a business layer feature dimension and a behavior layer feature dimension”.  This limitation is disclosed by Chen et al. (US Pub. 2018/0060587) as explained below and rejected accordingly.  
Dependent claims 1-8 and 15-16 depend on independent claim 1.  The amended elements in the claims are disclosed by Chen et al. (US Pub. 2018/0060587) as explained below, and so any additional features to the dependent claims are rejected accordingly.
Applicant further notes that the searched prior art does not teach feature B: “determining eigenvectors for the user behavior data based on the multiple eigenvalues”.  Applicant explains: 
…Meng only discloses obtaining the covariance matrix of data set, and computing feature values and eigenvectors of the covariance matrix.  However, Meng does not disclose multiple eigenvalues of the user behavior data under preset multiple behavior dimensions (which are obtained by arbitrarily combining the content included in a business layer feature dimension and a behavior layer feature dimension).


Applicant further asserts that the searched prior art does not teach feature C: “obtaining multiple aggregation classes by clustering the eigenvectors through a preset clustering algorithm, and acquiring a central vector of each of the multiple aggregation classes”.   Applicant explains:
…Events are represented as vectors based on attribute information of the events … Wang does not disclose obtaining multiple aggregation classes by clustering the new event vector. That is, Wang does not disclose the division of the event vector into multiple aggregated classes… It can be seen that “the cluster center vector” is the center vector of a previously constructed event cluster rather than the center vector of each aggregation class in multiple aggregation classes obtained by clustering the new event vector.


Applicant further asserts that the searched prior art does not teach feature D: “determining a difference eigenvector, wherein a distance between the difference eigenvector and a central vector of one of the multiple aggregation classes to which the difference eigenvector belongs is not within a preset distance range”.   Applicant explains:
…Wang compares the new event vector with the center vector of the previously constructed event cluster to determine the risk level for a new event.  That is to say, in order to determine the risk level for a new event, only this new event vector is compared to the previously constructed event cluster.  However, the event cluster is not constructed based on the new event vector.  Therefore, there is no calculation of a distance between the new event vector and a central vector of the aggregation class to which the new event vector belongs.  


Applicant further asserts that the searched prior art does not teach feature E: “determining a user characterized by the difference vector as an abnormal user”.   Applicant explains:
…the metric vectors with similarity score values above a threshold are ordinally listed and their corresponding log metrics are provided as metric recommendations through the user interface.  However, the metric vectors are not used to characterize a user, nor are they used to determine an abnormal user.  Furthermore … Convertino does not mention the relationship between metric vectors and user behavior and unusual activities, nor does it mention that vectors characterize a user.  In Convertino, metric vectors are used to generate metric recommendations.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Features B, C, D and E are within the scope and content of the prior art.  
In regards to feature B, determining eigenvectors for the user behavior data based on the multiple eigenvalues, in PCA-based behavior feature extraction, “we compute feature values and eigenvectors”.  Meng, pg. 3, Sec. 2.2.  Step 4 “After the calculation, we can get feature values λ1 = 0.049, λ2 = 1.284, and eigenvectors”.  Meng, pg. 4, Sec. 2.2.4. The term “feature values” is synonymous with eigenvalues.  “The components with small importance can be ignored, thus, we can get a data set with few dimensions.  Precisely speaking, the original data is n-dimensional, after choosing the previous p main components, the current data will be only p dimensions”.  Meng, pg. 4, Sec. 2.2.5.  P main components are multiple eigenvectors.  “… we can ignore an eigenvector with smaller feature value, and then we obtain an eigenvector … which is the main direction of the data set”.  Meng, pg. 4, Sec. 2.2.5.  This is an example of how a principal/main direction/eigenvector may be determined using the multiple eigenvalues.  Furthermore, to support the above: “PCA can be used to calculate the principal directions based on the features in each group”.  Meng, pg. 4, Sec. 2.2.5.  PCA is used to calculate the multiple eigenvectors (principal directions) based on the features (eigenvalues) in each group.  As the limitations of feature B are recited by Meng, the content of feature B argued by Applicant is within the scope and content of the cited prior art. 
In regards to feature C, obtaining multiple aggregation classes by clustering the eigenvectors through a preset clustering algorithm, and acquiring a central vector of each of the multiple aggregation classes, Wang discloses “using well-known machine learning clustering algorithms … to determine if the event is part of any existing event cluster or user cluster in real time” where the “user profile cluster is updated by adding the event vector into the cluster determined by the well-known clustering algorithm”.  Wang, para. 0032.  In other words, the user profile cluster aggregates the event vectors into the cluster (creating an aggregation class) using a well-known (preset) clustering algorithm.  The terms event cluster and user profile cluster are used interchangeably.  The event profile is represented by the event cluster.  Wang, para. 0052.  “A new cluster 5-11 starts as an event vector 5-10, which is detected as anomaly and not part of the existing event cluster 5-3 by the well-known clustering algorithm”.  Wang, para. 0054 and Fig. 4.  In other words, the preset clustering algorithm obtains cluster 5-3 and new cluster 5-11 (multiple aggregation classes) by clustering the vectors.   Wang also teaches “the cluster center vector in an n-dimensional vector space”.  Wang, para. 0041, Fig. 3, vector 4-8.   “The center of a user’s event cluster is dynamically updated”.  Wang, para. 0053.  In other words, the center vector of a user’s event cluster (each of the multiple aggregation classes) is dynamically updated (acquired).  Thus, Wang teaches obtaining multiple aggregation classes by clustering the vectors through a preset clustering algorithm, and acquiring a central vector of each of the multiple aggregation classes.  As explained above, Meng teaches that eigenvectors, a type of vector, is obtained from eigenvalues representing user behavior data.  
Combined with Wang, the references teach obtaining multiple aggregation classes by clustering the eigenvectors through a preset clustering algorithm, and acquiring a central vector of each of the multiple aggregation classes.  As the limitations of feature C are recited by Wang and Meng, the content of feature C argued by Applicant is within the scope and content of the cited prior art.
In regards to feature D, determining a difference eigenvector, wherein a distance between the difference eigenvector and a central vector of one of the multiple aggregation classes to which the difference eigenvector belongs is not within a preset distance range, Wang teaches “a risk score (preset distance range) of the vector distance (distance) between the event vector (difference vector) and the cluster (multiple aggregation classes) center vector (central vector)”.  Wang, para. 0041.  Clustering creates aggregation classes (broadly interpreted as groups of data/vectors that are similar), and so a plurality of clusters is synonymous with “multiple aggregation classes”.  A risk score is calculated by “comparing said event vector of said event with said event vector clusters”.  Wang, claim 1.  The “anomaly event in form of an event vector” is determined.  Wang, para. 0052, Fig. 3.  The risk score may be “Normal: the event looks legitimate”; “Low Risk: some aspects of the event are abnormal, but not many”; “Medium Risk: some important aspects of the event are abnormal while some are not”; and “High Risk: many key aspects of the event are abnormal”.  Wang, para. 0037-0040.  Thus, an abnormal event vector is determined based on the risk.  In other words, para. 0041 of Wang discloses determining a difference vector (anomalous event vector), wherein a distance (vector distance) between the difference vector (anomalous event vector) and a central vector (center vector) of multiple aggregation classes (event vector clusters) to which the difference vector belongs is not within a preset distance range (where the risk score is not Normal).  Wang further teaches “capture the user activity… converting … the event … to numeric values … and is now represented as an n-tuple vector” or transforming user behavior into an event vector. As explained above, Meng teaches that eigenvectors, a type of vector, are obtained from eigenvalues representing user behavior data.  
Combined with Wang, the references teach determining a difference eigenvector, wherein a distance between the difference eigenvector and a central vector of one of the multiple aggregation classes to which the difference eigenvector belongs is not within a preset distance range.  As the limitations of feature D are recited by Wang and Meng, the content of feature D argued by Applicant is within the scope and content of the cited prior art.
In regards to feature E, determining a user characterized by the difference eigenvector as an abnormal user, Convertino teaches that “semantic similarity between vectors implies relevance, therefore metric recommendations are made by calculating 625 the similarity between a centroid vector Cj and metric vectors Mi (difference vector)”… “the metric vectors … with similarity score … values above a threshold … are provided 630 as metric recommendations (determining a user) through the user interface”.  Convertino, para. 0073 and para. 0074.   In other words, a metric recommendation is characterized by a metric vector.  The metric vector is a difference vector as it is determined based on the distance between the vector and a central vector, where the distance is above a similarity threshold.  The metric recommendation includes log data depicting a user, for example, Adam Apple, Brian Beats, Chris Cherry, or David Dates.  Convertino, Fig. 4b.  The user may be an abnormal user as the log data is used to “identify intrusion attempts or unusual activities” by users.  Convertino, para. 0004.  As explained above, Meng teaches that eigenvectors, a type of vector, are obtained from eigenvalues representing user behavior data.   Combined with Meng, the references teach determining a user characterized by the difference eigenvector as an abnormal user.  As the limitations of feature D are recited by Convertino and Meng, the content of feature E argued by Applicant is within the scope and content of the cited prior art.

In considering the prior art references as a whole, there is no substantive difference between the claim limitations at issue and the prior art.  
“Once the examiner sets out this prima facie case, the burden shifts to the patentee to provide evidence, in the prior art or beyond it, or argument sufficient to rebut the examiner's evidence. The examiner then reaches the final determination on obviousness by weighing the evidence establishing the prima facie case with the rebuttal evidence." ACCO Brands Corp. v. Fellowes, Inc., 813 F.3d 1361, 1365–66, 117 USPQ2d 1951, 1553-54 (Fed. Cir. 2016) (internal citations omitted).  
As for feature B, Applicant suggests that cited prior art does not disclose multiple eigenvalues of the user behavior data.  However, as explained in the non-final rejection dated 05/25/2022 and further elaborated on above, Meng teaches the feature stated.  Although Applicant is correct in stating that Meng discloses obtaining the covariance matrix of data set, and computing feature values and eigenvectors of the covariance matrix, that is not the only feature described by Meng.  Applicant’s arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  Accordingly, applicant’s argument is not convincing.
As for feature C, Applicant suggests that the cited prior art does not disclose obtaining multiple aggregation classes by clustering the new event vector as Wang does not disclose the division of the new event vector into multiple aggregated classes.   During patent prosecution, “claims must be given their broadest reasonable interpretation in light of the specification… Though understanding the claim language may be aided by explanations contained in the written description, it is important not to import into a claim limitations that are not part of the claim.”  See MPEP 2111.  Nowhere in the claims is the limitation that the obtaining multiple aggregation classes must be done by “clustering the new event vector”.  Also, nowhere in the specifications of the instant application does the Applicant indicate support for indicating such a limitation.  Furthermore, Applicant does not clearly explain how such a step must be done such that a new event vector may be divided into multiple aggregated classes.  As explained above, Examiner takes the broadest reasonable interpretation of “multiple aggregate classes” as more than one (multiple) cluster (aggregate) of vectors (classes).   As for the additional statements presented, that “events are represented as vectors based on attribute information of the events”, and “the cluster center vector is the center vector of a previously constructed event cluster, rather than the center vector of each aggregation class in multiple aggregation classes obtained by clustering the new event vector”, these arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  Accordingly, applicant’s argument is not convincing.
As for feature D, Applicant suggests that the cited prior art compares a new event vector with the previously constructed event cluster, which in turn equates to the assertion that there is no calculation of a distance between new event vector and a central vector of the aggregation class as the new event vector is not included in the event cluster.  During patent prosecution, “claims must be given their broadest reasonable interpretation in light of the specification… Though understanding the claim language may be aided by explanations contained in the written description, it is important not to import into a claim limitations that are not part of the claim.”  See MPEP 2111.  Nowhere in the claims is the limitation that the aggregation class must be aggregated with the most current vector.   Also, nowhere in the specifications of the instant application does the Applicant indicate support for indicating such a new limitation.  Furthermore, applicant does not clearly explain how such a step must be done in order to create an aggregation class.  As explained above, Examiner takes the broadest interpretation of aggregation class as a cluster of vectors, without including a limitation of whether the cluster needs to be constructed based on a new event vector or otherwise.  Finally, even if this limitation is included, Applicant is directed to para. 0053 of Wang where it states “the center of a user’s event cluster is dynamically updated, the risk score of a new event is also dynamically adjusted” where the example provided does consider the current event in calculating the cluster center, and so does include the embodiment of including the new event in calculating the distance.   Accordingly, applicant’s argument is not convincing.
As for feature E, Applicant suggests that in the cited prior art, the vectors are not used to characterize a user, nor are they used to determine an abnormal user.  Furthermore … Convertino does not mention the relationship between metric vectors and user behavior and unusual activities, nor does it mention that vectors characterize a user.  "A person of ordinary skill in the art is also a person of ordinary creativity, not an automaton." KSR Int'l Co. v. Teleflex Inc., 550 U.S. 398, 421, 82 USPQ2d 1385, 1397 (2007). "[I]n many cases a person of ordinary skill will be able to fit the teachings of multiple patents together like pieces of a puzzle." Id. at 420, 82 USPQ2d 1397. Office personnel may also take into account "the inferences and creative steps that a person of ordinary skill in the art would employ." Id. at 418, 82 USPQ2d at 1396. Also see MPEP 2141.03.  The determination of whether the vectors characterize or determine an abnormal user depends on what is a metric vector.  Para. 0010 of Convertino clearly states “Each log metric is represented by a metric vector in vector space” … “components of the vector represent … characteristics … such as user”.  Furthermore, Fig. 4b clearly depicts characteristics including names of users.  Thus, it is clear that the metric vectors represent users in at least one embodiment.  As for determining an abnormal user, the function of the system of Convertino is to produce a “metric recommendation”.    Metric recommendations are “log metrics”.  See para. 0009 of Convertino.  “Different users with different capacities or occupational roles may generate or use similar metrics”.  See para. 0007 of Convertino.  “Security and compliance experts have used logs to identify intrusion attempts or unusual activities”, which are roles that may be assigned to malicious users. Thus, it is clear that the capacity or role of intruder, or unusual activity user, can be detected using the metric recommendation of Convertino.  
Accordingly, applicant’s argument is not convincing.

A person of ordinary skill in the pertinent art would have been able to use the prior art references cited.  If the only facts of record pertaining to the level of skill in the art are found within the prior art of record, the court has held that an invention may be held to have been obvious without a specific finding of a particular level of skill where the prior art itself reflects an appropriate level. Chore-Time Equipment, Inc. v. Cumberland Corp., 713 F.2d 774, 218 USPQ 673 (Fed. Cir. 1983). See also Okajima v. Bourdeau, 261 F.3d 1350, 1355, 59 USPQ2d 1795, 1797 (Fed. Cir. 2001). At the time of filing, it would have been obvious to use the prior art cited to satisfy the amended limitations.  Thus, the invention, as claimed, would be within the level of ordinary skill in the art.  
The Applicant has not provided any objective indicia of nonobviousness in the record to be considered, and it is assumed that there are no secondary considerations supporting nonobviousness.
In conclusion, the Applicant’s arguments are not persuasive.  The Graham factors, as analyzed above, support a finding that the amended claims are within the metes and bounds possessed by the public.  
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claims 1-7, 15 and 16 are rejected under 35 U.S.C. 112(b), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Claims 1-7, 15 and 16 recite the limitation “the multiple behavior dimensions” (claim 1, ln. 4). This limitation lacks antecedent basis.  Examiner suggests replacing the limitation with “the preset multiple behavior dimensions”.
Claims 1-7, 15 and 16 recite the limitation “the content” (claim 4, ln. 4-5). This limitation lacks antecedent basis.  Examiner suggests replacing the limitation with “content”.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 5, 9-10, 12, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Wang et al. (US Pub. 2019/0116193) (hereinafter “Wang”) in view of Meng et al., Anomaly Detection Model of User Behavior Based on Principle Component Analysis, Journal of Ambient Intelligence and Humanized Computing, January 21, 2016, pg. 547-554 (hereinafter “Meng”) in view of Convertino et al. (US Pub. 2016/0335260) (hereinafter “Convertino”) and further in view of Chen et al. (US Pub. 2018/0060587) (hereinafter “Chen”)

As per claim 1, Wang teaches an abnormal user identification method, comprising: acquiring user behavior data of a user; ([Wang, para. 0015-0016] an event reporting agent detects entity behavior [user behavior] which can include parameters such as the IP address of the device used, the type of device used, physical location, number of login attempts, date and time, and more)
obtaining multiple aggregation classes by clustering the vectors through a preset clustering algorithm, ([Wang, para. 0032] the risk assessment engine collects and constructs the user profile [during a training period – see para. 0045], multiple clusters [aggregation classes – see para. 0006] based on the received events that are event vectors [see – para. 0006; para. 0052], using well known machine learning algorithms such as K-Means; Fig. 4 shows an entity profile that evolves from a cluster into two clusters [multiple aggregation classes]; obtaining, and using eigenvectors obtained from user behavior is taught by Meng below, and an eigenvector is one type of vector) and acquiring a central vector of each of the multiple aggregation classes; ([Wang, para. 0041] the risk assessment engine computes a risk score of the event based on the vector distance between the event vector and the cluster center vector [each central vector of each of the multiple aggregation class]; [para. 0053] the center [central vector] of a user’s event cluster [each of the multiple aggregation classes as a user’s event cluster is an entity profile that contain multiple classes – see para. 0054 and Fig. 4] is dynamically updated [acquired])
determining a difference vector, wherein a distance between the difference vector and a central vector of one of the multiple aggregation classes to which the difference vector belongs is not within a preset distance range; and ([Wang para. 0041] the risk assessment engine calculates [determines] the risk score, a vector distance between the event vector [difference vector] and the cluster center vector [central vector of an aggregation class].  The vector is determined to be high risk [a difference vector] if it is not within, for example, 30 minutes distance in vector distance [a preset distance range], from the cluster center.  [Para. 0054; Fig. 4] The cluster is one of the multiple clusters [aggregation] comprised of vectors [classes].  Obtaining, and using eigenvectors obtained from user behavior is taught by Meng below, and an eigenvector is one type of vector)
Wang does not clearly teach extracting multiple eigenvalues of the user behavior data under preset multiple behavior dimensions, wherein the multiple behavior dimensions are obtained by arbitrarily combining the content included in a business layer feature dimension and a behavior layer feature dimension; determining eigenvectors for the user behavior data based on the multiple eigenvalues; and determining a user characterized by the difference eigenvector as an abnormal user.
However, Meng teaches extracting multiple eigenvalues of the user behavior data under preset multiple behavior dimensions; and ([Meng, Pg. 3-4, Section 2.2 – PCA-based user behavior feature extraction method] feature values [eigenvalues] are calculated by extracting user behavior by using a covariance matrix) 
determining eigenvectors for the user behavior data based on the multiple eigenvalues. ([Meng, Pg. 3-4, Section 2.2 – PCA-based user behavior feature extraction method] based on the feature value [eigenvalue] the eigenvector which represents the biggest correlation between data dimensions is determined)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Wang with the teachings of Meng to include extracting multiple eigenvalues of the user behavior data under preset multiple behavior dimensions; and determining eigenvectors for the user behavior data based on the multiple eigenvalues.  One of ordinary skill in the art would have been motivated to make this modification because using such a method of principal component analysis describes the user’s behavior more completely and improves the efficiency and stability of the algorithm in order to more precisely and effectively detect abnormal user behavior.  (Meng, abstract)
Wang in view of Meng does not clearly teach wherein the multiple behavior dimensions are obtained by arbitrarily combining the content included in a business layer feature dimension and a behavior layer feature dimension; and determining a user characterized by the difference eigenvector as an abnormal user.
However, Convertino teaches determining a user characterized by the difference vector as an abnormal user.  ([Convertino, para. 0073-0074] a semantic similarity that is a representation of the Euclidean distance between a centroid vector and a metric vector [a distance vector] is determined.  The metric vectors with similarity score above a threshold are provided as metric recommendations [an abnormal user – see para. 0004 – the method is used to determine intrusion attempts or unusual activities of users’ behavior])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Wang in view of Meng with the teachings of Convertino to include determining a user characterized by the difference vector as an abnormal user.  One of ordinary skill in the art would have been motivated to make this modification because, by using such a method, a user specific recommendation may be provided to identify the metric users that are most similar to the user vector based on the similarity scores.  (Convertino, para. 0077)
Wang in view of Meng and in view of Convertino does not clearly teach wherein the multiple behavior dimensions are obtained by arbitrarily combining the content included in a business layer feature dimension and a behavior layer feature dimension.
However, Chen teaches wherein the multiple behavior dimensions ([Chen para. 0040] “a preset variable … correspond to the operation behavior [preset multiple behavior dimensions – see para. 0032] and can be extracted from the service data [content]”) are obtained by arbitrarily ([para. 0058] “the time for applying the previously-described pre-set algorithm to compute the value of the pre-set variable is not limited to a particular interval”; ‘obtained arbitrarily’ is content that the multiple behavior dimensions are extracted from for an arbitrary [or non-limited] interval period of time – see pg. 5-6 of the instant application) combining the content included in a business layer feature dimension and a behavior layer feature dimension.  ([para. 0044] “the first generated service data includes a browsing page Pa [web browsing, a business layer feature dimension – see pg. 6 of the instant application], and a browsing duration [browsing behavior/a behavior layer feature dimension]”; [para. 0043] the service data is combined to form aggregated data)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Wang in view of Meng and Convertino with the teachings of Chen to include wherein the multiple behavior dimensions are obtained by arbitrarily combining the content included in a business layer feature dimension and a behavior layer feature dimension.  One of ordinary skill in the art would have been motivated to make this modification because, such an implementation allows a backend system to aggregate such streams of information [the business layer and the behavior layer dimension] in order to calculate a risk associated with an operation behavior.  (Chen, para. 0023)
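The clustering, central-vector and distance-range steps recited in claim 1 (features C, D and E above), sketched in Python as an added example; it is not code from the application, Wang, Meng, Convertino or Chen. It clusters plain per-user feature vectors with k-means and omits Meng's PCA step; the user names, feature values, `k` and the distance threshold are constructed assumptions.

```python
import math

# Constructed sample: one feature vector per user under two preset behaviour
# dimensions (normalised login rate, normalised download volume).
USERS = {
    "alice": (0.10, 0.20), "bob": (0.12, 0.18), "carol": (0.09, 0.22),
    "dave": (0.11, 0.21), "erin": (0.40, 0.25),
    "svc1": (0.80, 0.85), "svc2": (0.82, 0.83), "svc3": (0.79, 0.86),
}


def mean_vector(vectors):
    """Component-wise mean: the central vector of one aggregation class."""
    n = len(vectors)
    return tuple(sum(col) / n for col in zip(*vectors))


def farthest_first_seeds(vectors, k):
    """Deterministic seeding: start at the first vector, then repeatedly add
    the vector farthest from every seed chosen so far."""
    seeds = [vectors[0]]
    while len(seeds) < k:
        seeds.append(
            max(vectors, key=lambda v: min(math.dist(v, s) for s in seeds))
        )
    return seeds


def kmeans(vectors, k, max_iter=100):
    """Plain k-means. Returns (labels, centers); labels[i] is the index of
    the class that vectors[i] was assigned to."""
    centers = farthest_first_seeds(vectors, k)
    labels = None
    for _ in range(max_iter):
        new_labels = [
            min(range(k), key=lambda c: math.dist(v, centers[c]))
            for v in vectors
        ]
        if new_labels == labels:  # assignments stable: converged
            break
        labels = new_labels
        for c in range(k):
            members = [v for v, lab in zip(vectors, labels) if lab == c]
            if members:  # an empty class keeps its previous center
                centers[c] = mean_vector(members)
    return labels, centers


def abnormal_users(users, k, max_distance):
    """Flag users whose vector lies farther than max_distance (the preset
    distance range, an assumed fixed radius here) from the central vector
    of the class the vector itself belongs to."""
    names = list(users)
    vectors = [users[n] for n in names]
    labels, centers = kmeans(vectors, k)
    flagged = {}
    for name, vec, label in zip(names, vectors, labels):
        distance = math.dist(vec, centers[label])
        if distance > max_distance:
            flagged[name] = round(distance, 3)
    return flagged


if __name__ == "__main__":
    # Two classes: erin is grouped with the interactive users but sits far
    # from that class's central vector, so she is flagged.
    print(abnormal_users(USERS, k=2, max_distance=0.15))
    # Three classes: the same outlier seeds a class of her own, sits at
    # distance 0 from its central vector, and is no longer flagged.
    print(abnormal_users(USERS, k=3, max_distance=0.15))
```

The second call shows why the choice of `k` matters for detection: with too many classes an outlier becomes its own central vector and a pure distance-to-own-center check misses it.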

As per claim 2, Wang in view of Meng, Convertino and Chen teaches claim 1.  
Wang in view of Chen does not clearly teach wherein when the user includes multiple users, extracting multiple eigenvalues of the user behavior data under preset multiple behavior dimensions comprises: extracting multiple user eigenvalues of user behavior data of each user under multiple user behavior dimensions; determining eigenvectors for the user behavior data based on the multiple eigenvalues comprises: determining a user eigenvector of each of the multiple users based on multiple user eigenvalues of this user; obtaining multiple aggregation classes by clustering the eigenvectors through a preset clustering algorithm, and acquiring a central vector of each aggregation class, comprises: obtaining multiple user classes by clustering the user eigenvectors of the multiple users through a preset clustering algorithm; and determining a central vector of each of the multiple user classes based on a user eigenvector contained in this user class.
However, Meng teaches extracting the multiple eigenvalues of the user behavior data under the preset multiple behavior dimensions comprises: extracting multiple user eigenvalues of user behavior data of each user under multiple user behavior dimensions; ([Meng, Pg. 3-4, Section 2.2 – PCA-based user behavior feature extraction method] feature values [eigenvalues] are calculated by extracting user behavior by using a covariance matrix; [Pg. 4, Section 3.2] in the user behavior processing stage, the user behavior apparatus transform user behavior of users [a plurality of different users as vectors are made according to normal user behaviors and other types of user’s behaviors, and vectors are made of features which belong to one user’s behavior] to feature values [multiple user eigenvalues of behavior data of each user], and calculates each feature value, such as database access behavior and Web browsing behavior [multiple user behavior dimensions])
determining the eigenvectors for the user behavior data based on the multiple eigenvalues comprises: determining a user eigenvector of each of the multiple users based on multiple user eigenvalues of the each of the multiple users.  ([Meng, Pg. 3-4, Section 2.2 – PCA-based user behavior feature extraction method] based on the feature value [eigenvalue] the eigenvector which represents the biggest correlation between data dimensions is determined.  [Pg. 4, Section 3.2] in the training phase the system converts the audit logs of normal user behaviors into eigenvectors [determining a user eigenvector of each of the multiple users] and groups these vectors according to their users [based on this user].  As the eigenvectors are based on the feature values, and feature values for a plurality of users are calculated, each of the eigenvectors are based on the multiple user eigenvalues)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Wang, Meng, Convertino and Chen for the same reasons as disclosed above.  
Wang in view of Meng and Chen does not clearly teach wherein when the user includes multiple users obtaining the multiple aggregation classes by clustering the vectors through the preset clustering algorithm, and acquiring a central vector of each of the multiple aggregation class, comprises: obtaining multiple user classes by clustering the user vectors of the multiple users through the preset clustering algorithm; and determining a central vector of each of the multiple user classes based on a user vector contained in this user class.  
However, Convertino teaches wherein when the user includes multiple users, ([Convertino, para. 0040] the data management module monitors and captures activity of multiple users in various roles across different organizations using log metrics)
obtaining the multiple aggregation classes by clustering the vectors through the preset clustering algorithm, and acquiring a central vector of each of the multiple aggregation class, comprises: obtaining multiple user classes by clustering the user vectors of the multiple users through the preset clustering algorithm; and ([Convertino, para. 0060; para. 0066] clusters for various aggregations/classes [multiple aggregation classes] of the metrics vectors of the multiple users [see para. 0040; 0059 – the log metrics of multiple users are represented by metric vectors] with respect to different values of the various parameterizations, such as role, time period, operation, location or a combination thereof [multiple classes] are generated using a clustering algorithm such as k clustering [preset clustering algorithm].  Obtaining, and using eigenvectors from user behavior was taught by Meng above, and an eigenvector is one type of vector)
determining a central vector of each of the multiple user classes based on a user vector contained in this user class.  ([Convertino, para. 0059-0060] the recommendation module is configured to generate centroid vectors for each of the various aggregation classes [multiple user classes].  A centroid vector is a representation of the metrics [a user vector as log metrics of users are represented by the metric vectors] in a class [this user class].  Obtaining, and using eigenvectors from user behavior was taught by Meng above, and an eigenvector is one type of vector)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Wang in view of Meng and Chen with the teachings of Convertino to include wherein when the user includes multiple users, obtaining the multiple aggregation classes by clustering the vectors through the preset clustering algorithm, and acquiring a central vector of each of the multiple aggregation class, comprises: obtaining multiple user classes by clustering the user eigenvectors of the multiple users through the preset clustering algorithm; and determining a central vector of each of the multiple user classes based on a user eigenvector contained in this user class.  One of ordinary skill in the art would have been motivated to make this modification because a centroid vector aggregated by different users provides an unintuitive perspective which allows an enterprise to benefit from such metrics by users across the enterprise.  (Convertino, para. 0010; para. 0088)

As per claim 5, Wang in view of Meng, Convertino and Chen teaches claim 1.  
Wang also teaches when the user includes one user, ([Wang, para. 0031] the Event Reporting Agent captures activity of one user) the user behavior data contains at least one piece of historical user behavior data ([para. 0056] the method captures long-term memory data relating to behavior which does not change or only gradually changes over a long period [at least one piece of historical data]) and one piece of current user behavior data; ([para. 0056] the method captures short-term memory data which represents the entity’s temporary behavior, for example, events collected in a current travelling week [one piece of current user behavior data])
extracting multiple first data values of each piece of the historical user behavior data under the multiple user behavior dimensions, ([Wang, para. 0056; Fig. 5] multiple pieces of data values [multiple first data values] are extracted from long-term historical user data, such as when a user checks work emails, long-term login time of day, and long-term login city [multiple user behavior dimensions].  Obtaining, and using eigenvalues obtained from user behavior is taught by Meng below, and an eigenvalue is one type of value) and multiple second data values of the current user behavior data under the multiple user behavior dimensions; ([para. 0056; Fig. 5] multiple pieces of data values are extracted from current behavior [multiple second data values], such as current login city, and current login time of day [multiple user behavior dimensions].  Obtaining, and using eigenvalues obtained from user behavior is taught by Meng below, and an eigenvalue is one type of value)
determining a first data vector of each piece of the historical user behavior data based on the multiple first data values, ([Wang, para. 0056; Fig. 5] long-term data vectors [first data vector of each piece of historical user behavior data] are determined from the long-term data values [multiple first data values].  Obtaining, and using eigenvalues and eigenvectors obtained from user behavior is taught by Meng below; an eigenvalue is one type of value, and an eigenvector is one type of vector) and a second data vector of the current user behavior data based on the multiple second data value; ([para. 0056; Fig. 5] a short-term data vector [second data vector of the current user behavior data] is determined from the short-term login data values [multiple second data values].  Obtaining, and using eigenvalues and eigenvectors obtained from user behavior is taught by Meng below; an eigenvalue is one type of value, and an eigenvector is one type of vector)
obtaining the multiple aggregation classes by clustering the vectors through the preset clustering algorithm, and acquiring a central vector of each aggregation class, comprises: obtaining multiple data classes by clustering multiple first data vectors and the second data vector through the preset clustering algorithm ([Wang, para. 0032] the risk assessment engine collects and constructs the user profile [during a training period – see para. 0045], multiple clusters [aggregation classes – see para. 0006] based on the received events that are event vectors [see – para. 0006; para. 0052], using well known machine learning algorithms such as K-Means; [para. 0056; Fig. 5] the multiple first data vectors and the second data vectors are clustered within event clusters.  Obtaining, and using eigenvectors from user behavior is taught by Meng below, and an eigenvector is one type of vector)
Wang in view of Chen does not clearly teach extracting the multiple eigenvalues of the user behavior data under preset multiple user behavior dimensions; and determining the eigenvectors for the user behavior data based on the multiple eigenvalues; determining a central vector of a first data class to which the second data vector belongs; determining the difference vector, comprises: determining whether a distance between the second data vector and the central vector of the first data class is within a preset distance range; and if the distance between the second data eigenvector and the central vector of the first data class is not within the preset distance range, determining the second data vector as the difference vector. 
However, Meng teaches extracting the multiple eigenvalues of the user behavior data under preset multiple user behavior dimensions; and ([Meng, Pg. 3-4, Section 2.2 – PCA-based user behavior feature extraction method] feature values [eigenvalues] are calculated by extracting user behavior by using a covariance matrix)
determining the eigenvectors for the user behavior data based on the multiple eigenvalues.  ([Meng, Pg. 3-4, Section 2.2 – PCA-based user behavior feature extraction method] based on the feature value [eigenvalue] the eigenvector which represents the biggest correlation between data dimensions is determined)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Wang, Meng, Convertino and Chen for the same reasons as disclosed above.  
Wang in view of Meng and Chen does not clearly teach determining a central vector of a first data class to which the second data vector belongs; determining the difference vector, comprises: determining whether a distance between the second data vector and the central vector of the first data class is within a preset distance range; and if the distance between the second data eigenvector and the central vector of the first data class is not within the preset distance range, determining the second data vector as a difference vector. 
However, Convertino teaches determining a central vector of a first data class to which the second data vector belongs; ([Convertino, para. 0101] For each period of time parameterization, a time period vector is generated, as the centroid of metric vectors [a central vector] which specified the particular time period as an attribute of the matrix, for example, a time period vector would be generated for metrics that had time period of interest for the previous 24 hours [to which the second data vector belongs], week, month range, quarter, year, and so forth [a central vector of a first data class].  Obtaining, and using eigenvectors from user behavior was taught by Meng above, and an eigenvector is one type of vector)
determining the difference vector, comprises: determining whether a distance between the second data vector and the central vector of the first data class is within a preset distance range; and ([Convertino, para. 0102] the similarity [a distance – see para. 0073] between each of the M vectors in a target set [second data vector] and each of the time period vectors [a central vector of a first data class] is computed.  This identifies the subset Mp of the vectors [difference vector] deemed associated with the metric time period [a preset distance range, as association/similarity is a distance calculation – see para. 0073, and the metric time period is generated at the time of creation of the metric – see para. 0101].  Obtaining, and using eigenvectors from user behavior was taught by Meng above, and an eigenvector is one type of vector)
and if the distance between the second data eigenvector and the central vector of the first data class is not within the preset distance range, determining the second data vector as a difference vector. ([Convertino, para. 0074; para. 0102] the metric vectors with similarity [the distance – see above] score below a threshold [a preset distance range] are provided as in the subset of metric vectors deemed associated with the metric time period [a difference vector])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Wang in view of Meng and Chen with the teachings of Convertino to include determining a central vector of a first data class to which the second data vector belongs; determining the difference vector, comprises: determining whether a distance between the second data vector and the central vector of the first data class is within a preset distance range; and if the distance between the second data eigenvector and the central vector of the first data class is not within the preset distance range, determining the second data vector as a difference vector.  One of ordinary skill in the art would have been motivated to make this modification because it allows the system to aggregate the behavior usage according to a time period in order to make use of the similarity of metrics, for example, gain insights into end user behavior associated with the time period parameters.   (Convertino, para. 0006, para. 0009)

As per claim 9, Wang teaches an electronic device comprising a processor and a non-transitory machine readable storage medium which stores machine executable instructions that can be executed by the processor.  ([Wang, claim 19] a computer-readable medium [stored on computer servers having hardware memory – see para. 0002] having executable instructions coupled to computer [processor] to perform the instructions is disclosed)
The machine executable instructions, which cause the processor to execute the method of claim 1, have language that is identical or substantially similar to the attack detection device of claim 1, and thus the claim is rejected with the same rationale applied against claim 1.  

As per claim 10, the claim language is identical or substantially similar to that of claim 2. Therefore, it is rejected under the same rationale applied to claim 2.

As per claim 12, the claim language is identical or substantially similar to that of claim 5. Therefore, it is rejected under the same rationale applied to claim 5.

As per claim 15, Wang in view of Meng, Convertino and Chen teaches claim 1.
Wang in view of Meng does not clearly teach a non-transitory machine readable storage medium, which stores machine executable instructions that, when called and executed by a processor, cause the processor to perform a method.  
However, Convertino teaches a non-transitory machine readable storage medium, which stores machine executable instructions that, when called and executed by a processor, cause the processor to perform a method.  ([Convertino, claim 21] a non-transitory computer readable storage medium storing program code that implements a computer executed method [machine executable instructions]; [para. 0035] the computer system includes processors that are used to run the code)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Wang in view of Meng and Chen with the teachings of Convertino to include a non-transitory machine readable storage medium, which stores machine executable instructions that, when called and executed by a processor, cause the processor to perform a method.  One of ordinary skill in the art would have been motivated to make this modification because memory and processors allow an application layer of software to interact with the method in a computer system.  (Convertino, para. 0033)

Claims 3, 6, 11, and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Wang in view of Meng, Convertino, and Chen and further in view of Jang et al. (US 2015/0127243) (hereinafter “Jang”) included in the IDS dated 04/19/2022.

As per claim 3, Wang in view of Meng, Convertino and Chen teaches claim 2.  
Wang in view of Meng, Convertino and Chen does not clearly teach wherein, obtaining the multiple user classes by clustering the user eigenvectors of the multiple users through the preset clustering algorithm, comprises: obtaining K initial user classes by clustering wherein K is a positive integer; acquiring a first initial user class and a second initial user class in the K initial user classes; obtain a combined initial user class by combining the first initial user class and the second initial user class; obtaining multiple user classes by taking the combined initial user class and other initial user classes that are not combined in the K initial user classes respectively as clustered user classes; wherein, the first initial user class is an initial user class, in the K initial user classes, in which the number of user eigenvectors is less than a preset number threshold; the second initial user class is an initial user class in the K initial user classes, wherein the distance between a central vector of the second initial user class and a central vector of the first initial user class is minimum.
However, Jang teaches wherein obtaining the multiple user classes by clustering the user vectors of the multiple users through the preset clustering algorithm, comprises: obtaining K initial user classes by clustering the user vectors of the multiple users through a K-means clustering algorithm, wherein K is a positive integer; ([Jang, para. 0018-0019] the server is configured to divide data [user vectors of the multiple users – see para. 0019] into a plurality of clusters using K-means clustering.  K random numbers are selected between 1 and N [a positive integer].  Obtaining, and using eigenvectors from user behavior was taught by Meng above in claim 1 which this claim is dependent on, and an eigenvector is one type of vector)
acquiring a first initial user class and a second initial user class in the K initial user classes; ([Jang, para. 0019-0021] the server selects a set of initial daily vectors, and designates each initial daily vector as the center of a cluster [a first and second initial user class], where there are K initial daily vectors, and K corresponding initial clusters [K initial user classes].  Then the server analyzes the remaining daily vectors to iteratively assign them to a cluster based on their distance to the center vector)
obtain a combined initial user class by combining the first initial user class and the second initial user class; ([Jang, para. 0038] two clusters [the first and second initial user classes – see para. 0019] are merged forming a merged cluster [a combined initial user class] when the centroids are less than a predetermined distance apart)
obtaining multiple user classes by taking the combined initial user class and other initial user classes that are not combined in the K initial user classes respectively as clustered user classes; ([Jang, para. 0037-038] the server may be configured to merge clusters [the combined initial user class].  The clusters may be merged recursively [as clustered user classes] such that clusters [combined initial user class] may be merged with another cluster [initial user class not combined].  [Para. 0036] the initial user classes are K initial user classes)
wherein, the first initial user class is an initial user class, in the K initial user classes, in which the number of user vectors is less than a preset number threshold; ([Jang, para. 0037] the server combines clusters when the number of vectors in a cluster [first initial user class] is less than a minimum value [a preset number threshold].  [Para. 0018-0019] The first initial user class is an initial user class in the K initial user classes as all classes are combined using K-means clustering.  Obtaining, and using eigenvectors from user behavior was taught by Meng above in claim 1 which this claim is dependent on, and an eigenvector is one type of vector)
the second initial user class is an initial user class in the K initial user classes, wherein the distance between a central vector of the second initial user class and a central vector of the first initial user class is minimum.  ([Jang, para. 0037] the server combines the cluster where the number of vectors is less than a minimum with the cluster having the nearest [minimum distance] centroid [the second initial user class].  [Para. 0018-0019] The second initial user class is an initial user class in the K initial user classes as all classes are combined using K-means clustering)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Wang in view of Meng, Convertino and Chen with the teachings of Jang to include wherein obtaining the multiple user classes by clustering the user vectors of the multiple users through the preset clustering algorithm, comprises: obtaining K initial user classes by clustering the user vectors of the multiple users through a K-means clustering algorithm, wherein K is a positive integer; acquiring a first initial user class and a second initial user class in the K initial user classes; obtain a combined initial user class by combining the first initial user class and the second initial user class; obtaining multiple user classes by taking the combined initial user class and other initial user classes that are not combined in the K initial user classes respectively as clustered user classes; wherein, the first initial user class is an initial user class, in the K initial user classes, in which the number of user vectors is less than a preset number threshold; the second initial user class is an initial user class in the K initial user classes, wherein the distance between a central vector of the second initial user class and a central vector of the first initial user class is minimum.  One of ordinary skill in the art would have been motivated to make this modification because 1) K-means clustering allows similar sets of data to be identified; and 2) combining clusters allows for an optimization of the K value for the clustering algorithm so that the value may be used for subsequent requests, and to better identify variance among vectors.  (Jang, para. 0018; para. 0036)

As per claim 6, Wang in view of Meng, Convertino and Chen teaches claim 5.  
Wang also teaches obtaining the multiple data classes by clustering multiple first data vectors and the second data vector through the preset clustering algorithm, comprises: ([Wang, para. 0032] the risk assessment engine collects and constructs the user profile [during a training period – see para. 0045], multiple clusters [aggregation classes – see para. 0006] based on the received events that are event vectors [see – para. 0006; para. 0052], using well known machine learning algorithms such as K-Means; [para. 0056; Fig. 5] the multiple first data vectors and the second data vectors are clustered within event clusters.  Obtaining, and using eigenvectors from user behavior is taught by Meng below, and an eigenvector is one type of vector)
obtaining K initial data classes by clustering the multiple first data vector and the second data vector through a K-means clustering algorithm ([Wang para. 0033] the risk assessment engine uses K-Means to determine if an event belongs in a cluster.  [Para. 0056] the events include long-term memory events [first data vector as this is historic behavior data] and short-term memory [second data vector as this is current behavior data].  Obtaining, and using eigenvectors from user behavior was taught by Meng above in claim 1 which this claim is dependent upon, and an eigenvector is one type of vector.  Wherein K is a positive integer is taught by Jang below.)
acquiring a first initial data class in the K initial data classes, ([Wang, para. 0033] the risk assessment engine uses K-means to obtain a cluster [first initial data class in the K initial data classes] representative of the user behavior data.  Obtaining, and using eigenvectors from user behavior was taught by Meng above, and an eigenvector is one type of vector.  Wherein, the first initial data class contains N data vectors, and N is a positive integer is taught by Jang below)
wherein, the first initial data class is an initial data class to which the second data vector belongs.  ([Wang, para. 0033; para. 0056] the vector representative of short-term memory [second data vector] belongs in a cluster determined using K-Means [first initial data class in the K initial data classes].  Obtaining, and using eigenvectors from user behavior was taught by Meng above in claim 1 which this claim is dependent upon, and an eigenvector is one type of vector.  Wherein, the first initial data class contains N data vectors, and N is a positive integer is taught by Jang below)
Wang in view of Meng, Convertino and Chen does not teach wherein K is a positive integer; wherein, the first initial data class contains N data eigenvectors, and N is a positive integer; if N is less than a preset number threshold, acquiring a second initial data class in the K initial data classes; obtaining a combined initial data class by combining the first initial data class and the second initial data class; obtaining the multiple data classes by taking the combined initial data class and other initial data classes that are not combined in the K initial data classes respectively as clustered data classes; the second initial data class is an initial data class in the K initial data classes, wherein the distance between a central vector of the second initial data class and a central vector of the first initial user class is minimum.
However, Jang teaches wherein K is a positive integer; ([Wang, para. 0033; para. 0056] the vector representative of short-term memory [second data vector] belongs in a cluster determined using K-Means [first initial data class in the K initial data classes].  Obtaining, and using eigenvectors from user behavior was taught by Meng above, and an eigenvector is one type of vector.  Wherein, the first initial data class contains N data vectors, and N is a positive integer is taught by Jang below)
wherein, the first initial data class contains N data vectors, and N is a positive integer; ([Jang, para. 0018-0019] the server divides initial daily vector K as 3, 5, 10, 30, 100 [a positive integer] include clusters [the first initial data class].  Obtaining, and using eigenvectors from user behavior was taught by Meng above in claim 1 which this claim is dependent upon, and an eigenvector is one type of vector)
if N is less than a preset number threshold, acquiring a second initial data class in the K initial data classes; ([Jang, para. 0037] two clusters [the first and second initial user classes – see para. 0019] are merged when the number of vectors in a cluster [first initial user class] is less than a minimum threshold)
obtaining a combined initial data class by combining the first initial data class and the second initial data class; ([Jang, para. 0037] the server may be configured to merge the two clusters, forming a merged cluster [the combined initial user class] when the number of vectors is less than a minimum)
obtaining the multiple data classes by taking the combined initial data class and other initial data classes that are not combined in the K initial data classes respectively as clustered data classes; ([Jang, para. 0037-038] the server may be configured to merge clusters [the combined initial user class].  The clusters may be merged recursively [as clustered user classes] such that clusters [combined initial user class] may be merged with another cluster [initial user class not combined].  [Para. 0036] the initial user classes are K initial user classes)
the second initial data class is an initial data class in the K initial data classes, wherein the distance between a central vector of the second initial data class and a central vector of the first initial user class is minimum.  ([Jang, para. 0038] the server combines clusters when the centroid [central vector] of the initial k-means cluster [second initial data class] is less than a predetermined distance apart [a minimum] between the initial k-means cluster of another k-means cluster [first initial data class].  Examiner takes first and second initial data classes as interchangeable as they are both initial data classes created during generation of clusters during K-means clustering.  [Para. 0018-0019] The second initial user class is an initial user class in the K initial user classes as all classes are combined using K-means clustering.  Obtaining, and using eigenvectors from user behavior was taught by Meng above in claim 1 which this claim is dependent on, and an eigenvector is one type of vector)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Wang, Meng, Convertino, Chen, and Jang for the same reasons as disclosed above.  

As per claim 11, the claim language is identical or substantially similar to that of claim 3. Therefore, it is rejected under the same rationale applied to claim 3.

As per claim 13, the claim language is identical or substantially similar to that of claim 6. Therefore, it is rejected under the same rationale applied to claim 6.

Claims 8, 14, and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Wang, Meng, Convertino and Chen and further in view of Chari et al. (US 2018/0359270) (hereinafter “Chari”)

As per claim 8, Wang in view of Meng, Convertino and Chen teaches claim 2.  
Wang in view of Meng, Convertino and Chen does not clearly teach determining the user characterized by the difference eigenvector as an abnormal user comprises: determining whether a data eigenvalue for the difference eigenvector exceeds a preset baseline eigenvalue based on each of the multiple user behavior dimensions; and if the data eigenvalue for the difference eigenvector exceeds the preset baseline eigenvalue, determining that a user behavior characterized under the user behavior dimension is an abnormal user behavior, and that a user characterized by the difference eigenvector is the abnormal user.
However, Chari teaches determining the user characterized by the difference vector as an abnormal user comprises: determining whether a data value for the difference vector exceeds a preset baseline value based on each of the multiple user behavior dimensions; ([Chari, para. 0036] the anomalous user behavior detector uses distance metrics corresponding to the user group distance vector [difference vector] to identify anomalous behavior.  First, the detector determines whether the distance metric corresponding to the user is greater than [exceeds] a distance threshold [preset baseline value].  [Para. 0034] this determination is based on user activities of a plurality of users [multiple user behavior dimensions].  Obtaining and using eigenvectors from user behavior was taught by Meng above in claim 1, which this claim is dependent upon, and an eigenvector is one type of vector)
and if the data value for the difference vector exceeds the preset baseline value, determining that a user behavior characterized under the user behavior dimension is the abnormal user behavior, and that a user characterized by the difference eigenvector is the abnormal user.  ([Chari, para. 0036] if the distance metric [data value for the difference vector] is greater than the distance threshold, then the anomalous user behavior detector identifies that the user vector [the difference vector] is associated with anomalous user behavior.  Anomalous user behavior represents one or more users that indicate a security threat [an abnormal user].  Obtaining and using eigenvalues and eigenvectors obtained from user behavior is taught by Meng above in claim 1, which this claim is dependent on; an eigenvalue is one type of value, and an eigenvector is one type of vector)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Wang in view of Meng, Convertino and Chen with the teachings of Chari to include determining the user characterized by the difference vector as an abnormal user comprises: determining whether a data value for the difference vector exceeds a preset baseline value based on each of the multiple user behavior dimensions; and if the data value for the difference vector exceeds the preset baseline value, determining that a user behavior characterized under the user behavior dimension is the abnormal user behavior, and that a user characterized by the difference eigenvector is the abnormal user.  One of ordinary skill in the art would have been motivated to make this modification because such a modification allows detection of anomalous user behavior by learning which users have similar behavior and adapting to new user behavior.  (Chari, para. 0046)
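The following sketch is an added illustration of the two checks compared in the claim 8 rejection, not code from the application, from Chari, or from this Office action. It applies the per-dimension comparison of a difference vector against preset baseline values, as recited in claim 8, alongside an aggregate distance metric compared with a distance threshold, as Chari para. 0036 is summarized above. The dimension names, sample vectors, thresholds, the use of absolute deviations and the scaled Euclidean distance are all assumptions made for the example.

```python
import math

# Constructed behavior dimensions, peer vectors and thresholds (all hypothetical).
DIMENSIONS = ["logins_per_day", "mb_downloaded", "distinct_hosts", "offhour_ratio"]
PEERS = {
    "alice": [12.0, 150.0, 4.0, 0.05],
    "bob": [10.0, 170.0, 5.0, 0.10],
    "carol": [11.0, 160.0, 3.0, 0.00],
}
# Preset baseline value per dimension: the largest tolerated deviation.
BASELINE = {"logins_per_day": 5.0, "mb_downloaded": 100.0,
            "distinct_hosts": 6.0, "offhour_ratio": 0.3}
DISTANCE_THRESHOLD = 1.5  # threshold on the aggregate distance metric


def group_profile(vectors):
    """Mean vector of the peer group, used as the reference profile."""
    return [sum(column) / len(vectors) for column in zip(*vectors)]


def difference_vector(user_vec, profile):
    return [u - p for u, p in zip(user_vec, profile)]


def abnormal_dimensions(diff):
    """Dimensions whose deviation magnitude exceeds the preset baseline."""
    return [d for d, x in zip(DIMENSIONS, diff) if abs(x) > BASELINE[d]]


def distance_metric(diff):
    """Euclidean distance with each component scaled by its baseline,
    so that dimensions with different units are comparable (assumption)."""
    return math.sqrt(sum((x / BASELINE[d]) ** 2 for d, x in zip(DIMENSIONS, diff)))


def assess(user_vec, peers=PEERS):
    diff = difference_vector(user_vec, group_profile(list(peers.values())))
    dims = abnormal_dimensions(diff)
    dist = distance_metric(diff)
    return {"abnormal_dimensions": dims, "distance": dist,
            "abnormal_user": bool(dims) or dist > DISTANCE_THRESHOLD}


# Constructed users: one typical, one bulk download, one drifting on every axis.
TYPICAL = [11.0, 165.0, 4.0, 0.05]
BULK = [11.0, 900.0, 4.0, 0.05]
DRIFT = [15.5, 250.0, 9.4, 0.32]

if __name__ == "__main__":
    for name, vec in (("typical", TYPICAL), ("bulk", BULK), ("drift", DRIFT)):
        print(name, assess(vec))
```

The constructed DRIFT user stays under every per-dimension baseline yet exceeds the aggregate distance threshold, which shows that the two checks are not interchangeable in practice.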

As per claim 14, the claim language is identical or substantially similar to that of claim 8. Therefore, it is rejected under the same rationale applied to claim 8.

As per claim 16, the claim language is identical or substantially similar to that of claim 8. Therefore, it is rejected under the same rationale applied to claim 8.

As per claim 17, the claim language is identical or substantially similar to that of claim 8. Therefore, it is rejected under the same rationale applied to claim 8.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Wang et al. (Patent No. 10,505,959) discloses creating a reference profile to detect an abnormal change in behavior, where Principal Component Analysis is used to generate Eigenvalues from eflow which includes file uploads, web pages, and emails and log information containing IP address information.
Liu et al. (US Pub 2016/0021141) discloses aggregating sets of IP addresses from monitored network traffic over a sampling period and generating eigenvalues based on such signals.  
Chen et al. (US Pub. 2018/0375781) discloses computing eigenvalues from data that includes obtaining a stream aspect data feature, an application aspect data stream feature and a terminal aspect data feature.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHE LIU whose telephone number is (571) 272-3634.  The examiner can normally be reached on Monday - Friday: 8:30 AM to 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin, can be reached on (571) 272-3862.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.

/Z.L./Examiner, Art Unit 2493
/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493