DETAILED ACTION
This communication is in response to Applicant’s amendment filed on August 29, 2022. Claims 3 and 13 have been amended. Claims 1-20 are pending and are directed towards a system and method for CLOUD SECURITY SYSTEM IMPLEMENTING SERVICE ACTION CATEGORIZATION.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 09/13/2022 was acknowledged. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Terminal Disclaimer
The terminal disclaimer filed on 08/29/2022 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of Patent No. 10,999,325 has been reviewed and is accepted. The terminal disclaimer has been recorded.

Claim Objections
Claim 9 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. Claims 10 and 11 are objected to by dependency.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-8 and 12-20 are rejected under 35 U.S.C. 103 as being unpatentable over Kirti et al. U.S. Patent Pub No. 2015/0319185 A1 (hereinafter “Kirti”) in view of Sarukkai et al. U.S. Patent No. 9,722,895 B1 (hereinafter “Sarukkai”).

As per claims 1, 12 and 19, Kirti teaches a method of implementing cloud security in an enterprise (a cloud security provider maintains a cloud security monitoring and control system that enables tenants to view information about security controls in the various clouds that they use, review analytics reports, and configure security controls. Kirti, para [0035]) the method comprising: 
performing, using the processor, categorization of the uncategorized service action using at least one contextual categorization prediction method to map the uncategorized service action to a service action category in the first set of service action categories (various types of algorithms can be particularly useful for analyzing the data. Decision tree, time series, naive Bayes analysis, and techniques used to build user behavior profiles are examples of machine learning techniques that can be utilized to generate predictions based on patterns of suspicious activity and/or external data feeds […]The activity data can include contextual information such as IP address and geographic location. Kirti, para [0068]); 
evaluating cloud security risk of cloud activities based on the first set of service action categories (analytics can be used to detect security controls drift, which can refer to the changing of one or more security controls in a seemingly arbitrary manner that can increase security risks. A risk event can be generated in response to the change of one or more security controls in one or more cloud applications and actionable intelligence associated with the risk event. Kirti, para [0074]); and 
detecting cloud security threats using the first set of service action categories (analytics can be used to detect security controls drift, which can refer to the changing of one or more security controls in a seemingly arbitrary manner that can increase security risks. A risk event can be generated in response to the change of one or more security controls in one or more cloud applications and actionable intelligence associated with the risk event. Kirti, para [0074]).
Kirti does not explicitly teach accessing, using a hardware processor, a mapping data for service actions to a first set of service action categories, wherein each of the first set of service action categories describes a permitted and intended function that is performed by each of a plurality of service actions in the service action category; identifying, using the processor, an uncategorized service action associated with a first cloud service provider in the cloud activity data associated with the enterprise.
However, Sarukkai teaches the steps of accessing, using a hardware processor, a mapping data for service actions to a first set of service action categories (The event data correlation engine 32 is further configured to receive input data from a vendor discovery database 246. Sarukkai, Col. 14 lines 44-49), wherein each of the first set of service action categories describes a permitted and intended function that is performed by each of a plurality of service actions in the service action category (In some embodiments, a facet map is provided to enable cross-reference of network events based on various attributes, including cloud service type, user device type, anomaly detected, action type, and risk assessment of cloud infrastructure. Sarukkai, Col. 7 lines 56-60) (the log processor 16 of the usage assessment system generates an anonymity file 35 containing a mapping of masked identifying information [mapping data] to random identifiers. More specifically, the tokenization process at the log processor 16 generates an anonymity file that contains a mapping of identifying information in the processed event network logs to be masked and the corresponding random identifier. Sarukkai, Col. 8 lines 28-36) (A client-side software component accesses the anonymity file and replaces the anonymized data on the webpage with the actual, unmasked information. For example, the enterprise's users' identifying information, such as the users' names and physical locations, may be unmasked. The rendering of the user specific data is only on the browser side and the user specific data does not leave the enterprise's data network. In the example shown in FIG. 6, the anonymity file 35 may be uploaded by selecting the function "Un-tokenize users" [service action] in the "Uploaded Users" pane [first set of service action categories]. Sarukkai, Col. 8 lines 48-57).
 identifying, using the processor, an uncategorized service action associated with a first cloud service provider in the cloud activity data associated with the enterprise (in some cases, cloud service providers, such as IaaS (Infrastructure as a Service) providers, may use dynamic IP addresses[…]The use of dynamic IP addresses impairs the log processor's ability to correlate and filter the network event data as it is not possible to determine the true destination of the network traffic based on IP addresses in the network event logs. Sarukkai, Col. 9 lines 11-2); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Kirti in view of Sarukkai. One would be motivated to do so, to identify new network data and activities. (Sarukkai, Col. 14 lines 50-53)

As per claims 2 and 20, Kirti and Sarukkai teach the method of claims 1 and 19 above. Kirti teaches the method further comprising: applying security enforcement policy to cloud activities of the enterprise based on the first set of service action categories. (The cloud seeder application 204 can be utilized to implement security policies by setting security controls within a tenant's accounts in various cloud applications. Kirti, para [0046]).

As per claims 3 and 13, Kirti and Sarukkai teach the method of claims 1 and 12 above. Kirti teaches wherein performing, using the processor, categorization of the uncategorized service action using at least one contextual categorization prediction method to map the uncategorized service action to a service action category in the first set of service action categories comprises: performing categorization of the uncategorized service action by identifying a role of the a user associated with the uncategorized service action (Software defined security configuration data can include data describing: roles that are defined for users, groups and grouping of users, encryption keys, tokens, access controls, permissions, configurations, type of authentication policy, mobile access policy, and many other types of security controls. Kirti, para [0048]).

As per claims 4 and 14, Kirti and Sarukkai teach the method of claims 3 and 13 above. Kirti teaches wherein performing categorization of the uncategorized service action by identifying a role of the user associated with the uncategorized service action comprises: performing categorization of the uncategorized service action by identifying a role of the user within the enterprise and evaluating the cloud activity of the user around the time of the uncategorized service action. (Software defined security configuration data can include data describing: roles that are defined for users, groups and grouping of users, encryption keys, tokens, access controls, permissions, configurations, type of authentication policy, mobile access policy, and many other types of security controls. Kirti, para [0048]) (various types of algorithms can be particularly useful for analyzing the data. Decision tree, time series, naive Bayes analysis, and techniques used to build user behavior profiles are examples of machine learning techniques that can be utilized to generate predictions based on patterns of suspicious activity and/or external data feeds. Kirti, para [0068]).
	
As per claims 5 and 15, Kirti and Sarukkai teach the method of claims 3 and 13 above. Kirti teaches wherein performing categorization of the uncategorized service action by identifying a role of the user associated with the uncategorized service action comprises: performing categorization of the uncategorized service action by identifying a job title or a job function of the user within the enterprise (Data stored in an application catalog database and/or analytics and threat intelligence repository database 211 can be used to generate a variety of reports. Categories of reports can include: authentication and authorization, network and device, systems and change data, resource access and availability, malware activity, and failures and critical errors. Reports can be based on various attributes such as, but not limited to, per application, per user, per secured resource, and per device used for access. Reports may highlight recent changes such as updated features in a cloud application or newly modified policies. Reports may be pre-generated by scheduled jobs (e.g., for performance reasons) or may be requested by a user or administrator. Kirti, para [0063]).

As per claims 6 and 16, Kirti and Sarukkai teach the method of claims 1 and 12 above. Kirti teaches wherein performing, using the processor, categorization of the uncategorized service action using at least one contextual categorization prediction method to map the uncategorized service action to a service action category in the first set of service action categories comprises: performing categorization of the uncategorized service action by identifying an intent and sequence of a connection session containing the uncategorized service action (login statistics (e.g., users with the most failed logins, IP address based login history including consideration of IP reputation, geolocation, and other factors),[…] Trends may be identified, such as login activity within a certain time period. Kirti, para [0066]).

As per claims 7 and 17, Kirti and Sarukkai teach the method of claims 6 and 16 above, wherein performing categorization of the uncategorized service action by identifying an intent and sequence of a connection session containing the uncategorized service action comprises: 
evaluating the sequence of service actions within the connection session including the uncategorized service action (a threat can be identified based on an account accessing one or more files or failing a series of login attempts from an IP address that is flagged (by a third party feed or otherwise) as malicious. In a similar way, a threat can also be based on different patterns of activity in one cloud or across multiple clouds over a series of time[…]activity data from different clouds may be in different formats or with different possible values or ranges of values); 
identifying service actions with previously mapped service action categories (algorithms can aggregate and compare data from different clouds in meaningful ways. Kirti, para [0068]) (data collected over time is used to build models of normal behavior (e.g., patterns of events and activity) and flag behavior that deviates from normal as abnormal behavior. Kirti, para [0068]); and
generating a predicted service action category for the uncategorized service action based on the previously mapped service action categories for the service actions within the connection session (Clustering and regression algorithms can be used to categorize data and find common patterns. For example, a clustering algorithm can put data into clusters by aggregating all entries of users logging in from a mobile device. Predictive analytics can also include identifying threats based on activity. Kirti, para [0068]).

As per claims 8 and 18, Kirti and Sarukkai teach the method of claims 6 and 16 above, wherein performing categorization of the uncategorized service action by identifying an intent and sequence of a connection session containing the uncategorized service action comprises: 
evaluating the sequence of service actions within the connection session including the uncategorized service action (a threat can be identified based on an account accessing one or more files or failing a series of login attempts from an IP address that is flagged (by a third party feed or otherwise) as malicious. In a similar way, a threat can also be based on different patterns of activity in one cloud or across multiple clouds over a series of time[…]activity data from different clouds may be in different formats or with different possible values or ranges of values); 
identifying a signature of service actions in the sequence of service actions (the connection must be authenticated by a token (signature) or using login credentials as in the connection made with a cloud crawler application. Kirti, para [0057]) (Activity data can include information about system status or activity of a cloud application system such as, but not limited to, server activity, server reboots, security keys used by a server, and system credentials, where this information is visible or accessible to a system using authorized credentials. Kirti, para [0058]); and
generating a predicted service action category for the uncategorized service action based on the signature of service actions (security controls metadata is categorized (308) (mapped into categories) and indexed. The categorization may comply with a standard specified by a security organization and/or may be certified and/or audited by a third party. Kirti, para [0051]).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHALID M ALMAGHAYREH whose telephone number is (571)272-0179. The examiner can normally be reached Monday - Thursday 8AM-5PM EST & Friday variable.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SALEH NAJJAR, can be reached on (571)272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



Respectfully Submitted

/KHALID M ALMAGHAYREH/Examiner, Art Unit 2492