DETAILED ACTION

This communication is in response to Application No. 17/333,534 filed on 5/28/2021. The amendment presented on 10/20/2022, which amends claims 1, 4, 8, 11, 15, and 18, is hereby acknowledged. Claims 1-20 have been examined.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 8/25/2022 is being considered by the examiner.

Response to Arguments
Applicant’s arguments with respect to claims 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
	
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5, 8-10, 12, 15-17, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Karpovsky et al. (hereinafter Karpovsky)(US 2020/0296117) in view of Gallardo (US 2021/0209243).
Regarding claims 1, 8, and 15, Karpovsky teaches as follows:
a compute device comprising: processing circuitry; a memory coupled to the processing circuitry (machine 900 (in the form of a computer), can include a processing unit 902, memory 903, removable storage 910, and non-removable storage 912, see, paragraph [0091] and figure 9), the memory including instructions that, when executed by the processing circuitry, cause the processing circuitry to perform operations for cloud resource security management (the system, machine-readable medium, or method can include or use processing circuitry or other circuitry to perform operations for cloud resource security, see, paragraph [0003]), the operations comprising: 
obtaining a cloud resource management log (interpreted as resource actions) that details actions performed, by a group of users of cloud resources (a behavior profile 556 can be generated for each user, group of users (e.g., an organization or customer), device (e.g., IP address), group of devices, or a combination thereof, see, paragraph [0065]), in a cloud portal, the actions each including entries comprising a user identification (ID) of a user of the group of users, an operation of operations performed on a cloud resource of the cloud resources and (i) a uniform resource identifier (URI) of a cloud resource of the cloud resources that is a target of the operation, or (ii) a time the operation was performed (the resource action data can include one or more of a time 704 at which the behavior was performed (equivalent to applicant’s time), a resource name 706 (identification uniquely identifying the resource)(equivalent to applicant’s URI), a principal name 708 (e.g., a username or other identification uniquely identifying the entity causing the behavior to be performed), a client IP address 710 (equivalent to applicant’s user ID) through which the behavior is being performed, an event type 712 (e.g., data read request, execution request, data write request, email retrieval or send, file read or write request, or the like)(equivalent to applicant’s operation), or an action status 714 (e.g., whether the behavior was blocked, allowed, being analyzed further, or the like), see, paragraph [0069] and figure 7);
determining a respective score (interpreted as probability score S) for each action in the cloud resource management log (the alerts aggregation unit 728 can, for each resource, user, customer, client, or a combination thereof, determine a normalized probability score, S. The normalized probability score can be based on a series of profiles built based on the historical, normal, non-adverse behavior of the entity (e.g., resource, device, or other), see, paragraph [0072] and figure 7); 
comparing the respective score to a specified criterion (the profile analyzer 716 can compare the data from the events stream 702 to the profile 718, 720, 722 to which the data corresponds and generate an alert 732 if the comparison indicates an anomalous or harmful behavior, see, paragraph [0071] and figure 7); and 
providing an indication of anomalous action in response to determining the respective score satisfies the specified criterion (probability score S thus aggregates alerts in a hierarchy into a single alert provided to an alerts service 730. This greatly reduces the number of alerts generated. In some examples, an alert generated at a low granularity profile 722 can evolve into an alert generated at a middle granularity profile 720 and so on, see, paragraph [0081] and figure 7).
Karpovsky does not teach the resource actions as claimed.
Gallardo teaches as follows:
the system 102 may calculate and recalculate the risk score based on detected behaviors of the client device 106. Various types of behaviors may lead to an increased risk score. For example, if the system 102 receives requests from the client device 106 to access large numbers of files, repeated attempts to access files restricted by the security policy, attempts to defeat security measures (equivalent to applicant’s altering security policy) and/or changing network conditions such as moving to a less secure network (equivalent to applicant’s moving one or more cloud resources or connecting to other resource), such behaviors may lead to an increased risk score (see, paragraph [0039] and figure 1A).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Karpovsky with Gallardo to include monitoring various types of user behaviors as taught by Gallardo in order to efficiently identify malicious behaviors on cloud resources.
Regarding claims 2, 9, and 16, Karpovsky teaches as follows:
using collaborative filtering (the operation 440 can include filtering resource actions 654 of the resource 608, see, paragraph [0058]).
Regarding claims 3, 10, and 17, Karpovsky teaches as follows:
the resource action data can include one or more of a time 704 (equivalent to applicant’s time) at which the behavior was performed, a resource name 706 (equivalent to applicant’s resource), a principal name 708, a client IP address 710 (equivalent to applicant’s user ID) through which the behavior is being performed, an event type 712 (equivalent to applicant’s operation), or an action status 714 (see, paragraph [0069] and figure 7).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Karpovsky in view of Gallardo to include combining resource action data in order to determine a score depending on different combinations of resource action data.
Regarding claims 5, 12, and 19, Karpovsky in view of Gallardo teaches similar limitations as presented above in the rejections regarding claims 1-3.
Therefore, they are rejected for similar reasons as presented above.

Claims 4, 11, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Karpovsky et al. (hereinafter Karpovsky)(US 2020/0296117) in view of Gallardo (US 2021/0209243), and further in view of Bhatkar et al. (hereinafter Bhatkar)(US 2018/0375883). 
Regarding claims 4, 11, and 18, Karpovsky in view of Gallardo does not teach generating a bipartite graph.
Bhatkar teaches as follows:
generating a bipartite graph including respective users of the users and respective cloud resources of the cloud resources as nodes and respective edges representing whether the respective user accessed the respective cloud resource (FIG. 2 is a flowchart 200 of example collaboration graphs 210-218 that may be employed in automatically detecting insider threats. As disclosed in FIG. 2, the collaboration graphs 210-218 may represent collaborative access of one or more network resources in a network between a target user using a target network device and other users using other network devices. The collaboration graphs 210-218 may include nodes A-K and N representing users and edges representing collaborative access of the one or more network resources during time periods t0-t3, see, para. [0023] and figure 2).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Karpovsky in view of Gallardo with Bhatkar to include generating a bipartite graph as taught by Bhatkar in order to effectively present collaboration graphs between users and resources accessed by the users.

Claims 6, 7, 13, 14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Karpovsky et al. (hereinafter Karpovsky)(US 2020/0296117) in view of Gallardo (US 2021/0209243), and further in view of Sadovsky et al. (hereinafter Sadovsky)(US 2015/0180894).
Regarding claims 6, 13, and 20, Karpovsky in view of Gallardo does not teach the claimed operation of changing permissions.
Sadovsky teaches as follows:
anomaly detector 26 may use each of the logged security events that occur within the online service (e.g., any event that changes permissions, such as creating accounts, changing permissions of one or more accounts, . . . ) in order to detect anomalous activity (see, para. [0018] and figure 1).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Karpovsky in view of Gallardo with Sadovsky to include an anomaly detector detecting permission-changing events as taught by Sadovsky in order to efficiently detect the well-known anomalous activity.
Regarding claims 7 and 14, Karpovsky teaches providing the indication of anomalous action as presented above (see, paragraph [0081] and figure 7).
Karpovsky in view of Gallardo does not teach providing a text message indicating anomalous action.
Sadovsky teaches as follows:
anomaly detector 26 determines that anomalous activity may be occurring in online service 110 and generates anomaly report 130 that is shown displayed on display 125. In the current example, anomaly report 130 shows a message that includes information showing the anomalous activity (e.g., "Account 1 created 10 new accounts") and also shows the normal activity (e.g., "Creating 2 accounts is normal activity"). The report may be provided to one or more users to show activity that may be considered anomalous activity (see, para. [0016]-[0017] and figure 1); and
a smart phone 1030 is one of the user devices receiving the anomaly report (see, para. [0063] and figure 8).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Karpovsky in view of Gallardo with Sadovsky to include sending an anomaly report as a text message in order to efficiently send an alert to users with smart phone devices.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeong S Park whose telephone number is (571)270-1597. The examiner can normally be reached Monday through Friday 8:00-4:30 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Glenton B Burgess can be reached on 571-272-3949. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JEONG S PARK/ Primary Examiner, Art Unit 2454
November 23, 2022