DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

The amendment filed 07/28/2022 has been placed of record in the file.
Claims 1, 5, 7, 9, 13, 15- 16 and 20 have been amended. Claims 1-20 are pending.

                    Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR
1.17(e), was filed in this application after final rejection. Since this application is eligible for continued
examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the
finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's
submission filed on 07/28/2022 has been entered.

                                      Response to Arguments
In view of the remarks, submitted on July 28, 2022, applicant’s arguments have been carefully
and respectfully considered but are not persuasive.
On Pages 6-7 of remarks by applicant, the applicant argues that the cited references do not
appear to teach the claim element “utilizing a grouping model to identify a job function of a user of a tenant, wherein the job function is identified based on a persona for the job function;", as amended in claims 1, 9, and 16.
Applicant’s arguments, with respect to the rejection(s) of claim(s) 1, 9 and 16 have been fully
considered and are persuasive. However, upon further consideration, a new ground(s) of rejection is made in view of Dotan - Cohen et al. (US 2019/0340554 A1).
                                                    Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1- 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kirti et al. (US10,701,094 B2), hereinafter Kirti in view of Dotan - Cohen et al. (US 2019/0340554 A1), hereinafter Dotan – Cohen.

In regards to claim 1, Kirti discloses a non-transitory computer-readable storage medium having computer-readable code stored thereon for programming one or more processors to perform steps of (Kirti, Para. 0026, may be implemented in software (e.g., code, instructions, program) executed by one or more processing units (e.g., processors cores)): 
utilizing one or more behavior models to identify normal behavior and abnormal behavior of the user based on the job function (Kirti, Para. 0051, analysis performed by the security monitoring and control system 102 can include determining models of normal and/or abnormal behavior in user activity, and using the models to detect patterns of suspicious activity); 
utilizing an orchestration model with a plurality of rules to score one or more of current (Kirti, Para. 0125, internal data sources can include data models determined by a behavioral analytics engine 304 and can optionally include threat intelligence data 314 maintained by the security management and control system and Para. 0193, the unsupervised learning engine 438 can aggregate events dally, weekly, or for a different time period, and in this way gather a body of historical event data for a cloud service) and historical behavior of the user in order to identify risk (Kirti, Para. 0118, the analytics engine 300 can analyze various data sources to identify network threats for an organization whose users are using cloud services), based on inputs received from the one or more behavior models and the user's job function (Kirti, Para. 0185, the statistical analysis engine 432 can output behavioral models 442, which can describe the manner in which the users of an organization use a cloud service or multiple cloud services. For example, the statistical analysis engine 432 can output a mode that describes the use of a cloud service by a particular user, the use of a cloud service by a group of users, and/or the use of a cloud service by all the users in an organization); and 
utilizing an active learning model to improve the orchestration model (Kirti, Para. 0164, Regression analysis may include building and updating a linear regression model. A linear regression model may provide output such as S=c1(I1) + c2(I2) + . . . + cn (In). The coefficients ci computed by the regression model could be new or modified weights that would replace the initial weights for computing the risk score).  
Kirti fails to disclose utilizing a grouping model to identify a job function of a user of a tenant, wherein the job function is identified based on a persona for the job function; 
However, Dotan – Cohen teaches utilizing a grouping model to identify a job function of a user of a tenant (Dotan – Cohen, Para. 0066, event logic 295 may comprise pattern recognition classifier(s), fuzzy logic, neural network, finite state machine, support vector machine, logistic regression, clustering, or machine-learning techniques, similar statistical classification processes, or combinations of these to identify events from user data, which user data corresponds to persona), wherein the job function is identified based on a persona for the job function (Dotan – Cohen, Para. 0066, event logic 295 may specify types of project features or user activity, such as specific user device interaction(s), that are associated with an event, accessing a schedule or calendar, accessing materials associated with a project entity (e.g., an agenda or presentation materials in a meeting), composing or responding to a project request communication, acknowledging a notification, navigating to a website, or launching an app);
 Kirti and Dotan – Cohen are both considered to be analogous to the claim invention because they are in the same field of using behavior models to identify normal behavior and abnormal behavior of the user based on an identified function. Therefore, it would have been obvious to someone ordinary skill in the art before the effective filling date of the claimed invention to have modified Kirti to incorporate the teachings of Dotan – Cohen to include utilizing a grouping model to identify a job function of a user of a tenant (Dotan – Cohen, Para. 0066), wherein the job function is identified based on a persona for the job function (Dotan – Cohen, Para. 0066). Doing so would aid the computer project management technologies for structuring and capturing various user behavior with respect to projects to improve the ability of a computing system to implement project-related applications and services (Dotan – Cohen, Para. 0003).

In regards to claim 2, the combination of Kirti and Dotan – Cohen teaches the non-transitory computer-readable storage medium of claim 1, wherein the steps further include utilizing the score received from the orchestration model to cause a security technique (Kirti, Para. 0164, the coefficients cj computed by the regression model could be new or modified weights that would replace the initial weights for computing the risk score. The model can provide greater accuracy as more feedback and more data is collected).  

In regards to claim 3, the combination of Kirti and Dotan – Cohen teaches the non-transitory computer-readable storage medium of claim 1, wherein the steps further include providing feedback based on the score to the one or more behavior models (Kirti, Para. 0163, as another example, administrators of the security management and control system can provide feedback. Alternatively, or additionally, in some examples, feedback can be obtained using automated machine learning algorithms, such as decision trees and neural networks).  

In regards to claim 4, the combination of Kirti and Dotan – Cohen teaches the non-transitory computer-readable storage medium of claim 1, wherein the steps further include providing multi-tenant insights as feedback (Kirti, Para. 0169, after one or more flagged events or activities is characterized as a true or false positive (e.g., by user feedback), the information can be provided back to one or more machine learning algorithms to automatically modify parameters of the system).  

In regards to claim 5, the combination of Kirti and Dotan – Cohen teaches the non-transitory computer-readable storage medium of claim 1, wherein the grouping model utilizes a clustering technique to identify the job function from a plurality of job functions (Kirti, Para. 0206 and Para. 0207, the neural network can be configured to minimize a cost function, where the cost function models change to cloud service. In these and other examples, the model can be used to identify a set of users). 

In regards to claim 6, the combination of Kirti and Dotan – Cohen teaches the non-transitory computer-readable storage medium of claim 1, wherein the orchestration model includes a plurality of input features from the one or more behavior models and leverage correlation among different behavior models to reduce false positives (Kirti, Para. 0169, thus, machine learning algorithms can be utilized in at least the ways discussed above to make recommendations and reduce false alarms (false positives)).  

In regards to claim 7, the combination of Kirti and Dotan – Cohen teaches the non-transitory computer-readable storage medium of claim 1, wherein the one or more behavior models define the normal behavior and the abnormal behavior for the job function in terms of one or more of Uniform Resource Locator (URL) access, bandwidth, device and app usage (Kirti, Para. 0096, Para. 0051, analysis performed by the security monitoring and control system 102 can include determining models of normal and/or abnormal behavior in user activity, and using the models to detect patterns of suspicious activity. In some examples, the security monitoring and control system 102 can simultaneously analyze data from different services and/or from different services providers).  

In regards to claim 8, the combination of Kirti and Dotan – Cohen teaches the non-transitory computer-readable storage medium of claim 1, wherein the abnormal behavior includes the user being suspected of leaving the tenant (Kirti, Para. 0138, a security policy can also describe an action that is to be taken when an event is detected, such as blocking access to a service, or disabling a user account).  

In regards to claim 9, Kirti discloses a system comprising:
 a network interface (Kirti, Para. 077);
 a processor communicatively coupled to the network interface (Kirti, Para. 0255); and 
memory storing computer-executable instructions that, when executed, cause the processor to
utilize one or more behavior models to identify normal behavior and abnormal behavior of the user based on the job function (Kirti, Para. 0051, analysis performed by the security monitoring and control system 102 can include determining models of normal and/or abnormal behavior in user activity, and using the models to detect patterns of suspicious activity); 
utilizing an orchestration model with a plurality of rules to score one or more of current (Kirti, Para. 0125, internal data sources can include data models determined by a behavioral analytics engine 304 and can optionally include threat intelligence data 314 maintained by the security management and control system and Para. 0193, the unsupervised learning engine 438 can aggregate events dally, weekly, or for a different time period, and in this way gather a body of historical event data for a cloud service) and historical behavior of the user in order to identify risk (Kirti, Para. 0118, the analytics engine 300 can analyze various data sources to identify network threats for an organization whose users are using cloud services), based on inputs received from the one or more behavior models and the user's job function (Kirti, Para. 0185, the statistical analysis engine 432 can output behavioral models 442, which can describe the manner in which the users of an organization use a cloud service or multiple cloud services. For example, the statistical analysis engine 432 can output a mode that describes the use of a cloud service by a particular user, the use of a cloud service by a group of users, and/or the use of a cloud service by all the users in an organization); and 
utilize an active learning model to improve the orchestration model (Kirti, Para. 0164, Regression analysis may include building and updating a linear regression model. A linear regression model may provide output such as S=c1(I1) + c2(I2) + . . . + cn (In). The coefficients ci computed by the regression model could be new or modified weights that would replace the initial weights for computing the risk score).  
Kirti fails to disclose utilize a grouping model to identify a job function of a user of a tenant, wherein the job function is identified based on a persona for the job function; 
However, Dotan – Cohen teaches utilize a grouping model to identify a job function of a user of a tenant (Dotan – Cohen, Para. 0066, event logic 295 may comprise pattern recognition classifier(s), fuzzy logic, neural network, finite state machine, support vector machine, logistic regression, clustering, or machine-learning techniques, similar statistical classification processes, or combinations of these to identify events from user data), wherein the job function is identified based on a persona for the job function (Dotan – Cohen, Para. 0066, event logic 295 may specify types of project features or user activity, such as specific user device interaction(s), that are associated with an event, accessing a schedule or calendar, accessing materials associated with a project entity (e.g., an agenda or presentation materials in a meeting), composing or responding to a project request communication, acknowledging a notification, navigating to a website, or launching an app);
 Kirti and Dotan – Cohen are both considered to be analogous to the claim invention because they are in the same field of using behavior models to identify normal behavior and abnormal behavior of the user based on an identified function. Therefore, it would have been obvious to someone ordinary skill in the art before the effective filling date of the claimed invention to have modified Kirti to incorporate the teachings of Dotan – Cohen to include utilize a grouping model to identify a job function of a user of a tenant (Dotan – Cohen, Para. 0066), wherein the job function is identified based on a persona for the job function (Dotan – Cohen, Para. 0066). Doing so would aid the computer project management technologies for structuring and capturing various user behavior with respect to projects to improve the ability of a computing system to implement project-related applications and services (Dotan – Cohen, Para. 0003).

In regards to claim 10, the combination of Kirti and Dotan – Cohen teaches the system of claim 9, wherein the instructions that, when executed, further cause the processor utilize the score received from the orchestration model to cause a security technique (Kirti, Para. 0209, risk scores indicate a degree of security risk to the tenant from actions performed by a user in using the cloud service).  

In regards to claim 11, the combination of Kirti and Dotan – Cohen teaches the system of claim 9, wherein the instructions that, when executed, further cause the processor provide feedback based on the score to the one or more behavior models (Kirti, Para. 0164, the coefficients ci; computed by the regression model could be new or modified weights that would replace the initial weights for computing the risk score. The model can provide greater accuracy as more feedback and more data is collected).  

In regards to claim 12, the combination of Kirti and Dotan – Cohen teaches the system of claim 9, wherein the instructions that, when executed, further cause the processor provide multi-tenant insights as feedback (Kirti, Para. 0169, after one or more flagged events or activities is characterized as a true or false positive (e.g., by user feedback), the information can be provided back to one or more machine learning algorithms to automatically modify parameters of the system).

In regards to claim 13, the combination of Kirti and Dotan – Cohen teaches the system of claim 9, wherein the grouping model utilizes a clustering technique to identify the job function from a plurality of job functions (Kirti, Para. 0206 and Para. 0207, the neural network can be configured to minimize a cost function, where the cost function models change to cloud service. In these and other examples, the model can be used to identify a set of users).  

In regards to claim 14, the combination of Kirti and Dotan – Cohen teaches the system of claim 9, wherein the orchestration model includes a plurality of input features from the one or more behavior models and leverage the correlation among different behavior models to reduce false positives (Kirti, Para. 0169, thus, machine learning algorithms can be utilized in at least the ways discussed above to make recommendations and reduce false alarms (false positives)).  

In regards to claim 15, the combination of Kirti and Dotan – Cohen teaches the system of claim 9, wherein the one or more behavior models define the normal behavior and the abnormal behavior for the job function in terms of one or more of Uniform Resource Locator (URL) access, bandwidth, device and app usage (Kirti, Para. 0096, Para. 0051, analysis performed by the security monitoring and control system 102 can include determining models of normal and/or abnormal behavior in user activity, and using the models to detect patterns of suspicious activity. In some examples, the security monitoring and control system 102 can simultaneously analyze data from different services and/or from different services providers).

In regards to claim 16, Kirti discloses a method comprising:
utilizing one or more behavior models to identify normal behavior and abnormal behavior of the user based on the job function (Kirti, Para. 0051, analysis performed by the security monitoring and control system 102 can include determining models of normal and/or abnormal behavior in user activity, and using the models to detect patterns of suspicious activity); 
utilizing an orchestration model with a plurality of rules to score one or more of current (Kirti, Para. 0125, internal data sources can include data models determined by a behavioral analytics engine 304 and can optionally include threat intelligence data 314 maintained by the security management and control system and Para. 0193, the unsupervised learning engine 438 can aggregate events dally, weekly, or for a different time period, and in this way gather a body of historical event data for a cloud service) and historical behavior of the user in order to identify risk (Kirti, Para. 0118, the analytics engine 300 can analyze various data sources to identify network threats for an organization whose users are using cloud services), based on inputs received from the one or more behavior models and the user's job function (Kirti, Para. 0185, the statistical analysis engine 432 can output behavioral models 442, which can describe the manner in which the users of an organization use a cloud service or multiple cloud services. For example, the statistical analysis engine 432 can output a mode that describes the use of a cloud service by a particular user, the use of a cloud service by a group of users, and/or the use of a cloud service by all the users in an organization); and 
utilizing an active learning model to improve the orchestration model (Kirti, Para. 0164, Regression analysis may include building and updating a linear regression model. A linear regression model may provide output such as S=c1(I1) + c2(I2) + . . . + cn (In). The coefficients ci computed by the regression model could be new or modified weights that would replace the initial weights for computing the risk score).  
Kirti fails to disclose utilizing a grouping model to identify a job function of a user of a tenant, wherein the job function is identified based on a persona for the job function; 
However, Dotan – Cohen teaches utilizing a grouping model to identify a job function of a user of a tenant (Dotan – Cohen, Para. 0066, event logic 295 may comprise pattern recognition classifier(s), fuzzy logic, neural network, finite state machine, support vector machine, logistic regression, clustering, or machine-learning techniques, similar statistical classification processes, or combinations of these to identify events from user data), wherein the job function is identified based on a persona for the job function (Dotan – Cohen, Para. 0066, event logic 295 may specify types of project features or user activity, such as specific user device interaction(s), that are associated with an event, accessing a schedule or calendar, accessing materials associated with a project entity (e.g., an agenda or presentation materials in a meeting), composing or responding to a project request communication, acknowledging a notification, navigating to a website, or launching an app);
 Kirti and Dotan – Cohen are both considered to be analogous to the claim invention because they are in the same field of using behavior models to identify normal behavior and abnormal behavior of the user based on an identified function. Therefore, it would have been obvious to someone ordinary skill in the art before the effective filling date of the claimed invention to have modified Kirti to incorporate the teachings of Dotan – Cohen to include utilizing a grouping model to identify a job function of a user of a tenant (Dotan – Cohen, Para. 0066), wherein the job function is identified based on a persona for the job function (Dotan – Cohen, Para. 0066. Doing so would aid the computer project management technologies for structuring and capturing various user behavior with respect to projects to improve the ability of a computing system to implement project-related applications and services (Dotan – Cohen, Para. 0003).

In regards to claim 17, the combination of Kirti and Dotan – Cohen teaches the method of claim 16, further comprising utilizing the score received from the orchestration model to cause a security technique (Kirti, Para. 0164, the coefficients c; computed by the regression model could be new or modified weights that would replace the initial weights for computing the risk score. The model can provide greater accuracy as more feedback and more data is collected).  

In regards to claim 18, the combination of Kirti and Dotan – Cohen teaches the method of claim 16, further comprising providing feedback based on the score to the one or more behavior models (Kirti, Para. 0163, as another example, administrators of the security management and control system can provide feedback. Alternatively, or additionally, in some examples, feedback can be obtained using automated machine learning algorithms, such as decision trees and neural networks).  

In regards to claim 19, the combination of Kirti and Dotan – Cohen teaches the method of claim 16, further comprising providing multi-tenant insights as feedback (Kirti, Para. 0169, after one or more flagged events or activities is characterized as a true or false positive (e.g., by user feedback), the information can be provided back to one or more machine learning algorithms to automatically modify parameters of the system).  

In regards to claim 20, the combination of Kirti and Dotan – Cohen teaches the method of claim 16, wherein the grouping model utilizes a clustering technique to identify the function from a plurality of functions (Kirti, Para. 0207, identifying the set of users can include grouping the actions performed during used of the cloud service, and identifying a group of actions that includes an action that is privileged. For example, a K-means clustering technique can be used to plot the actions in the activity data, and the users who performed to actions to identify users who performed similar actions), wherein the orchestration model includes a plurality of input features from the one or more behavior models and leverage the correlation among different behavior models to reduce false positives (Kirti, Para. 0169, machine learning algorithms can be utilized in at least the ways discussed above to make recommendations and reduce false alarms (false positives). Activity data collected from various parameters over a period of time can be used with machine learning algorithms to generate patterns referred to as user behavior profiles), and wherein the one or more behavior models define the normal behavior and the abnormal behavior for the job function in terms of one or more of Uniform Resource Locator (URL) access, bandwidth, device, and app usage (Kirti, Para. 0096, Para. 0051, analysis performed by the security monitoring and control system 102 can include determining models of normal and/or abnormal behavior in user activity, and using the models to detect patterns of suspicious activity. In some examples, the security monitoring and control system 102 can simultaneously analyze data from different services and/or from different services providers).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
DICHIU et al (US 2020/0186545 A1) teaches a computer system comprises at least one hardware processor configured, in response to receiving a cluster membership indicator indicating a grouping of a plurality of client systems into a plurality of client clusters, to select a client cluster from the plurality of client clusters, the selected client cluster comprising multiple client systems.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GITA FARAMARZI whose telephone number is (571) 272-0248. The examiner can normally be reached 9:30 AM- 6:30 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from
Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/G.F./
Examiner, Art Unit 2496

/JORGE L ORTIZ CRIADO/             Supervisory Patent Examiner, Art Unit 2496