Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Response to Amendment
This is a reply to the application filed on 10/17/2022, in which, claim(s) 1-20 is/are pending.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 09/15/2022, has been reviewed. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the examiner is considering the information disclosure statement.

Response to Arguments
Claim Rejections - 35 U.S.C. § 112:
Applicants’ arguments with respect to the 35 U.S.C. 112, second paragraph, rejection of claim(s) 1-20 have been fully considered and are not persuasive. The claims recite the first vector as a representation of the actions taken by the user during a plurality of previous time intervals, and calculating the similarity between the first and second vectors; however, there is no clarification on how the second vector is calculated.

Claim Rejections - 35 U.S.C. § 102 and 35 U.S.C. § 103:
Applicant's arguments filed 10/17/2022 have been fully considered but they are not persuasive.
Applicant suggested that Martin aggregates actions taken by many users and not by one user. (See Remarks pp. 7-8)
The Examiner respectfully disagrees. Although Martin discloses large-scale network detection, Martin still teaches the detection of a particular user and/or machine. For instance, in Figure 3, step w210 teaches the detection of user j smith and machine IP 73.93.115.46, login attempt within a given time interval, and so on [Martin; ¶26-28; 50-53].

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 1, 8 and 15 recite the first vector as a representation of the actions taken by the user during a plurality of previous time intervals, and calculating the similarity between the first and second vectors; however, it is unclear how the second vector is calculated.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim(s) 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Martin et al. (Pub. No.: US 2018/0004948 A1; hereinafter Martin) in view of Stapleton et al. (Pat. No.: US 10,045,218 B1; hereinafter Stapleton).
Regarding claims 1, 8, and 15, Martin discloses a method of detecting anomalous behavior by a user in a cloud environment, the method comprising:
calculating a first vector that is representative of actions taken by the user during a plurality of previous time intervals in the cloud environment (calculating the first vector from the unique behavior of one or more user(s) and/or machine on the network; the first vector is commonly the historical vector, often a predefined set of behavior types on the network [Martin; ¶53, 71-79; Fig. 3 and associated text]);
calculating between the first vector and a second vector that comprises counts of actions taken by the user during a current time interval (calculating the second vector of similar behavior, in which the second vector is within a second time window of the present duration [Martin; ¶53, 79-91; Fig. 3 and associated text]);
comparing the similarity to a baseline threshold to determine whether one or more anomalous actions have occurred when the second vector diverges from the first vector by more than a threshold amount (compare the second vector (present) to the first vector (historical) to determine if it exceeds a threshold, and determine it to be malicious when it is above a threshold value [Martin; ¶27, 53, 71-79; Fig. 3 and associated text]); and
generating an alert based at least in part on a determination that the one or more anomalous actions have occurred in the cloud environment (send an alert when a malicious event is determined to have occurred [Martin; ¶50-53, 71-79; Fig. 3 and associated text]). Martin does not explicitly disclose calculating a similarity between the first vector and a second vector; however, in a related and analogous art, Stapleton teaches this feature.
In particular, Stapleton teaches calculating cosine similarity between vectors and determining anomalies based on a user-specified threshold [Stapleton; 6:20-67]. It would have been obvious before the effective filing date of the claimed invention to modify Martin in view of Stapleton with the motivation to find similarity between vectors for easier detection of anomalies.

Regarding claim 2, Martin-Stapleton combination discloses the method of claim 1, wherein the similarity is calculated using a cosine similarity (calculating cosine similarity between vectors and determining anomalies based on a user-specified threshold [Stapleton; 6:20-67]). The motivation is to find similarity between vectors for easier detection of anomalies.

Regarding claim 3, Martin-Stapleton combination discloses the method of claim 1, wherein each entry in the first vector comprises an average event score during the plurality of previous time intervals (the frequencies of anomalous behaviors within a first time window [Martin; ¶50-53, 71-79; Fig. 3 and associated text]).

Regarding claim 4, Martin-Stapleton combination discloses the method of claim 1, wherein each of the plurality of previous time intervals comprises one day (the time intervals vary; depending on the preset, they can be hours, days, weeks, etc. [Martin; ¶50-53, 71-79; Fig. 3 and associated text]).

Regarding claim 5, Martin-Stapleton combination discloses the method of claim 1, wherein the plurality of previous time intervals comprises a window of at least 60 days (the time intervals vary; depending on the preset, they can be hours, days, weeks, etc. [Martin; ¶50-53, 71-79; Fig. 3 and associated text]).

Regarding claim 6, Martin-Stapleton combination discloses the method of claim 1, wherein the plurality of previous time intervals comprises a sliding window of days, wherein the sliding window of days adds the current time interval to the sliding window of days and removes a least-recent time interval from the sliding window of days after each time interval (the time intervals vary; depending on the preset, they can be hours, days, weeks, etc.; new events can replace old events [Martin; ¶50-53, 71-79; Fig. 3 and associated text]).

Regarding claim 7, Martin-Stapleton combination discloses the method of claim 1, wherein the first vector is representative of actions taken during the plurality of previous time intervals by storing a histogram of event counts for each of the plurality of previous time intervals (the data are based on historical events [Martin; ¶50-53, 71-79; Fig. 3 and associated text]).

Regarding claim 9, Martin-Stapleton combination discloses the non-transitory computer-readable medium of claim 8, wherein the operations further comprise: comparing the similarity to an upper threshold to further determine whether one or more anomalous actions have occurred (determine it to be malicious when it is above a threshold value [Martin; ¶27, 53, 71-79; Fig. 3 and associated text]).

Regarding claim 10, Martin-Stapleton combination discloses the non-transitory computer-readable medium of claim 9, wherein the baseline threshold characterizes the similarity as being suspicious, and wherein the upper threshold characterizes the similarity as representing a threat (determine it to be malicious when it is above a threshold value [Martin; ¶27, 53, 71-79; Fig. 3 and associated text]).
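
The scheme recited in claims 1-3, 6, 9 and 10 (averaged history vector, current-interval count vector, cosine similarity, sliding window, baseline and upper thresholds) can be sketched as follows. This is an added example, not code from the application, Martin or Stapleton; the action names, the threshold values, the helper names and the use of cosine distance (1 - similarity) so that larger values mean more divergence are assumptions.

```python
import math
from collections import deque

ACTIONS = ["login", "list_buckets", "download", "delete", "create_key"]  # assumed action types

def cosine_similarity(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0  # undefined for a zero vector; treat as no overlap

class UserBaseline:
    """Per-user sliding window of daily action counts (hypothetical helper)."""

    def __init__(self, window_days=60, baseline=0.30, upper=0.60):
        self.history = deque(maxlen=window_days)  # least-recent day drops out automatically
        self.baseline = baseline  # assumed cosine distance marking "suspicious"
        self.upper = upper        # assumed cosine distance marking "threat"

    def first_vector(self):
        # Average count per action over the previous intervals.
        return [sum(col) / len(self.history) for col in zip(*self.history)]

    def score_day(self, counts):
        second = [counts.get(a, 0) for a in ACTIONS]  # counts for the current interval
        if not self.history:
            verdict, distance = "learning", 0.0
        elif not any(second):
            verdict, distance = "idle", 0.0  # no activity today: nothing to compare
        else:
            distance = 1.0 - cosine_similarity(self.first_vector(), second)
            verdict = ("threat" if distance > self.upper
                       else "suspicious" if distance > self.baseline else "normal")
        self.history.append(second)  # slide the window forward by one interval
        return verdict, round(distance, 3)

# Constructed sample: six ordinary days, a bulk-download day, then a deletion-heavy day.
SAMPLE_DAYS = [
    {"login": 3, "list_buckets": 10, "download": 5},
    {"login": 2, "list_buckets": 12, "download": 4},
    {"login": 4, "list_buckets": 9, "download": 6},
    {"login": 3, "list_buckets": 11, "download": 5},
    {"login": 3, "list_buckets": 8, "download": 5},
    {"login": 3, "list_buckets": 9, "download": 6},
    {"login": 2, "list_buckets": 8, "download": 60},
    {"login": 1, "delete": 40, "create_key": 6},
]

def replay(days, **kwargs):
    user = UserBaseline(**kwargs)
    return [user.score_day(day) for day in days]
```

Cosine similarity compares the mix of actions, not their volume, so a day with the usual proportions at ten times the usual count still scores as normal. Whether days already flagged should enter the window is a tuning decision the page does not address; admitting them lets the baseline drift toward the flagged behaviour.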

Regarding claim 11, Martin-Stapleton combination discloses the non-transitory computer-readable medium of claim 9, wherein the upper threshold is determined based on a predetermined number of standard deviations of an average value calculated in the first vector (the frequencies of anomalous behaviors within a first time window [Martin; ¶50-53, 71-79; Fig. 3 and associated text]).

Regarding claim 12, Martin-Stapleton combination discloses the non-transitory computer-readable medium of claim 9, wherein the upper threshold is represented by a neural network that receives the similarity as an input (the malicious vector is trained through a neural network [Martin; ¶64, 76-78]).

Regarding claim 13, Martin-Stapleton combination discloses the non-transitory computer-readable medium of claim 8, wherein the baseline threshold is represented by a neural network that receives the similarity as an input (the malicious vector is trained through a neural network [Martin; ¶64, 76-78]).

Regarding claim 14, Martin-Stapleton combination discloses the non-transitory computer-readable medium of claim 8, wherein the baseline threshold is determined using a peer group analysis for users similar to a current user (the unique behavior of one or more user(s) and/or machine on the network; the first vector is commonly the historical vector, often a predefined set of behavior types on the network [Martin; ¶53, 71-79; Fig. 3 and associated text]).

Regarding claim 16, Martin-Stapleton combination discloses the system of claim 15, wherein the operations further comprise: comparing one or more values in the second vector to one or more action scores associated with the one or more values (calculating the second vector of similar behavior, in which the second vector is within a second time window of the present duration [Martin; ¶53, 79-91; Fig. 3 and associated text]).

Regarding claim 17, Martin-Stapleton combination discloses the system of claim 16, wherein each of the one or more action scores represents a likelihood that the action is a malicious action representing a threat (calculating the second vector of similar behavior, in which the second vector is within a second time window of the present duration [Martin; ¶53, 79-91; Fig. 3 and associated text]).

Regarding claim 18, Martin-Stapleton combination discloses the system of claim 15, wherein the second vector comprises counts of actions taken relative to a particular resource (login attempt within a given time interval, and so on [Martin; ¶26-28; 50-53]).

Regarding claim 19, Martin-Stapleton combination discloses the system of claim 15, wherein values in the first vector are weighted depending on a day of the week on which an action occurred (the detection of a particular user and/or machine. For instance, in Figure 3, step w210 teaches the detection of user j smith and machine IP 73.93.115.46, login attempt within a given time interval, and so on [Martin; ¶26-28; 50-53]).

Regarding claim 20, Martin-Stapleton combination discloses the system of claim 15, wherein the second vector comprises counts of actions taken relative to a particular user (user login attempt within a given time interval, and so on [Martin; ¶26-28; 50-53]).

Internet Communications
Applicant is encouraged to submit a written authorization for Internet communications (PTO/SB/439, http://www.uspto.gov/sites/default/files/documents/sb0439.pdf) in the instant patent application to authorize the examiner to communicate with the applicant via email. The authorization will allow the examiner to better practice compact prosecution. The written authorization can be submitted via one of the following methods only: (1) Central Fax which can be found in the Conclusion section of this Office action; (2) regular postal mail; (3) EFS WEB; or (4) the service window on the Alexandria campus. EFS web is the recommended way to submit the form since this allows the form to be entered into the file wrapper within the same day (system dependent). Written authorization submitted via other methods, such as direct fax to the examiner or email, will not be accepted. See MPEP § 502.03.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAO Q HO whose telephone number is (571)270-5998.  The examiner can normally be reached on 7:00am - 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/DAO Q HO/Primary Examiner, Art Unit 2432