DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

	Claims 23-42 as submitted via preliminary amendments on 5/25/21 were considered.  Claims 1-22 were cancelled.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 23-25, 29-31, 33-35, 37, 39, and 42 is/are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Pratt et al (US 10,673,880).
Claims 23 and 33:
	Pratt discloses: 
building a customized behavioral profile for an identity using a machine-learning process (col 7, lines 47-61; col 8, lines 6-34; col 10, lines 17-29; and col 26, lines 10-23; Anomaly detection models used by machine-learning), wherein inputs to the machine-learning process include at least two of: 
a login location (col 26, lines 36-36; Location identified by domain name and/or IP address), 
a login time, 
a number of login attempts (col 26, lines 24-36), 
an identification of a login device (col 7, lines 47-61; Domain name and IP address; col 34, lines 36-46; and col 34, line 61-col 35, line 10; MAC address), 
an IP address used for login (col 7, lines 47-61), and 
an application used for login (col 7, lines 47-61; Black listed applications identified); 
identifying a new event associated with the identity (col 8, lines 6-24 and col 10, lines 17-59); 
determining a risk level for the new event based on the customized behavioral profile for the identity (col 10k, lines 28-47; and col 48, lines 38-48; Anomaly score ranked from 0 to 10 indicates risk level); 
accessing a set of security rules (col 8, lines 6-52, col 45, lines 60-65); and 
performing a security action based on the risk level and the set of security rules (col 7, line 62-col 8, line 52; col 9, lines 33-65; and col 48, lines 38-59; Especially in cited column 9 where several security actions are listed), the security action comprising at least one of: 
generating a prompt for authentication of the identity, 
generating an alert (col 9, lines 33-65), or 
denying access by the identity to an access-restricted network resource (col 9, lines 33-65; Shutting down resources or locking users out)..

Claim 24:
	Pratt further discloses wherein the customized behavioral profile for the identity is represented by a plurality of clusters of event vectors (col 51, lines 55-65).

Clam 25:
	Pratt further discloses wherein the plurality of clusters of event vectors each have at least three dimensions (col 52, lines 28-48; Vectors being type of anomaly detected, types of entities associated, and temporal clustering of entities).

Claim 29:
	Pratt further discloses wherein the inputs to the machine-learning process further include authorization escalation events (col 9, lines 33-65; User decides how to handle anomalies detected and whether to authorize or more standard responses).

Clam 30:
	Pratt further discloses wherein the inputs to the machine-learning process further include risk feedback events (col 9,k lines 33-65; Data is feedback to the machine learning system to improve the machine learning model).

Claim 31:
	Pratt further discloses wherein the operations further comprise receiving updates on activity of the identity and automatically updating the customized behavioral profile for the identity based on the updates (col 9, lines 33-65 and col 26, lines 10-23).

Claim 34:
	Pratt further discloses wherein determining the risk level includes determining whether the new event is part of a cluster of event vector col 51, liens 55-65).

Claim 35:
	Pratt further discloses wherein determining the risk level is based on a distance between a vector associated with the new event and one or more of the cluster of event vectors (col 52, lines 28-48).

Claim 37:
	Pratt further discloses converting a format of ingested data to form the inputs to the machine-learning process (col 4, line 4-col 5, line 52).

Claim 39:
	Pratt further discloses wherein the set of security rules are customized rules (col 6, line63-col 7, line 4; and col 8, lines 6-53; User/administrator customizes the rules).

Claim 42:
	Pratt further discloses generating a display of the risk level (col 10, lines 6-36 and col 50, lines 45-60).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 26, 28, 32, and 40 is/are rejected under 35 U.S.C. 103 as being unpatentable over Pratt et al (US 10,673,880).
Claims 26 and 40:
	Pratt does not explicitly disclose wherein the operations further comprise determining a confidence level associated with the risk level.  However, official notice is taken that before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to modify Pratt’s invention such that it also tracked confidence level and wherein the operations further comprise determining a confidence level associated with the risk level.  One of ordinary skill in the art would have been motivated to do so as it would let the administrator know what sort of error margins each risk level estimate carries.

Claim 28:
	Pratt further discloses wherein the inputs to the machine-learning process further include interface events (col 9, line 33-col 10, line 16 and col 49, lines 7-38; Display anomalies for user/human operators).
	Pratt does not disclose the interface being “command-line”.  However, official notice is taken that command-line interfaces were well known in the art prior to the effective filing date of applicant’s claimed invention, thus it would have been obvious to one of ordinary skill in the art to modify Pratt’s invention so the interface was command-line.  The rationale for why this is obvious is that it’s nothing more than simple substitution of one known element (i.e. GUI-type of interface) for another (i.e. command-line) to achieve predictable results, see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007).

Claim 32:
	Pratt does not teach enrolling or un-enrolling a client device with an identity management service.  However, official notice is taken that before the effective filing date of applicant’s claimed invention, such a limitation was well known in the art.  It would have been obvious to one of ordinary skill in the art before the effective filing date of applicant’s claimed invention to modify Pratt’s invention so that the operations further comprise receiving updates on activity of the identity and automatically updating the customized behavioral profile for the identity based on the updates.  One of ordinary skill would have been motivated to do so as it would allow one to sell network anomaly protection on a subscription model to clients.


Claim(s) 36 is/are rejected under 35 U.S.C. 103 as being unpatentable over Pratt et al (US 10,673,880) in view of Chen et al (US 2016/0065604).
Claim 36:
	Pratt does not disclose, but Chen discloses applying a filter to exclude malformed or irrelevant inputs to the machine-learning process (paragraph 25).  Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to modify Pratt’s invention using Chen’s teachings.  One skilled in the art would have been motivated to do so as it would prevent the machine learning tool to operate less effectively due to outlier data.


Claim(s) 38 is/are rejected under 35 U.S.C. 103 as being unpatentable over Pratt et al (US 10,673,880) in view of Alexander et al (US 2002/0143938).
Claim 38:
	Pratt does not disclose, but Alexander discloses wherein the set of security rules are default rules (paragraph 57).  Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to modify Pratt’s invention using Alexander’s teachings so the set of security rules are the default rules.  One of ordinary skill in the art would have been motivated to do so because by assigning default rules, it would ensure there are active security rules.



Allowable Subject Matter
Claims 27 and 41 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PONNOREAY PICH whose telephone number is (571)272-7962. The examiner can normally be reached M-F 9am-5pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/PONNOREAY PICH/Primary Examiner, Art Unit 2495