DETAILED ACTION

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 22 September 2022 has been entered.  (It is noted that the request for continued examination indicates to consider arguments in a brief filed on 21 September 2022, but there was no brief filed in this application and nothing filed on this date.  It has been assumed that Applicant is merely requesting entry of the after final amendment filed on 22 September 2022).
By the above submission, Claims 1-3, 7, 11, and 16 are amended.  Claims 5, 6, 10, and 12-15 have been canceled.  No new claims have been added.  Claims 1-4, 7-9, 11, and 16-20 are currently pending in the present application.

Response to Arguments

Applicant's arguments filed 22 September 2022 have been fully considered but they are not persuasive.
At the outset, it is noted that an interview was conducted on 06 October 2022 prior to Applicant’s filing of the request for continued examination, in which certain aspects were agreed upon and during which Applicant’s representatives indicated that the Examiner’s suggestions would be considered when drafting the formal response; however, Applicant has only requested consideration of the previously filed after final amendment and has not incorporated any of the suggestions set forth by the Examiner in the interview.
Regarding the rejection of Claims 1-20 under 35 U.S.C. 101 as directed to abstract ideas without significantly more, and with particular reference to independent Claim 1, Applicant asserts that the claims have been amended to incorporate additional limitations that integrate to form a practical application (pages 13-16 of the present response).  However, Applicant does not state what this practical application entails or how such an application is integrated in the claim.  Although Applicant argues that UCIBID may improve intrusion detection capabilities by reducing false positives (page 16 of the present response, citing paragraph 0022 of the specification), Applicant does not explain how the false positives are reduced or what the nexus of this asserted improvement is with the limitations of the claims.  Applicant also argues that the disclosed method and system allow detection of intrusions and provide a new feature of better functionality and a practical solution to a problem (pages 17-18 of the present response).  However, again, Applicant does not explain the nexus between these alleged improvements or solutions and the limitations of the claims.  Applicant additionally argues that the practical application addresses challenges faced with a cost effective approach (pages 18-19 of the present response) but again does not point out what in the claims provides such an approach or addresses such challenges.  Applicant points to numerous portions of the specification (pages 19-20 of the present response, citing paragraphs 0003, 0004, 0025, and 0042) but does not explain how these are tied to the claims.
Applicant further argues that various claim limitations require actions that cannot be practically performed in a human mind, and that provide a technological improvement (page 20 of the present response).  However, the subject matter eligibility inquiries do not require that every part of the claim be capable of being performed mentally for the claim to recite a mental process or other abstract idea.  Rather, Prong One of Step 2A merely requires considering whether there are judicial exceptions recited in the claims.  The claims still include mathematical concepts (as evidenced by the specific equations recited in Claims 17 and 18) and the various data comparisons and rankings also fall within the grouping of mental processes.
Applicant asserts that the claimed limitations add significantly more and provide an improvement to existing technologies (page 21 of the present response); however, this is a conclusory statement, and Applicant does not explain what more is added or what improvement is provided.  Applicant makes several other conclusory statements that the claimed limitations represent significantly more than abstract ideas or mathematical calculations and concepts and go beyond what is well-understood, routine, and conventional into a practical application (pages 21-22 of the present response).  However, applicant provides no explanation of what underlying features are relied upon for these conclusions and provides no explanation of the nexus between the claims and the asserted improvements.
Applicant requests that the Examiner rely on the specification for determining whether the claims are directed to an improvement in the existing technologies (page 21 of the present response).  However, although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
Regarding the rejection of Claims 1-20 under 35 U.S.C. 112(a) for failure to comply with the written description requirement, Applicant points out support for the limitations at issue in Claims 1 and 11 (see page 22 of the present response, citing paragraphs 0013 and 0022).  This portion of the arguments is persuasive and the rejection of the independent claims is withdrawn.  With respect to Claims 19 and 20, Applicant generally points to certain portions of the specification and drawings (see pages 23-24 of the present response, citing paragraphs 0027-0031 and Figure 2).  However, Applicant provides no explanation of what in these portions would be considered the first or other scenario as claimed.  In the interview, the Examiner requested that Applicant’s representative provide further explanation of the cited portions in the formal response.
Regarding the rejection of Claims 1-20 under 35 U.S.C. 112(a) for failure to comply with the enablement requirement, Applicant merely states that the claims have been amended but does not explain how the amendments overcome the rejection (see page 24 of the present response).  Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references or how the claims overcome the outstanding rejections.
Regarding the rejection of Claims 1-20 under 35 U.S.C. 112(b) as indefinite, Applicant asserts that a limitation referring to “the user session” clearly is intended to refer to “a user session of the plurality of user sessions” (page 25 of the present response).  However, because there are plural user sessions, the reference is actually unclear as to which of the plural sessions the limitation is intended to refer.  In the interview, the Examiner recommended that “a user session” and “the user session” could be amended to more uniquely identify the session being referenced, for example as “a first user session” or “a particular user session” or “a specific user session”.
Therefore, for the reasons detailed above, the Examiner maintains the rejections as set forth below.

Specification

The objection to the disclosure is withdrawn in light of the amendments to the specification.  It is noted that “stealing credentials” in paragraph 0025 may be clearer as “a theft of credentials”.
The objection to the specification for failure to provide proper antecedent basis for the claimed subject matter is NOT withdrawn because not all issues have been addressed and/or because the amendments have raised new issues, as detailed below.
The specification is objected to as failing to provide proper antecedent basis for the claimed subject matter.  See 37 CFR 1.75(d)(1) and MPEP § 608.01(o).  Correction of the following is required:  Claims 19 and 20 recite “in a first scenario the user session is attributed to a single user, and in another scenario the user session is attributed to different users”.  There appears to be no mention of attributing a session to a single user or to different users as claimed, and therefore, there is not proper antecedent basis for the claimed subject matter in the specification.  For further detail, see below regarding the rejection under 35 U.S.C. 112(a) for failure to comply with the written description requirement.

Claim Rejections - 35 USC § 101

The rejection of Claims 5, 6, 10, and 12-15 under 35 U.S.C. 101 is moot in light of the cancellation of the claims.  The rejection of Claims 1-4, 7-9, 11, and 16-20 is NOT withdrawn for the reasons detailed below.
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-4, 7-9, 11, and 16-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to abstract ideas without significantly more. 
Independent Claim 1 recites a method that includes predicting probabilities, constructing a user group, determining an anomaly score, detecting an intrusion based on a comparison of the anomaly score with a threshold, and providing a ranking.  Predicting the probabilities and determining an anomaly score are mathematical calculations that fall into the grouping of mathematical concepts, which is one of the groupings of abstract ideas set forth in MPEP § 2106.04(a)(2).  As further evidence, see the specific equations recited in Claim 17.  Constructing the user group, comparing the anomaly score to a threshold, and providing a ranking of scores are mental processes including a comparison of data.  Mental processes are another grouping of abstract ideas set forth in MPEP § 2106.04(a)(2).  Abstract ideas are judicial exceptions as per MPEP § 2106.04(I).  See also Alice Corporation Pty. Ltd. v. CLS Bank, International, et al, 573 U.S. 208, 110 USPQ2d 1976 (2014).
The judicial exception is not integrated into a practical application because there is no subsequent use of the result of the detection/comparison.  The claim does not recite any use or further action with respect to the result of the detecting step. There is nothing that would result in a particular transformation, as per MPEP § 2106.05(c), nor does the claim require the use of the abstract idea in conjunction with a particular machine or manufacture, as per MPEP § 2106.05(b).  The recitation of the user session only serves to link the abstract idea to a particular technological environment, as per MPEP § 2106.05(h).  The recitation of providing the ranking constitutes, at most, insignificant post-solution activity, as per MPEP § 2106.05(g).  The recitations relating to reducing false positives only recite an intended use of the claimed steps without clearly linking how the steps would result in the intended use or result.  The details of the clustering method merely provide further details of the abstract process used to analyze the data.  The steps of training the model or providing the model are recited as alternatives, and providing the model in an already trained state at most constitutes data gathering, which is insignificant extra-solution activity as per MPEP § 2106.05(g).  There are no additional elements that apply or use the abstract idea in a meaningful way beyond merely linking the use of the judicial exception to a particular technological environment.  There is no subsequent significant use of the result of the detecting step. Therefore, the claim is not directed to a practical application of the abstract idea.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception for similar reasons as detailed above with respect to the question of a practical application of the judicial exception.  The step of training the model could provide significantly more than the judicial exception or a practical application thereof, but at present the step is only recited as an alternative.  Therefore, the claim as a whole, whether the steps are considered individually or as an ordered combination, is not directed to significantly more than the abstract idea.
Dependent Claims 2-4, 7-9, 17, and 19 only recite further details of the abstract ideas, such as use of a matrix or other algorithms, which do not provide a practical application or significantly more than the abstract ideas as detailed above.  These claims are abstract for the same reasons as the independent claim and do not add significantly more to the abstract idea recited in the independent claim.
Independent Claim 11 recites a computer system having functionality corresponding to that of the method of Claim 1.  This functionality is directed to an abstract idea for similar reasons as detailed above with respect to Claim 1.  This judicial exception is not integrated into a practical application for similar reasons as detailed with respect to Claim 1.  The recitations of a computer system are at a generic level and constitute nothing more than mere instructions to implement the abstract idea on a computer. See MPEP § 2106.05(f).  Therefore, the claim is not directed to a practical application of the abstract idea, and is not directed to significantly more for similar reasons as discussed above.
Dependent Claims 16, 18, and 20 only recite further details of the abstract ideas, such as use of a matrix or other algorithms, which do not provide a practical application or significantly more than the abstract ideas as detailed above.  These claims are abstract for the same reasons as the independent claim and do not add significantly more to the abstract idea recited in the independent claim.
Based upon consideration of all of the relevant factors with respect to the claims as an ordered combination and as a whole, Claims 1-20 are determined to be directed to abstract ideas without a practical application and without significantly more, as detailed above.  Therefore, based on the above analysis, the claimed inventions are not directed to patent eligible subject matter.
As discussed in the interview, an amendment to remove the alternative limitation of providing the model in a trained state, such that the claim requires training the model, would likely be sufficient to overcome this rejection.  Alternatively, a further step prescribing a significant use of the provided ranking may also be sufficient to overcome the rejection.

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 19 and 20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claims 19 and 20 recite “in a first scenario the user session is attributed to a single user, and in another scenario the user session is attributed to different users”.  Although Applicant generally points to paragraphs 0027-0031 and Figure 2 of the specification for support for the claims as amended (pages 23-24 of the present response), there appears to be no mention in the cited portion or elsewhere in the specification of attributing a session to a single user or to different users as claimed.  Therefore, there is not clear written description of the claimed subject matter in the specification.

Claims 1-4, 7-9, 11, and 16-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the enablement requirement.  The claim(s) contains subject matter which was not described in the specification in such a way as to enable one skilled in the art to which it pertains, or with which it is most nearly connected, to make and/or use the invention.
A determination of a failure to comply with the enablement requirement is made considering the undue experimentation factors set forth in MPEP § 2164.01(a).  In the present application, the factors which appear to weigh most heavily are the breadth of the claims (MPEP § 2164.08), the amount of direction provided by the inventor (MPEP § 2164.03), and the existence of working examples.  Independent Claims 1 and 11 broadly recite users are grouped together based on a similarity threshold “to reduce false positives in a [sic] presence of indistinguishable users when detecting said intrusions using User Cluster Identification Based Intrusion Detection” and “detecting an intrusion if the anomaly score of the user session and the claimed user exceeds a predetermined threshold to reduce said false positives in the presence of said indistinguishable users” or similar limitations.  The only mentions of false positives in the specification are in paragraphs 0017, 0022, and 0024.  These paragraphs generally mention reduction of false positives in similar language as that of the claims, but do not clearly describe how grouping users would reduce false positives, and do not describe anything similar to detecting an intrusion based on a threshold to reduce false positives or how such a detection would reduce false positives.  The specification provides no clear detail or explicit examples (e.g. evidence, data, or analysis) of how false positives would or could be reduced.  Although the claims recite UCIBID, there is no explanation of what such a protocol actually encompasses.  The lack of details or examples in any detail beyond the claim language suggests that there is little direction provided by the inventor.  
Combined with the broad scope of the claims, this suggests that the enablement of the description is not commensurate in scope with the claims (MPEP § 2164.08) and that undue experimentation would be required to make or use the invention based on the disclosure (MPEP § 2164.06).
The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-4, 7-9, 11, and 16-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 recites “the user session” in lines 4, 6, and throughout the claim.  However, because the claim recites a plurality of user sessions, it is not clear to which of the plural sessions these limitations are intended to refer.  The claim further recites “a claimed user of the plurality of users of the user session of the plurality of user sessions of said each record of the plurality of records” in lines 4-5.  This string of prepositional phrases is unclear as to which phrases modify what other terms.  The claim additionally recites “the user identification model which takes as input the plurality of activity features” in lines 18-19.  Although the claim recites a model, there is not clear antecedent basis for this more detailed limitation. The claim further recites “similar activity features” in line 20.  The term “similar” is a relative term, and it is not clear from the claims or specification how similar activities must be to be included in the user group.  See MPEP § 2173.05(b).  The claim additionally recites “to reduce false positives in a presence of indistinguishable users when detecting said intrusions using User Cluster Identification Based Intrusion Detection” in lines 33-35.  It is not clear how the grouping of users reduces false positives.  Further, the recited UCIBID is not clearly defined.  Although the claim details the efficiency of UCIBID, this does not describe any particular steps or algorithms encompassed by such a protocol.  The claim also recites “a precision of said AUPRC is defined as a number of true positives over a number of true positives plus a number of said false positives, and a recall is defined as the number of true positives over the number of true positives plus a number of false negatives” in lines 40-44.  The numerators and denominators of these expressions are ambiguous.  It is not clear whether precision equals TP/(TP+FP) or (TP/TP)+FP, and it is not clear whether recall equals TP/(TP+FN) or (TP/TP)+FN.
The claim also recites “the probability that the user session belongs to the user group” in lines 50-51 and 57-58.  Although the claim previously recited plural probabilities, there is not clear antecedent basis for this more detailed limitation in the claims.  The claim further recites “lower the probability that the user session belongs to the user group, more anomalous the user session is” in lines 57-58.  The phrases “lower the probability” and “more anomalous” are grammatically unclear and not in proper idiomatic English.  The claim additionally recites “detecting an intrusion if the anomaly score of the user session and the claimed user exceeds a predetermined threshold to reduce said false positives in the presence of said indistinguishable users” in lines 59-61.  It is not clear how detecting an intrusion if a score exceeds a threshold would result in reducing false positives.  The claim also recites “providing an anomaly-based intrusion ranking… using said UCIBID” in lines 62-63.  It is not clear what is actually ranked in this ranking; further, if the anomaly score is used in the ranking, it is not clear how other comparative anomaly scores may be obtained or when this ranking is performed, which amounts to a gap in the claim.  Further, it is not clear how UCIBID would be used to provide a ranking.  The above ambiguities render the claim indefinite.
Claim 7 recites “the user session” in line 2.  However, because Claim 1 recites a plurality of user sessions, it is not clear to which of the plural sessions this limitation is intended to refer.
Claim 11 recites “the user session” in lines 6-7 and throughout the claim.  However, because the claim recites a plurality of user sessions, it is not clear to which of the plural sessions these limitations are intended to refer.  The claim further recites “a claimed user of the plurality of users of the user session of the plurality of user sessions” in lines 6-7.  This string of prepositional phrases is unclear as to which phrases modify what other terms.  The claim additionally recites “similar activity features” in line 9.  The term “similar” is a relative term, and it is not clear from the claims or specification how similar activities must be to be included in the user group.  See MPEP § 2173.05(b).  The claim additionally recites “the user identification model which takes as input the plurality of activity features” in lines 20-21.  Although the claim recites a model, there is not clear antecedent basis for this more detailed limitation. The claim further recites “similar activity features” in line 24.  The term “similar” is a relative term, and it is not clear from the claims or specification how similar activities must be to be included in the user group.  See MPEP § 2173.05(b).  The claim additionally recites “to reduce false positives in a presence of indistinguishable users when detecting said intrusions using User Cluster Identification Based Intrusion Detection” in lines 36-38.  It is not clear how the grouping of users reduces false positives.  Further, the recited UCIBID is not clearly defined.  Although the claim details the efficiency of UCIBID, this does not describe any particular steps or algorithms encompassed by such a protocol.  The claim also recites “a precision of said AUPRC is defined as a number of true positives over a number of true positives plus a number of said false positives, and a recall is defined as the number of true positives over the number of true positives plus a number of false negatives” in lines 43-47.
The numerators and denominators of these expressions are ambiguous.  It is not clear whether precision equals TP/(TP+FP) or (TP/TP)+FP, and it is not clear whether recall equals TP/(TP+FN) or (TP/TP)+FN.  The claim also recites “the probability that the user session belongs to the user group” in lines 55-56.  Although the claim previously recited plural probabilities, there is not clear antecedent basis for this more detailed limitation in the claims.  The claim additionally recites detecting “an intrusion if the anomaly score of the user session and the claimed user exceeds a predetermined threshold to reduce said false positives in the presence of said indistinguishable users” in lines 60-62.  It is not clear how detecting an intrusion if a score exceeds a threshold would result in reducing false positives.  The claim also recites providing “an intrusion ranking… using said UCIBID” in lines 63-65.  It is not clear what is actually ranked in this ranking; further, if the anomaly score is used in the ranking, it is not clear how other comparative anomaly scores may be obtained or when this ranking is performed, which amounts to a gap in the claim.  Further, it is not clear how UCIBID would be used to provide a ranking.  The above ambiguities render the claim indefinite.
Claim 16 depends from canceled Claim 12, and therefore the scope of the claim is unclear.  Claim 16 further recites “the user session” in line 3.  Because the claims recite plural user sessions, it is not clear to which of the plural sessions this is intended to refer.  The claim additionally recites “lower the probability that the user session of the plurality of user sessions belongs to the user group, more anomalous the user session is” in lines 3-4.  The phrases “lower the probability” and “more anomalous” are grammatically unclear and not in proper idiomatic English.
Claim 17 recites “an equation comprising” in line 2.  However, the open-ended nature of the transitional term “comprising” makes it unclear what the equation requires and if anything can be added to the equation.  The claim further recites “the user session” in lines 5 and 7 and “the user” in line 6.  However, because the claims recite a plurality of users and a plurality of sessions, it is not clear to which these limitations are intended to refer.
Claim 18 recites “an equation comprising” in line 2.  However, the open-ended nature of the transitional term “comprising” makes it unclear what the equation requires and if anything can be added to the equation.  The claim further recites “the user session” in lines 5, 6, and 7 and “the user” in line 6.  However, because the claims recite a plurality of users and a plurality of sessions, it is not clear to which these limitations are intended to refer.
Claim 19 recites “the user session” in lines 1 and 2.  However, because the claims recite a plurality of sessions, it is not clear to which session these limitations are intended to refer.
Claim 20 recites “the user session” in lines 1 and 2.  However, because the claims recite a plurality of sessions, it is not clear to which session these limitations are intended to refer.
Claims not specifically referred to above are rejected due to their dependence on a rejected base claim.

Allowable Subject Matter

Claims 1-4, 7-9, 11, and 16-20 would be allowable if rewritten or amended to overcome the rejections under 35 U.S.C. 112(a) and (b) and 35 U.S.C. 101, set forth in this Office action.
The following is a statement of reasons for the indication of allowable subject matter:  None of the cited art clearly teaches or suggests the use of “User Cluster Identification Based Intrusion Detection”, although as noted above, this terminology is not well-defined, and amendments to change the scope of the claims may result in a reconsideration of the indication of allowable subject matter.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Lal, US Patent 7874000, discloses a system for intrusion detection monitoring activities performed by users in a group.
Xie et al, US Patent 8387145, discloses a system that blocks malicious activity and groups users together for tracking.
Singh et al, US Patent 8788407, discloses a system for malware data clustering.
Stowe et al, US Patent 9165299, discloses a system for intrusion prevention that uses user agent data clustering.
Petersen et al, US Patent 9384112, discloses tools for use in processing log messages using user groups.
Hen et al, US Patent 11483327, discloses a cybersecurity system using clustering of user behaviors.
Srivastava et al, US Patent Application Publication 2016/0065594, discloses an intrusion detection system that groups users based on various characteristics.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Zachary A Davis whose telephone number is (571)272-3870. The examiner can normally be reached Monday-Friday, 9:30am-6:00pm, Eastern Time.
Examiner interviews are available via telephone and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Zachary A. Davis/Primary Examiner, Art Unit 2492