DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This final office action is in response to the amendment filed 22 January 2026.
Claims 1-20 are pending. Claims 1, 8, and 15 are independent claims.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1, 3-6, 15-17 are rejected under 35 U.S.C. 103 as being unpatentable over Apostolescu et al. (US 2021/0029136, published 28 January 2021, hereafter Apostolescu) and further in view of Goradia (US 9195829, published 24 November 2015) and further in view of Becker et al. (US 10084802, patented 25 September 2018, hereafter Becker) and further in view of Venturelli et al. (US 11379842, filed 7 April 2020, hereafter Venturelli) and further in view of Hild (US 2020/0314128, published 1 October 2020).
As per independent claim 1, Apostolescu discloses a non-transitory computer-readable medium storing instructions that, when executed by at least one processor, cause the system to:
determine a set of parameters corresponding to the digital action comprising at least one type of digital action, a number of affected files, a file size, a user location, a time of the digital action, collaborator, data, or user role (paragraph 0043: Here, a “feature” is a type of behavior/action. For example, file size is a feature and the actual size of the file is a behavior)
based on the set of parameters, utilize an anomaly-detection model trained to detect anomalous actions to generate an anomaly indicator corresponding to the digital action (paragraph 0042: Here, a classifier is loaded and applied to the extracted behaviors to label the behavior as a “threat” or “non-threat”)
based on the anomaly indicator, provide, for display, an electronic communication indicating the digital action as anomalous (paragraph 0099: Here, a file is output with its associated label (thread/non-threat). Files that have been identified as anomalous will be output with the label “threat”)
Apostolescu fails to specifically disclose:
identify a digital action taken by a client device associated with a user account
determine a set of parameters corresponding to the digital user action
based on the set of parameters, utilize an anomaly-detection model trained to detect anomalous actions and a confidence score indicating a likelihood of the digital user action being an anomalous action
a confidence score for the anomaly satisfying a threshold confidence
automatically restrict one or more additional digital user actions for the user account within the content management system
display on a graphical user interface of an administrator device
receive data from the administrator device in response to the electronic communication indicating the digital user action of the user account as anomalous
update one or more parameters of the anomaly-detection model in accordance with the data received from the administrator device in response to the electronic communications
However, Goradia, which is analogous to the claimed invention because it is directed toward detecting and displaying anomalous behaviors, discloses:
identify a digital action taken by a client device associated with a user account of a content management system (Figure 1; column 5, lines 11-19: Here, a central (content) management system is used coupled to communication systems associated with a plurality of users to exchange information. The anomalous behavior detection device (Figure 1, item 110; column 5, line 30-32) operates in the cloud to identify anomalous behaviors at connected devices)
display on a graphical user interface of an administrator device (Figure 6; column 5, lines 1-10 and column 10, lines 38-43: Here, a GUI provides the administrator results of the anomalous behavior detection analysis to monitor such operations)
It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Goradia with Apostolescu, with a reasonable expectation of success, as it would have allowed an administrator to view and monitor anomalous behaviors (Goradia: column 5, lines 1-10). This would have allowed a user the advantage of preventing these behaviors from being propagated throughout the entire system.
Additionally, Becker, which is analogous to the claimed invention because it is directed toward supervisory control, discloses:
identify a digital action taken by a client device associated with a user account (column 5, lines 1-23: Here, a digital action is received from a user)
determine a set of parameters corresponding to the digital user action (column 5, lines 1-23: Here, a set of parameters corresponding to a user action are receive)
automatically restrict one or more additional digital user actions for the user account within the content management system (column 5, lines 1-23: Here, based upon the anomalous actions, access for a specified user is blocked)
display on a graphical user interface of an administrator device (column 5, lines 1-23: Here, anomalous actions are displayed to an administrator on a dashboard)
It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Becker with Apostolescu-Gordia, with a reasonable expectation of success, as it would have allowed for improved security by restricting access of users performing anomalous actions (Becker: column 2, lines 21-32).
Further, Venturelli, which is analogous to the claimed invention because it is directed toward using a machine learning model to identify anomalies, discloses utilizing an anomaly-detection model trained to detect anomalous actions and a confidence score indicating a likelihood of the digital user action being an anomalous action (column 19, lines 12-20: Here, a trained fraud detection machine learning model identifies an anomalous action. A confidence score (predicted likelihood) representing the anomaly is determined) and a confidence score for the anomaly satisfying a threshold confidence (column 19, lines 24-26: Here, the confidence score is compared against a threshold score to determine that the action is a fraudulent action). It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Venturelli with Apostolescu-Goria-Becker, with a reasonable expectation of success, as it would have trigger an action based upon a calculated likelihood score meeting a threshold confidence value (Venturelli: column 19, lines 12-26).
Finally, Hild, which is analogous to the claimed invention because it is directed toward performing actions responsive to determining an anomalous event, discloses:
receive data from the administrator device in response to the electronic communication indicating the digital user action of the user account as anomalous (paragraph 0014: Here, anomalous network activity is detected. This triggers an alert to a network administrator including the time of the anomaly occurrence, the portion of the network in which the anomaly occurred, any impacted components, and a level of certainty the machine learning model has in its determination of the anomaly. Further, the administrator assesses the anomaly and determines an appropriate course of action, including actions to counteract the malicious activity (paragraph 0015))
update one or more parameters of the anomaly-detection model in accordance with the data received from the administrator device in response to the electronic communications (paragraphs 0014-0015: Here, parameters are updated based upon the administrator’s course of action. This can include performing an automatic quarantine of additional changes until an administrator releases the quarantine or resetting the configuration using log files to a default configuration. Further, this can include assessing, via a machine learning model, whether the anomaly occurred as a result of configuration changes to the network, and revert to a previous configuration (Figure 4; paragraphs 0052-0055))
It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Hild with Apostolescu-Goradia-Becker-Venturelli, with a reasonable expectation of success, as it would have allowed for notifying an administrator to enable quarantining and reverting parameters to a previous configuration (Hild: paragraphs 0014-0015).
As per dependent claim 3, Apostolescu, Goradia, Becker, Venturelli, and Hild disclose the limitations similar to those in claim 1, and the same rejection is incorporated herein. Goradia discloses providing, for display on the GUI of the administrator device, the electronic communication to indicate the digital action comprises at least one of an anomalous file deletion, an anomalous file share, an anomalous file creation, an anomalous file modification, an anomalous user role modification, or an anomalous file decryption (column 4, lines 12-31; column 13, TABLE A: Here, a plurality of anomalous actions are specified, including add/delete files on storage, unauthorized sharing of data, and role modification (gain root access)).
It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Goradia with Apostolescu, with a reasonable expectation of success, as it would have allowed an administrator to view and monitor anomalous behaviors (Goradia: column 5, lines 1-10). This would have allowed a user the advantage of preventing these behaviors from being propagated throughout the entire system.
As per dependent claim 4, Apostolescu, Goradia, Becker, Venturelli, and Hild disclose the limitations similar to those in claim 1, and the same rejection is incorporated herein. Goradia discloses providing, for display on the graphical user interface of the administrator device, a context for identifying the digital action as anomalous (column 15, lines 20-32: Here, the context of the event is provided to the administrative user. This includes providing video of the application at the time of the behavior to allow the administrator to determine whether the interaction is expected or within the normal operation of the interaction), the context including an indicator of at least one of the user account corresponding to the digital action, a time of the digital action, or a reason for identifying the digital action as anomalous (Figure 4B; column 9, line 56- column 10, line 12: Here, the GUI allows for playback of the anomalous behaviors where the action is synchronized with time data to provide video playback/context of the action).
It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Goradia with Apostolescu, with a reasonable expectation of success, as it would have allowed an administrator to view and monitor the context of the anomalous behaviors to determine if they are anomalous to expected behaviors (Goradia: column 15, lines 20-32). This would have allowed a user the advantage of preventing normal behaviors while excluding anomalous behaviors.
As per dependent claim 5, Apostolescu, Goradia, Becker, Venturelli, and Hild disclose the limitations similar to those in claim 1, and the same rejection is incorporated herein.
Venturelli discloses determining a sensitivity level of the anomaly indicator based on the confidence score and selecting, the one or more digital user actions to automatically restrict for the user account sensitivity level of the anomaly indicator from the anomaly-detection model (column 19, lines 12-26: Here, determining that a score meets the threshold is analogous to determining that a sensitivity level of the anomaly has been met. Further, based upon this determination an action is blocked (restricted)). It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Venturelli with Apostolescu-Goria-Becker, with a reasonable expectation of success, as it would have trigger an action based upon a calculated likelihood score meeting a threshold confidence value (Venturelli: column 19, lines 12-26).
As per dependent claim 6, Apostolescu, Goradia, Becker, Venturelli, and Hild disclose the limitations similar to those in claim 1, and the same rejection is incorporated herein. Goradia discloses determining the severity level of the digital actions based on at least one of the set of parameters corresponding to the digital actions, characteristics corresponding to the user account of the content management system, or user interactions corresponding to historical electronic communication indicating digital actions as anomalous (column 6, lines 27-35 and column 13, TABLE A: Here, the threat score is based on anomalies detected by the anomalous behavior detection analysis. This may be based on a plurality of parameters associated with a digital action (column 4, lines 12-31; column 13, TABLE A)).
It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Goradia with Apostolescu, with a reasonable expectation of success, as it would have allowed an administrator to view and monitor anomalous behaviors (Goradia: column 5, lines 1-10). This would have allowed a user the advantage of preventing these behaviors from being propagated throughout the entire system.
Apsotolescu fails to specifically disclose providing an electronic communication indicating the digital user action as anomalous based on the severity level. However, the examiner takes official notice that it was notoriously well-known in the art at the time of the applicant’s effective filing date to provide an alert/notification for events that trigger an alert threshold. It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined the well-known with Apostolescu-Goradia-Becker-Venturelli-Hild, with a reasonable expectation of success, as it would have allowed for providing an alert/notification based upon anomalous activity.
As per independent claim 15, Apostolescu discloses a method comprising:
determine a set of parameters corresponding to the digital action comprising at least one type of digital action, a number of affected files, a file size, a user location, a time of the digital action, collaborator, data, or user role (paragraph 0043: Here, a “feature” is a type of behavior/action. For example, file size is a feature and the actual size of the file is a behavior)
based on the set of parameters, utilize an anomaly-detection model trained to detect anomalous actions to generate an anomaly indicator corresponding to the digital action (paragraph 0042: Here, a classifier is loaded and applied to the extracted behaviors to label the behavior as a “threat” or “non-threat”)
based on the anomaly indicator, provide, for display, an electronic communication indicating the digital action as anomalous (paragraph 0099: Here, a file is output with its associated label (thread/non-threat). Files that have been identified as anomalous will be output with the label “threat”)
modifying the anomaly-detection model based on data received from the administrator device indicating a response to the electronic communication or the digital action (emphasis added; paragraph 0041: Here, the model is iteratively trained to improve accuracy)
Apostolescu fails to specifically disclose:
identify a digital action taken by a client device associated with a user account of a content management system
determine a set of parameters corresponding to the digital user action
based on the set of parameters, utilize an anomaly-detection model trained to detect anomalous actions and a confidence score indicating a likelihood of the digital user action being an anomalous action
a confidence score for the anomaly satisfying a threshold confidence
display on a graphical user interface of an administrator device
receive data from the administrator device in response to the electronic communication indicating the digital user action of the user account as anomalous
update one or more parameters of the anomaly-detection model in accordance with the data received from the administrator device in response to the electronic communications
However, Goradia, which is analogous to the claimed invention because it is directed toward detecting and displaying anomalous behaviors, discloses:
identify a digital action taken by a client device associated with a user account of a content management system (Figure 1; column 5, lines 11-19: Here, a central (content) management system is used coupled to communication systems associated with a plurality of users to exchange information. The anomalous behavior detection device (Figure 1, item 110; column 5, line 30-32) operates in the cloud to identify anomalous behaviors at connected devices)
display on a graphical user interface of an administrator device (Figure 6; column 5, lines 1-10 and column 10, lines 38-43: Here, a GUI provides the administrator results of the anomalous behavior detection analysis to monitor such operations)
It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Goradia with Apostolescu, with a reasonable expectation of success, as it would have allowed an administrator to view and monitor anomalous behaviors (Goradia: column 5, lines 1-10). This would have allowed a user the advantage of preventing these behaviors from being propagated throughout the entire system.
Additionally, Becker, which is analogous to the claimed invention because it is directed toward supervisory control, discloses:
identify a digital action taken by a client device associated with a user account (column 5, lines 1-23: Here, a digital action is received from a user)
determine a set of parameters corresponding to the digital user action (column 5, lines 1-23: Here, a set of parameters corresponding to a user action are receive)
display on a graphical user interface of an administrator device (column 5, lines 1-23: Here, anomalous actions are displayed to an administrator on a dashboard)
It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Becker with Apostolescu-Goradia, with a reasonable expectation of success, as it would have allowed for improved security by restricting access of users performing anomalous actions (Becker: column 2, lines 21-32).
Further, Venturelli, which is analogous to the claimed invention because it is directed toward using a machine learning model to identify anomalies, discloses utilizing an anomaly-detection model trained to detect anomalous actions and a confidence score indicating a likelihood of the digital user action being an anomalous action (column 19, lines 12-20: Here, a trained fraud detection machine learning model identifies an anomalous action. A confidence score (predicted likelihood) representing the anomaly is determined) and a confidence score for the anomaly satisfying a threshold confidence (column 19, lines 24-26: Here, the confidence score is compared against a threshold score to determine that the action is a fraudulent action). It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Venturelli with Apostolescu-Goria-Becker, with a reasonable expectation of success, as it would have trigger an action based upon a calculated likelihood score meeting a threshold confidence value (Venturelli: column 19, lines 12-26).
Finally, Hild, which is analogous to the claimed invention because it is directed toward performing actions responsive to determining an anomalous event, discloses:
receive data from the administrator device in response to the electronic communication indicating the digital user action of the user account as anomalous (paragraph 0014: Here, anomalous network activity is detected. This triggers an alert to a network administrator including the time of the anomaly occurrence, the portion of the network in which the anomaly occurred, any impacted components, and a level of certainty the machine learning model has in its determination of the anomaly. Further, the administrator assesses the anomaly and determines an appropriate course of action, including actions to counteract the malicious activity (paragraph 0015))
update one or more parameters of the anomaly-detection model in accordance with the data received from the administrator device in response to the electronic communications (paragraphs 0014-0015: Here, parameters are updated based upon the administrator’s course of action. This can include performing an automatic quarantine of additional changes until an administrator releases the quarantine or resetting the configuration using log files to a default configuration. Further, this can include assessing, via a machine learning model, whether the anomaly occurred as a result of configuration changes to the network, and revert to a previous configuration (Figure 4; paragraphs 0052-0055))
It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Hild with Apostolescu-Goradia-Becker-Venturelli, with a reasonable expectation of success, as it would have allowed for notifying an administrator to enable quarantining and reverting parameters to a previous configuration (Hild: paragraphs 0014-0015).
As per dependent claim 16, Apostolescu, Goradia, Becker, Venturelli, and Hild disclose the limitations similar to those in claim 15, and the same rejection is incorporated herein. Goradia discloses providing, for display on the GUI of the administrator device, the electronic communication to indicate the digital action comprises at least one of an anomalous file deletion, an anomalous file share, an anomalous file creation, an anomalous file modification, an anomalous user role modification, or an anomalous file decryption (column 4, lines 12-31; column 13, TABLE A: Here, a plurality of anomalous actions are specified, including add/delete files on storage, unauthorized sharing of data, and role modification (gain root access)).
As per dependent claim 17, Apostolescu, Goradia, Becker, Venturelli, and Hild discloses the limitations similar to those in claim 15, and the same rejection is incorporated herein. Apostolescu discloses wherein updating the one or more parameters of the anomaly-detection model comprises adjusting parameters of a machine learning model (paragraph 0041: Here, the training engine iterates through training data to adjust parameters of the model until an accuracy threshold is met).
Claims 2 and 7 are rejected under 35 U.S.C. 103 as being unpatentable over Apostolescu, Goradia, Becker, Venturelli, and Hild and further in view of Eshghi (US 2020/0076768, published 5 March 2020).
As per dependent claims 2, Apostolescu, Goradia, Becker, Venturelli, and Hild disclose the limitations similar to those in claim 1, and the same rejection is incorporated herein. Apostolescu fails to specifically disclose causing the computing system to identifying the digital action taken by the client device via a document-synchronizing platform through which multiple user accounts access, edit, or share synchronized documents.
However, Eshghi, which is analogous to the claimed invention because it is directed toward identifying anomalous actions within edits of a content management system, discloses identifying the digital action taken by the client device via a document-synchronizing platform through which multiple user accounts access, edit, or share synchronized documents (paragraph 0062: Here, an anomalous edit is identified in a content management system (document-synchronizing platform)). It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Eshghi with Apostolescu-Goradia-Becker-Venturelli-Hild, with a reasonable expectation of success, as it would have allowed for identifying of anomalous edits (Eshghi: paragraph 0062). This would have provided the advantage of preventing the editing behaviors to be synchronized with other version of the document to prevent system intrusions.
As per dependent claim 7, Apostolescu, Goradia, Becker, Venturelli, and Hild disclose the limitations similar to those in claim 1, and the same rejection is incorporated herein. Apostolescu fails to specifically disclose wherein the set of parameters corresponding to the digital action further comprises at least one of collaborator activity, a collaborator identity, a personal identifiable information (PII) classification, a time zone of the digital action, a time of user interactivity with a digital content item, historical user activity times within the content management system, user engagement data, a user device type, a user-email domain, user group similarity data, or user activity patterns.
However, Eshghi, which is analogous to the claimed invention because it is directed toward identifying anomalous actions within edits of a content management system, discloses disclose wherein the set of parameters corresponding to the digital action further comprises at least one of collaborator activity (paragraph 0062: Here, a user edit is a collaborator activity), a collaborator identity, a personal identifiable information (PII) classification, a time zone of the digital action, a time of user interactivity with a digital content item, historical user activity times within the content management system, user engagement data, a user device type, a user-email domain, user group similarity data, or user activity patterns.
It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Eshghi with Apostolescu-Goradia-Becker-Venturelli-Hild, with a reasonable expectation of success, as it would have allowed for identifying of anomalous edits (Eshghi: paragraph 0062). This would have provided the advantage of preventing the editing behaviors to be synchronized with other version of the document to prevent system intrusions.
Claims 8-10 and 13-14 are rejected under 35 U.S.C. 103 as being unpatentable over Apostolescu, Goradia, Becker, Venturelli, and Hild, and further in view of Leiderfarb et al. (US 2017/0171230, published 15 June 2017, hereafter Leiderfarb).
As per independent claim 8, Apostolescu discloses a system comprising:
at least one processor (Figure 7, item 710)
at least one non-transitory computer-readable medium storing instructions that, when executed by at least one processor (Figure 7, item 740)
cause the system to:
determine a set of parameters corresponding to the digital action comprising at least one type of digital action, a number of affected files, a file size, a user location, a time of the digital action, collaborator, data, or user role (paragraph 0043: Here, a “feature” is a type of behavior/action. For example, file size is a feature and the actual size of the file is a behavior)
based on the set of parameters, utilize an anomaly-detection model trained to detect anomalous actions to generate an anomaly indicator corresponding to the digital action (paragraph 0042: Here, a classifier is loaded and applied to the extracted behaviors to label the behavior as a “threat” or “non-threat”)
based on the anomaly indicator, provide, for display, an electronic communication indicating the digital action as anomalous (paragraph 0099: Here, a file is output with its associated label (thread/non-threat). Files that have been identified as anomalous will be output with the label “threat”)
Apostolescu fails to specifically disclose:
identify a digital action taken by a client device associated with a user account of a content management system
determine a set of parameters corresponding to the digital user action
However, Goradia, which is analogous to the claimed invention because it is directed toward detecting and displaying anomalous behaviors, discloses:
identify a digital action taken by a client device associated with a user account of a content management system (Figure 1; column 5, lines 11-19: Here, a central (content) management system is used coupled to communication systems associated with a plurality of users to exchange information. The anomalous behavior detection device (Figure 1, item 110; column 5, line 30-32) operates in the cloud to identify anomalous behaviors at connected devices)
It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Goradia with Apostolescu, with a reasonable expectation of success, as it would have allowed an administrator to view and monitor anomalous behaviors (Goradia: column 5, lines 1-10). This would have allowed a user the advantage of preventing these behaviors from being propagated throughout the entire system.
Additionally, Becker, which is analogous to the claimed invention because it is directed toward supervisory control, discloses:
identify a digital action taken by a client device associated with a user account (column 5, lines 1-23: Here, a digital action is received from a user)
determine a set of parameters corresponding to the digital user action (column 5, lines 1-23: Here, a set of parameters corresponding to a user action are receive)
display on a graphical user interface of an administrator device (column 5, lines 1-23: Here, anomalous actions are displayed to an administrator on a dashboard)
It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Becker with Apostolescu-Goradia, with a reasonable expectation of success, as it would have allowed for improved security by restricting access of users performing anomalous actions (Becker: column 2, lines 21-32).
Further, Apostolescu fails to specifically disclose:
based on the set of parameters, utilize an anomaly-detection model trained to detect anomalous actions and a confidence score indicating a likelihood of the digital user action being an anomalous action
a confidence score for the anomaly satisfying a threshold confidence
However, Venturelli, which is analogous to the claimed invention because it is directed toward using a machine learning model to identify anomalies, discloses utilizing an anomaly-detection model trained to detect anomalous actions and a confidence score indicating a likelihood of the digital user action being an anomalous action (column 19, lines 12-20: Here, a trained fraud detection machine learning model identifies an anomalous action. A confidence score (predicted likelihood) representing the anomaly is determined) and a confidence score for the anomaly satisfying a threshold confidence (column 19, lines 24-26: Here, the confidence score is compared against a threshold score to determine that the action is a fraudulent action). It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Venturelli with Apostolescu-Goria-Becker, with a reasonable expectation of success, as it would have trigger an action based upon a calculated likelihood score meeting a threshold confidence value (Venturelli: column 19, lines 12-26).
Apostolescu fails to specifically disclose:
receive data from the administrator device in response to the electronic communication indicating the digital user action of the user account as anomalous
update one or more parameters of the anomaly-detection model in accordance with the data received from the administrator device in response to the electronic communications
However, Hild, which is analogous to the claimed invention because it is directed toward performing actions responsive to determining an anomalous event, discloses:
receive data from the administrator device in response to the electronic communication indicating the digital user action of the user account as anomalous (paragraph 0014: Here, anomalous network activity is detected. This triggers an alert to a network administrator including the time of the anomaly occurrence, the portion of the network in which the anomaly occurred, any impacted components, and a level of certainty the machine learning model has in its determination of the anomaly. Further, the administrator assesses the anomaly and determines an appropriate course of action, including actions to counteract the malicious activity (paragraph 0015))
update one or more parameters of the anomaly-detection model in accordance with the data received from the administrator device in response to the electronic communications (paragraphs 0014-0015: Here, parameters are updated based upon the administrator’s course of action. This can include performing an automatic quarantine of additional changes until an administrator releases the quarantine or resetting the configuration using log files to a default configuration. Further, this can include assessing, via a machine learning model, whether the anomaly occurred as a result of configuration changes to the network, and revert to a previous configuration (Figure 4; paragraphs 0052-0055))
It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Hild with Apostolescu-Goradia-Becker-Venturelli, with a reasonable expectation of success, as it would have allowed for notifying an administrator to enable quarantining and reverting parameters to a previous configuration (Hild: paragraphs 0014-0015).
Further, Apostolescu fails to specifically disclose:
perform a remedial action within the content management system in response to the anomaly indicator identifying the digital action as anomalous
However, Leiderfarb, which is analogous to the claimed invention because it is directed toward detecting and remediating anomalous actions, discloses perform a remedial action within the content management system in response to the anomaly indicator identifying the digital action as anomalous (paragraphs 0153-0161: Here, anomalous (malicious) content is identified and remediated. This includes stopping the malicious process from running, deleting/quarantining malicious files, reverting changes to the registry, and removing created kernel objects). It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Leiderfarb with Apostolescu-Goradia-Becker-Venturelli-Hild, with a reasonable expectation of success, as it would have provided a remediation strategy for anomalous activities (Leiderfarb: paragraphs 0153-0161). This would have allowed for reverting a system back to the pre-attack state and prevented the anomalous activities from infecting the machine and connected machines.
As per dependent claim 9, Apostolescu, Goradia, Becker, Venturelli, Hild, and Leiderfarb disclose the limitations similar to those in claim 8, and the same rejection is incorporated herein. Apostolescu discloses based on the anomaly indicator, provide, for display, an electronic communication indicating the digital action as anomalous (paragraph 0099: Here, a file is output with its associated label (thread/non-threat). Files that have been identified as anomalous will be output with the label “threat”).
Apostolescu fails to specifically disclose providing, for display on a GUI of the administrator device, the electronic communication to indicate the digital action comprises at least one of an anomalous file deletion, an anomalous file share, an anomalous file creation, an anomalous file modification, an anomalous user role modification, or an anomalous file decryption.
However, Goradia, which is analogous to the claimed invention because it is directed toward detecting and displaying anomalous behaviors, discloses providing, for display on a GUI of the administrator device (Figure 6; column 5, lines 1-10 and column 10, lines 38-43: Here, a GUI provides the administrator results of the anomalous behavior detection analysis to monitor such operations), the electronic communication to indicate the digital action comprises at least one of an anomalous file deletion, an anomalous file share, an anomalous file creation, an anomalous file modification, an anomalous user role modification, or an anomalous file decryption (column 4, lines 12-31; column 13, TABLE A: Here, a plurality of anomalous actions are specified, including add/delete files on storage, unauthorized sharing of data, and role modification (gain root access)).
It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Goradia with Apostolescu, with a reasonable expectation of success, as it would have allowed an administrator to view and monitor anomalous behaviors (Goradia: column 5, lines 1-10). This would have allowed a user the advantage of preventing these behaviors from being propagated throughout the entire system.
As per dependent claim 10, Apostolescu, Goradia, Becker, Venturelli, Hild, and Leiderfarb disclose the limitations similar to those in claim 8, and the same rejection is incorporated herein. Leiderfarb discloses performing the remedial action by automatically recovering one or more deleted digital content items, restricting the user account corresponding to the digital action from performing additional actions, or modifying a user permission of the user account (paragraphs 0153-0161: Here, anomalous (malicious) content is identified and remediated. This includes stopping the malicious process from running, deleting/quarantining malicious files, reverting changes to the registry (recovering deleted digital content items), and removing created kernel objects). It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Leiderfarb with Apostolescu-Goradia-Becker-Venturelli-Hild, with a reasonable expectation of success, as it would have provided a remediation strategy for anomalous activities (Leiderfarb: paragraphs 0153-0161). This would have allowed for reverting a system back to the pre-attack state and prevented the anomalous activities from infecting the machine and connected machines.
As per dependent claim 13, Apostolescu, Goradia, Becker, Venturelli, Hild, and Leiderfarb disclose the limitations similar to those in claim 8, and the same rejection is incorporated herein. Goradia discloses providing the electronic communication indicating the digital action as anomalous based on the digital action satisfying an alert threshold representing one or more of a severity level of the digital action or a sensitivity level of the anomaly indicator from the anomaly-detection model (column 6, lines 27-35 and column 11, lines 3-8: Here, a threat score is associated with each detected action. Actions that have a threat score below a threshold are labeled as “safe,” while those having a threat score above a threshold are labeled as “unsafe”).
It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Goradia with Apostolescu, with a reasonable expectation of success, as it would have allowed for labeling items as safe/unsafe based upon a metric (Goradia: column 11, lines 3-8). This would have provided a user the advantage of viewing the labeled data and would have avoided relying upon the user to mentally identify this threshold.
As per dependent claim 14, Apostolescu, Goradia, Becker, Venturelli, Hild, and Leiderfarb disclose the limitations similar to those in claim 13, and the same rejection is incorporated herein. Goradia discloses providing a notification via a user interface to an administrative user based upon a severity level (column 6, lines 27-35 and column 11, lines 3-8: Here, a threat score is associated with each detected action. Actions that have a threat score below a threshold are labeled as “safe,” while those having a threat score above a threshold are labeled as “unsafe.” In this instance, those actions above a threshold and labeled as “unsafe” are interpreted as those actions having a high severity level).
Additionally Leiderfarb discloses performing the remedial action (paragraphs 0153-0161: Here, anomalous (malicious) content is identified and remediated. This includes stopping the malicious process from running, deleting/quarantining malicious files, reverting changes to the registry (recovering deleted digital content items), and removing created kernel objects). It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Leiderfarb with Apostolescu-Goradia-Becker-Venturelli-Hild, with a reasonable expectation of success, as it would have provided a remediation strategy for anomalous activities (Leiderfarb: paragraphs 0153-0161). This would have allowed for reverting a system back to the pre-attack state and prevented the anomalous activities from infecting the machine and connected machines.
Claims 11-12 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Apostolescu, Goradia, Becker, Venturelli, Hild, and Leiderfarb and further in view of Yao et al. (US 2020/0004808, published 2 January 2020, hereafter Yao).
As per dependent claim 11, Apostolescu, Goradia, Becker, Venturelli, Hild, and Leiderfarb disclose the limitations similar to those in claim 8, and the same rejection is incorporated herein. Apostolescu fails to specifically disclose providing, for display on the graphical user interface of an administrator device, an electronic communication to indicate the performed remedial action.
However, Goradia, which is analogous to the claimed invention because it is directed toward detecting and displaying anomalous behaviors, discloses providing, for display on a GUI of the administrator device (Figure 6; column 5, lines 1-10 and column 10, lines 38-43: Here, a GUI provides the administrator results of the anomalous behavior detection analysis to monitor such operations), the electronic communication to indicate the digital action comprises at least one of an anomalous file deletion, an anomalous file share, an anomalous file creation, an anomalous file modification, an anomalous user role modification, or an anomalous file decryption (column 4, lines 12-31; column 13, TABLE A: Here, a plurality of anomalous actions are specified, including add/delete files on storage, unauthorized sharing of data, and role modification (gain root access)).
Additionally, Leiderfarb, which is analogous to the claimed invention because it is directed toward detecting and remediating anomalous actions, discloses perform a remedial action within the content management system in response to the anomaly indicator identifying the digital action as anomalous (paragraphs 0153-0161: Here, anomalous (malicious) content is identified and remediated. This includes stopping the malicious process from running, deleting/quarantining malicious files, reverting changes to the registry, and removing created kernel objects). It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Leiderfarb with Apostolescu-Goradia-Becker-Venturelli-Hild, with a reasonable expectation of success, as it would have provided a remediation strategy for anomalous activities (Leiderfarb: paragraphs 0153-0161). This would have allowed for reverting a system back to the pre-attack state and prevented the anomalous activities from infecting the machine and connected machines.
Finally, Yao discloses an electronic communication to indicate the performed action (Figures 4 and8; paragraphs 0045 and 0074-0075: Here, a user is notified of a modification and they are prompted with the ability to continue editing or to undo the edit). It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Yao with Apostolescu-Goradia-Becker-Venturelli-Hild-Leiderfarb, with a reasonable expectation of success, as it would have allowed a user to either confirm or deny proposed actions (Yao: Figure 8; paragraphs 0074-0075). This would have allowed a user greater control over actions performed by the system.
As per dependent claim 12, Apostolescu, Goradia, Becker, Venturelli, Hild, Leiderfarb, and Yao disclose the limitations similar to those in claim 11, and the same rejection is incorporated herein. Yao discloses providing, for display on the graphical user interface, a selectable option to cancel the remedial action (Figure 8; paragraphs 0074-0075). It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Yao with Apostolescu-Goradia-Becker-Venturelli-Hild-Leiderfarb, with a reasonable expectation of success, as it would have allowed a user to either confirm or deny proposed actions (Yao: Figure 8; paragraphs 0074-0075). This would have allowed a user greater control over actions performed by the system.
As per dependent claim 19, Apostolescu, Goradia, Becker, Venturelli, and Hild, disclose the limitations similar to those in claim 15, and the same rejection is incorporated herein. Apostolescu discloses modifying the anomaly-detection model (paragraph 0041). Apostolescu fails to specifically disclose:
providing, for display on the GUI of the administrator device, a selectable option for remedial action in response to the digital action
receiving, from the administrator device, a selection of the selectable option for the remedial action or no selection of the selectable option for the remedial action
However, Leiderfarb, which is analogous to the claimed invention because it is directed toward detecting and remediating anomalous actions, discloses perform a remedial action within the content management system in response to the anomaly indicator identifying the digital action as anomalous (paragraphs 0153-0161: Here, anomalous (malicious) content is identified and remediated. This includes stopping the malicious process from running, deleting/quarantining malicious files, reverting changes to the registry, and removing created kernel objects). It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Leiderfarb with Apostolescu-Goradia-Becker-Venturelli-Hild, with a reasonable expectation of success, as it would have provided a remediation strategy for anomalous activities (Leiderfarb: paragraphs 0153-0161). This would have allowed for reverting a system back to the pre-attack state and prevented the anomalous activities from infecting the machine and connected machines.
Finally, Yao discloses receiving, from the device, a selection of the selectable option for the remedial action or no selection of the selectable option for the remedial action (Figures 4 and8; paragraphs 0045 and 0074-0075: Here, a user is notified of a modification and they are prompted with the ability to continue editing or to undo the edit). It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Yao with Apostolescu-Goradia-Becker-Venturelli-Hild-Leiderfarb, with a reasonable expectation of success, as it would have allowed a user to either confirm or deny proposed actions (Yao: Figure 8; paragraphs 0074-0075). This would have allowed a user greater control over actions performed by the system.
Claims 18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Apostolescu, Goradia, Becker, Venturelli, Hild, and further in view of Jones et al. (US 9537880, patented 3 January 2017, hereafter Jones).
As per dependent claim 18, Apostolescu, Goradia, Becker, Venturelli, and Hild disclose the limitations similar to those in claim 17, and the same rejection is incorporated herein. Apostolescu discloses training a machine learning model based to determine anomalous data (paragraph 0041).
Apostolescu fails to specifically disclose data identifying characteristics corresponding to a group of users. However, Jones, which is analogous to the claimed invention because it is directed toward detecting anomalous behavior, discloses data identifying characteristics corresponding to a group of users (column 4, lines 6-27: Here, an administrator reviews accounts of a group of users associated with a specific type of behavior that indicates a compromised account). It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Jones with Apostolescu-Goradia-Becker-Venturelli-Hild, with a reasonable expectation of success, as it would have allowed for monitoring a group of users engaged in specific behavior (column 4, lines 6-27). This would have facilitated identifying users engaged in malicious activities based upon anomalous behaviors.
As per dependent claim 20, Apostolescu, Goradia, Becker, Venturelli, and Hild disclose the limitations similar to those in claim 15, and the same rejection is incorporated herein. Apostolescu discloses modifying the anomaly-detection model (paragraph 0041).
Apostolescu fails to specifically disclose the data indicating the response for at least one of a user type for the user account, an account type associated with the user account, or a group of the content management system associated with the user account. However, Jones, which is analogous to the claimed invention because it is directed toward detecting anomalous behavior, discloses the data indicating the response for at least one of a user type for the user account, an account type associated with the user account, or a group of the content management system associated with the user account (column 4, lines 6-27: Here, an administrator reviews accounts of a group of users associated with a specific type of behavior that indicates a compromised account). It would have been obvious to one of ordinary skill in the art at the time of the applicant’s effective filing date to have combined Jones with Apostolescu-Goradia-Becker-Venturelli-Hild, with a reasonable expectation of success, as it would have allowed for monitoring a group of users engaged in specific behavior (column 4, lines 6-27). This would have facilitated identifying users engaged in malicious activities based upon anomalous behaviors.
Response to Arguments
Applicant’s arguments have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Apostolescu, Goradia, Becker, Venturelli, and Hild.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Kraus et al. (US 2020/0285737): Discloses a machine learning model for testing for anomalies and taking action based upon identifying anomalies, such as preventing access (Figure 9, item 910), terminating access (Figure 9, item 912), generating an alert (Figure 9, item 914), and configuring the tool (Figure 9, item 904)
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KYLE R STORK whose telephone number is (571)272-4130. The examiner can normally be reached 8am - 2pm; 4pm - 6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Omar Fernandez Rivas can be reached at 571/272-2589. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/KYLE R STORK/Primary Examiner, Art Unit 2128