Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
2. This is in response to the amendments filed on 08/14/2025. Claims 1, 12 and 20 have been amended. Claims 1-5, 8-16, 19-21 and 31-33 are currently pending and have been considered below.
Response to Arguments
3. Applicant’s arguments filed on 08/14/2025 have been fully considered but they are not persuasive. In the Remarks, Applicant argues that several features in the pending claims are not taught by any of the cited prior art references. The examiner respectfully disagrees.
The reference of Rubin:
First, in response to applicant's argument that several features in the pending claims are neither taught nor suggested in any of the cited prior art references, it is noted that Rubin at Para.0057, Para.0294, Para.0061 and Para.0051 discloses, “a login …. event”, “an event … pattern… that tends to be used by attackers”, “to identify illicit …. pattern … time …. between the second-computer-login and the third-computer-login is less than a predetermined …. time… or …. less than five minutes”, “a pattern of consistent …. data transfers between networked computers….” which the examiner interpreted as being the claimed “identifying point-in-time anomalies having values that remain the same during a predetermined time period….”; the illicit pattern associated with one login event is equivalent to the claimed point-in-time anomaly. Also, Rubin at Para.0074, Para.0051 and Para.0082 discloses, “…. illicit…. sequence …. of events… including a login … to a first computer …. followed by a data transfer …. to the first computer, followed by a login … to a second computer….”, “illicit …movement detection… a pattern of consistent … data transfers between networked computers”, “time between two login times is less than two minutes…”, which the examiner interpreted as being the claimed “volumetric anomalies having values that remain the same during …. predetermined time period”, because a two-minute time to transfer a group of data or login events is equivalent to volumetric anomalies having the same values during a predetermined time period. Also, Rubin at Para.0028, Para.0264, discloses, “detecting anomalies…based on logged behavior ...”, “identify a login event”, which the examiner interpreted as being the claimed “identifying point-in-time anomalies and volumetric anomalies from the near real-time application events”. In addition, Rubin at Para.0075 discloses, “score …. based …. time …. between logins to …. computers …. difference between a transfer size …. to a computer …”, which the examiner interpreted as being the claimed “generating a risk score for the identified point-in-time anomalies and the volumetric anomalies”.
The reference of Dodson:
It is noted that Dodson at Para.0029, Para.0037 and Para.0063 discloses, “each data instance is comprised of … principle value … measured for anomalies…”, “grouping the data instance… time frame or portion of total time for which data instances were collected”, “grouping the data instances into groups based on continuous time” which the examiner interpreted as being the claimed “identifying …. anomalies…. having values that remain the same during each fraction of the …. time period”, because a portion of the total time is equivalent to each fraction of the time period, and the data instances are comprised of a principle value which is associated with anomalies related to a particular user; for every anomalous event, the principle value is fixed, so it is construed that the anomalies contain values which are the same/fixed for a user.
The reference of Visbal:
It is noted that Visbal at Para.0061, Para.0060 discloses, “calculates weightings for …. calculation of threat …scores, the weights used for each data source …. a value …. for a data source …. of its IP addresses …. involved in actual threats”, “weightings …. determined in …. scheduled manner, such as nightly….”, which the examiner interpreted as being the claimed “generating a batch risk score from a batch process”. Also, Visbal at Para.0075, Para.0066 discloses, “IP addresses …. of data sources …. future threats …. involved in actual past threat events…. threat …score …. of …. combined ….”, “the threat …. score …. calculated based on a probability of a given IP address being involved in an actual threat based on the historical …. threat …” which the examiner interpreted as being the claimed “combining the risk score with the batch risk score”.
The reference of Berman:
It is noted that Berman at Para.0105, Para.0078, Para.0085 discloses: “calculate risk scores, based on the accident history and the real-time condition”, “combine … historical accident data and… roadway features to compute the likelihood of having an accident on a specific road …”, “computes the real-time risk score of the given condition... (e.g., weather”, which the examiner interpreted as being the claimed “combining …generate a near real-time risk score” because the broadest reasonable interpretation of the claimed “combining ….generate a near real-time risk score” includes computing or generating a real-time risk score based on the combination of historical/previous accident data and data containing the likelihood of having an accident on the specific road because of a certain weather condition.
The reference of Balabine:
It is noted that Balabine at Para.0112 discloses: “weight of event becomes negligible at the end of the statutory period. For example, …. after 30 days the time decay factor of an event is equal to 0.01” which the examiner interpreted as being the claimed “identifying …. anomalies having decayed values after the predetermined time period has expired…” because the broadest reasonable interpretation of the claimed “identifying …. anomalies having decayed values after the predetermined time period has expired…” includes the weight of an anomalous event becoming negligible or having a decayed value after 30 days; “after 30 days the time decay factor of an event is equal to 0.01” is equivalent to: after a predetermined time period/after a certain time period, or when 30 days are over, the time decay factor of an event is equal to 0.01, indicating that the anomalies have decayed or negligible values. Also, Balabine at Para.0107, Para.0106 discloses: “a time decay factor is based at least in part on an elapsed time …associated with the … anomalous activities of the user”, “anomalous activities of the user are determined…. correspond to one or more second time periods prior to a first time period that is used as the basis to compute a current risk …..” which the examiner interpreted as being the claimed “anomalies having decayed values for each fraction of a plurality of fractions of the predetermined time period”, because the broadest reasonable interpretation of the claimed “anomalies having decayed values for each fraction of the predetermined time period” includes anomalous activities having a time decay factor based at least in part on an elapsed time; the anomalies start having decayed values in any part of the elapsed time/each fraction of the certain time period. Any part of the elapsed time within one or more second time periods prior to a first time period is equivalent to the claimed “each fraction of a plurality of fractions of the …. time period”.
In addition, Balabine at Para.0113 discloses: “the time decay factor of the event becomes negligible …. at the 30 day mark” which the examiner interpreted as being the claimed “anomalies having decayed values ….after a preceding fraction of the predetermined time period has expired” because the broadest reasonable interpretation of the claimed “anomalies having decayed values ….after a preceding fraction of the predetermined time period has expired” includes anomalies starting to have decayed values within the 30 days’ time/in part/a fraction of the 30-day period of time; when the 30 days are over, the time decay factor is very low/the anomaly value is decayed, which is thus interpreted as “anomalies having decayed values ….after a preceding fraction of the predetermined time period has expired”.
It is clearly indicated that Rubin, Dodson, Visbal, Berman and Balabine teach all the features in pending claim 1, and the rejection of such is sustained below.
Applicant's further arguments with respect to claim(s) 31-33 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
4. Claims 1-4, 8-15, 19-20 and 28-30 are rejected under AIA 35 U.S.C. 103 as being unpatentable over Rubin et al. (US 20210243208 A1) in view of Dodson et al. (US 20180316707 A1) in view of Visbal et al. (US 20190158515 A1) also in view of Berman et al. (US 20220276063 A1) and further in view of Balabine et al. (US 20190081967 A1).
Regarding Claim 1:
Rubin discloses:
a. A system, (Para.0056; “system”) comprising:
b. a processor; (Para.0056; “a processor”) and
a memory coupled with and readable by the processor and storing therein a set of instructions which, (Para.0056; “a memory”) when executed by the processor, causes the processor to generate risk scores (Para.0056, Para.0055; “The processor …. perform steps for detecting illicit …. movement”, “computing an… score… indicates … that a detected…. movement times (durations) ….data transfer sizes”) in near real-time (Para.0038; “portion of the data …. representative of real-world items”) by:
c. …identifying anomalies in the application events, (Para.0061, Para.0051; “to identify illicit …. pattern …. between the second-computer-login and the third-computer-login ….”, “a pattern of consistent …. data transfers between networked computers….”)
d. …. the anomalies include identifying point-in-time anomalies (Para.0057, Para.0294; “a login …. event”, “an event … pattern… that tends to be used by attackers”) having values that remain the same during a predetermined time period (Para.0061, Para.0051; “to identify illicit …. pattern … time …. between the second-computer-login and the third-computer-login is less than a predetermined …. time… or …. less than five minutes”, “a pattern of consistent …. data transfers between networked computers….”) and volumetric anomalies (Para.0074; “…. illicit…. sequence …. of events… including a login … to a first computer …. followed by a data transfer …. to the first computer, followed by a login … to a second computer….”) having values that remain the same during …. predetermined time period; (Para.0051, Para.0082; “illicit …movement detection… a pattern of consistent … data transfers between networked computers”, “time between two login times is less than two minutes…” two minutes time to transfer group of data or events is construed as volumetric anomalies having same values during predetermined time period)
training models (Para.0210; “model trained for …. anomaly detection…. model …include …machine learning model”) …. to identify the point-in-time anomalies and the volumetric anomalies; (Para.0210, Para.0094, and Para.0211; “cybersecurity anomaly detection… the number of times user accessed resource …”,”a logon event from a …computer to a …computer”, “sequence of events”)
identifying point-in-time anomalies and volumetric anomalies from the near real-time application events (Para.0028, Para.0264, Para.0265; “detecting anomalies…based on logged behavior ...”, “identify a login event”, “identify a data transfer event”) based on the trained models; (Para.0078; “…. from a trained machine learning model …. identify ….. anomalies”)
e. generating a risk score (Para.0078; “obtain …. from a trained machine learning model …. an …. score”) for the identified point-in-time anomalies and the volumetric anomalies based on the trained models; (Para.0075, Para.0264, Para.0265; “score …. based …. time …. between logins to …. computers …. difference between a transfer size …. to a computer …”, “identify a login event”, “identify a data transfer event”) ….
however, Rubin does not explicitly disclose:
c. generating a batch risk score from a batch process regarding application events associated with an application;
d. the anomalies include point-in-time anomalies having values that remain the same during a predetermined time period and volumetric anomalies having values that remain the same during each fraction of the predetermined time period;
….in the batch process to identify the point-in-time anomalies and the volumetric anomalies;
receiving near real-time application events associated with the application in near real-time after generating the batch risk score;
e. …. combining the risk score with the batch risk score to generate a near real-time risk score; and
f. identifying point-in-time anomalies having decayed values after the predetermined time period has expired and volumetric anomalies having decayed values for each fraction of a plurality of fractions of the predetermined time period after a preceding fraction of the predetermined time period has expired.
In an analogous reference Dodson discloses:
d. … the anomalies include identifying point-in-time anomalies (Para.0055; “generating anomaly … for each of the data instances …”) having values that remain the same (Para.0054; “The data instances …comprise …one principle value….” explained in later citations) during a …. time period (Para.0053 and Para.0055; “detecting anomalous activity… of data instance… for a time”, “generating anomaly …for each of the data instances over continuous time”) and volumetric anomalies (Para.0037; “to perform anomaly detection by bucketing (e.g., grouping) the data instances …”) having values that remain the same (Para.0029 and Para.0031; “each data instance is comprised of … principle value … measured for anomalies…”, “a principle value comprises … “log on time”, … include users, … login locations” as every data instance (volumetric anomalies are construed as grouped data instances) is comprised of a principle value which is associated with anomalies related to a particular user; for every anomalous event, the principle value is fixed, so it is construed that volumetric anomalies contain values which are the same/fixed for a user) during each fraction of the ….time period; (Para.0037 and Para.0063; “grouping the data instance… time frame or portion of total time for which data instances were collected”, “grouping the data instances into groups based on continuous time”)
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Rubin’s method of detecting illicit lateral movement by enhancing Rubin’s method to include Dodson’s method of outlier and singularity identification.
The motivation: by determining anomalies within specific time fractions of a dataset, it is possible to identify data points significantly deviating from the expected pattern within each time window.
however, Rubin in view of Dodson does not explicitly disclose:
c. generating a batch risk score from a batch process regarding application events associated with an application;
d. …. in the batch process to identify the point-in-time anomalies and the volumetric anomalies;
receiving near real-time application events associated with the application in near real-time after generating the batch risk score;
e. …. combining the risk score with the batch risk score to generate a near real-time risk score; and
f. identifying point-in-time anomalies having decayed values after the predetermined time period has expired and volumetric anomalies having decayed values for each fraction of a plurality of fractions of the predetermined time period after a preceding fraction of the predetermined time period has expired.
In an analogous reference Visbal discloses:
c. generating a batch risk score from a batch process (Para.0061, Para.0060; “calculates weightings for …. calculation of threat …scores, the weights used for each data source …. a value …. for a data source …. of its IP addresses …. involved in actual threats”, “weightings …. determined in …. scheduled manner, such as nightly….”) regarding application events associated with an application; (Para.0031; “data sources, such as mobile computing devices...provide …. data regarding network security events…. installed on the mobile device …. a log of potential threats”)
d. …. in the batch process (Para.0098, Para.0060; “… IP reputation system …. a special-purpose machine …. perform the operations”, “the IP reputation system … maintain a list of …. security threats … in …scheduled manner, such as nightly…”) to identify the point-in-time anomalies (Para.0072, Para.0073; “the IP reputation system …. accesses threat risk instances …. regarding the particular IP address…. 110.110.110.110 appears … 500 times”, “each threat…. for each of the 500 times that the IP address 110.110.110.110 appears …. with each occurrence” threat created from each occurrence of threat risk instance is construed as the point-in-time anomalies) and the volumetric anomalies; (Para.0072; “…. threat risk instances ….” threat created from occurrence of group of multiple threat risk instances are construed as the volumetric anomalies)
receiving near real-time application events associated with the application (Para.0075, Para.0072; “receives input from data sources ….20% of the IP addresses …. predicted as future threats …. 20% chance that …. IP address on …. these lists … involved in an actual threat event….”, “data source regarding the particular IP address….. 110.110.110.110 ….” Receiving input from data sources is construed as receiving the application events which will be actual threat, based on the prediction from their actual occurrence previously) in near real-time (Para.0060; “…. threat risk from that data source….in real-time …”) after generating the batch risk score; (Para.0075, Para.0060; “IP reputation system …. calculates a threat score for the IP address … of data sources …. involved in ….. past threat events….”, “scheduled manner, such as nightly based …. threat data received from …. sources and confirmed threats …. Associated…. to previously received threat data” after the occurrence of the scheduled event and generated risk score, actual real time threat occurred, which is construed as receiving the application events after generating the batch risk score)
e. …combining the risk score with the batch risk score (Para.0075, Para.0066; “IP addresses …. of data sources …. future threats …. involved in actual past threat events…. threat …score …. of …. combined probability….”, “the threat …. score …. calculated based on a probability of a given IP address being involved in an actual threat based on the historical …. threat …”) ….
f. identifying point-in-time anomalies having decayed values …. time period ….and volumetric anomalies having decayed values …. of the …. time period …. (Visbal, Para.0086, Para.0072; “… over time…. decay rate …. for the threat …scores ….”, “threat risk instances …. regarding the particular IP address”)
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Rubin in view of Dodson’s method of detecting illicit lateral movement by enhancing Rubin in view of Dodson’s method to include Visbal’s method for generating a threat score of a plurality of IP addresses in order to include batch risk score from a batch process.
The motivation: batch risk score generated from a batch process offers several benefits, including increased efficiency, improved accuracy in risk assessment, better quality control, and the ability to identify potential issues early on by analyzing large datasets of data together, allowing for proactive risk mitigation strategies across a whole batch of transactions or operations.
however, Rubin in view of Dodson and in view of Visbal does not explicitly disclose:
e. …combining …. to generate a near real-time risk score; and
f. identifying … anomalies having decayed values after the predetermined time period has expired and …. anomalies having decayed values for each fraction of a plurality of fractions of the predetermined time period after a preceding fraction of the predetermined time period has expired.
In an analogous reference Berman discloses:
e. …. combining …. (Para.0078, Para.0085; “combine … historical accident data and… roadway features to compute the likelihood of having an accident on a specific road …”, “computes the real-time risk score of the given condition...”) to generate a near real-time risk score. (Para.0105; “calculate risk scores, based on the accident history and the real-time condition”); and….
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Rubin in view of Dodson and in view of Visbal’s method of detecting illicit lateral movement by enhancing Rubin in view of Dodson and in view of Visbal’s method to include Berman’s method for vehicular navigation assessed based on risk tolerance.
The motivation: a new risk score that combines the score generated in a previous mode with dynamic updates that are on demand or currently ongoing helps to identify anomalies properly.
however, Rubin in view of Dodson also in view of Visbal and further in view of Berman does not explicitly disclose:
f. identifying … anomalies having decayed values after the predetermined time period has expired and …. anomalies having decayed values for each fraction of a plurality of fractions of the predetermined time period after a preceding fraction of the predetermined time period has expired.
In an analogous reference Balabine discloses:
o. identifying ……anomalies having decayed values after the predetermined time period has expired (Para.0099 and Para.0112; “w is the… weight … of the anomalous activity by a user or an anomalous event,”, “the weight of event becomes negligible... after 30 days the time decay factor of an event ...” the weight of an anomalous event becoming negligible after 30 days and an amount of time decay factor is construed as: after a certain time period/after a certain time period has expired, the anomalies have decayed values) and … anomalies having decayed values for each fraction of a plurality of fractions of the predetermined time period (Para.0107, Para.0106; “one or more …values of …risk metrics are determined by applying a time decay … time decay factor is based at least in part on an elapsed time …associated with the … anomalous activities of the user and a time associated with the latest anomalous activity of the user”, “anomalous activities of the user are determined…. correspond to one or more second time periods prior to a first time period that is used as the basis to compute a current risk …..” the time decay factor of one type of anomalous activity being based at least in part on an elapsed time is construed as anomalies starting to have decayed values over time/each part/fraction of the predetermined time period; any part of the elapsed time within one or more second time periods prior to a first time period is construed as the claimed “each fraction of a plurality of fractions of the predetermined time period”) after a preceding fraction of the predetermined time period has expired. (Para.0113; “the time decay factor of the event becomes negligible at the end of the … period… in graph 1200, the time decay factor is nearly negligible at the 30 day mark.” one type of anomaly starts having decayed values within the 30 days’ time/in part/a fraction of the 30-day period of time, and the negligible time decay factor at 30 days indicates that after the preceding fraction of the predetermined time period has expired, or when at least a part of the 30 days and the total 30 days are over, the time decay factor is very low/the anomaly value is decayed)
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Rubin in view of Dodson also in view of Visbal and further in view of Berman’s method of detecting illicit lateral movement by enhancing Rubin in view of Dodson also in view of Visbal and further in view of Berman’s method to include Balabine’s method of determining risk associated with anomalous behavior of a user over a certain period in order to include time decaying aspects of the anomalous activities.
The motivation: a time-decaying graph or computation ensures that more recent anomalous activities are weighted and observed more than the older values over the entire time slot. Also, observing the activities or events that occurred allows anomalies in events or activities to be detected smoothly, and any suspicious user can be identified easily for a specific period.
With respect to independent claims 12 and 20, a corresponding reasoning was given earlier in this section with respect to claim 1; therefore, claims 12 and 20 are rejected, for similar reasons, under the grounds as set forth for claim 1.
Regarding Claim 2:
Rubin in view of Dodson in view of Visbal also in view of Berman and further in view of Balabine discloses:
g. The system of claim 1, wherein identifying anomalies from the near real-time application events further comprises extracting features from each near real-time application (Dodson, Para.0083; Para.0084 and Para.0088; “a step 506 of extracting….”, “each feature … component can be… users who have CPU usage in a specified range”, “performing outlier… detection… based on similarities in feature values. For example, data instances of multiple tenants that have approximately similar CPU, memory, bandwidth”) at one time. (Dodson, Para.0079; “When outlier …are adjusted, changes … visible in real-time.”)
With respect to dependent claim 13, a corresponding reasoning was given earlier in this section with respect to claim 2; therefore, claim 13 is rejected, for similar reasons, under the grounds as set forth for claim 2.
Regarding Claim 3:
Rubin in view of Dodson in view of Visbal also in view of Berman and further in view of Balabine discloses:
h. The system of claim 1, wherein identifying anomalies from the near real-time application events further comprises using models trained from extracted features (Berman, Para.0078; “statistical regression models that are based on roadway features to compute the likelihood of having an accident on a specific road segment”) from application events processed during the batch process. (Berman, Para.0078; “historical accident”)
With respect to dependent claim 14, a corresponding reasoning was given earlier in this section with respect to claim 3; therefore, claim 14 is rejected, for similar reasons, under the grounds as set forth for claim 3.
Regarding Claim 4:
Rubin in view of Dodson in view of Visbal also in view of Berman and further in view of Balabine discloses:
i. The system of claim 3, wherein the extracted features from application events processed during the batch process include features extracted from each application event at one time and features extracted from multiple application events at one time. (Visbal, Para.0060; “various data sources against …. security threats… nine days after …there is a threat risk associated with the IP address…. in …..scheduled manner, such as nightly”)
With respect to dependent claim 15, a corresponding reasoning was given earlier in this section with respect to claim 4; therefore, claim 15 is rejected, for similar reasons, under the grounds as set forth for claim 4.
Regarding Claim 8:
Rubin in view of Dodson in view of Visbal also in view of Berman and further in view of Balabine discloses:
j. The system of claim 1, further comprising: comparing the near real-time risk score with a predetermined threshold; (Dodson, Para.0056; “an anomaly score is a …measure of how … unusual the deviation… the anomaly score… does not allow this to exceed … more than a certain value” a certain value is construed as predetermined threshold as the value is already determined) and initiating an action if near real-time risk score exceeds the predetermined threshold. (Dodson, Para.0056; “generate alerts … based on the anomaly score, i.e., the system … does not allow this to exceed … more than a certain value”)
With respect to dependent claim 19, a corresponding reasoning was given earlier in this section with respect to claim 8; therefore, claim 19 is rejected, for similar reasons, under the grounds as set forth for claim 8.
Regarding Claim 9:
Rubin in view of Dodson in view of Visbal also in view of Berman and further in view of Balabine discloses:
k. The system of claim 8, wherein initiating an action if the near real-time risk score exceeds the predetermined threshold (Dodson, Para.0056; “generate alerts … based on the anomaly score, i.e., the system … does not allow this to exceed … more than a certain value”) further comprises requesting additional information for entity authentication. (Dodson, Para.0058; “all devices … used to access a particular database use a higher level of authentication in response to detecting anomalous activity (e.g., high level of access requests)”)
Regarding Claim 10:
Rubin in view of Dodson in view of Visbal also in view of Berman and further in view of Balabine discloses:
l. The system of claim 8, wherein initiating an action if the near real-time risk score exceeds the predetermined threshold further comprises requesting a detailed investigation in response to an alert notification. (Dodson, Para.0058; “the system can suggest that users not be allowed to log in from remote locations if … indicate that users are logging in after permissible log in hours when remote” a suggestion to prevent a user from logging in from a remote location can be helpful to identify a suspected or specific user, which is construed as requesting a detailed investigation in response to an alert notification)
Regarding Claim 11:
Rubin in view of Dodson in view of Visbal also in view of Berman and further in view of Balabine discloses:
m. The system of claim 8, wherein initiating an action (Rubin, Para.0258; “raising an alert”) if the near real-time risk score exceeds the predetermined threshold further comprises displaying a graphical representation of the near real-time risk score. (Para.0257, Para.0258, Para.0237; “sequence of events”, “report ..by…displaying on a screen… sending an email or text or voicemail”, “score; ….numeric….“legitimate” or “suspect””)
Claims 5, 16 and 21 are rejected under AIA 35 U.S.C. 103 as being unpatentable over Rubin et al. (US 20210243208 A1) in view of Dodson et al. (US 20180316707 A1) in view of Visbal et al. (US 20190158515 A1) also in view of Berman et al. (US 20220276063 A1) and in view of Balabine et al. (US 20190081967 A1) and further in view of Danichev et al. (US 20180241654 A1).
Regarding Claim 5:
Rubin in view of Dodson in view of Visbal also in view of Berman and further in view of Balabine discloses:
n. The system of claim 1, wherein the volumetric anomalies …
Rubin in view of Dodson in view of Visbal also in view of Berman and further in view of Balabine does not explicitly disclose:
n. … the volumetric anomalies include compared to self-volumetric anomalies and compared to others volumetric anomalies.
In an analogous reference, Danichev discloses:
n. … the volumetric anomalies include compared to self-volumetric anomalies (Para.0063; “if more than a certain number of events are each greater than a threshold, then … then an anomaly is said to have been detected.”) and compared to others volumetric anomalies. (Para.0063; “if more than a certain number of events are each greater than a lower threshold”; the events that are greater than a higher threshold are construed as self-volumetric anomalies, and the events that are greater than a lower threshold are construed as others volumetric anomalies)
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Rubin in view of Dodson in view of Visbal also in view of Berman and further in view of Balabine’s method of detecting illicit lateral movement to include Danichev’s method of anomaly detection in order to include different types of anomalous activities.
The motivation: different types of anomalous activities help to analyze the suspicious events or activities occurring at a particular time, and they are also easier to compare against a certain threshold or baseline value.
With respect to dependent claims 16 and 21, a corresponding reasoning was given earlier in this section with respect to claim 5; therefore, claims 16 and 21 are rejected, for similar reasons, under the grounds as set forth for claim 5.
Claims 31-33 are rejected under AIA 35 U.S.C. 103 as being unpatentable over Rubin et al. (US 20210243208 A1) in view of Dodson et al. (US 20180316707 A1) in view of Visbal et al. (US 20190158515 A1) also in view of Berman et al. (US 20220276063 A1) and in view of Balabine et al. (US 20190081967 A1) and further in view of Wade et al. (US 20100153157 A1).
Regarding Claim 31:
Rubin in view of Dodson in view of Visbal also in view of Berman and further in view of Balabine discloses:
The system of claim 1, wherein the predetermined time period … and each fraction of the plurality of fractions of the predetermined time period (Balabine, Para.0107, Para.0106; “one or more …values of …risk metrics are determined …. based at least in part on an elapsed time …associated with the … anomalous activities of the user and a time associated with the latest anomalous activity of the user”, “risk metrics corresponding to one or more ….. anomalous activities of the user …. correspond to one or more second time periods prior to a first time period that is used … to compute a current risk metric”) ….
However, Rubin in view of Dodson in view of Visbal also in view of Berman and further in view of Balabine does not explicitly disclose:
…… time period corresponds to a twenty-four-hour time period and each fraction of the plurality of fractions of the predetermined time period corresponds to one hour time periods.
In an analogous reference, Wade discloses:
…. time period (Para.0060; “Utilization at a Particular Time”) corresponds to a twenty-four-hour time period and ….. time period corresponds to one hour time periods. (Para.0077, Para.0058; “utilizations of the network resource …. performed continuously, periodically (e.g., weekly, daily, hourly, etc.)”, “utilization of the particular network resource …..network resource monitoring system …. receive…. utilization information ….. monitoring may be performed continually, periodically (e.g., every one or more minutes, hours, days, weeks, etc.)”)
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Rubin in view of Dodson in view of Visbal also in view of Berman and further in view of Balabine’s method to include Wade’s method for determining how to manage network resources in a service provider environment.
The motivation: A twenty-four-hour period focuses on long-term network planning and analysis, while a one-hour period enables dynamic, responsive adjustments to address short-term fluctuations. Using both time scales for network resource management provides a comprehensive strategy for optimizing performance, reliability, and cost-efficiency.
With respect to dependent claims 32 and 33, a corresponding reasoning was given earlier in this section with respect to claim 31; therefore, claims 32 and 33 are rejected, for similar reasons, under the grounds as set forth for claim 31.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAYEDA SALMA NAHAR whose telephone number is (703)756-4609. The examiner can normally be reached M-F 12:00 PM to 6:00 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William Korzuch, can be reached at (571) 272-7589. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SAYEDA SALMA NAHAR/Examiner, Art Unit 2491
/AMIR MEHRMANESH/Supervisory Patent Examiner, Art Unit 2491