ADAPTIVE SYSTEM FOR NETWORK AND SECURITY MANAGEMENT

DETAILED ACTION This communication is in response to Applicant’s amendment filed on November 07, 2025. Claims 6, 14 and 19 have been canceled, claims 1, 9 and 22 have been amended. Claims 1-5, 7-13, 15-18 and 20-25 are pending and are directed towards ADAPTIVE SYSTEM FOR NETWORK AND SECURITY MANAGEMENT. Examiner acknowledges Applicant’s amendment to specification and claims, and therefore withdraws the previous office action’s objections to the specification, the claims, and the 35 USC § 102 rejection. However, due to the change in scope of the claims in the amendment, a new rejection under 35 USC § 103 is presented herein. The rejection is stated below. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Information Disclosure Statement The information disclosure statement (IDS) submitted on 12/15/2025 was Acknowledge. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner. Response to Arguments Applicant's arguments filed on November 07, 2025 with respect to 35 U.S.C. 102 and 103 rejections have been fully considered but they are moot in view of the new grounds of rejections. Applicant arguments have been addressed in the rejections below. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. Claim(s) 1-5, 7-13 and 15-18 and 20-25 are rejected under 35 U.S.C. 103 as being unpatentable over Shenoy et al. US 2019/0098037 A1 (hereinafter “Shenoy”) in view of Peteroy et al. US 2018/0278643 A1 (hereinafter “Peteroy”). As per claims 1, 9 and 22, Shenoy teaches a system for identifying computer risk, the system configured to: receive a set of inputs from a plurality of third-party sources, wherein the set of inputs comprise at least one of streaming data or historical data (a security system receives activity data associated with a first source. The activity data may include data associated with a first user account during the use of a first cloud-based service…retrieve additional activity data from a second source. The additional activity data may include data associated with a second user account during the use of a second cloud-based service. Shenoy, para [0031]); perform, by an event signal processing component of the system, normalization on the set of inputs (the data loader application 206 performs operations for normalizing the data and reformatting the data into a common format for storage in, and retrieval from, the analytics and threat intelligence repository 211. Shenoy, para [0103]); perform, by the event signal processing component of the system, classification of the normalized set of inputs (Reformatting the data may include categorizing and structuring the data into the common format. Shenoy, para [0103])( Clustering and regression algorithms can be used to categorize data and find common patterns. For example, a clustering algorithm can put data into clusters by aggregating all entries of users logging in from a mobile device. Shenoy, para [0163]); generate, by a machine learning model of the event signal processing component of the system, vectorized data .., based on the classification of the normalized set of inputs, wherein the entities include at least one of a (i) signal type, (ii) network environment, or (iii) objective (Decision tree, time series, naive Bayes analysis, and techniques used to build user behavior profiles are examples of machine learning techniques that can be used to generate predictions based on patterns of suspicious activity and/or external data feeds. Techniques such as clustering can be used to detect outliers and anomalous activity. Shenoy, para [0160]) (Activity data collected from various parameters over a period of time can be used with machine learning algorithms to generate patterns referred to as user behavior profiles. The activity data can include contextual information such as IP address and geographic location. Shenoy, para [0163])( Statistics such as those illustrated above can be combined into a feature vector. Feature vectors can include, for example, a count of a number of logins, a count of a number of distinct IP addresses used for logging in, a maximum distance between any two IP addresses used to log in within a 24-hour time period, a count of a number of distinct browsers used in connections to the cloud application within a 24 hour time period, and/or other measures. Feature vectors may be aggregated per cloud application and/or per user per cloud application. Shenoy, para [0130]); and generate, by the event signal processing component of the system, clusters of alerts based on the vectorized data by identifying a similarity of existing alert clusters (generate reports that may be presented visually to a system administrator via a user interface and to generate analytics for determining threat levels, detecting specific threats, and predicting potential threats, among other things. Shenoy, para [0106])( techniques such as outlier detection can establish a baseline that is useful for detecting anomalous activities. Such anomalous activities along with contextual threat intelligence can provide more accurate prediction of threats with low prediction errors. Shenoy, para [0164])( alerts 322 can be provided in visualizations 328 that can be viewed using a user interface that is accessible to an organization. Shenoy, para [0167]-[0168]). Shenoy does not explicitly teach vectorized data including graph embeddings representing relationship between entities and semantic embeddings representing attributes of entities. However, Peteroy teaches vectorized data including graph embeddings representing relationship between entities and semantic embeddings representing attributes of entities (threat entity data structure 500 may be used to store, retrieve, and visualize network security events in a time-series, multi-scale graph with contextual representation around multiple feature vectors. Threat entities may also provide a structure for distributed and anonymized hypothesis generation around the characteristics, behavior, and connectedness of a multiscale graph of network entities and associated properties. Threat entities may also be utilized in a system for a centralized collaboration workspace where the time-series multiscale graph of each threat entity is contextualized with a tailored view for each investigator or analyst. Peteroy, para [0058])( Unified data store 108 may be a graph database, meaning the unified data store uses graph-based structures for semantic queries with nodes, edges, and properties of the graphs being used to represent and store data. As is explained in more detail below, in such embodiments, a graph may represent a computer network with the nodes of the graph representing various network devices interconnected by edges that represent interactions between the nodes, such as data communications and the like. Nodes of a graph may also represent sub-graphs, wherein a higher level graph may represent a relatively broad network, with nodes of the higher level graph representing sub-graphs representing smaller networks within the relatively broad network, interconnected by edges representing interactions between the smaller networks. Peteroy, Para [0031]) Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Shenoy in view of Peteroy. One would be motivated to do so, to enhance the accuracy of system classification and clustering by representing vectorized data with graphs. As per claims 2 and 10, Shenoy and Peteroy teach the system as recited in Claim 1, wherein the set of inputs are at least one of (i) log files, (ii) performance metric information, (iii) alert data, (iv) configuration data, or (v) trace data (the activity data may be received in different formats that are used by different service providers or services. For example, the data may be formatted in JSON or other data interchange formats, or may be available as log files or database entries. Shenoy, para [0103]). As per claims 3 and 11, Shenoy and Peteroy teach the system as recited in Claim 2, wherein the classification comprises categorizing each set of input, of the set of inputs, wherein each of the normalized set of inputs is categorized as having at least one of a (i) designated department of a user, or (ii) location information of an internet protocol (IP) address (the contextual data can include, for example, identification of a type of the client device, IP addresses used by the client device, geolocation data computed by a Global Positioning System (GPS) receiver of the client device, and other information about the client device or that can be obtained from the client device. Shenoy, para [0126])( Feature vectors can include, for example, a count of a number of logins, a count of a number of distinct IP addresses used for logging in, a maximum distance between any two IP addresses used to log in within a 24-hour time period, a count of a number of distinct browsers used in connections to the cloud application within a 24 hour time period, and/or other measures. Shenoy, para [0130])( Algorithm 3 provides an example of an algorithm that can be used for analytics of multiple application behavior. In algorithm 3, user IP addresses associated with various cloud service activities (such as logging in) are resolved to geolocation coordinates IP1 (Latitude 1, Longitude 1), IP2 (Latitude 2, Longitude 2), IP3 (Latitude 3, Longitude 3),. Shenoy, para [0143]). As per claims 4 and 12, Shenoy and Peteroy teach the system as recited in Claim 3, wherein the classification is based on a policy or entity graph (the control manager 172 can also maintain security policies for the organization 130. A security policy can define an action or set of actions that, when detected, constitute a security violation or an event that otherwise requires attention. In some examples, actions that are defined by a policy as a security violation can occur through use of one service, meaning that all the actions were performed while using the same service. In some examples, the actions can have occurred during use of more than one service, where the services are provided by one service provider or multiple service providers. In some examples, a security policy can also define one or more remediation actions to perform when a violation of the policy is detected. Shenoy, para [0074][00178]). As per claims 5 and 13, Shenoy and Peteroy teach the system as recited in Claim 1, wherein normalization of the set of inputs comprises transforming the set of inputs into a uniform format for processing (The data entered into a landing repository 210 may be in different formats and/or have different ranges of values, due, for example, from having been collected from different service providers. In some examples, the data from the data loader application 206 can be reformatted and/or structured before being moved to the analytics and threat intelligence repository 211 so that, for example, the data has a uniform format. Shenoy, para [0098]). As per claims 7 and 15, Shenoy and Peteroy teach the system as recited in Claim 1, wherein the vectorized data is stored in a run-time vector database (Feature vectors can include, for example, a count of a number of logins, a count of a number of distinct IP addresses used for logging in, a maximum distance between any two IP addresses used to log in within a 24-hour time period, a count of a number of distinct browsers used in connections to the cloud application within a 24 hour time period, and/or other measures. Feature vectors may be aggregated per cloud application and/or per user per cloud application. Shenoy, para [0130]) (Table 5 below lists example values for several possible daily aggregation matrix vectors. The example vectors illustrated here include a count of logins per day for one day (“logcntday_1dy”), a count of failed logins per day for one day (“logfailcntday_1dy”), a count per day of IP addresses from which failed logins occurred over one day (“logfailipdisday_1dy”), and a count per day of IP addresses used to log in over one day (“logipdisday_1dy”). Shenoy, para [0132]). As per claims 8, 18 and 23, Shenoy and Peteroy teach the system as recited in Claim 1, wherein identifying the similarity of existing alert clusters is based at least on one or more correlation rules (the recommendation engine 308 can use association rule learning can to generate recommendations. In some examples, the recommendation engine 308 can use profile linking algorithms to link activities across multiple cloud applications by finding cross-service correlation. A single user can be identified across multiple cloud service using one or more attributes or identification factors, such as a primary user identifier that is commonly used across the clouds or a single sign-on (SSO) authentication mechanism (e.g., Active Directory, Okta, etc.). Examples of correlation of activities across applications find a user logged into two cloud services simultaneously from different IP addresses, find a user who performs several failed login attempts and subsequently changes the user's password, and users who frequently have with numerous failed logins for two or more cloud services, among other examples… Alerts can be constructed based on pre-defined rules that can include specific events and thresholds. Shenoy, para [0161]) (the recommendation engine 308 can use association rule learning can to generate recommendations. In some examples, the recommendation engine 308 can use profile linking algorithms to link activities across multiple cloud applications by finding cross-service correlation. A single user can be identified across multiple cloud service using one or more attributes or identification factors, such as a primary user identifier that is commonly used across the clouds or a single sign-on (SSO) authentication mechanism (e.g., Active Directory, Okta, etc.). Examples of correlation of activities across applications find a user logged into two cloud services simultaneously from different IP addresses, find a user who performs several failed login attempts and subsequently changes the user's password, and users who frequently have with numerous failed logins for two or more cloud services, among other examples. Shenoy, para [0172]). As per claim 16, Shenoy and Peteroy teach the computer-implemented method of Claim 9, wherein generating, by a machine learning model, vectorized data based on the classification of the normalized set of inputs includes generating a run-time vector database, wherein the run-time vector database includes the vectorized data and additional information (Feature vectors can include, for example, a count of a number of logins, a count of a number of distinct IP addresses used for logging in, a maximum distance between any two IP addresses used to log in within a 24-hour time period, a count of a number of distinct browsers used in connections to the cloud application within a 24 hour time period, and/or other measures. Feature vectors may be aggregated per cloud application and/or per user per cloud application. Shenoy, para [0130]) (Table 5 below lists example values for several possible daily aggregation matrix vectors. The example vectors illustrated here include a count of logins per day for one day (“logcntday_1dy”), a count of failed logins per day for one day (“logfailcntday_1dy”), a count per day of IP addresses from which failed logins occurred over one day (“logfailipdisday_1dy”), and a count per day of IP addresses used to log in over one day (“logipdisday_1dy”). Shenoy, para [0132]). As per claim 17, Shenoy and Peteroy teach the computer-implemented method of Claim 16, wherein the additional information includes processing results associated with at least the normalization on the set of inputs or the classification of the normalized set of inputs (the activity data may be received in different formats that are used by different service providers or services. For example, the data may be formatted in JSON or other data interchange formats, or may be available as log files or database entries. In some examples, the data loader application 206 performs operations for normalizing the data and reformatting the data into a common format for storage in, and retrieval from, the analytics and threat intelligence repository 211. Reformatting the data may include categorizing and structuring the data into the common format. In some examples, the database is adaptive to structural changes and new values, and can run automated processes to check for changed data. In some examples, the cloud crawler application 202 recognizes differences in the structure or values of the data retrieved, and can apply the changes to the application catalog database 208 and/or the analytics and threat intelligence repository 211. Shenoy, para [0103])( the data in the activity logs may be normalized by the analytics engine 300 or prior to being provided to the analytics engine 300. Normalizing the activity data 310 include reformatting the activity data 310 such data from different services and/or service providers is comparable, has the same meaning, and/or bears the same significance and relevance. After normalization, the behavioral analytics engine 304 can aggregate and compare data from different cloud services in meaningful ways. For example, a series of failed login attempts by one user with one cloud service may be deemed not to be a threat. However, a series of failed logins by the same user but at multiple different cloud services indicate a concerted effort to crack the user's password and should thus set off an alarm. Shenoy, para [0123]). As per claim 20 and 24, Shenoy and Peteroy teach the computer-implemented method of Claim 9, wherein identifying the similarity of existing alert clusters is based on a machine learning model (the security monitoring and control system 102 can include a learning system 178. The learning system 178 can apply various machine learning algorithms to data collected by the security monitoring and control system 102. The information learned about the data can then be used, for example, by the data analysis system 136 to make determinations about user activities in using services provided by the service provider 110. For example, the learning system 178 can learn patterns of normal or common behaviors of users of an organization. In these and other examples, the learning system 178 can generate models that capture patterns that the learning system 178 has learned, which can be stored in the storage 122 along with other data for an organization. Shenoy, para [0077])( the threat detection and prediction analytics application 212 can generate analytics using machine learning and other algorithms. The analytics performed by the prediction analytics application 212 can include identifying and predicting security threats from patterns of activity and behavioral models. Analytics performed by the descriptive analytics application 207 and the prediction analytics application 212 can be performed using data stored in the analytics and threat intelligence repository 21. Shenoy, para [0106]-[0109])( the analytics engine 300 can perform various other analytics 306 on the activity data 310 obtained from service providers. In some examples, various types of algorithms can be particularly useful for analyzing the data. Decision tree, time series, naive Bayes analysis, and techniques used to build user behavior profiles are examples of machine learning techniques that can be used to generate predictions based on patterns of suspicious activity and/or external data feeds. Techniques such as clustering can be used to detect outliers and anomalous activity. For example, a threat can be identified based on an account accessing one or more files or failing a series of login attempts from an IP address that is flagged (by a third party feed or otherwise) as malicious. In a similar way, a threat can also be based on different patterns of activity with one cloud application or across multiple cloud applications, possibly over time. Shenoy, para [0160]). As per claim 21, Shenoy and Peteroy teach the computer-implemented method of Claim 20, wherein one or more correlation rules are configured to prioritize processing over the machine learning model (Information in an alert about each risk event can include, for example, an identifier for the affected cloud service or instance a category, a priority, a date and time, a description, a recommended remediation type, and/or a status, among other information. A risk event may also have a user-selectable action, such as editing, deleting, marking status complete, and/or performing a remediation action. Selection of a remediation action may invoke an application such as the incident remediation application and/or cloud seeder application to perform the selected remediation. An alert and/or other information concerning an identified threat can be sent to an entity external to security monitoring and control system. Shenoy, para [0168]) As per claim 25, Shenoy and Peteroy teach the one or more non-transitory computer-readable media of Claim 22, wherein identifying the similarity of existing alert clusters is based a combination of machine learning model and one or more correlation rules ( the analytics engine 300 can perform various other analytics 306 on the activity data 310 obtained from service providers. In some examples, various types of algorithms can be particularly useful for analyzing the data. Decision tree, time series, naive Bayes analysis, and techniques used to build user behavior profiles are examples of machine learning techniques that can be used to generate predictions based on patterns of suspicious activity and/or external data feeds. Techniques such as clustering can be used to detect outliers and anomalous activity. For example, a threat can be identified based on an account accessing one or more files or failing a series of login attempts from an IP address that is flagged (by a third party feed or otherwise) as malicious. In a similar way, a threat can also be based on different patterns of activity with one cloud application or across multiple cloud applications, possibly over time. Shenoy, para [0160]) (the recommendation engine 308 can use association rule learning can to generate recommendations. In some examples, the recommendation engine 308 can use profile linking algorithms to link activities across multiple cloud applications by finding cross-service correlation. A single user can be identified across multiple cloud service using one or more attributes or identification factors, such as a primary user identifier that is commonly used across the clouds or a single sign-on (SSO) authentication mechanism (e.g., Active Directory, Okta, etc.). Examples of correlation of activities across applications find a user logged into two cloud services simultaneously from different IP addresses, find a user who performs several failed login attempts and subsequently changes the user's password, and users who frequently have with numerous failed logins for two or more cloud services, among other examples… Alerts can be constructed based on pre-defined rules that can include specific events and thresholds. Shenoy, para [0161]) (the recommendation engine 308 can use association rule learning can to generate recommendations. In some examples, the recommendation engine 308 can use profile linking algorithms to link activities across multiple cloud applications by finding cross-service correlation. A single user can be identified across multiple cloud service using one or more attributes or identification factors, such as a primary user identifier that is commonly used across the clouds or a single sign-on (SSO) authentication mechanism (e.g., Active Directory, Okta, etc.). Examples of correlation of activities across applications find a user logged into two cloud services simultaneously from different IP addresses, find a user who performs several failed login attempts and subsequently changes the user's password, and users who frequently have with numerous failed logins for two or more cloud services, among other examples. Shenoy, para [0172]). Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHALID M ALMAGHAYREH whose telephone number is (571)272-0179. The examiner can normally be reached Monday - Thursday 8AM-5PM EST & Friday variable. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, RUPAL DHARIA can be reached at (571)272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. Respectfully Submitted /KHALID M ALMAGHAYREH/Primary Examiner, Art Unit 2492