Prosecution Insights
Last updated: April 19, 2026
Application No. 18/525,261

SECURITY BREACH DETECTION AND MITIGATION IN A CLOUD-BASED ENVIRONMENT

Final Rejection §103
Filed: Nov 30, 2023
Examiner: CHACKO, JOE
Art Unit: 2457
Tech Center: 2400 — Computer Networks
Assignee: Google LLC
OA Round: 2 (Final)
Grant Probability: 75% (Favorable)
Expected OA Rounds: 3-4
Time to Grant: 3y 2m
Grant Probability With Interview: 99%

Examiner Intelligence

Career Allow Rate: 75% (429 granted / 575 resolved), +16.6% vs TC avg; grants above average
Interview Lift: +29.1% (strong), measured on resolved cases with interview
Typical Timeline: 3y 2m average prosecution; 20 currently pending
Career History: 595 total applications across all art units

Statute-Specific Performance

§101: 9.7% (-30.3% vs TC avg)
§103: 56.3% (+16.3% vs TC avg)
§102: 24.2% (-15.8% vs TC avg)
§112: 4.0% (-36.0% vs TC avg)
Comparison baseline is the Tech Center average estimate. Based on career data from 575 resolved cases.

Office Action

§103
DETAILED ACTION

This office action is in response to the Applicant's response filed 11/25/2025. Claims 1-6, 8, 10-19 are examined and pending.

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments

Applicant's arguments with respect to claims 1 and 14 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6, 8, 10-19 are rejected under 35 U.S.C. 103 as being unpatentable over Sopan (U.S. 11637862 B1, hereinafter “Sopan”) in view of Karpovsky et al. (U.S. 2023/0199003 A1, hereinafter “Karpovsky”).

As to claims 1 and 14, Sopan discloses a method comprising: obtaining one or more outputs of the trained AI model, the one or more outputs indicating: a set of activities, of the activities indicated by the event data, performed with respect to at least one of the plurality of client devices that is indicative of a security breach (column 3, lines 44-50; discloses the action generator receives the modified alerts and associated context information to determine a recommended course of action for presentation via the reporting logic. The action generator determines a recommended course of action based on the application of a predictive model generated by the predictive model generation logic.), one or more security actions to be taken at the cloud-based environment in response to the set of activities, and for each of the one or more security actions, a level of confidence that a respective security action will mitigate the security breach (column 3, lines 51-67; discloses to determine a priority associated with the modified alert, the action generator may analyze the confidence levels (e.g., associated with a course of action determined by application of the predictive model, associated with a classification label, etc.). The priority assigned to a received alert may be based, at least in part, on a numerical distance of the confidence level a threshold, such as, for example, an automated execution threshold. For example, if the confidence associated with an action is 55% and the confidence threshold for automated execution of an action is 90%, the action generator may determine that the confidence associated with an action is too far from the threshold to be automatically actionable and should be displayed to an analyst and therefore given a higher priority for the analyst's attention.); determining, based on the one or more outputs, a security action having a level of confidence that satisfies a confidence criterion (column 4, lines 13-18; discloses a course of action is applicable if the action generator determines a level of correlation (i.e. confidence level) between a course of action and the modified alert exceeds a confidence threshold); and performing a set of operations to initiate the determined security action at the cloud-based environment (column 4, lines 63-67; discloses the mitigation logic initiates an external computing device (e.g., a cyber-security device, etc.) to execute a mitigation (i.e. via a course of action) sent by the mitigation logic.).

Sopan does disclose that the received alert is received from one or more alert-generating cyber-security devices and the automated analyst alerting system (“AAAS”) is configured to receive an alert, analyze the alert according to a model generated by a machine learning procedure applied to data in a knowledge store. The knowledge store includes data that associates previously detected alerts, cyber-security threats, and undesirable computing device configurations with one or more classifications as determined by a cyber-security analyst (column 2, lines 3-12). However, Sopan does not explicitly disclose the method wherein providing event data associated with a plurality of client devices of a cloud-based environment as input to a trained artificial intelligence (AI) model, wherein the event data comprises a log generated by at least one of the plurality of client devices, the log indicating activities performed during operation of the at least one of the plurality of client devices.

In an analogous art, Karpovsky discloses the method wherein providing event data associated with a plurality of client devices of a cloud-based environment as input to a trained artificial intelligence (AI) model, wherein the event data comprises a log generated by at least one of the plurality of client devices, the log indicating activities performed during operation of the at least one of the plurality of client devices (para. [0026]-[0028]; discloses generating logs of data that have occurred with respect to application and resources managed or accessed that include user initiated actions. These previously generated logs, which are historical logs, are provided to the unsupervised machine learning algorithm during a training process). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the alerting system in Sopan by incorporating a function to generate historical logs of activities to access resources and applications by users as taught by Karpovsky in order to more quickly and accurately detect suspicious activity and benign activity (Karpovsky, para. [0003]).

As to claim 2, Sopan-Karpovsky discloses the method of claim 1, further comprising: providing indicator of compromise (IOC) data as input to the trained AI model with the provided event data, wherein the IOC data indicates one or more activities pertaining to one or more other security breaches of other cloud-based environments, wherein the at least one of the set of activities corresponds to the one or more activities indicated by the IOC data (Sopan, column 2, lines 1-15; discloses receive an alert (the received alert is received from one or more alert-generating cyber-security devices), analyze the alert according to a model generated by a machine learning procedure applied to data in a knowledge store. The knowledge store includes data that associates previously detected alerts, cyber-security threats, and undesirable computing device configurations with one or more classifications as determined by a cyber-security analyst. Such classifications may include labels (e.g., “malicious”, “non-malicious”, “phishing”, “misconfiguration”, etc.) and a confidence level associated with the classification.).

As to claim 3, Sopan-Karpovsky discloses the method of claim 2, further comprising: updating the IOC data to include information pertaining to the set of activities that is indicative of the security breach (Sopan, column 3, lines 12-20; discloses the classifiers may classify each alert based on a label as determined by an analyst and/or the alert recommendation engine according to the predictive model. In some embodiments, analysts may select from a pre-defined set of labels, whereas, in other embodiments, labeling may be done automatically. A classifier may generate a probability of association with a label relating to each received alert.).

As to claim 4, Sopan-Karpovsky discloses the method of claim 1, wherein the set of operations to initiate the determined security action comprise an operation associated with one or more of: transmitting a security alert to a computing system associated a security authority associated with the determined security action (Sopan, column 1, lines 43-50; discloses the alerts are analyzed by an alert recommendation engine which automatically determines a recommended course of action related to the one or more received cyber-security alerts by application); executing one or more instructions to prevent at least one of the one or more client devices from performing one or more operations for a particular time period; executing one or more instructions to prevent at least one of the one or more client devices from accessing a particular type of data; or executing one or more instructions to prevent at least one of the one or more client devices from communicating with another client device.

As to claim 5, Sopan-Karpovsky discloses the method of claim 1, wherein performing the set of operations to initiate the determined security action at the cloud-based environment comprises: determining whether the level of confidence of the determined security action exceeds a threshold level of confidence; and responsive to determining that the level of confidence of the determined security action exceeds the threshold level of confidence, executing one or more instructions of a security action protocol associated with the determined security action (Sopan, column 3, line 43 to column 4, line 27; discloses the action generator may analyze the confidence levels and determine if the course of action is applicable based on whether the level of correlation (i.e. confidence level) between a course of action and the modified alert exceeds a confidence level. If the level is exceeded, the action is automatically executed).

As to claim 6, Sopan-Karpovsky discloses the method of claim 5, further comprising: responsive to determining that the level of confidence of the determined security action does not exceed the threshold level of confidence, transmitting a security alert to a computing system associated with a security authority associated with the determined security action (Sopan, column 3, line 43 to column 4, line 27; discloses if the confidence associated with an action is 55% and the confidence threshold for automated execution of an action is 90%, the action generator may determine that the confidence associated with an action is too far from the threshold to be automatically actionable and should be displayed to an analyst and therefore given a higher priority for the analyst's attention).

As to claim 8, Sopan discloses a system comprising: a memory; and a processing device coupled to the memory, the processing device to perform operations comprising: generating training data for an AI model, wherein generating the training data comprises: generating a target output comprising: an indication of whether the one or more historical activities of the client devices were previously indicated by a security authority to be indicative of a historical security breach (column 3, lines 44-50; discloses the action generator receives the modified alerts and associated context information to determine a recommended course of action for presentation via the reporting logic. The action generator determines a recommended course of action based on the application of a predictive model generated by the predictive model generation logic.) and, for a historical activity of the one or more historical activities previously indicated by the security authority to be indicative of the historical security breach, one or more historical security actions initiated by the security authority at the cloud-based environment in response to the historical activity to mitigate the historical security breach (column 3, lines 51-67; discloses to determine a priority associated with the modified alert, the action generator may analyze the confidence levels (e.g., associated with a course of action determined by application of the predictive model, associated with a classification label, etc.). The priority assigned to a received alert may be based, at least in part, on a numerical distance of the confidence level a threshold, such as, for example, an automated execution threshold. For example, if the confidence associated with an action is 55% and the confidence threshold for automated execution of an action is 90%, the action generator may determine that the confidence associated with an action is too far from the threshold to be automatically actionable and should be displayed to an analyst and therefore given a higher priority for the analyst's attention.); and providing the training data to train the AI model to predict activities performed with respect to the plurality of client devices that are indicative of a security breach and one or more security actions to mitigate the security breach (column 4, lines 63-67; discloses the mitigation logic initiates an external computing device (e.g., a cyber-security device, etc.) to execute a mitigation (i.e. via a course of action) sent by the mitigation logic using a machine-learning model), wherein the training data comprises (i) a set of training inputs comprising the training input and (ii) a set of target outputs comprising the target output (column 2, lines 58-67; discloses the training system may include information extracted from received alerts and stored as data in the knowledge store. The information extracted from the received alert may include received alert message content as well as meta-information associated with the received alert (e.g., time of receipt, IP address of the source cyber-security device, etc.). The training system may also include information associated with the received alert (e.g., modifying a label associated with alert or associating a course of action with the alert) by the cyber-security analyst and stored in the knowledge store.). Generating a training input comprising historical event data indicating one or more historical activities performed with respect to at least one of a plurality of client devices of a cloud-based environment (column 2, lines 3-12; discloses the automated analyst alerting system (“AAAS”) is configured to receive an alert, analyze the alert according to a model generated by a machine learning procedure applied to data in a knowledge store. The knowledge store includes data that associates previously detected alerts, cyber-security threats, and undesirable computing device configurations with one or more classifications as determined by a cyber-security analyst.).

Sopan does disclose that the received alert is received from one or more alert-generating cyber-security devices and the automated analyst alerting system (“AAAS”) is configured to receive an alert, analyze the alert according to a model generated by a machine learning procedure applied to data in a knowledge store. The knowledge store includes data that associates previously detected alerts, cyber-security threats, and undesirable computing device configurations with one or more classifications as determined by a cyber-security analyst (column 2, lines 3-12). However, Sopan does not explicitly disclose the method wherein generating a training input comprising historical event data indicating one or more historical activities performed with respect to at least one of a plurality of client devices of a cloud-based environment.

In an analogous art, Karpovsky discloses the system wherein generating a training input comprising historical event data indicating one or more historical activities performed with respect to at least one of a plurality of client devices of a cloud-based environment (para. [0026]-[0028]; discloses generating logs of data that have occurred with respect to application and resources managed or accessed that include user initiated actions. These previously generated logs, which are historical logs, are provided to the unsupervised machine learning algorithm during a training process). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the alerting system in Sopan by incorporating a function to generate historical logs of activities to access resources and applications by users as taught by Karpovsky in order to more quickly and accurately detect suspicious activity and benign activity (Karpovsky, para. [0003]).

As to claim 10, Sopan-Karpovsky discloses the system of claim 8, wherein the one or more historical security actions comprise at least one of: executing one or more instructions to prevent at least one of the plurality of client devices from performing one or more operations for a particular time period; executing one or more instructions to prevent at least one of the plurality of client devices from accessing a particular type of data; or executing one or more instructions to prevent at least one of the plurality of client devices from communicating with another client device (Sopan, column 14, lines 5-15; discloses the predictive model generation logic 265 generates predictive models and stores them in the memory 230. In some embodiments the predictive model generation logic 265 may generate a separate second predictive action model (based on the actions previously associated with alerts and stored in the knowledge store 140) for use by the action generator 244, distinct and trained separately from the predictive model used by the alert analysis and labeling engine 242 (based on prior classifications of alerts and stored in the knowledge store 140).).

As to claim 11, Sopan-Karpovsky discloses the system of claim 8, wherein at least one of the training input or the target output is further generated based on one or more of security rule data associated with a user of the plurality of client devices or indicator of compromise data collected for the cloud-based environment or another cloud-based environment (Sopan, column 2, line 58 to column 3, line 10; discloses the training system may include information extracted from received alerts and stored as data in the knowledge store. The information extracted from the received alert may include received alert message content as well as meta-information associated with the received alert (e.g., time of receipt, IP address of the source cyber-security device, etc.). The training system may also include information associated with the received alert (e.g., modifying a label associated with alert or associating a course of action with the alert) by the cyber-security analyst and stored in the knowledge store.).

As to claim 12, Sopan-Karpovsky discloses the system of claim 8, wherein the operations further comprise: identifying a security log comprising an indication of historical activities previously initiated by the security authority in response to the one or more historical activities of the client devices; and extracting the one or more historical activities from the identified security log (Sopan, column 2, lines 5-15; discloses the knowledge store includes data that associates previously detected alerts, cyber-security threats, and undesirable computing device configurations with one or more classifications as determined by a cyber-security analyst. These previous alerts can be extracted from the knowledge store).

As to claim 13, Sopan-Karpovsky discloses the system of claim 12, wherein the AI model is associated with a platform, and wherein the security log is associated with at least one of the platform or another platform (Sopan, column 1, lines 45-55; discloses the data stored in the knowledge base is used to generate the predictive machine learning model).

As to claim 15, Sopan-Karpovsky discloses the non-transitory computer readable storage medium of claim 14, wherein the operations further comprise: providing indicator of compromise (IOC) data as input to the trained AI model with the provided event data, wherein the IOC data indicates one or more activities pertaining to one or more other security breaches of other cloud-based environments, wherein the at least one of the set of activities corresponds to the one or more activities indicated by the IOC data (Sopan, column 2, lines 1-15; discloses receive an alert (the received alert is received from one or more alert-generating cyber-security devices), analyze the alert according to a model generated by a machine learning procedure applied to data in a knowledge store. The knowledge store includes data that associates previously detected alerts, cyber-security threats, and undesirable computing device configurations with one or more classifications as determined by a cyber-security analyst. Such classifications may include labels (e.g., “malicious”, “non-malicious”, “phishing”, “misconfiguration”, etc.) and a confidence level associated with the classification.).

As to claim 16, Sopan-Karpovsky discloses the non-transitory computer readable storage medium of claim 15, wherein the operations further comprise: updating the IOC data to include information pertaining to the set of activities that is indicative of the security breach (Sopan, column 3, lines 12-20; discloses the classifiers may classify each alert based on a label as determined by an analyst and/or the alert recommendation engine according to the predictive model. In some embodiments, analysts may select from a pre-defined set of labels, whereas, in other embodiments, labeling may be done automatically. A classifier may generate a probability of association with a label relating to each received alert.).

As to claim 17, Sopan-Karpovsky discloses the non-transitory computer readable storage medium of claim 14, wherein the set of operations to initiate the determined security action comprise an operation associated with one or more of: transmitting a security alert to a computing system associated a security authority associated with the determined security action (Sopan, column 1, lines 43-50; discloses the alerts are analyzed by an alert recommendation engine which automatically determines a recommended course of action related to the one or more received cyber-security alerts by application); executing one or more instructions to prevent at least one of the one or more client devices from performing one or more operations for a particular time period; executing one or more instructions to prevent at least one of the one or more client devices from accessing a particular type of data; or executing one or more instructions to prevent at least one of the one or more client devices from communicating with another client device.

As to claim 18, Sopan-Karpovsky discloses the non-transitory computer readable storage medium of claim 14, wherein performing the set of operations to initiate the determined security action at the cloud-based environment comprises: determining whether the level of confidence of the determined security action exceeds a threshold level of confidence (Sopan, column 3, line 43 to column 4, line 27; discloses the action generator may analyze the confidence levels and determine if the course of action is applicable based on whether the level of correlation (i.e. confidence level) between a course of action and the modified alert exceeds a confidence level. If the level is exceeded, the action is automatically executed); responsive to determining that the level of confidence of the determined security action exceeds the threshold level of confidence, executing one or more instructions of a security action protocol associated with the determined security action.

As to claim 19, Sopan-Karpovsky discloses the non-transitory computer readable storage medium of claim 18, wherein the operations further comprise: responsive to determining that the level of confidence of the determined security action does not exceed the threshold level of confidence, transmitting a security alert to a computing system associated with a security authority associated with the determined security action (Sopan, column 3, line 43 to column 4, line 27; discloses if the confidence associated with an action is 55% and the confidence threshold for automated execution of an action is 90%, the action generator may determine that the confidence associated with an action is too far from the threshold to be automatically actionable and should be displayed to an analyst and therefore given a higher priority for the analyst's attention).

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Meyer et al. (U.S. 2023/0421587 A1) discloses a distributed security system that includes instances of a compute engine that can receive an event stream comprising event data associated with an occurrence of one or more events on one or more client computing devices and generate new event data based on the event data in the event stream. A predictions engine coupled in communication with the compute engine(s) receives the new event data and applies at least a portion of the received new event data to one or more machine learning models of the distributed security system based to the received new event data.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOE CHACKO whose telephone number is (571)270-3318. The examiner can normally be reached Monday-Friday 7am-5pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Ario Etienne, can be reached at 5712724001. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JOE CHACKO/
Primary Examiner, Art Unit 2457
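The confidence-gated dispatch that the rejection walks through for claims 5 and 6 (execute the security action protocol when the model's confidence exceeds the automated-execution threshold, otherwise alert a security authority with a priority derived from the numerical distance below the threshold, as in Sopan's 55% vs 90% illustration) is shown below as an added example. It is not code from the application, from Sopan, or from Karpovsky; the action names, device identifiers, priority bands and 0.90 threshold are constructed for the example.

```python
"""Confidence-gated dispatch of model-recommended security actions.

Added illustration of the mechanism discussed in the office action: an action
whose confidence exceeds the automated-execution threshold runs automatically;
otherwise an alert is queued for a security authority (analyst) with a priority
that grows with the distance between the confidence and the threshold.
All identifiers and sample values here are constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Sopan's worked figure for the automated-execution threshold (90%).
AUTO_EXECUTE_THRESHOLD = 0.90


@dataclass(frozen=True)
class RecommendedAction:
    name: str          # identifier of the security action protocol (constructed)
    device: str        # client device the action applies to (constructed)
    confidence: float  # model's confidence that the action mitigates the breach, 0..1


@dataclass(frozen=True)
class Disposition:
    action: RecommendedAction
    executed: bool            # True when the protocol ran automatically
    priority: Optional[str]   # analyst priority when escalated, else None


def select_action(candidates: Iterable[RecommendedAction]) -> Optional[RecommendedAction]:
    """Confidence criterion assumed here: pick the highest-confidence candidate."""
    return max(candidates, key=lambda a: a.confidence, default=None)


def analyst_priority(confidence: float, threshold: float) -> str:
    """Priority for the analyst queue from the numerical distance below the threshold.

    The bands are an assumption of this example: the further the confidence sits
    below the automation threshold, the more an analyst needs to look at it, so
    Sopan's 55% vs 90% case (distance 0.35) lands in the "high" band.
    """
    distance = threshold - confidence
    if distance >= 0.25:
        return "high"
    if distance >= 0.10:
        return "medium"
    return "low"


def dispatch(candidates: Iterable[RecommendedAction],
             protocols: dict[str, Callable[[str], None]],
             alerts: list[dict],
             threshold: float = AUTO_EXECUTE_THRESHOLD) -> Optional[Disposition]:
    """Execute the selected action if its confidence exceeds the threshold,
    otherwise append an alert for the security authority and return the outcome."""
    action = select_action(candidates)
    if action is None:
        return None
    if action.confidence > threshold:
        protocols[action.name](action.device)  # run the security action protocol
        return Disposition(action, True, None)
    priority = analyst_priority(action.confidence, threshold)
    alerts.append({"device": action.device, "action": action.name,
                   "confidence": action.confidence, "priority": priority})
    return Disposition(action, False, priority)


def run_sample():
    """Constructed model outputs for two devices: one above, one below threshold."""
    executed: list[tuple[str, str]] = []
    alerts: list[dict] = []
    # Stand-ins for real protocols; they only record what would have run.
    protocols = {
        "quarantine_device": lambda dev: executed.append(("quarantine_device", dev)),
        "revoke_session_tokens": lambda dev: executed.append(("revoke_session_tokens", dev)),
    }
    outputs = {
        "vm-17": [RecommendedAction("quarantine_device", "vm-17", 0.93),
                  RecommendedAction("revoke_session_tokens", "vm-17", 0.71)],
        "vm-42": [RecommendedAction("revoke_session_tokens", "vm-42", 0.55)],
    }
    dispositions = {dev: dispatch(cands, protocols, alerts) for dev, cands in outputs.items()}
    return dispositions, executed, alerts


if __name__ == "__main__":
    for dev, d in run_sample()[0].items():
        print(dev, d.action.name, "executed" if d.executed else f"escalated ({d.priority})")
```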

Prosecution Timeline

Nov 30, 2023: Application Filed
Aug 21, 2025: Non-Final Rejection — §103
Nov 25, 2025: Response Filed
Jan 10, 2026: Final Rejection — §103
Mar 26, 2026: Examiner Interview Summary
Mar 26, 2026: Applicant Interview (Telephonic)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12598239: ACCELERATING CONNECTIONS TO A HOST SERVER; granted Apr 07, 2026 (2y 5m to grant)
Patent 12574338: MULTI-TENANT COLLECTIVE COMMUNICATION FABRIC; granted Mar 10, 2026 (2y 5m to grant)
Patent 12568365: AUTHENTICATION EVENT PROCESSING METHOD, APPARATUS, AND SYSTEM; granted Mar 03, 2026 (2y 5m to grant)
Patent 12566848: AUTOMATED THREAT MODELING; granted Mar 03, 2026 (2y 5m to grant)
Patent 12563043: Universal Conceptual Control Management; granted Feb 24, 2026 (2y 5m to grant)
Based on the 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 75%
Grant Probability With Interview: 99% (+29.1%)
Median Time to Grant: 3y 2m
PTA Risk: Moderate
Based on 575 resolved cases by this examiner. Grant probability is derived from the career allow rate.
