Prosecution Insights
Last updated: April 19, 2026
Application No. 18/703,346

DETECTING INSIDER USER BEHAVIOR THREATS BY COMPARING A USER’S BEHAVIOR TO THE USER’S PRIOR BEHAVIOR

Status: Non-Final OA (§101, §103)
Filed: Apr 21, 2024
Examiner: POUDEL, SAMIKSHYA NMN
Art Unit: 2436
Tech Center: 2400 — Computer Networks
Assignee: Proofpoint, Inc.
OA Round: 1 (Non-Final)
Grant Probability: 44% (Moderate)
OA Rounds: 1-2
To Grant: 2y 10m
With Interview: 99%

Examiner Intelligence

Career Allow Rate: 44% (grants 44% of resolved cases; 8 granted / 18 resolved; -13.6% vs TC avg)
Interview Lift: +80.0% (strong; resolved cases with interview vs without)
Avg Prosecution: 2y 10m (typical timeline)
Currently Pending: 29
Total Applications: 47 (career history, across all art units)

Statute-Specific Performance (based on career data from 18 resolved cases; deltas are against the Tech Center average estimate)

§101: 16.2% (-23.8% vs TC avg)
§103: 54.8% (+14.8% vs TC avg)
§102: 17.5% (-22.5% vs TC avg)
§112: 11.5% (-28.5% vs TC avg)

Office Action

§101 §103
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement

The information disclosure statement (IDS) submitted on 04/21/2024 was filed. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Objections

Regarding claims 1, 15, and 16: Claims 1, 15, and 16 are objected to because of the following informalities: In line 23, “the user behavior scores” should read “the user behavior score”. Appropriate correction is required.

Regarding claim 3: Claim 3 is objected to because of the following informalities: In line 3, “one of activity sets” should read “one of the activity sets”. Claim 1 uses “time windows” to specify the time parameter while claim 3 recites “the time periods”; Examiner suggests using the same term for better consistency and to avoid confusion. Appropriate correction is required.

Regarding claim 9: Claim 9 is objected to because of the following informalities: In line 2, “the user activity data in standard sizes” is vague/indefinite. The specification of the instant application refers to “regular shorter time windows w” and “staggered windows of size z” and does not use standard sizes. Examiner suggests revising to align with the specification. In lines 5-6, “aggregated frequency the user activity sets” should read “aggregated frequency of the user activity sets”. Appropriate correction is required.

Regarding claim 14: Claim 14 is objected to for informality and indefiniteness. The phrase “taking one or more real-world steps, as a human being, to address, investigate, and/or remedy the effects of a user's behavior” is vague and subjective. The term “real world steps” lacks clear meaning and does not specify what actions are performed or by whom. Examiner suggests revising claim 14 to use clear, objective language that defines the specific remedial or investigative actions taken by the system or user. Appropriate correction is required.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-16 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.

Independent claims 1, 15 and 16:

Step 1: Claim 1 is drawn to “a method”, claim 15 is drawn to “a system”, and claim 16 is drawn to “A non-transitory computer readable medium”; therefore each of these claim groups falls under one of the four categories of statutory subject matter (process/method, machines/products/apparatus, manufactures, and compositions of matter).

Step 2A, Prong 1: Claims 1, 15, and 16 are directed to a judicially recognized exception of an abstract idea without significantly more. Each of claims 1, 15, and 16 recites the limitations “recording user activity data representing activities by a user at one or more endpoints within a tenant on a computer network”, “generating a sampled activity matrix for the user based on the recorded user activity data, wherein the sampled activity matrix comprises data that represents occurrences of a plurality of activity-sets performed by the user at the one or more endpoints over each respective one of a plurality of time windows”, “computing a user activity weight for each respective one of the activity-sets represented in the sampled activity matrix, wherein the user activity weight is based on a variance associated with the user activity-sets over the plurality of time windows”, “computing a historical user activity score across the user's tenant for each respective one of the activity-sets represented in the sampled activity matrix over a selected plurality of the time windows”, “computing a contextual user activity score across the user's tenant for each respective one of the activity-sets represented in the sampled activity matrix in a particular one of the time windows”, “computing a user behavior vector and user behavior score for the user in each respective one of plurality of time windows, based on an aggregated frequency the user activity-sets in the time window, the computed historical user activity score; the contextual user activity score, and the user activity weight”, “using the user behavior scores to detect a deviation beyond a threshold amount from a baseline behavior for the user” and “creating an internal user behavior threat notification in response to detecting a deviation beyond the threshold amount” that, under their broadest reasonable interpretation, enumerate an abstract idea. Other than reciting a high-level multi-tenant SaaS system and a generic “computer processor” (claim 16), nothing in the claims precludes the steps from practically being performed in the human mind. For example, other than the “computer processors” language, the claims encompass a user visually and manually collecting data, analyzing the data using mathematical formulas, and using the results to generate an alert. The mere nominal recitation of a generic computer component (computer processor) to automate the mental and mathematical concepts is nothing more than abstract mental and mathematical concepts (See MPEP 2106.04(a)(2)(I)(III)).

Step 2A, Prong 2: Claims 1, 15, and 16 recite the additional elements “one or more computer readable storage media” to store computer program instructions and “computer processors” to execute the computer program instructions. The computer readable storage media, the computer processor, and the multitenant software as a service (SaaS) security system are recited at a high level of generality (i.e., as generic computer components performing generic computer functions to store and to process data respectively). These generic computer functions are no more than mere instructions to apply the exception using generic computer components. The combination of these additional elements does not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea (MPEP 2106.05(f)).

Step 2B: The additional elements “one or more computer readable storage media” to store computer program instructions and “computer processors” to execute the computer program instructions are no more than generic, off-the-shelf computer components, and the Symantec, TLI, OIP Techs, and Versata court decisions cited in MPEP 2106.05(d)(II) indicate that mere collection/receipt of data over a network and/or storing and retrieving information in memory are well-understood, routine, and conventional functions when claimed in a merely generic manner (See MPEP 2106.05(d)(II)(IV)). As such, claims 1, 15, and 16 are not patent eligible.

Dependent claims 2-14:

Step 1: Claims 2-14 are drawn to “a method”; therefore each of these claims falls under one of the four categories of statutory subject matter (process/method, machines/products/apparatus, manufactures, and compositions of matter).

Steps 2A-2B: Dependent claims 2-14 are also ineligible for the same reasons given with respect to claim 1. Claims 2-14 recite the further abstract and mental concepts of collecting and storing data (logging events, timestamps, and metadata), computing historical and real-time user scores, analyzing and comparing data using mathematical models, and generating notifications or alerts based on thresholds (MPEP 2106.04(a)(2)(I)). Claims 2-14 fail to recite any additional elements/steps that might integrate the abstract idea into a practical application. As such, claims 2-14 are not patent eligible.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-8, 15 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Saunders (US 20180337937 A1) in view of Biswas (US 20200128047 A1).

Regarding claim 1, Saunders teaches a computer-facilitated method to detect internal user behavior threats in a multitenant software as a service (SaaS) security system by comparing a user's behavior to the user's prior behavior, the method comprising:

recording user activity data representing activities by a user at one or more endpoints within a tenant on a computer network (Saunders, in a multitenant cloud-based platform, all enterprise customers share the same infrastructure and the same version of the platform... an “organization” (i.e., within a tenant) is a standalone enterprise customer, a tenant on the multitenant platform and a “user” corresponds to an individual user account (i.e., endpoints), [0016] the detection system relies on application logs as input to provide and utilize a user-profiling module and an anomaly-detection module. The log files can be maintained with, for example, Apache Spark, which is an open-source cluster-computing framework, [0024] feature engineering module 120 operates on log data 110 to generate parsed data 130, [0027]) [Examiner interprets the system capturing logs from user application layer events inside the multitenant platform as recording user activity data representing activities by a user at one or more endpoints within a tenant on a computer network];

generating a sampled activity matrix for the user based on the recorded user activity data, wherein the sampled activity matrix comprises data that represents occurrences of a plurality of activity-sets performed by the user at the one or more endpoints over each respective one of a plurality of time windows (Saunders, the detection architecture can be considered a chain structure... feature engineering module 120 operates on log data 110 to generate parsed data 130… log data is first mapped into low-variance projected directions 140 using PCA matrix 145 to determine if the user has deviated from his/her stable behavior. For example, if the user has not changed his IP address in the past, but suddenly switches to a new IP address, that could constitute a low-variance anomaly of interest, [0027] the profiling module functions is to scan the most recent log history to aggregate statistics for characterizing user behavior. In one embodiment, it can run over hundreds of terabytes of data to build PCA mapping matrices at the organization level (in a multitenant environment) and users' profiles for each extracted feature set. In one embodiment, the PCA matrix is used for feature extraction (e.g. selecting high-variance and low-variance directions), which can be utilized as discussed above. In one embodiment, profiles are built for each feature subset. Profiles can be refreshed periodically to keep the users' most recent behavior. log data 200 is parsed by feature engineering agent 205 to generate parsed data 210, which can be analyzed by PCA module 215 to generate one or more PCA matrices 220. Similarly, log data 240 can be parsed by feature engineering agent 245 to generate parsed data 250, [0032-0033]) [Examiner interprets the system organizing user behavior into a matrix/features from PCA mapping matrices (i.e., a sampled activity matrix) computed from historical (multi-window) data as the limitation above];

computing a user activity weight for each respective one of the activity-sets represented in the sampled activity matrix, wherein the user activity weight is based on a variance associated with the user activity-sets over the plurality of time windows (Saunders, Principal Component Analysis (PCA) techniques can be utilized to extract high-variance and low-variance feature subsets. The low-variance feature subset can contain strong indicators of anomalous behavior when, for example, actions deviate from a user's prior behavior. The high-variance feature subset can be utilized to provide dimension reduction (as compared to raw features), [0011] for the high-variance feature set, the top N dimensions that represent at least 90% of total variance can be selected. Other and/or different high-variance parameters can be used, for example, the top N dimensions that represent 95% of the total variance or use of one or more specified high-variance dimensions. In one embodiment, for the low-variance feature set, the lowest M dimensions which represent no more than 5% of total variance can be selected. Other and/or different low-variance parameters can be used, for example, the lowest M dimensions that represent 10% of the total variance or use of one or more specified low-variance dimensions. Detection models can be built for each feature set, for use with the detection architecture that can run in a sequenced mode, [0036]) [Examiner interprets the system using variance to prioritize/choose features (i.e., the user activity weight) as the limitation above];

creating an internal user behavior threat notification in response to detecting a deviation beyond the threshold amount (Saunders, Results from low-variance analysis 140 (using PCA matrix 145) can be compared with one or more profiles 155 to determine if any of the behaviors are considered suspicious, 150. If the behavior is suspicious, 150, one or more actions can be taken, 190, which can include, for example, providing notifications to one or more parties, limiting access, blocking the user account, etc. If the behavior is not considered suspicious, 150, a high-variance analysis can be performed, [0029]).

Although Saunders teaches the structure (features, time/history feeding PCA and profiles) (i.e., sampled activity matrix) comprising periodic data [0032-0033] and relative deviation (RD) [0022-0023], Saunders does not explicitly teach: sampled activity matrix comprises data that represents occurrences of a plurality of activity-sets performed by the user at the one or more endpoints over each respective one of a plurality of time windows; computing a user activity the user activity-sets over the plurality of time windows; computing a historical user activity score across the user's tenant for each respective one of the activity-sets represented in the sampled activity matrix over a selected plurality of the time windows; computing a user behavior vector and user behavior score for the user in each respective one of plurality of time windows, based on an aggregated frequency the user activity-sets in the time window, the computed historical user activity score the contextual user activity score, and the user activity weight; using the user behavior scores to detect a deviation beyond a threshold amount from a baseline behavior for the user.

However, Biswas teaches:

sampled activity matrix comprises data that represents occurrences of a plurality of activity-sets performed by the user at the one or more endpoints over each respective one of a plurality of time windows (Biswas, activity profiles can cover different time periods. In some examples, activity profiles can use a fixed moving window covering a time period measured in weeks. In some examples, an “emerging profile” can be generated, which capture events that are relatively recent, such as within the last week or within a week prior to a target date. In some examples, a “stable profile” can be generated, which includes events within the last four (or eight) weeks or within four (or eight) weeks prior to a target date. In various examples, other profiles or profile types can be generated, [0134], fixed moving windows can be non-overlapping. That is, a window that goes further back in time can exclude events in a window that is more recent in time. For example, an eight-week profile does not include events in a four-week profile or one week profile and similarly the four-week profile does not include events within the one-week profile. Daily (or periodic) aggregation processes may be run intra-day or inter-day, [0135] Table 4 below shows example daily aggregation matrix vectors. The first column provides example application providers, the second column illustrates vector dimensions that may be supported by the providers, and the third column illustrates values that can be assigned to each dimension. TABLE 4: Application / Dimension / Description: Amazon, Salesforce, Box / Login / (# of count, Avg, Stddev, Max)…, [0138] Table 5 below lists example values for several possible daily aggregation matrix vectors. The example vectors illustrated here include a count of logins per day for one day (“logcntday_1dy”), a count of failed logins per day for one day (“logfailcntday_1dy”), a count per day of IP addresses from which failed logins occurred over one day (“logfailipdisday_1dy”), and a count per day of IP addresses used to log in over one day (“logipdisday_1dy”). TABLE 5:

    User ID   logcntday_1dy   logfailcntday_1dy   logfailipdisday_1dy   logipdisday_1dy
    User1     5               4                   3                     2
    User2     6               2                   2                     1
    User3     4               3                   2                     2
    User4     4               4                   2                     1
    User5     5               5                   1                     1

[0139]) [Examiner interprets aggregation matrix vectors comprising counts per day/week as a sampled activity matrix of occurrences per activity set per window];

computing a user activity the user activity-sets over the plurality of time windows (Biswas, activity profiles can cover different time periods. In some examples, activity profiles can use a fixed moving window covering a time period measured in weeks. … In some examples, a “stable profile” can be generated, which includes events within the last four (or eight) weeks or within four (or eight) weeks prior to a target date. In various examples, other profiles or profile types can be generated., [0134] fixed moving windows can be non-overlapping... … Daily (or periodic) aggregation processes may be run intra-day or inter-day, [0135] Table 3 below shows example calculated statistics for some user activities. The example user activities include an average login count for a four-week window profile (“avglogcntday4wk”), an average login IP address count for a four-week window profile (“avglogipcntday42k”), a standard deviation of login count for a one-week window profile (“stdlogcntday1wk”), and a standard deviation of login IP address count for a one-week window profile (“stdlogipcntday1wk”). Similar and other statistics can be calculated, depending on the available data and/or the threat being predicted, [0136] Statistics such as those can be combined into a feature vector. Feature vectors can include, for example, a count of a number of logins, a count of a number of distinct IP addresses used for logging in, a maximum distance between any two IP addresses used to log in within a 24-hour time period, a count of a number of distinct browsers used in connections to the cloud application within a 24-hour time period, and/or other measures. Feature vectors may be aggregated per cloud application and/or per user per cloud application, [0137] Tables 4 and 5 show daily aggregation vectors computed over time windows (1 day, 1 week, 4 weeks, etc.), [0138-0139]) [Examiner interprets the system computing user activities (logins, failed logins, downloads, etc.) (i.e., the activity sets) across a plurality of time windows, with these recurring aggregation windows forming user activity sets, as computing a user activity the user activity-sets over the plurality of time windows];

computing a historical user activity score across the user's tenant for each respective one of the activity-sets represented in the sampled activity matrix over a selected plurality of the time windows (Biswas, Table 3 below shows example calculated statistics for some user activities. The example user activities include an average login count for a four-week window profile (“avglogcntday4wk”), an average login IP address count for a four-week window profile (“avglogipcntday42k”), a standard deviation of login count for a one-week window profile (“stdlogcntday1wk”), and a standard deviation of login IP address count for a one-week window profile (“stdlogipcntday1wk”). Similar and other statistics can be calculated, depending on the available data and/or the threat being predicted, [0136] Statistics such as those can be combined into a feature vector. Feature vectors can include, for example, a count of a number of logins, a count of a number of distinct IP addresses used for logging in, a maximum distance between any two IP addresses used to log in within a 24-hour time period, a count of a number of distinct browsers used in connections to the cloud application within a 24-hour time period, and/or other measures. Feature vectors may be aggregated per cloud application and/or per user per cloud application, [0137] Tables 4 and 5 show daily aggregation vectors computed over time windows (1 day, 1 week, 4 weeks, etc.), [0138-0139] Z-Scores can be calculated to determine deviation of user behavior over different time periods using maximum distances as calculated above. As an example, time periods of 1 week, 4 weeks, and 8 weeks are shown... The Z-scores may be combined with weights (w1 . . . w3) assigned to each score, as follows: L_Combined = (w1 × L1 ZScore) + (w2 × L2 ZScore) + (w3 × L3 ZScore) … default baselines may be applied using values calculated based on existing data, including a default Avg (average) and default Stddev (standard deviation)… An anomaly condition in the variation in login IP addresses may be defined as L_Combined > T where T is a threshold. The threshold can be determined from previous data and/or can be modified over time, [0152-0154] scores such as these, as well as other indicators, can be used to compute a risk score, … a risk score can be computed as a weighted sum of the available indicators, [0161-0163]) [Examiner interprets the system computing user activities (logins, failed logins, downloads, etc.) (i.e., the activity sets) across a plurality of time windows, computing historical or past user activity statistics (averages, standard deviations) across multiple windows for each user and service, and computing z-scores and risk scores over weeks (i.e., historical user score) using those statistics as the limitation above];

computing a user behavior vector and user behavior score for the user in each respective one of plurality of time windows, based on an aggregated frequency the user activity-sets in the time window, the computed historical user activity score the contextual user activity score, and the user activity weight (Biswas, the contextual data can include, for example, identification of a type of the client device, IP addresses used by the client device, geolocation data computed by a Global Positioning System (GPS) receiver of the client device, and other information about the client device or that can be obtained from the client device..., [0133] Statistics such as those can be combined into a feature vector. Feature vectors can include, for example, a count of a number of logins, a count of a number of distinct IP addresses used for logging in, a maximum distance between any two IP addresses used to log in within a 24-hour time period, a count of a number of distinct browsers used in connections to the cloud application within a 24-hour time period, and/or other measures. Feature vectors (i.e., a user behavior vector) may be aggregated per cloud application and/or per user per cloud application, [0137] multiple algorithms computing weighted Z-scores (L1, L2, L3) using averages and standard deviations across 1, 4, and 8 weeks (i.e., the computed historical user activity score) … The Z-scores may be combined with weights (w1 . . . w3) assigned to each score, as follows: L_Combined = (w1 × L1 ZScore) + (w2 × L2 ZScore) + (w3 × L3 ZScore), weights in the Z-score (i.e., the user activity weight) [0143-0154] Indicators used to compute a risk score can provide a particular risk factor, also in the form of a score… indicators that can be used to compute a risk score can be associated with a user, a service, a service provider, a geolocation where the user appears to be located, a domain where the user appears to be located, a time of day or day of the week or time of the year, or another factor (i.e., contextual user activity score). An indicator for a user can be obtained, for example, from the organization with which the user is associated, from a reputation site, from social media sites, from news organizations, or from another source. An indicator for a service or service provider can be obtained, for example, from threat intelligence aggregators or distributors, who may track the reputation of a service or service provider. Other indicators may be provided by internal threat intelligence data 314, … a risk score can be computed as a weighted sum of the available indicators (i.e., historical, contextual, behavioral), [0162-0163]) [Examiner interprets the system creating feature vectors (i.e., user behavior vectors) from aggregated activities such as login counts, IP addresses, downloads (i.e., an aggregated frequency the user activity-sets in the time window) and computing weighted Z-scores or risk scores (i.e., user behavior score) as the limitation above];

using the user behavior scores to detect a deviation beyond a threshold amount from a baseline behavior for the user (Biswas, The Z-scores may be combined with weights (w1 . . . w3) assigned to each score, as follows: L_Combined = (w1 × L1 ZScore) + (w2 × L2 ZScore) + (w3 × L3 ZScore) ... weights that are applied may be calculated dynamically depending on when the calculation is performed. For example, at day one, default baselines may be applied using values calculated based on existing data, including a default Avg (average) and default Stddev (standard deviation). In this example, the weights can be varied as time progresses, as provided above. An anomaly condition in the variation in login IP addresses may be defined as L_Combined > T where T is a threshold. The threshold can be determined from previous data and/or can be modified over time, [0153-0154]) [Examiner interprets the system computing weighted z-scores or risk scores (i.e., user behavior score) and using those scores to identify the deviation from historical baselines or normal behavior when the score is above the threshold amount from the baselines as the limitation above].

Therefore, it would have been obvious to a PHOSITA before the effective filing date to modify the teaching of Saunders to include the concepts of a sampled activity matrix comprising data that represents occurrences of a plurality of activity-sets performed by the user at the one or more endpoints over each respective one of a plurality of time windows; computing a user activity the user activity-sets over the plurality of time windows; computing a historical user activity score across the user's tenant for each respective one of the activity-sets represented in the sampled activity matrix over a selected plurality of the time windows; computing a user behavior vector and user behavior score for the user in each respective one of plurality of time windows, based on an aggregated frequency the user activity-sets in the time window, the computed historical user activity score the contextual user activity score, and the user activity weight; and using the user behavior scores to detect a deviation beyond a threshold amount from a baseline behavior for the user, as taught by Biswas, for the purpose of detecting actions that are taken more/less than normal, which detects action patterns that are not in line with the historical usage pattern for the user [Biswas: 0214].
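The Biswas passages the examiner relies on for the last three limitations (the daily aggregation matrix of Table 5, averages and standard deviations over non-overlapping 1-, 4- and 8-week windows, the weighted combination L_Combined = (w1 × L1 ZScore) + (w2 × L2 ZScore) + (w3 × L3 ZScore), default baselines when no history exists, and the anomaly condition L_Combined > T) together describe one baselining pipeline. The Python below is an added illustration of that pipeline written for this page; it is not code from the application, the Office Action, Saunders or Biswas. The window boundaries, weights, threshold, default baseline, standard-deviation floor and every log event are constructed assumptions chosen so the arithmetic can be checked by hand.

```python
"""Behavioural-baseline scorer: added illustrative example, not code from the
application, the Office Action, Saunders or Biswas.

1. build a per-user daily aggregation matrix (user -> day -> activity-set -> count,
   the cell layout of Biswas Table 5) from raw activity events;
2. compute avg / stddev of one cell over non-overlapping look-back windows;
3. z-score the target day against each window and combine:
       L_combined = w1*Z1 + w2*Z2 + w3*Z3
4. flag an anomaly when L_combined > T.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

# Look-back windows in days before the target day (inclusive bounds): the last
# week, the three weeks before it, the four weeks before that. Non-overlapping,
# as in the quoted Biswas profiles. Sizes are assumptions.
WINDOWS = ((1, 7), (8, 28), (29, 56))
WEIGHTS = (0.5, 0.3, 0.2)              # w1..w3, sum to 1 (assumed)
THRESHOLD = 3.0                        # T (assumed)
DEFAULT_AVG, DEFAULT_STD = 5.0, 2.0    # default baseline for a window with no history (assumed)
MIN_STD = 0.5                          # floor so a constant history never divides by zero (assumed)


def build_daily_matrix(events):
    """events: iterable of (user, day, activity). Returns {user: {day: {activity: count}}}."""
    matrix = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for user, day, activity in events:
        matrix[user][day][activity] += 1
    return matrix


def window_stats(matrix, user, activity, target_day, window):
    """(avg, std) of the activity count over the window.

    Only days on which the user appears in the matrix are used, so a brand-new
    user falls back to the default baseline instead of a history of zeros.
    """
    first, last = window
    days = [target_day - timedelta(days=d) for d in range(first, last + 1)]
    counts = [matrix[user][d][activity] for d in days if d in matrix[user]]
    if not counts:
        return DEFAULT_AVG, DEFAULT_STD
    return mean(counts), max(pstdev(counts), MIN_STD)


def zscore(value, avg, std):
    return (value - avg) / std


def combined_score(matrix, user, activity, target_day, weights=WEIGHTS):
    """L_combined = sum over windows of w_i * Z_i for the target day's cell."""
    value = matrix[user][target_day][activity]
    return sum(w * zscore(value, *window_stats(matrix, user, activity, target_day, win))
               for w, win in zip(weights, WINDOWS))


def detect_deviation(matrix, user, activity, target_day, threshold=THRESHOLD):
    """Returns (L_combined, anomalous). Anomaly condition: L_combined > T."""
    score = combined_score(matrix, user, activity, target_day)
    return score, score > threshold


# --- constructed sample data -------------------------------------------------
TARGET = date(2024, 4, 19)
WEEKLY_PATTERN = (5, 5, 6, 4, 5, 6, 4)   # steady history: mean 5 logins/day, small spread


def constructed_events():
    """56 days of steady logins for 'alice', a 40-login burst on the target day,
    and 'bob' who has no history at all. Entirely constructed data."""
    events = []
    for d in range(1, 57):
        day = TARGET - timedelta(days=d)
        events += [("alice", day, "login")] * WEEKLY_PATTERN[d % 7]
    events += [("alice", TARGET, "login")] * 40
    events += [("bob", TARGET, "login")] * 6
    return events


if __name__ == "__main__":
    m = build_daily_matrix(constructed_events())
    for user in ("alice", "bob"):
        score, flagged = detect_deviation(m, user, "login", TARGET)
        print(f"{user}: L_combined={score:.2f} anomaly={flagged}")
```

Because every look-back window is a whole number of weeks, each one sees the same weekly pattern and yields the same baseline (avg 5, stddev about 0.76), so alice's 40-login day scores far above T while bob, scored only against the default baseline, does not. In a real deployment the three windows would drift apart as behaviour changes, which is exactly what the separate weights are for.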
Regarding claim 2, Saunders and Biswas teach the computer-facilitated method of claim 1, wherein recording the user activity data comprises: collecting the user activity data from a plurality of sources within a portion of the computer network that corresponds to a tenant over time; and storing the collected user activity data in a computer-based activity data store together (Saunders, in a second phase, on each feature subset, using historical data, a profile is built for each user to characterize the user's baseline normal behavior (i.e., a historical user activity score) as well as legitimate abnormal behavior, [0012], the detection system relies on application logs as input to provide and utilize a user-profiling module and an anomaly-detection module. The log files can be maintained with, for example, Apache Spark, which is an open-source cluster-computing framework, [0024] Some on-demand database services may store information from one or more tenants stored into tables of a common database image to form a multi-tenant database system (MTS), [0048] With a multi-tenant system, data for multiple tenants may be stored in the same physical database object, however, tenant data typically is arranged so that data of one tenant is kept logically separate from that of other tenants so that one tenant does not have access to another tenant's data, [0052]) [Examiner interprets the system obtaining logs from application servers from different tenants (i.e., a plurality of sources) over time and storing them to the database system as the limitation above].

Saunders does not explicitly teach: collecting from multiple sources and storing the collected user activity data with associated timestamps and associated metadata.

However, Biswas teaches: collecting from multiple sources and storing the collected user activity data with associated timestamps and associated metadata (Biswas, the security monitoring and control system 102 can use data logs from the service provider 110. In various examples, the service provider 110 can record user activity as the services 112a-112b of the service provider 110 are used. For example, the service provider 110 can record when users log into a service, a network and/or geographic location for a user when the user logs in, actions performed by the user when the user uses a service, a resource affected by the action, and other information related to use of a service. Data from service providers are referred to herein as activity data or activity logs, [0069] activity data (e.g., an audit log record) that can be obtained from a service provider (Table 1):

    "entries": [
      {
        "source": {
          "type": "user",
          "id": "222853877",
          "name": "Sandra Lee",
          "login": "sandra@company.com"
        },
        "created_by": {
          "type": "user",
          "id": "222853866",
          "name": "Mike Smith",
          "login": "mike@company.com"
        },
        "created_at": "2016-12-02T011:41:31-08:00",
        "event_id": "b9a2393a-20cf-4307-90f5-004110dec233",
        "event_type": "ADD_LOGIN_ACTIVITY_DEVICE",
        "ip_address": "140.54.34.21",
        "type": "event",
        "session_id": null,
        "additional_details": null
      }
      …

Table 2, Table 3…, [0068-0073] the data loader application 206 can store retrieved activity data in the analytics and threat intelligence repository 211. The analytics and threat intelligence repository 211 can be any database or data repository with query capability. In some examples, the analytics and threat intelligence repository 211 is built in a NoSQL based infrastructure such as Apache Cassandra or another distributed data processing system, [0110]) [Examiner interprets storing user activity logs obtained from multiple cloud service providers through APIs in the repositories and database system, with timestamps and metadata associated with the logs as shown in Tables 1, 2 and 3, as the limitation above].

Therefore, it would have been obvious to a PHOSITA before the effective filing date to modify the teaching of Saunders to include the concept of collecting from multiple sources and storing the collected user activity data with associated timestamps and associated metadata, as taught by Biswas, for the purpose of storing retrieved activity data in the analytics and threat intelligence repository 211 [Biswas: 0110].

Regarding claim 3, Saunders and Biswas teach the computer-facilitated method of claim 1, wherein the sampled activity matrix for the user comprises a plurality of cells, wherein each cell identifies how many times the user performed a corresponding one of activity-sets during a particular one of the time periods (Saunders, the profiling module functions is to scan the most recent log history to aggregate statistics for characterizing user behavior... it can run over hundreds of terabytes of data to build PCA mapping matrices at the organization level (in a multitenant environment) and users' profiles for each extracted feature set. In one embodiment, the PCA matrix is used for feature extraction (e.g. selecting high-variance and low-variance directions),... profiles are built for each feature subset. Profiles can be refreshed periodically to keep the users' most recent behavior, [0032] log data 200 is parsed by feature engineering agent 205 to generate parsed data 210, which can be analyzed by PCA module 215 to generate one or more PCA matrices 220. Similarly, log data 240 can be parsed by feature engineering agent 245 to generate parsed data 250, [0033]).

Although Saunders teaches a PCA matrix, which inherently teaches a table of user features, Saunders does not explicitly teach: each cell identifies how many times the user performed a corresponding one of activity-sets during a particular one of the time periods.

However, Biswas teaches: each cell identifies how many times the user performed a corresponding one of activity-sets during a particular one of the time periods (Biswas, Table 4 below shows example daily aggregation matrix vectors. The first column provides example application providers, the second column illustrates vector dimensions that may be supported by the providers, and the third column illustrates values that can be assigned to each dimension. TABLE 4: Application / Dimension / Description: Amazon, Salesforce, Box / Login / (# of count, Avg, Stddev, Max)…, [0138] Table 5 below lists example values for several possible daily aggregation matrix vectors. The example vectors illustrated here include a count of logins per day for one day (“logcntday_1dy”), a count of failed logins per day for one day (“logfailcntday_1dy”), a count per day of IP addresses from which failed logins occurred over one day (“logfailipdisday_1dy”), and a count per day of IP addresses used to log in over one day (“logipdisday_1dy”). TABLE 5:

    User ID   logcntday_1dy   logfailcntday_1dy   logfailipdisday_1dy   logipdisday_1dy
    User1     5               4                   3                     2
    User2     6               2                   2                     1
    User3     4               3                   2                     2
    User4     4               4                   2                     1
    User5     5               5                   1                     1

[0139]) [Examiner interprets each (activity, day) pair holding a count, as shown in Table 5, as the limitation above].
Regarding claim 4, Saunders teaches the computer-facilitated method of claim 1, wherein each respective one of the activity- sets is an activity or a set of related activities that were performed by a corresponding one of the users at one of the endpoints on the computer network within a predetermined amount of time (Saunders, the detection architecture can be considered a chain structure. Feature engineering module 120 operates on log data 110 to generate parsed data 130. In one embodiment, log data is first mapped into low-variance projected directions 140 using PCA matrix 145 to determine if the user has deviated from his/her stable behavior. For example, if the user has not changed his IP address in the past, but suddenly switches to a new IP address, that could constitute a low-variance anomaly of interest, [0027] The low-variance analysis is focused on conditions/events that happen relatively infrequently for a specific user. Other examples of low-variance characteristics include, for example, device operating system type (e.g., Windows®, MacOS®, Linux), hardware computing device being used (e.g., device address, device identifier, processor identifier), etc. Other types of low-variance characteristics and conditions can also be utilized, [0028]) [Examiner interprets that system grouping corelated events as low variance characteristics such as OS type, hardware device, and IP address changes (i.e., the activity sets) over a period of time (pat to present) as limitation above]. 
Regarding claim 5, Saunders and Biswas teaches the computer-facilitated method of claim 1, further comprising: creating a user profile for the user, wherein creating the user profile comprises: projecting the user activity data from the sampled activity matrix into N dimensions using principal component analysis, wherein N is a number of activity-sets represented in the sampled activity matrix; and ranking the activity-sets represented in the sampled activity matrix according to degree of variance to produce a ranked list of activity sets for the user (Saunders, In a first phase, Principal Component Analysis (PCA) techniques can be utilized to extract high-variance and low-variance feature subsets. The low-variance feature subset can contain strong indicators of anomalous behavior when, for example, actions deviate from a user's prior behavior. The high-variance feature subset can be utilized to provide dimension reduction (as compared to raw features), [0011], log data is first mapped into low-variance projected directions 140 using PCA matrix 145 to determine if the user has deviated from his/her stable behavior. For example, if the user has not changed his IP address in the past, but suddenly switches to a new IP address, that could constitute a low-variance anomaly of interest, [0027] for the high-variance feature set, the top N dimensions that represent at least 90% of total variance can be selected. Other and/or different high-variance parameters can be used, for example, the top N dimensions that represent 95% of the total variance or use of one or more specified high-variance dimensions. In one embodiment, for the low-variance feature set, the lowest M dimensions which represent no more than 5% of total variance can be selected. Other and/or different low-variance parameters can be used, for example, the lowest M dimensions that represent 10% of the total variance or use of one or more specified low-variance dimensions. 
Detection models can be built for each feature set, for use with the detection architecture that can run in a sequenced mode, [0036]) [Examiner interprets that system using PCA techniques to extract high variance and low variance subsets, and top N dimensions representing 90% of total variance or use of one or more specified high-variance dimensions and the lowest M dimensions that represent 10% of the total variance or use of one or more specified low-variance dimensions as limitation above]. Regarding claim 6, Saunders and Biswas teaches the computer-facilitated method of claim 5, wherein computing the user activity weight for each respective one of the activity-sets represented in the sampled activity matrix comprises: assigning a normalized weight to each of the activity-sets in the ranked list of activity sets for the user (Saunders, Principal Component Analysis (PCA) techniques can be utilized to extract high-variance and low-variance feature subsets. The low-variance feature subset can contain strong indicators of anomalous behavior when, for example, actions deviate from a user's prior behavior. The high-variance feature subset can be utilized to provide dimension reduction (as compared to raw features), [0011] for the high-variance feature set, the top N dimensions that represent at least 90% of total variance can be selected. Other and/or different high-variance parameters can be used, for example, the top N dimensions that represent 95% of the total variance or use of one or more specified high-variance dimensions. In one embodiment, for the low-variance feature set, the lowest M dimensions which represent no more than 5% of total variance can be selected. Other and/or different low-variance parameters can be used, for example, the lowest M dimensions that represent 10% of the total variance or use of one or more specified low-variance dimensions. 
Detection models can be built for each feature set, for use with the detection architecture that can run in a sequenced mode, [0036]) [Examiner interprets that system using variance to prioritize /choose features (i.e., the user activity weight) as limitation above]; Saunders does not explicitly teach: assigning a normalized weight to each of the activity-sets in the ranked list of activity sets for the user However, Biswas teaches: assigning a normalized weight to each of the activity-sets in the ranked list of activity sets for the user (Biswas, The Z-scores may be combined with weights (w1 . . . w3) assigned to each score, as follows:L Combined=(w1×L1 ZScore)+(w2×L2 ZScore)+(w3×L3 ZScore)…the sum of the weights is one. Weights that are applied may be calculated dynamically depending on when the calculation is performed. …for the first week, starting from day two, an L1 Z-Score is available, so that the weights can be set to w1=1, w2=0, w3=0. Continuing with the example, after five weeks, L1 and L2 Z-Scores are available, and the weights can be set to w1=0.4, w2=0.6, w3=0. After 14 weeks, L1, L2, and L3 Z-Scores are available, so that the weight can be set to w1=0.2, w2=0.3, w3=0.5, [0144-0145] a risk score can be computed as a weighted sum of the available indicators… In the preceding equation, “W.sub.1, W.sub.2, . . . W.sub.n” are weights. In various examples, a weight value can indicate the relative importance of an indicator, with less important indicators receiving a lower weight value, [0163-0164]) [Examiner interprets that system dynamically adjusting feature weights per indicators (i.e., each of the activity-sets) and normalized weight is inherently satisfied by z score standardization and weighting as limitation above] The same motivation applies as claim 1. 
Regarding claim 7, Saunders and Biswas teaches the computer-facilitated method of claim 1, wherein Although Saunders teaches computing historical statistics across users and time windows, [0012] [0038-0041], Biswas further teaches: computing the historical user activity score for each respective one of the activity-sets comprises: computing a historical user activity matrix, wherein each cell in the historical user activity matrix includes a sum of frequencies of the activity-sets for the user over the selected plurality of the time windows, wherein the selected plurality of time windows corresponds to a period of time that includes the last X days, wherein the historical user activity matrix comprises N rows, each row corresponding to a particular one of the users in the tenant, and P columns, each column corresponding to a particular one of the activity-sets performed by the users in the tenant; and wherein the historical user activity score is computed as: HA where HCj corresponds to the frequency in the user activity matrix for activity-sets and useri,->v= {HC1 , HC23, ... , HCNj}. (Biswas, activity profiles can cover different time periods. In some examples, activity profiles can use a fixed moving window covering a time period measured in weeks. In some examples, a “stable profile” (i.e., historical profile) can be generated, which includes events within the last four (or eight) weeks or within four (or eight) weeks prior to a target date..other profiles or profile types can be generated, [0134] Statistics such as those can be combined into a feature vector. Feature vectors can include, for example, a count of a number of logins, a count of a number of distinct IP addresses used for logging in, a maximum distance between any two IP addresses used to log in within a 24-hour time period, a count of a number of distinct browsers used in connections to the cloud application within a 24-hour time period, and/or other measures. 
Feature vectors may be aggregated per cloud application and/or per user per cloud application, [0137] Table 4 and 5 shows daily aggregation vectors computed over time windows (1 day, 1 week, 4 week etc.,), [0138-0139] Z-Scores can be calculated to determine deviation of user behavior over different time periods using maximum distances as calculated above. As an example, time periods of 1 week, 4 weeks, and 8 weeks are shown.. The Z-scores may be combined with weights (w1 . . . w3) assigned to each score, as follows:L Combined=(w1×L1 ZScore)+(w2×L2 ZScore)+(w3×L3 ZScore)….. default baselines may be applied using values calculated based on existing data, including a default Avg (average) and default Stddev (standard deviation)… An anomaly condition in the variation in login IP addresses may be defined as L_Combined>T where T is a threshold. The threshold can be determined from previous data and/or can be modified over time, [0152-0154]) [Examiner interprets that system computing user activities (logins, failed logins downloads etc.,) (i.e., the activity sets) across plurality of time windows, computing historical or past user activity statistics (averages, standard deviations) across multiple windows for each user and service, and computing z score and risk scores over weeks (i.e., historical user score) using those statistics as limitation above]. The same motivation applies as claim 1. Although, Biswas does not explicitly teach the exact logarithmic formula as given in claim 7, its use of averages, variances, and normalized Z score achieves same statistical purpose, furthermore, Biswas computes all the parameters/elements as claimed in claim 7 that is needed to build the logarithmic formula such as Multiweek (time window based ) historical matrices of user metrics (count average, std. 
dev), these matrices forming a table (Matrix) where rows = users and columns = activities (activity sets such as login, download, IP change) , the total daily/weekly counts stored in aggregation matrix (table 4-5) (i.e., sum of frequencies of activity sets), moving time windows 1,4, 8 weeks to compute long term averages (i.e., the selected plurality of time windows), Computing Z scores and standard deviation based on the deviation formula, thus, it is obvious that to use those parameters to create the given equation and compute the historical user behavior score. Regarding claim 8, Saunders and Biswas teaches the computer-facilitated method of claim 7, wherein computing the contextual user activity score comprises: using live-streaming user activity data from the user's tenant to compute a contextual user activity matrix, wherein each cell in the contextual user activity matrix includes a sum of the frequencies of a particular one of the activity-sets for the user in a current one of the plurality of time windows, wherein the contextual user activity matrix comprises N rows and P columns, wherein N represents a number of active users in the tenant during the current one of the plurality of time windows and P represents a number of current activity-sets in the tenant during the current one of the plurality of time windows, and wherein the contextual user activity score is computed as:, where CC corresponds to the frequency in the user activity matrix for activity-sets and user,->v= {CCia , CC23, ... . ) (Biswas, the activity data 310 can include activity logs for multiple services and/or multiple service providers. In these and other examples, one activity log can include user activity for one service or for multiple services provided by the same service provider, the analytics engine 300 receives updated activity data 310 once per day, every other day, or periodically over another time interval, [0128-0129] activity profiles can cover different time periods. 
In some examples, activity profiles can use a fixed moving window covering a time period measured in weeks. In some examples, an “emerging profile” can be generated, which capture events that are relatively recent, such as within the last week or within a week prior to a target date. fixed moving windows can be non-overlapping. That is, a window that goes further back in time can exclude events in a window that is more recent in time….Daily (or periodic) aggregation processes may be run intra-day or inter-day, [0135] Z-Scores can be calculated to determine deviation of user behavior over different time periods using maximum distances as calculated above. As an example, time periods of 1 week, 4 weeks, and 8 weeks are shown.. The Z-scores may be combined with weights (w1 . . . w3) assigned to each score, as follows:L Combined=(w1×L1 ZScore)+(w2×L2 ZScore)+(w3×L3 ZScore)….. default baselines may be applied using values calculated based on existing data, including a default Avg (average) and default Stddev (standard deviation)… An anomaly condition in the variation in login IP addresses may be defined as L_Combined>T where T is a threshold. The threshold can be determined from previous data and/or can be modified over time, [0152-0154] Table 4 and 5 shows daily aggregation vectors computed over time windows (1 day, 1 week, 4 week etc.,), [0138-0139] different models can be developed from users' activities in using a cloud service. These activities may be monitored in real time and/or by analyzing the audit trail log described above, [0185]) [Examiner interprets system collecting continuous user activity data from endpoint
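The pipeline the examiner relies on for claims 3, 6, 7 and 8 (a per-user, per-day count cell for each activity-set as in Biswas Table 5, a Z-score of the target day against 1-, 4- and 8-week windows, the w1..w3 weight schedule that sums to one, and the L_Combined > T anomaly condition) is small enough to run end to end. The block below is an added illustration written for this page; it is not code from the application, from Saunders or from Biswas. The event-type names, the 35-day constructed history, the definition of "weeks available" as whole weeks of history, the zero-stddev fallback and the threshold T = 3 are all assumptions made for the example.

```python
"""Daily aggregation matrix and multi-window Z-score scoring (added example)."""
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta
from statistics import mean, pstdev

USER = "sandra@company.com"   # invented user; login borrowed from the quoted record
BASE = date(2016, 11, 1)      # first day of the constructed history (assumption)
WINDOWS = (7, 28, 56)         # L1, L2, L3 windows in days: 1, 4 and 8 weeks
THRESHOLD = 3.0               # T; the value is an assumption for the example


def day(i):
    """Calendar date of day index i of the constructed history."""
    return BASE + timedelta(days=i)


def _ev(i, etype, ip, login=USER):
    """One constructed audit-log record shaped after the quoted 'entries' row."""
    return {"login": login, "created_at": f"{day(i).isoformat()}T08:00:00-08:00",
            "event_type": etype, "ip_address": ip}


# Constructed sample: 35 baseline days with 3 logins from one IP and (i mod 3)
# failed logins per day, then day 35 with 12 failures from 12 distinct IPs.
SAMPLE_EVENTS = []
for i in range(35):
    SAMPLE_EVENTS += [_ev(i, "LOGIN", "140.54.34.21")] * 3
    SAMPLE_EVENTS += [_ev(i, "LOGIN_FAILED", "140.54.34.21")] * (i % 3)
SAMPLE_EVENTS += [_ev(35, "LOGIN", "140.54.34.21")] * 3
SAMPLE_EVENTS += [_ev(35, "LOGIN_FAILED", f"10.0.0.{n}") for n in range(1, 13)]


def daily_aggregation_matrix(events):
    """Return {(user, date): {dimension: count}}: one cell per (user, day,
    activity-set), using the four dimension names of Biswas Table 5."""
    counts = defaultdict(Counter)                    # (user, day) -> event_type -> n
    ips = defaultdict(lambda: defaultdict(set))      # (user, day) -> event_type -> IPs
    for e in events:
        key = (e["login"], datetime.fromisoformat(e["created_at"]).date())
        counts[key][e["event_type"]] += 1
        ips[key][e["event_type"]].add(e["ip_address"])
    return {key: {
        "logcntday_1dy": c["LOGIN"],
        "logfailcntday_1dy": c["LOGIN_FAILED"],
        "logfailipdisday_1dy": len(ips[key]["LOGIN_FAILED"]),
        "logipdisday_1dy": len(ips[key]["LOGIN"]),
    } for key, c in counts.items()}


def zscore(value, history):
    """(value - mean) / stddev over one window; None when the window is empty.
    A zero stddev (perfectly regular history) falls back to 1.0 so a change
    still registers instead of dividing by zero (assumption; Biswas mentions
    default Avg/Stddev baselines without giving values)."""
    if not history:
        return None
    sd = pstdev(history)
    return (value - mean(history)) / (sd if sd > 0 else 1.0)


def dynamic_weights(weeks_available):
    """w1..w3 chosen by how much history exists, following the schedule quoted
    in the office action; the weights always sum to one."""
    if weeks_available >= 14:
        return (0.2, 0.3, 0.5)
    if weeks_available >= 5:
        return (0.4, 0.6, 0.0)
    return (1.0, 0.0, 0.0)


def combined_score(matrix, user, target_day, dimension):
    """L_Combined = w1*L1 + w2*L2 + w3*L3 for one user and activity-set, where
    L_k is the Z-score of target_day's cell against the k-th window."""
    history_days = sorted(d for (u, d) in matrix if u == user and d < target_day)
    today = matrix.get((user, target_day), {}).get(dimension, 0)
    zs = []
    for win in WINDOWS:
        hist = [matrix[(user, d)][dimension] for d in history_days
                if (target_day - d).days <= win]
        z = zscore(today, hist)
        zs.append(0.0 if z is None else z)   # a window with no data contributes nothing
    weights = dynamic_weights(len(history_days) // 7)   # "weeks available" (assumed definition)
    return sum(w * z for w, z in zip(weights, zs))


def is_anomalous(score, threshold=THRESHOLD):
    """Anomaly condition L_Combined > T."""
    return score > threshold


MATRIX = daily_aggregation_matrix(SAMPLE_EVENTS)

if __name__ == "__main__":
    for d in (day(34), day(35)):
        s = combined_score(MATRIX, USER, d, "logfailcntday_1dy")
        print(d, MATRIX[(USER, d)], f"L_Combined={s:.2f}",
              "ANOMALY" if is_anomalous(s) else "ok")
```

With 35 days of history the schedule selects w = (0.4, 0.6, 0), so the day-35 burst of failed logins is scored against the 1-week and 4-week windows only; the last ordinary baseline day scores well under T. The same matrix feeds the "emerging" (current-window) and "stable" (historical) profiles the examiner maps to claims 7 and 8: only the window length passed to zscore changes.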

Prosecution Timeline

Apr 21, 2024
Application Filed
Oct 30, 2025
Non-Final Rejection — §101, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12591663
INFORMATION PROCESSING DEVICE, INFORMATION PROCESSING METHOD, AND INFORMATION PROCESSING COMPUTER PROGRAM PRODUCT
2y 5m to grant Granted Mar 31, 2026
Patent 12470379
LINK ENCRYPTION AND KEY DIVERSIFICATION ON A HARDWARE SECURITY MODULE
2y 5m to grant Granted Nov 11, 2025
Patent 12452254
SECURE SIGNED FILE UPLOAD
2y 5m to grant Granted Oct 21, 2025
Patent 12341788
NETWORK SECURITY SYSTEMS FOR IDENTIFYING ATTEMPTS TO SUBVERT SECURITY WALLS
2y 5m to grant Granted Jun 24, 2025
Patent 12292969
Provenance Inference for Advanced CMS-Targeting Attacks
2y 5m to grant Granted May 06, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

1-2
Expected OA Rounds
44%
Grant Probability
99%
With Interview (+80.0%)
2y 10m
Median Time to Grant
Low
PTA Risk
Based on 18 resolved cases by this examiner. Grant probability derived from career allow rate.
