Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Detailed Action
The following final office action is in response to the communication filed on February 17, 2026. Claims 1, 12, 14 and 15 are amended. Claims 16-18 are newly added. Therefore, claims 1-18 are pending and addressed below.
Allowable Subject Matter
Claims 12, 17 and 18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Drawings
The drawings are not of sufficient quality to permit examination. Accordingly, replacement drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to this Office action. The replacement sheet(s) should be labeled “Replacement Sheet” in the page header (as per 37 CFR 1.84(c)) so as not to obstruct any portion of the drawing figures. If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action.
Applicant is given a shortened statutory period of TWO (2) MONTHS to submit new drawings in compliance with 37 CFR 1.81. Extensions of time may be obtained under the provisions of 37 CFR 1.136(a) but in no case can any extension carry the date for reply to this letter beyond the maximum period of SIX MONTHS set by statute (35 U.S.C. 133). Failure to timely submit replacement drawing sheets will result in ABANDONMENT of the application.
Figures 2-5 and Figures 8-10 are not of sufficient quality to permit examination.
Response to Arguments
Applicant's arguments filed February 17, 2026 have been fully considered but they are not persuasive for the following reasons:
As per the prior art rejection of claim 1 on page 13, applicant argues: “The “feature vectors” in paragraph [0044] of Eldardiry are not “ranked lists of activity-sets for each user…derived from the recorded user activity data for that user,” as recited in claim 1, and the “clustering” described in paragraph [0044] of Eldardiry does not “grouping users…into clusters based on similarity between ranked lists of activity sets for the users,” as recited in claim 1”.
The examiner respectfully disagrees. Eldardiry teaches “the ranked lists of activity-sets” in paragraphs [0038] and [0050]: “the system may generate a rank list of the users based on the anomaly scores”. Both generate a ranked list of user activity-sets based on the assigned user activity weight. Eldardiry teaches “grouping users…into clusters based on similarity between ranked lists of activity sets for the users” in paragraph [0024]: “During operation, the system observes users' activities and clusters the users into different peer groups (grouping users into clusters) based on their activities in each domain (based on similarity between ranked lists of activity sets for the users). The system detects unusual behavior changes by comparing a user's behavior changes with behavior changes of his peers.”; Eldardiry further teaches in paragraph [0044]: “users with similar job roles tend to behave similarly, and hence would belong to the same cluster within each domain”.
As per the prior art rejection of claim 1 on pages 14 and 15, applicant argues: The “list of users” in paragraph [0050] of Eldardiry is not a “list of …activity-sets” for users, as recited in claim 1; and the “list of users” in Eldardiry is “based on the anomaly scores”, it is not “based on a variance computation” as recited in claim 1.
The examiner respectfully disagrees. The “ranked list of the users based on the anomaly scores” in paragraph [0050] of Eldardiry is a “ranked list of activity-sets for users”, as both are ranked lists based on the assigned weights for user activity-sets. It is based on a variance computation as taught in paragraph [0050] of Eldardiry: “The second step computes, for each user i, the weighted anomaly score a for each source s, then aggregates the weighted anomaly scores from each source to compute the final anomaly score f.”
As per the prior art rejection of claim 1 on pages 15 and 16, applicant argues: The “feature vectors” in paragraph [0044] of Eldardiry simultaneously correspond to the “sampled activity matrix” and the “user behavior vector” of claim 1, whereas claim 1 recites these claim elements (the sampled activity matrix and the user behavior vector) as separate and different limitations within the claimed system.
The examiner respectfully disagrees. The “feature vectors” in paragraphs [0044] and [0008] of Eldardiry correspond to the “user behavior vector” of claim 1 because both are vectors which hold user activities as user behaviors or features, while the “feature set” in paragraphs [0044], [0028] and [0030] of Eldardiry corresponds to the “sampled activity matrix” of claim 1 because both are generated from the recorded user activity data as activity-sets.
Therefore, claims 1, 14 and 15 are rejected under 35 U.S.C. 103. As claims 2-13 depend directly or indirectly on claim 1, the rejections of claims 2-13 are maintained for the same reasons.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-5, 11 and 13-16 are rejected under 35 U.S.C. 103 as being unpatentable over Eldardiry et al (US PG-PUB No. 20150235152 A1) in view of Thampy (US PG-PUB No. 20190068627 A1).
Regarding claim 1, claim 14 and claim 15, Eldardiry teaches a computer-facilitated method, a computer system and a non-transitory computer readable medium having stored thereon computer-readable instructions that, when executed by a computer-based processor, cause the computer-based processor to detect internal user behavior threats in a multitenant software as a service (SaaS) security system by comparing behavior of a user in a particular one of the tenants to behavior of other users in the tenant, by: recording user activity data representing activities by a plurality of users within the tenant at endpoints on a computer network associated with the tenant (Paragraph [0024]: “Embodiments of the present invention provide a solution for detecting malicious insiders (detect internal user behavior threats) based on large amounts of work practice data (user activity data). More specifically, the system monitors the users' behaviors (recording user activity data representing activities by a plurality of users within the tenant at endpoints on a computer network associated with the tenant) and detects two types of anomalous activities: the blend-in anomalies (where malicious insiders try to behave similarly to a group to which they do not belong), and the unusual change anomalies (where malicious insiders exhibit changes in their behaviors that are different from their peers' behavior changes). 
The system detects unusual behavior changes by comparing a user's behavior changes with behavior changes of his peers (comparing behavior of a user in a particular one of the tenants to behavior of other users in the tenant).” Paragraph [0043]: “During operation, the multi-domain anomaly-detection system receives a large amount of work practice data for a large number of users (recording user activity data representing activities by a plurality of users), which are often employees of a large company or a government agency (users are within a tenant or multitenant at endpoints on a computer network associated with the tenant), over a certain time period.”); generating a sampled activity matrix for each respective one of the plurality of users based on the recorded user activity data; grouping users from the particular tenant into clusters based on similarity between ranked lists of activity-sets for the users, wherein the ranked list of activity-sets for each user is derived from the recorded user activity data for that user (Paragraph [0044]: “Subsequently, the system constructs feature vectors for each domain (operation 308), and clusters users (grouping users) based on the constructed feature vectors within each domain (operation 310). Note that the feature set (sampled activity matrix) for each domain includes domain-specific attributes (generating sampled activity matrices, one for each respective one of the plurality of users based on the recorded user activity data). As discussed previously, users with similar job roles tend to behave similarly, and hence would belong to the same cluster within each domain (grouping users into clusters based on similarity).”; Paragraph [0024]: “During operation, the system observes users' activities and clusters the users into different peer groups based on their activities in each domain (grouping users from the particular tenant into clusters). 
The system detects unusual behavior changes by comparing a user's behavior changes with behavior changes of his peers.”; Paragraph [0038]: “Anomaly-detection server 114 includes any computational node having a mechanism for running anomaly-detection algorithms. In addition, anomaly-detection server 114 is able to output a suspect list, which identifies individuals with abnormal behaviors (identifies abnormal user activities). In some embodiments, anomaly-detection server 114 is capable of outputting a list that ranks all users based on their anomaly scores (generate a ranked lists of activity-sets for each user). A security analyst can view the list and determine which individuals need to be investigated further.”); assigning a user activity weight to each respective one of the activity-sets in the sampled activity matrices; creating a ranked list of the user activity-sets for all the users within the tenant in each respective one of a plurality of time windows across all the discrete periods of time, based on a variance computation (Paragraph [0050]: “The first step calculates the weights for each source s to reflect the differences in the domain or source predictabilities. Highly predictable domains are assigned larger weights (assigning a user activity weight), and vice versa. The second step computes, for each user i, the weighted anomaly score a for each source s, then aggregates the weighted anomaly scores from each source to compute the final anomaly score f (variance computation). The system then outputs the aggregated anomaly scores (operation 316). In some embodiments, the system may generate a rank list of the users (creating a ranked list of the user activity-sets for all the users) based on the anomaly scores.” Paragraph [0057]: “Subsequently, the system clusters the users based on the constructed feature vectors. 
Note that unlike the previous approach where the clustering is performed on features over the entire time span, here the clustering is performed on the users' daily behavior features (time windows across all the discrete periods of time).”); computing a user behavior vector for each respective one of the users in the tenant; comparing the user behavior vector for a particular one of the users in the tenant to other users in the tenant to determine whether the user behavior vector indicates that the user behavior deviates beyond a threshold amount from the other users in the tenant (Paragraph [0008]: “In a variation on this embodiment, modeling the user behaviors within the respective domain involves constructing feature vectors for the plurality of users based on the work practice data associated with the respective domain (computing a user behavior vector for each respective one of the users in the tenant) and applying a clustering algorithm to the feature vectors, wherein a subset of users are clustered into a first cluster.”; Paragraph [0024]: “The system detects unusual behavior changes (determine whether the user behavior vector indicates that the user behavior deviates beyond a threshold amount from the other users in the tenant) by comparing a user's behavior changes with behavior changes of his peers (comparing the user behavior vector for a particular one of the users in the tenant to other users in the tenant).”);
Eldardiry fails to explicitly disclose creating an internal user behavior threat notification.
However, Thampy teaches creating an internal user behavior threat notification in response to a determination that the user behavior deviates beyond the threshold amount from the other users in the tenant (Paragraph [0242]: “At step 1114 of the process 1100, one or more remediation actions may be performed (remediation actions may be performed after the determination that the user behavior deviates beyond the threshold amount from the other users in the tenant) for each of the one or more accessed applications. A remediation action is an action performed on a remedial or corrective basis to address a security problem (e.g., a security risk or a threat) posed by an application or a user with respect to the application. Examples of remediation action, include, for example, sending a notification (creating an internal user behavior threat notification) message about security of a user accessing an application, displaying information about security of an application, adjusting operation and/or access of an application (e.g., restrictive adjustment of access).”).
Eldardiry and Thampy are both considered to be analogous to the claimed invention because they both teach detecting insider threats and modeling user behavior change. Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method, system and non-transitory storage medium disclosed by Eldardiry by adding the creating of an internal user behavior threat notification in response to a determination that the user behavior deviates beyond the threshold amount from the other users in the tenant, as disclosed by Thampy.
One of ordinary skill in the art would have been motivated to make this modification in order to prevent, if not reduce, security risks and/or minimize inefficient or undesirable consumption of computing resources, as suggested by Thampy in paragraph [0092].
Regarding claim 2, Eldardiry and Thampy, hereinafter ET, teach all of the features with respect to claim 1, as outlined above.
Eldardiry further teaches wherein recording the user activity data comprises: collecting the user activity data from a plurality of sources within a portion of the computer network that corresponds to the tenant over time; and storing the collected user activity data in a computer-based activity data store together with associated timestamps and associated metadata (Paragraph [0025]: “In order to detect the anomalous behaviors, many approaches make use of the readily available work practice data, which can include users' various work-related activities on their company-issued or personal computers (collecting the user activity data from a plurality of sources within a portion of the computer network that corresponds to the tenant over time), such as logging on/off, accessing websites, sending and receiving emails, accessing external devices or files, etc.”; Paragraph [0043]: “Note that each event recorded in the work practice data (user activity data are recorded) is tagged with auxiliary information such as user ID, computer ID, activity code (which identifies activity as logon, logoff, file download, file upload, web-browsing, etc.), and a timestamp (user activity data store together with associated timestamps).”; Paragraph [0053]: “An anomalous user is the one who exhibits changes in behavior that are unusual compared to his peers. The intuition is that user activity should reflect the user's job role in any domain (user activity data associated metadata), and users with similar job roles should exhibit similar behavior changes within each domain, over time.”).
Regarding claim 3, ET teaches all of the features with respect to claim 1, as outlined above.
Eldardiry further teaches wherein the sampled activity matrix for each respective one of the plurality of users comprises a plurality of cells, wherein each cell identifies how many times that user performed a corresponding one of activity-sets during a particular one of the discrete periods of time (Paragraph [0046]: “In FIG. 4, table 400 (sampled activity matrix comprises a plurality of cells) lists the per-domain clustering outcomes for users 1 through 7 with each cell showing the cluster index of a certain user in a certain domain.”; Paragraph [0057]: “Subsequently, the system clusters the users based on the constructed feature vectors (user behavior vectors) (operation 610). Note that unlike the previous approach where the clustering is performed on features over the entire time span, here the clustering is performed on the users' daily behavior features. Moreover, the system constructs a transition probability matrix Q.sub.d for each domain d (sampled activity matrix) (operation 612). In some embodiments, the system computes Q.sub.d by computing the transition probability q.sub.d(c.sub.k,c.sub.m) between each possible cluster pair (c.sub.k,c.sub.m) by counting the number of such changes aggregating over all users and all time instances (each cell identifies how many times that user performed a corresponding one of activity-sets during a particular one of the discrete periods of time).”).
Regarding claim 4, ET teaches all of the features with respect to claim 1, as outlined above.
Eldardiry further teaches wherein each respective one of the activity- sets is an activity or a set of related activities that were performed by a corresponding one of the users at one of the endpoints on the computer network within a predetermined amount of time (Paragraph [0043]: “During operation, the multi-domain anomaly-detection system receives a large amount of work practice data (activity-sets) for a large number of users (related activities were performed by corresponding users at endpoints on the company’s computer network), which are often employees of a large company or a government agency, over a certain time period (within a predetermined amount of time) (operation 302).”).
Regarding claim 5, ET teaches all of the features with respect to claim 1, as outlined above.
Eldardiry further teaches wherein grouping the users from the particular tenant into clusters comprises: applying spectral clustering to a similarity matrix that provides a measure of similarity between each respective one of the users in the tenant to each respective other user in the tenant to create the clusters (Paragraph [0042]: “As shown in FIG. 2, the software engineers (solid circles) exhibit similar behaviors and are clustered together (applying spectral clustering to a similarity matrix). In addition, each user should belong to the cluster of the same set of users across multiple domains (provides a measure of similarity between each respective one of the users in the tenant to each respective other user in the tenant to create the clusters). For example, a user who behaves similarly to (and hence belongs to the same cluster as) engineers within the "HTTP" domain, based on her web-browsing activities, should also belong to the same cluster as engineers within the "logon" domain. If such a user belongs to a different cluster in the "logon" domain (say, the cluster for system administrators), this can indicate suspicious behavior in which an engineer frequently logs on to multiple machines. Such cross-domain behavior inconsistency can be used to identify anomalies.”; Paragraph [0044]: “Subsequently, the system constructs feature vectors (similarity matrix) for each domain (operation 308), and clusters users based on the constructed feature vectors within each domain (operation 310) (grouping users from the particular tenant into clusters). As discussed previously, users with similar job roles tend to behave similarly, and hence would belong to the same cluster within each domain (grouping users into clusters based on similarity).”).
Regarding claim 11, ET teaches all of the features with respect to claim 1, as outlined above.
Eldardiry further teaches wherein creating each of the ranked lists of the user activity-sets comprises: grouping the user activity data into multiple different time buckets based on timestamping of the user activity data; further grouping the user activity data into multiple different cluster groups based on cluster identifying data associated with the user activity data; after multiple cycles of the grouping and further grouping, aggregating the grouped and further grouped user activity data over the multiple cycles to create a grouped user activity matrix, wherein each cell in the matrix holds a value of the sum of frequency of a particular user activity-set represented in the user activity data for a particular one of the users in a particular one of the time buckets over the multiple cycles; ranking the user activities across multiple groupings in the tenant using a contextual relative activity variance for each of the activity-sets in all the groupings (Paragraph [0056]: “During operation, the system receives a large amount of work practice data and bins the recorded events into user-day records (operation 602) (grouping the user activity data into multiple different time buckets based on timestamping of the user activity data). Note that other time units, such as week or month, can also be used depending on the desired temporal granularity. In each bin of a (user, day) pair, the system categorizes the events into different domains (operation 604), applies domain-appropriate tags to raw events (606), and then constructs a feature vector (user activity matrix) for each (user, day) pair in each domain (operation 608). 
Here the aggregated statistics are collected for work practice data associated with each (user, day) pair (multiple cycles of the grouping and further grouping, aggregating the grouped and further grouped user activity data over the multiple cycles to create a grouped user activity matrix)”; Paragraph [0057]: “Subsequently, the system clusters the users based on the constructed feature vectors (operation 610) (further grouping the user activity data into multiple different cluster groups based on cluster identifying data associated with the user activity data). Moreover, the system constructs a transition probability matrix Q.sub.d for each domain d (operation 612). In some embodiments, the system computes Q.sub.d by computing the transition probability q.sub.d(c.sub.k,c.sub.m) between each possible cluster pair (c.sub.k,c.sub.m) by counting the number of such changes aggregating over all users and all time instances (each cell in the matrix holds a value of the sum of frequency of a particular user activity-set represented in the user activity data for a particular one of the users in a particular one of the time buckets over the multiple cycles).”; Paragraph [0058]: “Note that users are ranked based on their transition scores; the lower the transition score, the higher the anomaly ranking. Hence, a user with the rarest transitions compared with her peers would be the most suspicious. Once anomaly scores for the same set of users within each domain are obtained, the system can combine this information from the different domains to generate a final score for each user (operation 616) (ranking the user activities across multiple groupings in the tenant using a contextual relative activity variance for each of the activity-sets in all the groupings.). In some embodiments, the final score is computed based on a user's worst rank (i.e., the smallest transition score) from all the domains. s.sub.final.sup.u=min.sub.d(s.sub.d.sup.u). 
The final ranking for each user thus reflects the highest suspicious indicator score across all the domains.”).
Regarding claim 13, ET teaches all of the features with respect to claim 1, as outlined above.
Eldardiry fails to explicitly disclose internal user behavior threat notification and remediation.
However, Thampy teaches the method further comprising: taking one or more real-world steps, as a human being, to address, investigate, and/or remedy the effects of a user's behavior at one of the endpoints on the network in response to receiving the internal user behavior threat notification at one of the endpoints on the network (Paragraph [0242]: “At step 1114 of the process 1100, one or more remediation actions may be performed (remediation actions) for each of the one or more accessed applications. A remediation action is an action performed on a remedial or corrective basis to address a security problem (e.g., a security risk or a threat) posed by an application or a user with respect to the application. Examples of remediation action, include, for example, sending a notification message about security of a user accessing an application, displaying information about security of an application, adjusting operation and/or access of an application (e.g., restrictive adjustment of access).”).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method disclosed by Eldardiry by adding the internal user behavior threat notification and remediation disclosed by Thampy.
One of ordinary skill in the art would have been motivated to make this modification in order to prevent, if not reduce, security risks and/or minimize inefficient or undesirable consumption of computing resources, as suggested by Thampy in paragraph [0092].
Regarding claim 16, ET teaches all of the features with respect to claim 1, as outlined above.
Eldardiry further teaches wherein computing the user behavior vector for each respective one of the users in the tenant comprises grouping user activity-sets into a plurality of groups based on assigned cluster identifiers in each of a plurality of time buckets (Paragraph [0057]: “Subsequently, the system clusters the users based on the constructed feature vectors (user behavior vector) (operation 610) (grouping user activity-sets into a plurality of groups). Moreover, the system constructs a transition probability matrix Q.sub.d for each domain d (operation 612). In some embodiments, the system computes Q.sub.d by computing the transition probability q.sub.d(c.sub.k,c.sub.m) between each possible cluster pair (c.sub.k,c.sub.m) by counting the number of such changes aggregating over all users and all time instances (grouping based on assigned cluster identifiers in each of a plurality of time buckets).”).
Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Eldardiry et al (US PG-PUB No. 20150235152 A1) and Thampy (US PG-PUB No. 20190068627 A1), in further view of Kapoor et al (US PG-PUB No. 20220400130 A1).
Regarding claim 6, ET teaches all of the features with respect to claim 5, as outlined above.
ET fails to explicitly disclose generating lists of activity-sets for a user ranked in ascending or descending order according to relative variance.
However, Kapoor teaches generating the similarity matrix, wherein generating the similarity matrix comprises: generating a first list of the activity-sets for a particular one of the users ranked in ascending order according to relative variance; generating a second list of the activity-sets for the particular one of the users ranked in descending order according to relative variance (Paragraph [0172]: “Deviations (variance) from the expected normal behavior can then be detected and automatically reported (e.g., as anomalies or threats detected). Such deviations may be due to a desired change, a misconfiguration, or malicious activity. As applicable, data platform 12 can score the detected deviations (e.g., based on severity and threat posed). Additional examples of analysis groups include models of machine communications, models of privilege changes, and models of insider behaviors (monitoring the interactive behavior of human users as they operate within the datacenter).”; Paragraphs [0566]-[0568]: “ORDERS: a JSON array of ORDER BY for returning fields. Possible attributes for the ORDER BY clause include: [0567] field (field ordinal index (1 based) or field alias) [0568] order (asc/desc, default is ascending order)” (generating the activity-sets for a particular one of the users ranked in ascending order or descending order according to relative variance)).
ET and Kapoor are both considered to be analogous to the claimed invention because they both teach detecting malicious insider behavior. Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method disclosed by ET by adding the generating of the activity-sets for a particular one of the users ranked in ascending order or descending order according to relative variance, as disclosed by Kapoor.
One of ordinary skill in the art would have been motivated to make this modification in order to prioritize searching by user filtering and order sorting for optimization, as suggested by Kapoor in paragraphs [0122] and [0123].
Claims 7, 8 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Eldardiry et al (US PG-PUB No. 20150235152 A1) and Thampy (US PG-PUB No. 20190068627 A1), in view of Kapoor et al (US PG-PUB No. 20220400130 A1), in further view of Roustant et al (US PG-PUB No. 20190361985 A1).
Regarding claim 7, Eldardiry, Thampy and Kapoor, hereinafter ETK, teach all of the features with respect to claim 6, as outlined above.
ETK fails to explicitly disclose a rank-biased overlap algorithm.
However, Roustant teaches wherein generating the similarity matrix further comprises: calculating a first similarity score between each pair of users in the tenant using a rank biased overlap algorithm with a tunable parameter that determines a contribution of top-ranked activity-sets in the list of the activity-sets to a first similarity score, wherein the first similarity score is calculated from the first list of the activity-sets; and calculating a second similarity score between each pair of users in the tenant using the rank biased overlap algorithm, wherein the second similarity score is calculated from the second list of the activity-sets (Paragraph [0076]: “The Rank-Biased Overlap metric (calculating the similarity matrix using a rank biased overlap algorithm) falls in the range [0,1], where 0 means disjoint, and 1 means identical. The parameter p (tunable parameter) determines how steep the decline in weights is: the smaller p, the more top-weighted the Rank-Biased Overlap metric is (the tunable parameter determines a contribution of top-ranked activity-sets to a similarity score). In the limit, when p=0, only the top-ranked item is considered, and the Rank-Biased Overlap metric is either zero or one. Consider a user comparing two ranked lists. Assume the user always looks at the first item in each ranked list. At each depth down the two ranked lists, the user has the probability p of continuing to the next item at the next position, and conversely the user has the probability 1−p of deciding to stop. Thus, the parameter p models the user's persistence. Once the user has run out of patience at depth d, the agreement between the two ranked lists at that depth is calculated and taken as the measure of similarity between the lists.”).
ETK and Roustant are both considered to be analogous to the claimed invention because they both teach information retrieval systems that provide ranked lists to system users. Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method disclosed by ETK by adding the rank-biased overlap algorithm disclosed by Roustant.
One of ordinary skill in the art would have been motivated to make this modification to provide a similarity measure, as suggested by Roustant in paragraph [0017].
Regarding claim 8, Eldardiry, Thampy, Kapoor and Roustant, hereinafter ETKR, teaches all of the features with respect to claim 7, as outlined above.
Roustant further teaches wherein generating the similarity matrix further comprises: calculating a mean similarity score for each respective pair of users in the tenant based on the first and second similarity scores; and populating each cell of a matrix with one of the mean similarity scores to produce the similarity matrix, wherein each cell in the similarity matrix corresponds to a particular one of the pairs of users (Paragraph [0073]: “Having determined a first weighted overlap (first similarity score) and a second weighted overlap (second similarity score), an average weighted overlap (mean similarity score) is determined based on the first weighted overlap and the second weighted overlap (calculating a mean similarity score for each respective pair of users in the tenant based on the first and second similarity scores), block 412. The system averages the item-weighted overlaps.”; Paragraph [0074]: “After determining an average weighted overlap (calculating a mean similarity score), the average weighted overlap is output as an efficiency evaluation of an information retrieval system that created a test list, block 414. The system outputs Asymmetric Rank-Biased Overlap metrics (produce the similarity matrix) to enable efficiency evaluations of information retrieval systems.”).
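As an added illustration of the rank-biased overlap computation quoted from Roustant in the rejection of claim 7 and of the mean-score similarity matrix addressed for claim 8, the following Python example (not code from the Office action, the application, or any cited reference) compares constructed ranked activity lists for three hypothetical users under the persistence parameter p. The extrapolated RBO form is Webber et al.'s, and the handling of unequal-length lists is an assumption of the example.

```python
# Added example with constructed data; not code from the action or references.
from itertools import combinations


def rbo(first, second, p):
    """Extrapolated RBO (Webber et al. 2010) of two duplicate-free ranked lists.
    p = persistence: comparison continues past each depth with probability p, so
    small p weights the top heavily and p=0 looks only at the top item. 0 means
    disjoint, 1 identical. Unequal lengths use the shorter depth (assumption)."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must lie in [0, 1]")
    k = min(len(first), len(second))
    if k == 0:
        return 0.0
    seen_first, seen_second = set(), set()
    overlap = 0         # X_d: size of the intersection of the two depth-d prefixes
    weighted_sum = 0.0  # sum over d of (X_d / d) * p**(d-1)
    for d in range(1, k + 1):
        a, b = first[d - 1], second[d - 1]
        if a == b:
            overlap += 1
        else:  # an item joins the intersection once it is in both prefixes
            overlap += (a in seen_second) + (b in seen_first)
        seen_first.add(a)
        seen_second.add(b)
        weighted_sum += (overlap / d) * p ** (d - 1)  # p**0 == 1 even if p == 0
    # (1-p) * weighted agreement, plus extrapolation of the final agreement over
    # the unseen tail so identical lists score exactly 1.0.
    return (1 - p) * weighted_sum + (overlap / k) * p ** k


def mean_rbo_matrix(first_lists, second_lists, p):
    """Symmetric matrix keyed by user: mean RBO over each pair's first and
    second ranked lists; the diagonal is 1.0."""
    users = sorted(first_lists)
    matrix = {u: {v: 1.0 for v in users} for u in users}
    for u, v in combinations(users, 2):
        matrix[u][v] = matrix[v][u] = (
            rbo(first_lists[u], first_lists[v], p)
            + rbo(second_lists[u], second_lists[v], p)) / 2
    return matrix


# Constructed sample: each user's activity-sets ranked in two sampling windows.
FIRST_LISTS = {"alice": ["login", "read_mail", "file_share", "vpn"],
               "bob": ["login", "read_mail", "vpn", "file_share"],
               "carol": ["vpn", "file_share", "login", "read_mail"]}
SECOND_LISTS = {"alice": ["login", "read_mail", "file_share", "vpn"],
                "bob": ["login", "read_mail", "file_share", "vpn"],
                "carol": ["file_share", "vpn", "read_mail", "login"]}
```

Calling mean_rbo_matrix(FIRST_LISTS, SECOND_LISTS, p) for p in 0.0, 0.5 and 0.9 shows how a smaller p makes the pairwise scores depend almost entirely on the top-ranked activity-sets.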
Regarding claim 10, ET teaches all of the features with respect to claim 1, as outlined above.
ET fails to explicitly teach calculating the user activity weight average.
However, Roustant teaches wherein assigning a user activity weight to each respective one of the activity-sets in the sampled activity matrices comprises: calculating each of the user activity weights as: weights = {max_score * x/N for x in range(1, N + 1)}, weights = sorted(scores, reverse=True), wherein N represents a number of entries (Paragraph [0034]: “In a similar example, FIG. 2B depicts that the 4 probability-adjusted overlap metrics of 0.0, 0.25, 0.25, and 0.125 are summed to result in a total of 0.625, the summed total of 0.625 is multiplied by the probability of 0.5 (1−0.5) to produce the probability adjusted sum of 0.3125, and the probability-adjusted total of 0.3125 is divided by 4 (the 4 positionally-weighted overlap metrics) to produce a Rank-Biased Overlap metric of 0.078125 for the ranked lists L.sub.ref and L.sub.2.”).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method disclosed by ET by adding the user activity weight averaging disclosed by Roustant.
One of ordinary skill in the art would have been motivated to make this modification for efficiency evaluation, as suggested by Roustant in the abstract.
Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Eldardiry et al (US PG-PUB No. 20150235152 A1) and Thampy (US PG-PUB No. 20190068627 A1), in view of Tauschinsky et al (US PG-PUB No. 20190007432 A1).
Regarding claim 9, ET teaches all of the features with respect to claim 1, as outlined above.
ET fails to explicitly teach principal component analysis (PCA).
However, Tauschinsky teaches the method further comprising: creating each of the ranked lists of activity-sets for each user by: applying principal component analysis (PCA) to project the data from the sampled activity matrix for each respective one of the users into N dimensions, where N is the number of activity sets represented in the sampled activity matrix; and ranking the activity-sets from the sampled activity matrix based on relative variance following the PCA of the sampled activity matrix to produce a corresponding one of the ranked lists (Paragraph [0002]: “ranking the plurality of anomaly detection algorithms relative to the set of unlabeled data based on a distance between a first quantile and a second quantile of each of the plurality of data distributions (ranking the activity-sets from the sampled activity matrix based on relative variance following the PCA of the sampled activity matrix to produce a corresponding one of the ranked lists).”; Paragraph [0050]: “The metrics (sampled activity matrix) are processed by a variety of anomaly detection algorithms (404). Examples of anomaly detection algorithms include principal component analysis (PCA)-based approaches (applying PCA to project the data from the sampled activity matrix), linear regression, neural network approaches and others. The processing can include using the anomaly detection algorithms to calculate scores from the sensor data.”).
ET and Tauschinsky are both considered to be analogous to the claimed invention because they both teach anomaly detection. Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method disclosed by ET by adding the principal component analysis disclosed by Tauschinsky.
One of ordinary skill in the art would have been motivated to make this modification in order to improve the performance of ranking the anomaly detection algorithms, as suggested by Tauschinsky in paragraph [0024].
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Chari et al (US 10341372 B2, US 20180359270 A1) discloses Clustering for Detection of Anomalous Behavior and Insider Threat;
Elsner et al (US 20190349391 A1) discloses Detection of User Behavior Deviation from Defined User Groups;
Xu et al (US 11930024 B2) discloses Detecting Behavior Anomalies of Cloud Users;
Scheidler et al (US 20180167402 A1) discloses Computer-implemented Method For Determining Computer System Security Threats, Security Operations Center System And Computer Program Product;
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASMINE DAY whose telephone number is (571)272-0204. The examiner can normally be reached Monday - Friday 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached at 571-272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/J.M.D./ Examiner, Art Unit 2499 /PHILIP J CHEA/Supervisory Patent Examiner, Art Unit 2499