DETAILED ACTION
Claims 1-20 are examined and pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-4, 8-10, 12, 14-18 are rejected under 35 U.S.C. 103 as being unpatentable over Chari et al. (U.S. 2018/0359270 A1, hereinafter “Chari”) in view of Beilis et al. (U.S. 2022/0382736 A1, hereinafter “Beilis”).
As to claims 1, 8, 15, Chari discloses one or more non-transitory computer-readable media that include stored thereon computer-executable instructions that, when executed by at least a processor of a computing system cause the computing system to:
generate a dataset of data points from a batch of electronic log messages that describe electronic actions taken by a plurality of accounts, wherein a data point collectively describes those of the actions that are performed by a single account (para. [0031]; discloses ;
model distinct activities based on clustering of the data points into M behavioral groups (para. [0034]; discloses anomalous user behavior detector utilizes clustering process to cluster user activities numerical representations into user peer groups) and wherein the value of M is derived automatically during the clustering (para. [0034]; discloses clustering process includes a machine learning method that learns one or more numbers that represent their user activities and their results. User peer groups represent a plurality of different peer groups of users, each different peer group of users performing a similar set of activities within the network of data processing systems during a respective time interval. Further, para. [0036]; discloses detector may infer peer groups based on distance threshold metrics from the group of users);
generate an electronic alert that indicates the one or more accounts that have non-conformant activity (para. [0036]; discloses sending a notification of anomalous user behavior).
In an analogous art, Beilis discloses inferring M or more distinct activities from the dataset by probabilistic activity modeling of the actions (para. [0059]; discloses using a probabilistic model to determine whether transactions are anomalous); and
predict activity of one or more user accounts to be non-conformant based on other accounts in a behavioral group to which the one or more user accounts belong satisfying a threshold for similarity with respect to the one or more user accounts (para. [0023]; datasets obtained by the model parameter may be used by prediction models such as neural network model to determine whether to flag a record with an anomaly. Para. [0024]; discloses determining a probability parameter is greater than an anomaly threshold).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Chari by incorporating a prediction module that uses a threshold of a probability parameter to determine an anomaly in the system as taught by Beilis in order to proactively detect an anomaly before it can impact the system adversely.
As to claim 2, Chari-Beilis discloses the non-transitory computer-readable media of claim 1, wherein the instructions to model distinct activities and predict activity of one or more user accounts further cause the computing system to perform the modeling and prediction in two phases, a group-level phase that detects non-conformant activity that is anomalous and a user-level phase that detects non-conformant activity that is deviant (Beilis, para. [0018]; discloses the account may include other information related to user behavior, such as a list of previous purchase types indicating categories of goods or services purchased by a user. Other information may also include values such as statistical weights used to predict the likelihood of future changes to the record, weighting values, or an indicator that the account had previously satisfied a set of criteria indicating an anomaly, an indicator that another account associated with the account record has satisfied the set of criteria).
As to claim 3, Chari-Beilis discloses the non-transitory computer-readable media of claim 1, wherein the instructions to model distinct activities cause the computing system to: perform the probabilistic activity modeling by latent Dirichlet allocation of weights to actions that occur in the dataset to characterize a number of distinct activities; determine that the distinct activities are not sufficiently dissimilar based on diagonality of a similarity matrix of the distinct activities; and increase the number of distinct activities and repeat the probabilistic activity modeling until the distinct activities become sufficiently dissimilar based on the similarity matrix. (Chari, para. [0048]-[0049]; discloses token Frequency/Inverse Document Frequency treats different types of activity as tokens in a document and measures their relative frequency over all activity as a numeric feature vector. Latent Dirichlet Allocation treats system logs as a bag of words and derives semantic topics from the words as a numeric feature vector. Markov Chain Activity measures transitions between different user activities in system logs and records probabilities of transitions between user activities.)
As to claim 4, Chari-Beilis discloses the non-transitory computer-readable media of claim 3, wherein: at a group level, the number of distinct activities is initially M, the number of the behavioral groups inferred by escort clustering of the dataset; and
at a user level, the number of distinct activities is initially T, a number of actions in one behavioral group that have highest weights (Chari, para. [0047]; discloses “convert each time interval of logged user activity to numerical representations of users' activities for a respective time interval. Illustrative embodiments may accomplish this conversion using a variety of machine learning techniques. After conversion of user activity to numerical representations, illustrative embodiments utilize a clustering process on the numerical representations of user activity to determine which users have similar patterns of activity in each time period. Illustrative embodiments classify users to peer groups based on which users are performing similar patterns of activities.”).
As to claim 9, Chari-Beilis discloses the computing system of claim 8, wherein the instructions to model distinct activities and predict activity of one or more user accounts further cause the computing system to perform the modeling and prediction in two phases, a group-level phase that detects non-conformant activity that is anomalous and a user-level phase that detects non-conformant activity that is deviant (Beilis, para. [0018]; discloses the account may include other information related to user behavior, such as a list of previous purchase types indicating categories of goods or services purchased by a user. Other information may also include values such as statistical weights used to predict the likelihood of future changes to the record, weighting values, or an indicator that the account had previously satisfied a set of criteria indicating an anomaly, an indicator that another account associated with the account record has satisfied the set of criteria).
As to claim 10, Chari-Beilis discloses the computing system of claim 8, wherein the instructions to model distinct activities cause the computing system to: perform the probabilistic activity modeling by latent Dirichlet allocation of weights to actions that occur in the dataset to characterize a number of distinct activities; determine that the distinct activities are not sufficiently dissimilar based on diagonality of a similarity matrix of the distinct activities; and increase the number of distinct activities and repeat the probabilistic activity modeling until the distinct activities become sufficiently dissimilar based on the similarity matrix. (Chari, para. [0048]-[0049]; discloses token Frequency/Inverse Document Frequency treats different types of activity as tokens in a document and measures their relative frequency over all activity as a numeric feature vector. Latent Dirichlet Allocation treats system logs as a bag of words and derives semantic topics from the words as a numeric feature vector. Markov Chain Activity measures transitions between different user activities in system logs and records probabilities of transitions between user activities.).
As to claim 12, Chari-Beilis discloses the computing system of claim 8, wherein the data point is represented as a sparse frequency vector of actions associated with term frequency inverse document frequency values (Beilis, para. [0039]; discloses scores represented as embedding vectors in a feature space where the embedding vectors may be used in a statistical or probabilistic model).
As to claim 14, Chari-Beilis discloses the computing system of claim 8, wherein the instructions further cause the computing system to determine whether the activity of an account that is non-conformant has changed with respect to previous activity (Beilis, para. [0018]; discloses the account may include other information related to user behavior, such as a list of previous purchase types indicating categories of goods or services purchased by a user. Other information may also include values such as statistical weights used to predict the likelihood of future changes to the record, weighting values, or an indicator that the account had previously satisfied a set of criteria indicating an anomaly, an indicator that another account associated with the account record has satisfied the set of criteria).
As to claim 16, Chari-Beilis discloses the method of claim 15, further comprising performing the modeling and prediction in two phases, including: (i) a group-level phase configured to detect non-conformant activity that is anomalous, and (ii) a user-level phase configured to detect non-conformant activity that is deviant (Beilis, para. [0018]; discloses the account may include other information related to user behavior, such as a list of previous purchase types indicating categories of goods or services purchased by a user. Other information may also include values such as statistical weights used to predict the likelihood of future changes to the record, weighting values, or an indicator that the account had previously satisfied a set of criteria indicating an anomaly, an indicator that another account associated with the account record has satisfied the set of criteria).
As to claim 17, Chari-Beilis discloses the method of claim 15, wherein the modeling further comprises latent Dirichlet allocation of weights to actions that occur in the dataset to characterize a number of distinct activities (Chari, para. [0048]; discloses each vector represents the volume of activity of categories, inferred latent variable that use the Latent Dirichlet Allocation).
As to claim 18, Chari-Beilis discloses the method of claim 17, further comprising performing the latent Dirichlet allocation with the number of distinct activities progressively increased until the distinct activities become sufficiently dissimilar based on diagonality of a similarity matrix of the distinct activities (Chari, para. [0048]-[0049]; discloses token Frequency/Inverse Document Frequency treats different types of activity as tokens in a document and measures their relative frequency over all activity as a numeric feature vector. Latent Dirichlet Allocation treats system logs as a bag of words and derives semantic topics from the words as a numeric feature vector. Markov Chain Activity measures transitions between different user activities in system logs and records probabilities of transitions between user activities.).
Claims 5-7, 11, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Chari in view of Beilis in further view of Urmanov et al. (U.S. 2018/0322363 A1, hereinafter “Urmanov”).
As to claim 5, Chari-Beilis discloses the non-transitory computer-readable media of claim 1; however, Chari-Beilis does not explicitly disclose the media wherein the instructions for clustering further cause the computing system to: generate first similarity values for one or more nearest neighbors of each data point of the dataset; generate second similarity values for one or more random neighbors of each data point of the dataset; recursively split the plurality of data points into the behavioral groups based on the first similarity values for the nearest neighbors; and stop the recursive splitting when the data points are split into a total of M behavioral groups based on the second similarity values for the random neighbors, wherein the value of M is not set prior to the recursive splitting.
In an analogous art, Urmanov discloses the media wherein the instructions for clustering further cause the computing system to: generate first similarity values for one or more nearest neighbors of each data point of the dataset (Urmanov, para. [0025]; discloses a spatial relationship between the data points in the data point pair); generate second similarity values for one or more random neighbors of each data point of the dataset (Urmanov, para. [0025]; discloses second distance between the arbiter point and the first data point); recursively split the plurality of data points into the behavioral groups based on the first similarity values for the nearest neighbors (Urmanov, para. [0063]; discloses splitting the matrix into a number of sub matrices. Further, para. [0068]; discloses once cross cluster similarity is determined, the pairwise similarities are combined in such a manner); and stop the recursive splitting when the data points are split into a total of M behavioral groups based on the second similarity values for the random neighbors, wherein the value of M is not set prior to the recursive splitting (Urmanov, para. [0069]; discloses when no sub-matrices remain that need to be split).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Chari-Beilis by incorporating a spatial relationship between data points in the data point pair, splitting the matrix into sub-matrices, detecting cluster similarity, and combining the pair-based similarities, as taught by Urmanov, in order to help improve account security and service access security (see Urmanov, para. [0042]).
As to claim 6, Chari-Beilis-Urmanov discloses the non-transitory computer-readable media of claim 1, wherein similarity is measured by tri-point arbitration (Urmanov, para. [0023]).
As to claim 7, Chari-Beilis-Urmanov discloses the non-transitory computer-readable media of claim 1, wherein the data points are bags of attribute-value tuples with counts (Urmanov, para. [0032]; discloses data containing attributes converted into numeric values).
As to claim 11, Chari-Beilis-Urmanov discloses the computing system of claim 8, wherein the instructions for clustering further cause the computing system to: recursively split the dataset into behavioral groups by spectral partitioning based on first similarities of nearest neighbors to the data points (Urmanov, para. [0063]; discloses splitting the matrix into a number of sub matrices. Further, para. [0068]; discloses once cross cluster similarity is determined, the pairwise similarities are combined in such a manner); and terminate splitting at the M behavioral groups based on second similarities of random neighbors to the data points (Urmanov, para. [0069]; discloses when no sub-matrices remain that need to be split).
As to claim 19, Chari-Beilis-Urmanov discloses the method of claim 15, wherein the threshold for similarity is an aggregate tri-point arbitration similarity of activity-probability distributions of the other accounts with an activity-probability distribution of the user account set as an arbiter point (Urmanov, para. [0061]; discloses a threshold may be set for a level of similarity for adding a data point to a cluster).
As to claim 20, Chari-Beilis-Urmanov discloses the method of claim 15, wherein similarity is measured by tri-point arbitration and expressed in a range between negative one indicating complete dissimilarity, and positive one indicating complete similarity (Urmanov, para. [0061]; discloses a threshold may be set for a level of similarity for adding a data point to a cluster. For example, given a similarity that ranges from −1 to 1, a similarity of +0.5 may be used as the threshold for adding a data point to a cluster.).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Lu et al. (U.S. 2017/0316079 A1) discloses performing cluster analysis on a set of data points using tri-point arbitration. In one embodiment, a first cluster that includes a set of data points is generated within volatile and/or non-volatile storage of a computing device. A set of tri-point arbitration similarity values are computed where each similarity value in the set of similarity values corresponds to a respective data point pair and is computed based, at least in part, on a distance between the respective data point pair and a set of one or more arbiter data points.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOE CHACKO whose telephone number is (571)270-3318. The examiner can normally be reached Monday-Friday 7am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ario Etienne, can be reached at 5712724001. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JOE CHACKO/Primary Examiner, Art Unit 2457