DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 2/19/2020 has been entered.

Response to Arguments
Applicant’s arguments with respect to claim(s) 1-26 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have 


Claims 1, 2, 3, 6, 7, 8, 9, 10, 11, 12, 16, 17, 18, 19, 20, 21, 22, 25, 26 is/are rejected under 35 U.S.C. 103 as being unpatentable over Applicant’s admitted prior art (Background) and in view of Chan et al. (US 2013/0275385).

With respect to claim 1, Applicant’s admitted prior art teaches a system for acquiring time limited data (time limited data is taught by Chan in paragraph [0036]) to facilitate integrity verification in real-time applications (RTAs) (background; [0002, Some proceedings or analyses involve or utilize data collected by or extracted from one or more computer based real-time applications (RTA)]; fig. 1; examiner’s note: data is collected in real-time; [0007, An integrity check for each subsequent event is calculated using the current event and the previous integrity check k.]; examiner’s note: integrity verification is determined for all the events), comprising: 
an agent associated with a RTA in communication with a collector, the agent comprising a processor and a memory configured to store non-transient instructions which when executed by the processor perform the (fig. 1, [0006, 0007]; examiner’s note: the RTA gathers data events and calculates the data integrity and stores it, therefore, the RTA has the agents, and the computer comprises the memory and processors and also shown in fig. 1) steps of: 
calculating a first local integrity checks from the collection and an initialization key (fig. 1; [0007, An initial random key k.sub.0 is stored in secure storage, and used for the first integrity calculation]; examiner’s note: the first local 
calculating subsequent local integrity checks for each of the additional collections and a key based on a prior local integrity check ([0007, An integrity check for each subsequent event is calculated using the current event and the previous integrity check k. Integrity checks are stored in integrity storage, for example, a hard drive. An initial random key k.sub.0 is stored in secure storage, and used for the first integrity calculation.  An events source produces multiple events, so n integrity checks k.sub.1, k.sub.2, k.sub.n, k.sub.0+1 are performed as a result of the occurrence of n events event_0, event_1, . . . , event n. Each integrity check k is calculated per event, independently of when each event occurred]; examiner’s note: each subsequent integrity check is performed for the subsequent events and they are based on the key K sub 1, k sub 2 based on the prior integrity check k sub 0. And the next events event 1, 2, 3, 4 are the additional collections); 
calculating a global integrity check from a combination of the first local integrity check and the subsequent local integrity checks ([0007, Consecutive integrity checks are chained together to calculate a single check for all of them]; examiner’s note: the single check for all the integrity check is calculated as a single check, therefore, that is the global integrity check); and 
the collector comprising a storage, a processor, and a memory configured to store instructions which when executed by the processor perform the steps of (fig. 1, 0007; examiner’s note: the storage hard drive collects data therefore, it is a examiner’s note: the computer includes a memory and processor): 
receiving the global integrity check from the agent ([0007, fig. 1]; examiner’s note: all the integrity checks are stored in the storage, therefore, global integrity is also sent in the storage facility to store); and 
storing the received global integrity check in the storage ([0007, fig. 1]; examiner’s note: all the integrity checks are stored in the storage, therefore, global integrity is also sent in the storage facility to store).
Applicant’s admitted prior art does not explicitly teach defining a plurality of time ordered time frames, wherein each time frame of the plurality of time ordered time frames comprises a time duration; retrieving a collection comprising an event signifying a change in state of data of the RTA during a time frame of the plurality of time frames; retrieving additional collections for subsequent time frames from the plurality of time ordered time frames; wherein each of the collections comprises an event signifying a change in state of data of the RTA during for each subsequent time frame of the plurality of time frames.
However, Chan teaches defining a plurality of time ordered time frames ([0044, At 404, an initial integrity verification of successfully archiving the mutable and immutable portions associated with the time period is determined]; examiner’s note: data is for the specific time period. [0030-0032, 0037]; examiner’s note: The first time frame is T1 and the next time frames are T2-T5, therefore, they are time ordered); 
wherein each time frame of the plurality of time ordered time frames comprises a time duration ([0029, the time period is one day and each row in the examiner’s note: the time frames include time durations); 
retrieving a collection comprising an event signifying a change in state of data of the RTA during a time frame of the plurality of time frames ([0011]; [0012, A security event is a type of event and is any activity that can be analyzed to determine if it is associated with a security threat. The activity may be associated with a user, also referred to as an actor, to identify the security threat and the cause of the security threat. Activities may include logins, logouts, sending data over a network, sending emails, accessing applications, reading or writing data, etc. A security threat includes activity determined to be indicative of suspicious or inappropriate behavior, which may be performed over a network or on systems connected to a network. Common security threats, by way of example, are user attempts to gain unauthorized access to confidential information, such as social security numbers, credit card numbers, etc., over a network]; [0036]; fig. 1; examiner’s note: data is coming from data sources and events are extracted from the data; each event, records the change of data within a time frame which is change of state of data such as login/logout which is a change in sessions data.  Also teaches in paragraph [0028] and Fig. 3 that the modified data within a time frame; the events are collected in real time and RTA is also taught by Applicant’s admitted prior art in [0005]);
retrieving additional collections for subsequent time frames from the plurality of time ordered time frames ([0028, T1-T5 in FIG. 3 represents a timeline whereby T1 is the earliest time and T5 is the latest time. T1-T5 are used to show the examiner’s note: the time frames T1 is the first time frame and the subsequent time frames are T2-T5 and each time frame is associated with events), wherein each of the collections comprises an event signifying a change in state of data of the RTA during for each subsequent time frame of the plurality of time frames ([0011], [0012], [0029], [0036], fig.1; examiner’s note: data is coming from data sources and events are extracted from the data; each event records the change of data within a time frame which is change of state of data such as login/logout which is a change in sessions data; [0028]; examiner’s note: the time frame T1 is the first time frames and the T2-T5 are the subsequent time frames; Also teaches in paragraph [0028] and Fig. 3 that the modified data within a time frame; the events are collected in real time and RTA is also taught by Applicant’s admitted prior art in [0005]).
It would have been obvious to one of ordinary skill in the art before the effective filing date to modify applicant’s admitted prior art’s invention which teaches calculating global and local integrity of events to include Chan which teaches time frames of events and integrity checks of time framed events. Applicant’s admitted prior art and Chan are in the same field of invention because both of them teach detecting events and checking integrity. One would have been motivated to make this modification because it provides predictable results to reconstruct an integrity check to a specified time period to retrieve specific events in a specific time period in case there is a system hack or failure for reproducible time limited evidences.

wherein the agent further executes the step of transmitting the collections and the global integrity check to the collector (fig. 1, [0006-0007]; examiner’s note: the integrity check is calculated and send to the storage for storing, therefore, the global integrity check is also sent to the storage).

With respect to claim 3, Applicant’s admitted prior art teaches the system of claim 1, and wherein each of the local integrity checks for the corresponding time frame comprises: one or more of the events and the initialization key or the key based on a prior local integrity check (Chan teaches events based on the time frame in paragraph [0036] and Admitted prior art teaches in [0007, An integrity check for each subsequent event is calculated using the current event and the previous integrity check k, An initial random key k.sub.0]; examiner’s note: each integrity key K comprises a prior local integrity check and K o is the initialization key).
Applicant’s admitted prior art does not explicitly teach a hash calculation and the time frame.
However, Chan teaches a hash calculation and the time frame ([0036, At 404, an initial integrity verification of successfully archiving the mutable and immutable portions associated with the time period is determined]; [0036, the initial integrity verification is a hash (e.g., SHA-256, MD-5, etc.) of the archived mutable and immutable portions generated at 403.]; examiner’s note: the hash key is generated and the events are within a timeframe).


With respect to claim 6, Applicant’s admitted prior art and Chan in combination teach the system of claim 1, Applicant’s admitted prior art teaches wherein the agent and collector are in communication via a data network ([0006]; examiner’s note: RTA sends data to the storage device, therefore, there is a network, moreover, Chan teaches a network in [0023]).

With respect to claim 7, Admitted prior art and Chan in combination teach the system of claim 1, Admitted prior art teaches wherein the data network is configured to ensure data integrity ([0006, 0007]; examiner’s note:  the integrity is checked for all the events, therefore, the integrity is ensured).

With respect to claim 8, Applicant’s admitted prior art teaches the system of claim 1, and global integrity ([0007]; examiner’s note: the single check for all the events) but does not explicitly teach wherein the collector further executes the step of verifying the validity of the integrity check.
wherein the collector further executes the step of verifying the validity of the integrity check ([0036, At 404, an initial integrity verification of successfully archiving the mutable and immutable portions associated with the time period is determined]; examiner’s note: the integrity check is verified).
It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Applicant’s admitted prior art’s invention which teaches calculating global and local integrity of events to include Chan which teaches time frames of events and verifying the integrity check of an event. Admitted prior art and Chan are in the same field of invention because both of them teach detecting events. One would have been motivated to make this modification because it provides predictable results to validate the integrity of the integrity check to have proper integrity to protect the data.

With respect to claim 9, Applicant’s admitted prior art and Chan in combination teach the system of claim 1, Applicant’s admitted prior art teaches wherein the collector is further configured to perform the step of receiving the collection from the agent ([0007], fig. 1; examiner’s note: receiving and storing the collections of events from the RTA).

With respect to claim 10, Applicant’s admitted prior art and Chan in combination teach the system of claim 1, Applicant’s admitted prior art teaches wherein the real-time application comprises a business-critical application ([0006, Since an RTA such as a BCA is constantly being heavily used, information within the BCA is modified at every moment]; examiner’s note: the BCA is business critical application).

With respect to claim 11, Applicant’s admitted prior art teaches a method executed by a computer processor for acquiring time limited data from a Real-Time Application (RTA) for integrity verification (background; [0002, Some proceedings or analyses involve or utilize data collected by or extracted from one or more computer based real-time applications (RTA)]; fig. 1; examiner’s note: data is collected in real-time; [0007, An integrity check for each subsequent event is calculated using the current event and the previous integrity check k.]; examiner’s note: integrity verification is determined) comprising the steps of: 
calculating one or more local integrity checks for each of the collections, wherein the calculating is based on the collection and a key (fig. 1; [0007, An initial random key k.sub.0 is stored in secure storage, and used for the first integrity calculation]; examiner’s note: the first local integrity check is calculated and the key k sub 0 is a key because this key is used for the integrity calculation and each event is a collection of data), further wherein a first collection at is based on the key being an initialization key while subsequent keys are based on at least one preceding local integrity check (fig. 1; [0007, An integrity check for each subsequent event is calculated using the current event and the previous integrity check k. An initial random key k.sub.0 is stored in secure storage, and used for the first integrity calculation]; examiner’s note: the first local integrity check is calculated and the key k sub 0 is the initialization key because this key is used for the first integrity calculation and the next key includes the previous integrity checks); and 
calculating a global integrity check from a combination of each the one or more local integrity checks ([0007, Consecutive integrity checks are chained together to calculate a single check for all of them]; examiner’s note: the single check for all the integrity check is calculated as a single check, therefore, that is the global integrity check).
Application No. 15/463,192, Docket No. 16735-42
Applicant’s admitted prior art does not explicitly teach integrity checks for each collections at the corresponding one of the time frame; defining a time frame of a plurality of time ordered time frames, wherein each time frame of the plurality of time ordered time frames comprises a time duration; wherein a first collection at a first time frame.
However, Chan teaches integrity checks for each collections at the corresponding one of the time frame ([0036, At 404, an initial integrity verification of successfully archiving the mutable and immutable portions associated with the time period is determined]; examiner’s note: integrity checks are calculated at each time periods);
defining a time frame of a plurality of time ordered time frames ([0030-0032, 0037]; examiner’s note: the specific time period is defining time periods and the time periods T1 is the initial time periods and the time periods after T1 are T2, T3-T5. Therefore, they are time ordered time frames), wherein each time frame of the plurality of time ordered time frames comprises a time duration ([0032, At a later time T4, such as 1 month, 3 months, 6 months after T1 or any time before the mutable portions 301 and 303 are purged from the storage system 1, a supplemental archive is performed on 303]; [0029, Of course the time periods may be different than a day, such examiner’s note: the months, day, hours are the time duration); 
wherein a first collection at a first time frame ([0028, FIG. 3 represents a timeline whereby T1 is the earliest time and T5 is the latest time]; examiner’s note: the T1 is the first time period for the first events).
retrieving one or more collections ([0036, At 404, an initial integrity verification of successfully archiving the mutable and immutable portions associated with the time period is determined]; examiner’s note: the events within a specified time period is a collection), with each collection comprising an event signifying a change in state of data of the RTA during a corresponding one of the time frames ([0011]; [0012, A security event is a type of event and is any activity that can be analyzed to determine if it is associated with a security threat. The activity may be associated with a user, also referred to as an actor, to identify the security threat and the cause of the security threat. Activities may include logins, logouts, sending data over a network, sending emails, accessing applications, reading or writing data, etc. A security threat includes activity determined to be indicative of suspicious or inappropriate behavior, which may be performed over a network or on systems connected to a network. Common security threats, by way of example, are user attempts to gain unauthorized access to confidential information, such as social security numbers, credit card numbers, etc., over a network]; [0036]; [0024, The connector 202 may provide efficient, real-time (or near real-time) local event data capture]; fig. 1; examiner’s note: data is coming from data sources and events are extracted from the data; each event records the change of data within a time frame which is change of state of data such as login/logout which is a 
It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Applicant’s admitted prior art’s invention which teaches calculating global and local integrity of events to include Chan which teaches time frames of events. Applicant’s admitted prior art and Chan are in the same field of invention because both of them teach detecting events and checking integrity. One would have been motivated to make this modification because it provides predictable results to reconstruct an integrity check to a specified time period to retrieve specific events in a specific time period in case there is a system hack or failure to reproduce time limited evidences.

With respect to claim 12, Applicant’s admitted prior art and Chan in combination teach the method of claim 11, Applicant’s admitted prior art teaches further comprising the step of transmitting the collection and the global integrity check to a secure collector ([0007, An initial random key k.sub.0 is stored in secure storage]; examiner’s note: the data is stored in a secured storage).

Claim 16 is rejected on the same basis of rejection of claim 10.

With respect to claim 17, Applicant’s admitted prior art teaches a computer-readable medium configured to store non-transient instructions for execution by a processor (fig. 1; [004-006]; examiner’s note: the computer includes memory and processor), the instructions defining modules for acquiring time limited data to facilitate integrity verification in real-time applications (RTAs) comprising (background; [0002, Some proceedings or analyses involve or utilize data collected by or extracted from one or more computer based real-time applications (RTA)]; fig. 1; examiner’s note: data is collected in real-time; [0007, An integrity check for each subsequent event is calculated using the current event and the previous integrity check k.]; examiner’s note: integrity verification is determined): 
an initialization module configured to provide an initialization key (fig. 1; [0007, An initial random key k.sub.0 is stored in secure storage, and used for the first integrity calculation]; examiner’s note: the first local integrity check is calculated and the key k sub 0 is the initialization key because this key is used for the first integrity calculation); 
an integrity check module for calculating a first integrity check from the initialization key and the first collection, and for calculating a second integrity check from the first integrity check and the second collection (([0007, An integrity check for each subsequent event is calculated using the current event and the previous integrity check k. Integrity checks are stored in integrity storage, for example, a hard drive. An initial random key k.sub.0 is stored in secure storage, and used for the first integrity calculation.  An events source produces multiple events, so n integrity checks k.sub.1, k.sub.2, k.sub.n, k.sub.0+1 are performed as a result of the occurrence of n events event_0, event_1, . . . , event n. Each integrity check k is calculated per event, independently of when each event occurred]; examiner’s note: each subsequent 
Applicant’s admitted prior art does not explicitly teach a time frame module configured to define a first time frame and a second time frame, wherein each time frame comprises a time duration; a collection processing module for retrieving a first collection comprising one or more events signifying a change in state of data of the RTA occurring during the first time frame and retrieving a second collection comprising one or more events signifying a change in state of data o
However, Chan teaches a time frame module configured to define a first time frame and a second time frame, wherein each time frame comprises a time duration ([0030-0032, 0037]; examiner’s note: the specific time period is defining time periods and the time periods T1 is the initial time periods and the time periods after T1 are T2, T3-T5. Therefore, they are time ordered time frames. 
([0032, At a later time T4, such as 1 month, 3 months, 6 months after T1 or any time before the mutable portions 301 and 303 are purged from the storage system 1, a supplemental archive is performed on 303]; [0029, Of course the time periods may be different than a day, such as hourly, weekly, etc.]; examiner’s note: the months, day, hours are the time duration); 
a collection processing module for retrieving a first collection comprising one or more events signifying a change in state of data of the RTA occurring during the first time frame (([0011]; [0012, A security event is a type of event and is any activity that can be analyzed to determine if it is associated with a security threat. The activity may be associated with a user, also referred to as an actor, to identify the security threat and the cause of the security threat. Activities may include logins, logouts, sending data over a network, sending emails, accessing applications, reading or writing data, etc. A security threat includes activity determined to be indicative of suspicious or inappropriate behavior, which may be performed over a network or on systems connected to a network. Common security threats, by way of example, are user attempts to gain unauthorized access to confidential information, such as social security numbers, credit card numbers, etc., over a network]; [0036]; fig. 1; examiner’s note: data is coming from data sources and events are extracted from the data; each event records the change of data within a time frame which is change of state of data such as login/logout which is a change in sessions data. Also teaches in paragraph [0028] and Fig. 3 that the modified data within a time frame; the events are collected in real time and RTA is also taught by Applicant’s admitted prior art in [0005]);
and retrieving a second collection comprising one or more events signifying a change in state of data of the RTA occurring during the second time frame (([0028, FIG. 3 shows some examples of data stored in the storage systems 1 and 2 and the archive system 120 of FIG. 1. FIG. 3 is also used to describe methods 300 and 400 discussed below. T1-T5 in FIG. 3 represents a timeline whereby T1 is the earliest time and T5 is the latest time. T1-T5 are used to show the approximate order of examiner’s note: the time frames T1 is the first time frame and the second time frame is T2; [0012], [0036], fig.1; examiner’s note: data is coming from data sources and events are extracted from the data; each event records the change of data within a time frame which is change of state of data such as login/logout which is a change in sessions; Also teaches in paragraph [0028] and Fig. 3 that the modified data within a time frame; the events are collected in real time and RTA is also taught by Applicant’s admitted prior art in [0005]).
It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Applicant’s admitted prior art’s invention which teaches calculating global and local integrity of events to include Chan which teaches time frames of events. Admitted prior art and Chan are in the same field of invention because both of them teach detecting events and checking integrity. One would have been motivated to make this modification because it provides predictable results to reconstruct an integrity check to a specified time period to retrieve specific events in a specific time period in case there is a system hack or failure to reproduce time limited evidences.

With respect to claim 18, Applicant’s admitted prior art teaches the computer-readable medium of claim 17, but does not explicitly teach wherein the initialization module is further configured to define a source definition comprising a source in the RTA of one or more events.
However, Chan teaches wherein the initialization module is further configured to define a source definition comprising a source in the RTA of one or more events ([0021, Event data includes metadata that may include information about examiner’s note: the events are collected from variety of source).
It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Admitted prior art’s invention which teaches calculating global and local integrity of events to include Chan which teaches defining a source of events. Admitted prior art and Chan are in the same field of invention because both of them teach detecting events and checking integrity. One would have been motivated to make this modification because it provides predictable results to find out from which source the data is coming from and then organizing the data according to the source type.

With respect to claim 19, Applicant’s admitted prior art and Chan in combination teach the computer-readable medium of claim 17, Applicant’s admitted prior art teaches wherein the processor and memory are integral to the RTA ([0005, Since an RTA such as a BCA is constantly being heavily used, information within the BCA is modified at every moment, so every elapsed second may represent thousands of changes in the information]; fig. 1; examiner’s note: The RTA includes memory and processor; moreover, Chan teaches a memory and processor in fig. 1, 2).

With respect to claim 20, Applicant’s admitted prior art teaches a device for acquiring reproducible time limited (Chan teaches time limited data in paragraphs [0036]) data to facilitate integrity verification in real-time applications (RTAs) examiner’s note: data is collected in real-time; [0007, An integrity check for each subsequent event is calculated using the current event and the previous integrity check k.]; examiner’s note: integrity is determined; Chan teaches verifying the integrity in [0036]), comprising a processor and a memory configured to store non-transient instructions which when executed by the processor perform the steps of (fig. 1, [0006, 0007]; examiner’s note: the RTA gathers data events and calculated the data integrity and stores it, therefore, the RTA comprises the memory and processors and fig. 1): 
calculating a first local integrity checks from the collection and an initialization keys retrieving additional collections (fig. 1; [0007, An integrity check for each subsequent event is calculated using the current event and the previous integrity check k. Integrity checks are stored in integrity storage, for example, a hard drive. An initial random key k.sub.0 is stored in secure storage, and used for the first integrity calculation. An events source produces multiple events, so n integrity checks k.sub.1, k.sub.2, k.sub.n, k.sub.0+1 are performed as a result of the occurrence of n events event_0, event_1, . . . , event n. Each integrity check k is calculated per event, independently of when each event occurred]; examiner’s note: the first local integrity check is calculated and the key k sub 0 is the initialization key because this key is used for the first integrity calculation and the other keys such as k1…Kn is also generated for other collections of events), 
calculating subsequent local integrity checks for each of the additional collections and a key based on a prior local integrity check ([0007, An integrity check for each subsequent event is calculated using the current event and the previous integrity check k. An initial random key k.sub.0 is stored in secure storage, and used for the first integrity calculation. An events source produces multiple events, so n integrity checks k.sub.1, k.sub.2, k.sub.n, k.sub.0+1 are performed as a result of the occurrence of n events event_0, event_1, . . . , event n. Each integrity check k is calculated per event, independently of when each event occurred]; examiner’s note: integrity checks are performed based on  a Key K and the prior local integrity check; each individual integrity check is the local integrity check).
Applicant’s admitted prior art does not explicitly teach defining a time frame of a plurality of time ordered time frames, wherein each time frame of the plurality of time ordered time frames comprises a time duration; 
retrieving a collection comprising an event signifying a change in state of data of the RTA during the time frame; and for subsequent time frames from the plurality of time ordered time frames and wherein each of the collections comprises an event signifying a change in state of data of the RTA during for each subsequent time frame of the plurality of time frames.
However, Chan teaches defining a time frame of a plurality of time ordered time frames ([0044, At 404, an initial integrity verification of successfully archiving the mutable and immutable portions associated with the time period is determined]; examiner’s note: data is for the specific time period), wherein each time frame of the plurality of time ordered time frames comprises a time duration ([0030-0032, examiner’s note: the specific time period is defining time periods and the time periods T1 is the initial time periods and the time periods after T1 are T2, T3-T5. Therefore, they are time ordered time frames. ([0032, At a later time T4, such as 1 month, 3 months, 6 months after T1 or any time before the mutable portions 301 and 303 are purged from the storage system 1, a supplemental archive is performed on 303]; [0029, Of course the time periods may be different than a day, such as hourly, weekly, etc.]; examiner’s note: the months, day, hours are the time duration)); 
retrieving a collection comprising an event signifying a change in state of data of the RTA during the time frame ([0011]; [0012, A security event is a type of event and is any activity that can be analyzed to determine if it is associated with a security threat. The activity may be associated with a user, also referred to as an actor, to identify the security threat and the cause of the security threat. Activities may include logins, logouts, sending data over a network, sending emails, accessing applications, reading or writing data, etc. A security threat includes activity determined to be indicative of suspicious or inappropriate behavior, which may be performed over a network or on systems connected to a network. Common security threats, by way of example, are user attempts to gain unauthorized access to confidential information, such as social security numbers, credit card numbers, etc., over a network]; [0036]; fig. 1; examiner’s note: data is coming from data sources and events are extracted from the data; each event records the change of data within a time frame which is change of state of data such as login/logout which is a change in sessions data; Also teaches in paragraph [0028] and Fig. 3 that the modified data within a time frame; the events are 
for subsequent time frames from the plurality of time ordered time frames and wherein each of the collections comprises an event signifying a change in state of data of the RTA during for each subsequent time frame of the plurality of time frames (([0028, FIG. 3 shows some examples of data stored in the storage systems 1 and 2 and the archive system 120 of FIG. 1. FIG. 3 is also used to describe methods 300 and 400 discussed below. T1-T5 in FIG. 3 represents a timeline whereby T1 is the earliest time and T5 is the latest time. T1-T5 are used to show the approximate order of actions]; examiner’s note: the time frames T1 is the first time frame and the subsequent time frames are T2-T5); ([0011], [0012], [0036], fig.1; examiner’s note: data is coming from data sources and events are extracted from the data; each event records the change of data within a time frame which is change of state of data such as login/logout which is a change in sessions data; Also teaches in paragraph [0028] and Fig. 3 that the modified data within a time frame; the events are collected in real time and RTA is also taught by Applicant’s admitted prior art in [0005]).
It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Admitted prior art’s invention which teaches calculating global and local integrity of events to include Chan which teaches time frames of events. Admitted prior art and Chan are in the same field of invention because both of them teach detecting events and checking integrity. One would have been motivated to make this modification because it provides predictable results to reconstruct an integrity check to a 

With respect to claim 21, Applicant’s admitted prior art and Chan in combination teach the device of claim 20, Applicant’s admitted prior art further teaches wherein the device further executes the step of calculating a global integrity check from a combination of the one or more local integrity checks ([0007, Consecutive integrity checks are chained together to calculate a single check for all of them]; examiner’s note: the single check for all the integrity check is calculated as a single check, therefore, that is the global integrity check).

Claim 22 is rejected on the same basis of rejection of claim 3.

With respect to claim 25, Applicant’s admitted prior art teaches the device of claim 20, and further teaches global integrity check ([0007, Consecutive integrity checks are chained together to calculate a single check for all of them]; examiner’s note: the single check for all the integrity check is calculated as a single check, therefore, that is the global integrity check) but does not explicitly teach wherein the global integrity check comprises reproducible time limited evidence.
However, Chan further teaches reproducible time limited evidence ([0032, This metadata may be used to retrieve all the initial archived data and supplemental archived data for the time period if a restore needs to be performed for the time period]; examiner’s note: the data is restored at a certain time period, therefore, the system is reproducing time limited evidence).
It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Admitted prior art’s invention which teaches calculating global and local integrity of events to include Chan which teaches time frames of events. Applicant’s admitted prior art and Chan are in the same field of invention because both of them teach detecting events and checking integrity. One would have been motivated to make this modification because it provides predictable results to reconstruct an integrity check to a specified time period to retrieve specific events in a specific time period in case there is a system hack or failure to reproduce time limited evidences.

Claim 26 is rejected on the same basis of rejection of claim 10.

Claims 4, 13, 23 is/are rejected under 35 U.S.C. 103 as being unpatentable over Applicant’s admitted prior art and in view of Chan et al. (US 2013/0275385) and in view of Slick et al. (US 2005/0235145).

With respect to claim 4, Applicant’s admitted prior art and Chan in combination teach the system of claim 1, Applicant’s admitted prior art further teaches the key ([0007], examiner’s note: the key K).
Applicant’s admitted prior art and Chauhan in combination do not explicitly teach comprises a combination of the local integrity check of two or more preceding collections.
 a combination of the local integrity check of two or more preceding collections ([0093, An integrity check (HMAC) is then run for the second data block 852, with the HMAC being run over the previous HMAC (in this case, HMAC 854 of the first data block) and the second data block 852. The process continues in this chain fashion until an integrity check value (HMAC hash) has been obtained for each data block. Thus, in order to cause the final HMAC result to represent the integrity of the entire job, each preceding HMAC is combined with each subsequent data field, such that the last hash is a representation of the entire job.]; examiner’s note: each subsequent hash represents the previous hash integrity for the previous events.  The last hash has integrity checks for all the previous events. Therefore, it includes two or more local integrity (each individual integrity check) checks for the previous two or more events).
It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Applicant’s admitted prior art’s invention which teaches calculating global and local integrity of events to include Chan which teaches time frames of events to include Slick which teaches combining integrity checks of previous events. Applicant’s admitted prior art, Chan and Slick are in the same field of invention because all of them teach detecting events. One would have been motivated to make this modification because it provides predictable results to compute all the events integrity accurately.

Claim 13 is rejected on the same basis of rejection of claim 4.
Claim 23 is rejected on the same basis of rejection of claim 4.
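
The chaining quoted above from paragraphs [0007] and [0093] (an initial key k0, each check computed over the current data and the previous check, the last link standing for the whole run) can be sketched as follows. This is an added example, not code from the application or from the cited references; HMAC-SHA256, the length-prefixed event encoding, treating the last link as the global check, and all names and sample events are assumptions.

```python
import hashlib
import hmac

def local_check(key, collection):
    """HMAC-SHA256 over one time frame's events, keyed by the prior check."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for event in collection:
        # Length prefix keeps [b"ab", b"c"] distinct from [b"a", b"bc"].
        mac.update(len(event).to_bytes(4, "big"))
        mac.update(event)
    return mac.digest()

def chain(k0, frames):
    """Return one local check per time frame; the last one covers them all."""
    checks, key = [], k0
    for collection in frames:
        key = local_check(key, collection)  # next frame is keyed by this check
        checks.append(key)
    return checks

def first_mismatch(k0, frames, recorded):
    """Index of the first frame whose recomputed check differs, else None."""
    recomputed = chain(k0, frames)
    for i, (got, want) in enumerate(zip(recomputed, recorded)):
        if not hmac.compare_digest(got, want):
            return i
    if len(recomputed) != len(recorded):
        return min(len(recomputed), len(recorded))  # frame dropped or appended
    return None

# Constructed sample data: a fixed k0 (a real one would be random and kept in
# secure storage) and three time frames of events.
K0 = b"constructed-initial-key-k0"
FRAMES = [
    [b"login alice", b"read /etc/app.conf"],
    [b"write /var/db/orders", b"logout alice"],
    [b"login bob"],
]
RECORDED = chain(K0, FRAMES)
GLOBAL_CHECK = RECORDED[-1]

if __name__ == "__main__":
    tampered = [list(f) for f in FRAMES]
    tampered[1][0] = b"write /var/db/refunds"
    print("first bad frame:", first_mismatch(K0, tampered, RECORDED))
    print("global check still matches:",
          hmac.compare_digest(chain(K0, tampered)[-1], GLOBAL_CHECK))
```

Because every link is keyed by its predecessor, a verifier holding only k0 and the last link detects a change in any frame, while the per-frame checks localize the first frame that no longer verifies.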

Claims 5, 14, 15, 24 is/are rejected under 35 U.S.C. 103 as being unpatentable over Applicant’s admitted prior art and in view of Chan et al. (US 2013/0275385) and in view of Cunningham et al. (US 2013/0290360).

With respect to claim 5, Applicant’s admitted prior art and Chan in combination teach the system of claim 1, further teaches calculating the local integrity check ([0007]; examiner’s note: calculating integrity for each event) but do not explicitly teach wherein further comprises calculating a checksum of the collection of events.
However, Cunningham teaches calculating a checksum of the collection of events ([0018, the integrity check portion 126 may be a type of checksum]; examiner’s note: the checksum is calculated for the events).
It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Admitted prior art’s invention which teaches calculating global and local integrity of events to include Chan which teaches time frames of events to include Cunningham which teaches calculating a checksum for events. Applicant’s admitted prior art, Chan and Cunningham are in the same field of invention because all of them teach detecting events. One would have been motivated to make this modification because it provides predictable results to calculate the integrity check securely with a checksum calculation.

Claim 14 is rejected on the same basis of rejection of claim 5.

 method of claim 11, Applicant’s admitted prior art teaches wherein the global integrity check comprises a combination of one or more local integrity checks ([0007, Consecutive integrity checks are chained together to calculate a single check for all of them]; examiner’s note: the global integrity check comprises one or more local integrity check) but do not explicitly teach a checksum.
However, Cunningham teaches a checksum ([0018, the integrity check portion 126 may be a type of checksum]; examiner’s note: the checksum is calculated for the events).
It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Admitted prior art’s invention which teaches calculating global and local integrity of events to include Chan which teaches time frames of events to include Cunningham which teaches calculating a checksum for events. Applicant’s admitted prior art, Chan and Cunningham are in the same field of invention because all of them teach detecting events. One would have been motivated to make this modification because it provides predictable results to calculate the integrity check securely with a checksum calculation.

Claim 24 is rejected on the same basis of rejection of claim 5.

Conclusion


Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Mariela Reyes can be reached on 571-270-1006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/FATIMA P MINA/           Examiner, Art Unit 2159