Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions.
DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 3/22/2021 has been entered. Claims 1-3, 5, 6, 12 and 13 are amended. Claims 4 and 11 are cancelled. Claims 1-3, 5-10 and 12-20 are pending.
Response to Arguments
Examiner’s Remarks - Double Patenting
In view of applicant’s remarks of, “Applicant respectfully requests that these rejections be held in abeyance until the application is otherwise in condition for allowance”, the examiner maintains rejection(s) issued under Double Patenting.  
Examiner’s Remarks - 35 USC § 103
Applicant’s arguments have been considered but are moot in view of the new grounds of rejection(s) listed below. 
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  

Claims 1-3 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 10,360,399 hereinafter. Although the claims at issue are not identical, they are not patentably distinct from each other because both sets of claims are drawn to the claim elements of, “normalizing extracted event data from an event log file, the event log file including information associated with an attempt to access protected data by the authorized user, the authorized user having a plurality of different associated user identifiers, the normalizing of the event data being based on a predefined format; generating a notification, based on a determination that the attempt to . 

Claims 1-3 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 9,916,468. Although the claims at issue are not identical, they are not patentably distinct from each other because both sets of claims are drawn to “normalizing extracted event data from an event log file, the event log file including information associated with an attempt to access protected data by the authorized user, the authorized user having a plurality of different associated user identifiers, the normalizing of the event data being based on a predefined format…”. 

Claims 1-3 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 9,202,189. Although the claims at issue are not identical, they are not patentably distinct from each other because both sets of claims are drawn to, “normalizing extracted event data from an event log file, the event log file including information associated with an attempt to access protected data by the authorized user, the authorized user having a plurality of different associated user identifiers, the normalizing of the event data being based on a predefined format; processing the normalized event data to determine at least one of the plurality of different associated authorized user identifiers is linked to the attempt to access the protected data; determining, based on the normalized event data and the at least one of the plurality of different associated authorized user identifiers, whether the attempt to access the protected data is fraudulent or indicative of probable misuse based on at least one rule applied by a monitoring system, the at least one rule comprising at least one criterion related to accesses in excess of a specific volume, accesses during a pre-determined . 

Claims 1-3 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 8,578,500. Although the claims at issue are not identical, they are not patentably distinct from each other because both sets of claims are drawn to, “normalizing extracted event data from an event log file, the event log file including information associated with an attempt to access protected data by the authorized user, the authorized user having a plurality of different associated user identifiers, the normalizing of the event data being based on a predefined format; processing the normalized event data to determine at least one of the plurality of different associated authorized user identifiers is linked to the attempt to access the protected data; determining, based on the normalized event data and the at least one of the plurality of different associated authorized user identifiers, whether the attempt to access the protected data is fraudulent or indicative of probable misuse based on at least one rule applied by a monitoring system, the at least one rule comprising at least one criterion related to accesses in excess of a specific volume, accesses during a pre-determined time interval, or accesses by a specific authorized user; storing normalized event data that is incapable of being associated with a known user in a list separate from normalized event data having the at least one of the plurality of different associated authorized user identifiers; generating a notification, based on a determination that the attempt to access the protected data is fraudulent or indicative of probable misuse….”. 

Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

Claims 1-3, 5-9, 12-15, 17, 18 and 20 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Sakamoto (US Patent Publication No. 2005/0203881) in view of Drake et al. (US Patent No. 6,347,374 and Drake hereinafter).

As to claims 1, 2 and 3, Sakamoto teaches a method of detecting improper access of protected data by an authorized user, the method comprising:
normalizing extracted event data from an event log file, the event log file including information associated with an attempt to access protected data by the authorized user (i.e., …teaches in paragraph 0056 the following: “The data collector collects user behavior data from audit trail or dynamic performance views, processes the information, and stores the data as historical data. The historical data can be saved in an internal database for example. In one embodiment, a variety of attributes are recorded in the historical data for each action of interest. For example, a SELECT or a LOGIN action will include attributes such as, without limitation: (1) an operating system user identifier (OSUSER); (2) a database user identifier of the user who performs the action (DBUSER); (3) a subject schema object identifier (OBJECT); (4) owner of the object (OWNER); (5) a client system identifier (LOCATION); (6) an action identifier (ACTION); (7) a time of action (TIMESTAMP); (8) number of logical reads for the session (READ); (9) number of logical writes for the session (WRITE); and (10) a success or failure reason code 
the authorized user having a plurality of different associated user identifiers (i.e., …teaches in paragraph 0004 the following: “privileges are difficult to administer, users can often access data that is outside of the scope of their work, and security can easily be breached”. Further teaches in paragraph 0056 the following: “an operating system user identifier (OSUSER)”.),
the normalizing of the event data being based on a predefined format (i.e., …teaches in paragraph 0056 the following: “The data collector collects user behavior data from audit trail or dynamic performance views, processes the information, and stores the data as historical data. The historical data can be saved in an internal database for example. In one embodiment, a variety of attributes are recorded in the historical data for each action of interest. For example, a SELECT or a LOGIN action will include attributes such as, without limitation: (1) an operating system user identifier (OSUSER); (2) a database user identifier of the user who performs the action (DBUSER); (3) a subject schema object identifier (OBJECT); (4) owner of the object (OWNER); (5) a client system identifier (LOCATION); (6) an action identifier (ACTION); (7) a time of action (TIMESTAMP); (8) number of logical reads for the session (READ); (9) number of logical writes for the session (WRITE); and (10) a success or failure reason code (RETURNCODE).”. The examiner notes that arranging the data in a database structure is a form of normalizing data.); 
processing the normalized event data to determine at least one of the plurality of different associated authorized user identifiers is linked to the attempt to access the protected data (i.e., …teaches in paragraph 0097 the following: “FIG. 4 is a graph that illustrates an example probability distribution of accesses to a database in one embodiment. FIG. 4 depicts an example of database access activities by a particular user during a 24-hour period. In FIG. 4, each bar represents the number of object accesses per hour by this user. In the example probability distribution depicted by FIG. 4, the 
determining, based on the normalized event data and the at least one of the plurality of different associated authorized user identifiers (i.e., …teaches in paragraph 0047 the following: “detectable by database audit engine 110 include without limitation unauthorized access using a stolen password, insider fraud, misuse, or privilege abuse. An example of insider fraud is copying valuable customer account information by bank tellers. An example of privilege abuse is accessing employee salary information by a database administrator (DBA).” …further teaches in paragraph 0056 the following: “(1) an operating system user identifier (OSUSER);”.),
whether the attempt to access the protected data is fraudulent or indicative of probable misuse based on at least one rule applied by a monitoring system (i.e., …teaches in paragraph 0029 the following: “determining if the new set of data violates a rule-based policy is performed. If the new set of data violates the rule-based policy, then the new set of data is determined to represent anomalous activity. In one embodiment, anomalous activity comprises suspicious activity”.),
the at least one rule comprising at least one criterion related to accesses in excess of a specific volume, accesses during a pre-determined time interval, or accesses by a specific authorized user (i.e., …teaches in par. 26 the following: “determining a frequency of database access from the historical data includes one or more of determining a frequency of one or more of user access frequency by hour of day, user access frequency by hour of day and operating system user, user access frequency by hour of day and database user, user access frequency by hour of day and location, user access frequency by hour of day or a combination of at least two of operating system user, database user, and location.”.); 
storing normalized event data that is incapable of being associated with a known user in a list separate from normalized event data having the at least one of the plurality of different associated 
generating a notification, based on a determination that the attempt to access the protected data is fraudulent or indicative of probable misuse (i.e., …teaches in paragraph 0008 the following: “A database access violating the rules will be detected and alerted”.); 
generating additional data for the rule associated with the event data based on the notification (i.e., …teaches in paragraph 0046 the following: “For example, the anomaly detector 116 may send e-mail alerts 96 to signal an intrusion to the administrator station 144. The anomaly detector 116 may also or in addition provide reports 94 or create visualizations 98.”),
wherein the monitoring system processes the normalized event data at intervals of pre-determined time periods (i.e., teaches in par. 91 the following: “the user configures a monitoring schedule for the specified database. During the process of configuring the monitoring schedule includes, the user specifies how often the data analyzer is to `learn` the user behavior data and reconstruct the statistical model, as shown in FIG. 6C. The user also specifies how often the anomaly detector is to `guard` against anomalous data, and send out the alerts, again using the screen depicted in FIG. 6C.”.), 
and the event log file corresponds with an application of the plurality of applications accessible by the authorized user (i.e., …teaches in paragraph the following: “monitoring of accesses to the database 132 by users and/or processes.”.), 
each application of the plurality of applications has a corresponding event log file (i.e., …teaches in paragraph the following: “monitoring of accesses to the database 132 by users and/or processes.”.). 

Sakamoto does not expressly teach:

In this instance the examiner notes the teachings of prior art reference Drake. 
With regard to applicant’s claim limitation element of, “and the event log file of each application of the plurality of applications has a file format of the plurality of different file formats”, Drake teaches in column 8 lines 15-20 the following: “audit acquisition is unique to each audit source 18, since the format of each audit source 18, and the interface to the operating system or application being audited is potentially unique.”
It would have been obvious to one of ordinary skill in the art to combine the teachings of Sakamoto with the teachings of Drake by including the feature of data file formatting. Utilizing data file formatting as taught by Drake above allows a system to provide comprehensive data integrity and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, Sakamoto's system will obtain the capability to provide enhanced data handling. 

Claims (4 and 11) (Cancelled).

As to claims 5 and 12, Sakamoto teaches a method of claim 1, wherein predetermined time period is based on a detected system activity (i.e., …teaches in paragraph 0048 the following: “new data represents anomalous activity. In block 380, a targeted operation is performed in the event that anomalous activity has been detected by block”.).

As to claims 6, 13 and 18, Sakamoto teaches a method of claim 1, further comprising: causing the pre-determined time period to change based on one or more of a detected system activity or an 

As to claims 7 and 14, Sakamoto teaches a method of claim 1, further comprising: causing one or more of an alert based on the notification to be output to a display communicatively coupled with the monitoring system or to an electronic device communicatively coupled with the monitoring system (i.e., …teaches in paragraph 0095 the following: “user views alerts and/or graphs”).

As to claims 8 and 15, Sakamoto teaches a method of claim 1, further comprising: obtaining role information of the authorized user (i.e., …teaches in paragraph 0093 the following: “The user specifies who will be allowed to access this object. For multiple dimension object rules, it can be defined as a combination of attributes. For example, database user WANI can access this object only when she is logged in as OS user IPLOCKS/WTANG and from client system WLINUX, as shown in FIG. 6G. The user also specifies the access frequency policies to activate in order to monitor this object, as shown in FIG. 6H.”.), 
wherein the at least one rule applied by the monitoring system is based on a user's specific role (i.e., …teaches in paragraph 0038 the following: “A privilege may alternatively be referred to as an authorization, or a set of authorizations.”.).

As to claims 9 and 17, Sakamoto teaches a method of claim 1, wherein the protected data is business information associated with customer relationship management (i.e., …teaches in paragraph 0041 the following: “critical data may include, for example and without limitation, audit records, customer account information, and employee salary information.”.).

As to claim 20, Sakamoto teaches a non-transitory computer-readable storage medium of claim 3, wherein the protected data is business information associated with customer relationship management (i.e., …teaches in paragraph 0041 the following: “critical data may include, for example and without limitation, audit records, customer account information, and employee salary information.”.).

Claims 10, 16 and 19 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Sakamoto in view of as applied to claims 1-3 above and further in view of Haskell et al. (US Patent Publication No. 2005/0158767 and Haskell hereinafter).

As to claims 10, 16 and 19, the system of Sakamoto and Walker teaches a data access monitor; however, neither reference teaches a method of claim 1, wherein the protected data is a patient's protected health information.
In this instance the examiner notes the teachings of prior art reference Haskell. 
Haskell is noted to teach in paragraph 00057 the following: “access to his/her own data as the central electronic health record”.
It would have been obvious to one of ordinary skill in the art to combine the teachings of Sakamoto and Drake with the teachings of Haskell by including the feature of health record monitoring. Utilizing health record monitoring as taught by Haskell above allows a system to provide comprehensive data access control and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, the system of Sakamoto and Drake will obtain the capability to provide enhanced system data security. 
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRYAN F WRIGHT whose telephone number is (571)270-3826.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571)272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BRYAN F WRIGHT/Examiner, Art Unit 2497