Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


Detailed Action

Allowable Subject Matter
Claims 7 – 10 are objected to as being dependent upon a rejected based claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1 – 5 and 11 – 20 are rejected under 35 U.S.C. 103 as being unpatentable over Muddo (US Pub. No. 2017/0063912 A1) in view of Fry (US Pub. No. 2021/0133202 A1).


Per claim 11, Muddo suggests a data processing system for optimizing ingestion of security structured data into a graph database for security analytics, the data processing system comprising (see Muddo para 0741 – 0744 and Figure 85 block 8500): a bus system (see Muddo Figure 85 block 8560); a storage device connected to the bus system (see Muddo Figure 85 block 8520), wherein the storage device stores program instructions (see Muddo para 0742); and a set of processors connected to the bus system (see Muddo Figure 85 block 8510), wherein the set of processors executes the program instructions to (see Muddo para 0742): receive a plurality of streams of information (reads on receives event data from various data sources, see Muddo para 0409) from a plurality of security information sources (reads on from various data sources, see Muddo para 0409); ingest respective subsets of information from each of the plurality of security information sources to generate small subgraphs of security information (reads on using extract, transform and load functions to create a mini-graph for each event, see Muddo para 0157 – 0161, 0409 and claim 1), wherein each of the small subgraphs comply to a schema used by a master knowledge graph (The Examiner construes this to be an obvious limitation of the mini-graphs being combined into the composite relationship graph because one of ordinary skill in the art would consider it obvious that some sort of schema compliance is present in order for the composite relationship graph to be composed of the plurality of mini-graphs, see Muddo para 0411, 0413, 0426 and claim 1); and perform a batch process to ingest a plurality of small subgraphs into the master knowledge graph (reads on at a predetermined periodicity merging the individual mini-graphs into the composite relationship graph, see Muddo para 0179 and 0413). The prior art of record does not explicitly state receive a plurality of streams of information.
Fry suggests 
receive a plurality of streams of information (reads on ingest data streams from a wide range of source devices and the data is transformed into a JSON compatible file format, see Fry para 0017, 0018 and 0107).

[0017] The present technology thus provides computer-implemented techniques and logic apparatus for providing compilable data models that enable data to be sourced from large numbers of heterogeneous devices and made available in forms suitable for processing by many different analysis and learning systems without requiring extensive product-specific tailoring.
[0018] The present technology is operable as part of a data digest service that can ingest data from a wide range of source devices, process it into one or more internal representations and then enable access to the data to one or more subscribers wishing to access the content. The present technology is driven, not by the built-in constraints of the data source devices, but by the needs of the consuming application, thus making each data source behave as if it was specifically tuned to the needs of the consuming application. This enables the possibility that one single device can take on many different data delivery configurations without the need to reconfigure the device itself, and this in turn forms the basis of IoT device data sharing.
 [0107] Turning now to FIG. 4, there is shown a further example of a computer-implemented method 400 that uses a compilable data model according to the presently described data digest technology. The method 400 begins at START 402, and at 404 a data stream is received from many data sources in a variety data types having differing specific data rates, data patterns, data formats and data shapes as described in relation to the data stream input 102. At 406, the data is transformed using a compilable data model to a pre-determined format that is agnostic to the variety of data types such as consumption pattern, rate or shape of the data. The data transformed to the pre-determined format is received and stored at 408 in the form of multiple canonical data formats provided by the compilable data model. The data at 408 is now stored in a neutral format that can in practice be communicated with any number of tools having the appropriate application software to retrieve and read the data. In 410 any one or more of the multiple canonical data formats are retrieved and in 412 applied to a value algorithm for data processing. In 412 the value algorithm transforms the data using the compilable data model to a form required by an endpoint, for example, in 414 the data may be transformed to a sparse matrix format, in 416 into a file format or in 418 into formats compatible with XML or JSON usage. At 420, data that has been transformed in the sparse matrix format is output as a data stream to an application for its use and analysis by the application at the endpoint at 422. For example, such a use may be in deep learning and machine learning. The process completes at END step 424.

Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the data receiving teachings of the prior art of record (see Muddo para 0409) by integrating the data stream ingestion teachings of Fry (see Fry para 0017, 0018 and 0107) to realize the instant limitations. One or more of the underpinning rational(s), as discussed in KSR international Co, v, Teleflex inc,s etai,s 550 U,S. 398 (2007) U.S.P.Q.2d 1385, also see MPEP § 2141 {IN), are used to support this conclusion of obviousness. Accordingly, since each individual element and its function are shown in the prior art, albeit shown in separate references, the difference between the claimed subject matter and the prior art rests not on any individual element or function but in the very combination itself- that is in the substitution of the ingestion of data streams from a wide range of source devices and transforming each stream into a JSON compatible file format of the Fry reference for the data receiving teachings of the primary reference. Thus, the simple substitution of one known element for another producing a predictable result renders the claim obvious. The motivation to combine the references applies to all claims under this heading.

Per claim 12, the prior art of record further suggests use the master knowledge graph to determine whether a security incident event is associated with a known or suspected malicious action during security incident analysis (reads on processing at least a portion of the composite relationship graph to detect a security threat, see Muddo para 0432 – 0433).
Per claim 13, the prior art of record further suggests: perform a set of action steps to mitigate the known or suspected malicious action (reads on reports the threat to administrator, see Muddo para 0603).
Per claim 14, the prior art of record further suggests divide the plurality of streams of information into respective JSON security risk data files for each of the plurality of security information sources (reads on generates a specific mini-graph data structure corresponding to event data from a particular data stream JSON file, see Muddo para 0406 – 0410 and Fry para 0017, 0018 and 0107). 
Per claim 15, the prior art of record further suggests wherein the set of processors further executes the program instructions to: generate a plurality of security risk knowledge subgraphs (reads on using extract, transform and load functions to create a mini-graph for each data stream, see Muddo para 0157 – 0161, 0409 and claim 1 and Fry para 0017, 0018 and 0107) in a plurality of different local knowledge graph databases (The Examiner asserts one of ordinary skill in the art would consider the common definition of the word database to comprise a structured set of data held in a computer. The Examiner further asserts the generated mini-graphs associated with each data stream are necessarily stored in some structured way in the computer in order for the mini-graphs to be combined into the composite relationship graph at a specified time, see Fry para 0017, 0018, 0107 and Muddo para 0179, 0411, 0413, 0426 and claim 1), each particular security risk knowledge subgraph is generated from a corresponding JSON security risk data file (reads on generates a specific mini-graph data structure corresponding to event data from a particular data stream JSON file, see Muddo para 0406 – 0410 and Fry para 0017, 0018 and 0107).
Claim 16 the computer program product is analyzed with respect to claim 11.
Claim 17 is analyzed with respect to claim 12.
Claim 18 is analyzed with respect to claim 13.
Claim 19 is analyzed with respect to claim 14.
Claim 20 is analyzed with respect to claim 15.
Claim 1 is analyzed with respect to claim 16.
Claim 2 is analyzed with respect to claim 17.
Claim 3 is analyzed with respect to claim 18.
Claim 4 is analyzed with respect to claim 19.
Claim 5 is analyzed with respect to claim 20.

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Muddo in view of Fry in view of Spackman (US Pub. No. 2010/0083003).

Per claim 6, the prior art of record suggests the method of claim 1, and inserting a new node or edge into the master knowledge graphs as part of bulk upload (reads on at a predetermined periodicity merging the individual mini-graphs into the composite relationship graph, see Muddo para 0179 and 0413). The prior art of record is silent on explicitly stating performing a look ahead procedure prior to inserting. Spackman suggests performing a look ahead procedure prior to inserting (reads on determining whether the data to be stored is unique prior to storing and if it already exists do not insert the data, see Spackman para 0002 – 0003).
[0002] Conventional computer data storage systems such as conventional file systems organize and index pieces of stored data by name or identifier. These conventional systems make no attempt to identify and eliminate repeated pieces of data within the collection of stored files. Depending on the pattern of storage, a conventional file system might contain a thousand copies of the same megabyte of data in a thousand different files. A reduced-redundancy storage system reduces the occurrence of duplicate copies of the same data by partitioning the data it stores into sub-blocks and then detecting and eliminating duplicate sub-blocks. See WILLIAMS, U.S. Pat. No. 5,990,810 and U.S. patent application publication US 2007/0192548A1, published Aug. 16, 2007, inventor WILLIAMS, both incorporated herein by reference in their entirety describing such a system. See also PCT international publication WO 2006/094366, inventor WILLIAMS, published 14 Sep. 2006 and also published international patent application WO 2006/094365, inventor WILLIAMS, published 14 Sep. 2006, both also incorporated herein by reference in their entirety describing other aspects of such systems. This technique is also referred to as "de-duplication technology" in the computer storage field. The goal is to reduce the amount of capacity consumed by file storage. The ultimate storage is typically either on magnetic tape or hard disk, but this of course is not limiting. Typically in such systems as files are written into the system (or alternatively in a subsequent, separate de-duplication step) they are analyzed by a de-duplication engine (processor) and broken into sub-files referred to as sub-blocks or blocklets. Each blocklet is examined by the engine to see if it is unique. If it is, the blocklet is stored to disk and consumes disk or tape capacity. If the blocklet is determined not to be unique that means it has already been stored and one of the two copies may be discarded. After the entire file has been examined, an index record is stored that lists what blocklets or sub-blocks make up the file and how to rebuild the file, that is how to locate them in the storage.
[0003] More technically, this approach to data storage reduction systematically substitutes reference pointers in the index for redundant fixed or variable-length blocks or data segments, also referred to as blocklets or sub-blocks, in a specific data set. The more sophisticated version uses variable length data segments. Data de-duplication operates by partitioning the file into the blocklets (sub-blocks) and writing those sub-blocks to a disk or tape. To identify the sub-blocks in a stream, the data de-duplication engine creates a digital signature, also sometimes referred to as a fingerprint, for each sub-block and an index of all the digital signatures for a given storage repository. The index, which can be recreated from the stored sub-blocks, provides a reference list to determine whether sub-blocks already exist in the repository. The index is used to determine which new sub-blocks need to be stored or alternatively which old sub-blocks can be discarded and also which need to be copied during a reproduction operation. When the data de-duplication engine determines that a particular sub-block has been processed (stored) before, instead of storing the sub-block again it merely inserts a pointer to the original sub-block in the "metadata" kept in the index. If the same sub-block shows up multiple times, multiple pointers to it are generated.

Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the data storing teachings of the prior art of record (reads on generates a specific mini-graph data structure corresponding to event data from a particular data stream JSON file, see Muddo para 0406 – 0410 and Fry para 0017, 0018 and 0107) by integrating the data storing teachings of Spackman (see Spackman para 0002 – 0003) to realize the instant limitations. One or more of the underpinning rational(s), as discussed in KSR international Co, v, Teleflex inc,s etai,s 550 U,S. 398 (2007) U.S.P.Q.2d 1385, also see MPEP § 2141 {IN), are used to support this conclusion of obviousness. Accordingly, since each individual element and its function are shown in the prior art, albeit shown in separate references, the difference between the claimed subject matter and the prior art rests not on any individual element or function but in the very combination itself- that is in the substitution of the storing of the ingestion data of the primary references with the storing only after looking ahead to determine the data is not currently stored according the teachings of Spackman. Thus, the simple substitution of one known element for another producing a predictable result renders the claim obvious. The motivation to combine the references applies to all claims under this heading.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Brian Shaw whose telephone number is ((571)270-5191.  The examiner can normally be reached on Mon-Thurs from 6:00 AM-3:30 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's Supervisor, Ashok Patel can be reached on (571) 272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 703-872-9306.  Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/BRIAN F SHAW/Primary Examiner, Art Unit 2491