DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Objections
Claim 12 is objected to because of the following informalities:  
Claim 12 recites “at least one a”.  The Examiner believes that this is a typographical mistake and the Applicant meant to recite “at least one of a”.
Appropriate correction is required.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-6, 8-9, 11-12, 14-15, and 17-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Pratt et al. (US Patent No. US 10673880 B1, hereinafter Pratt).

Regarding Claim 1, Pratt discloses a system for implementing a behavior analysis engine (BAE) to improve computer query processing (Fig. 2A, rules-based network security system 124), comprising: 
at least one processor operatively coupled to a memory (Fig. 34, computer system 3600 includes one or more processor(s) 3610, memory 3620) and configured to implement: 
a user interface displayed on a device to manage and visualize rules associated with system behavior (Fig. 1, [Col. 8, lines 42-45]: For example, user input specifying an anomaly detection rule may be input via graphical user interface (GUI) 162 associated with a rules-based network security system 124); and 
a BAE service including program code ([Col. 9, lines 10-12]: Similarly, the respective functionalities of systems 108, 122, 124, may be implemented as one or more services by one or more service providers. These services may be accessible to end-users via any of client applications 110 or host applications 114) to: 
receive, via the user interface, a job request to execute an input rule on target log data ([Col. 11, lines 65-67]: The communication between a client device 102 and host application 114 may include sending various requests; [Col. 8, lines 40-42]: As shown in FIG. 1B, at step 166 a user 164 (e.g. a network administrator) provides input that defines a rule for detecting anomalies based on received data (e.g. machine data); [Col. 3, lines 41-42]: Machine-generated data can include system logs);
execute the job request to generate a result, including obtaining the input rule from a rule-base (Fig. 1B; [Col. 8, lines 54-56]: A rules-based network security system 124 can process received data with the user-specified rule to detect anomalous activity and output anomaly data based on that activity),
 parsing the input rule to create a data structure (Fig. 3, step 306; [Col. 5, lines 17-20]: The system divides this raw data into blocks (e.g., buckets of data, each associated with a specific time frame, etc.), and parses the raw data to produce timestamped events. The system stores the timestamped events in a data store [The timestamped event corresponds to the data structure]), 
optimizing the data structure (Fig. 3, step 310; [Col. 17, lines 36-41]: In one embodiment, the stored events are organized into “buckets,” where each bucket stores events associated with a specific time range based on the timestamps associated with each event. This may not only improve time-based searching, but also allows for events with recent timestamps, which may have a higher likelihood of being accessed, to be stored in a faster memory to facilitate faster retrieval), and 
executing one or more operations using the optimized data structure ([Col. 17, lines 41-43]: By storing events in buckets for specific time ranges, an indexer may further optimize data retrieval process by searching buckets corresponding to time ranges that are relevant to a query);  and 
store the result in a result database (Fig. 3, [Col. 17, lines 22-23]: At block 318, the indexer stores the events with an associated timestamp in a data store 208).

Regarding Claim 2, Pratt discloses the system of claim 1, wherein the user interface permits user composition of rules ([Col. 59, lines 10-17]: FIG. 33 shows an example interactive view 3500 through which a user can specify a rule for anomaly detection. In the example embodiment, view 3500 includes an option 3502 to input a title for the rule, an option 3504 to set a category for anomaly detected according to the rule, and an option 3506 to specify the rule. As shown in FIG. 33, the option to specify a rule can include an editable text field into which a user may input text defining the rule).

Regarding Claim 3, Pratt discloses the system of claim 1, wherein the user interface permits user verification of a new rule generated by the machine learning component ([Col. 9, lines 58-65]: As in the real-time data path, anomalies, threat indicators and threats discovered by the batch analyzer may be actionable automatically or may be presented to a human operator for decision on whether to take action. The action taken by the operator to validate or invalidate the conclusions reached by the batch analyzer may serve as a source of feedback to the security platform to improve its evaluation of subsequently processed data; [Col. 22, lines 55-57]: These anomalies, threat indicators and threats may be provided to a user interface (UI) system 850 for review by a human operator 852).

Regarding Claim 4, Pratt discloses the system of claim 1, wherein the user interface permits execution of the input rule on the target log data (Fig. 1B, step 166; [Col. 8, lines 40-42]: As shown in FIG. 1B, at step 166 a user 164 (e.g. a network administrator) provides input that defines a rule for detecting anomalies based on received data (e.g. machine data); [Col. 8, lines 54-56]: A rules-based network security system 124 can process received data with the user-specified rule to detect anomalous activity and output anomaly data based on that activity).

Regarding Claim 5, Pratt discloses the system of claim 1, wherein the BAE service provides one or more application programming interfaces (APIs) for accessing the BAE service ([Col. 21, lines 27-30]: The data sources 802 provide data to data receivers 810, which implement various APIs and connectors to receive (or retrieve, depending on the mechanism) the data for the security platform 800).

Regarding Claim 6, Pratt discloses the system of claim 5, wherein the one or more APIs include one or more RESTful APIs ([Col. 21, lines 35-40]: Technologies employed to implement the data receiver 810 may include Flume™ and REST™. Flume™ is an open-source distributed service for collecting, aggregating, and moving large amounts of log data. REST™ is an interface for accessing large databases).

Regarding Claim 8, Pratt discloses the system of claim 1, wherein the BAE service further includes program code to validate or compose a rule ([Col. 59, lines 10-15]: FIG. 33 shows an example interactive view 3500 through which a user can specify a rule for anomaly detection. In the example embodiment, view 3500 includes an option 3502 to input a title for the rule, an option 3504 to set a category for anomaly detected according to the rule, and an option 3506 to specify the rule), and
store the validated or composed rule in one or more types of rule bases (Fig. 5; [Col. 19, lines 48-50]: Also, in some embodiments users may provide input via applications in the applications layer to specify rules in the rules layer 612).

Regarding Claim 9, Pratt discloses the system of claim 8, wherein the one or more types of rule-bases include a local rule-base and a global rule-base ([Col. 2, lines 55-56]: FIG. 25 illustrates an example use case for identifying threat indicators based on local and global rarity analysis; [Col. 54, lines 30-36]: As shown in Fig. 25… The events 2280 can also be processed according to a user specified anomaly detection rules that are associated with a particular entity (e.g., local rule associated with entity 1). For example a network administrator may specify a rule to output an anomaly if a particular user has more than 3 failed login attempts. The detected anomalies 1 through M are then analyzed according to a global rarity analysis model to identify a threat indicator).

Regarding Claim 11, Pratt discloses the system of claim 1, wherein the job request includes a single run request or a batch process request ([Col. 11, lines 65-67]: The communication between a client device 102 and host application 114 may include sending various requests; [Col. 9, lines 33-35]: Processing of data (at both systems 122 and 124) may be performed in real time as data is received or in batch mode using stored data).

Regarding Claim 12, Pratt discloses the system of claim 1, wherein the one or more operations include at least one a logical operation, a set operation and a temporal operation ([Col. 40, lines 4-7]: Examples of entity-specific behavioral analysis include hierarchical temporal memory processes that employ modified probabilistic suffix trees (PST), collaborative filtering, content-based recommendation analysis).

Regarding Claim 14, Pratt discloses a computer-implemented method for implementing a behavior analysis engine (BAE) to improve computer query processing, comprising: 
receiving, at a BAE service via a user interface, a job request to execute an input rule on target log data ([Col. 11, lines 65-67]: The communication between a client device 102 and host application 114 may include sending various requests; [Col. 8, lines 40-42]: As shown in FIG. 1B, at step 166 a user 164 (e.g. a network administrator) provides input that defines a rule for detecting anomalies based on received data (e.g. machine data); [Col. 3, lines 41-42]: Machine-generated data can include system logs); 
executing, by the BAE service, the job request to generate a result, including obtaining the input rule from a rule-base (Fig. 1B; [Col. 8, lines 54-56]: A rules-based network security system 124 can process received data with the user-specified rule to detect anomalous activity and output anomaly data based on that activity), 
parsing the input rule to create a data structure (Fig. 3, step 306; [Col. 5, lines 17-20]: The system divides this raw data into blocks (e.g., buckets of data, each associated with a specific time frame, etc.), and parses the raw data to produce timestamped events. The system stores the timestamped events in a data store [A timestamped event corresponds to a data structure]), 
optimizing the data structure (Fig. 3, step 310; [Col. 17, lines 36-41]: In one embodiment, the stored events are organized into “buckets,” where each bucket stores events associated with a specific time range based on the timestamps associated with each event. This may not only improve time-based searching, but also allows for events with recent timestamps, which may have a higher likelihood of being accessed, to be stored in a faster memory to facilitate faster retrieval), and
executing one or more operations using the optimized data structure (Fig. 3, step 312; [Col. 17, lines 41-43]: By storing events in buckets for specific time ranges, an indexer may further optimize data retrieval process by searching buckets corresponding to time ranges that are relevant to a query); and
storing, by the BAE service, the result in a result database (Fig. 3, [Col. 17, lines 22-23]: At block 318, the indexer stores the events with an associated timestamp in a data store 208); wherein the BAE service is implemented by at least one processor operatively coupled to a memory (Fig. 34, computer system 3600 includes one or more processor(s) 3610, memory 3620).

Regarding Claim 15, Pratt discloses the method of claim 14, further comprising providing, by the BAE service, one or more application programming interfaces (APIs) for accessing the BAE service ([Col. 21, lines 27-30]: The data sources 802 provide data to data receivers 810, which implement various APIs and connectors to receive (or retrieve, depending on the mechanism) the data for the security platform 800).

Regarding Claim 17, Pratt discloses the method of claim 14, further comprising the BAE service validating or composing a rule ([Col. 59, lines 10-15]: FIG. 33 shows an example interactive view 3500 through which a user can specify a rule for anomaly detection. In the example embodiment, view 3500 includes an option 3502 to input a title for the rule, an option 3504 to set a category for anomaly detected according to the rule, and an option 3506 to specify the rule), and
storing the validated or composed rule in one or more types of rule-bases (Fig. 5; [Col. 19, lines 48-50]: Also, in some embodiments users may provide input via applications in the applications layer to specify rules in the rules layer 612),
wherein the one or more types of rule-bases include a local rule-base and a global rule-base ([Col. 2, lines 55-56]: FIG. 25 illustrates an example use case for identifying threat indicators based on local and global rarity analysis; [Col. 54, lines 30-36]: As shown in Fig. 25… The events 2280 can also be processed according to a user specified anomaly detection rules that are associated with a particular entity (e.g., local rule associated with entity 1). For example a network administrator may specify a rule to output an anomaly if a particular user has more than 3 failed login attempts. The detected anomalies 1 through M are then analyzed according to a global rarity analysis model to identify a threat indicator).

Regarding Claim 18, Pratt discloses the method of claim 14, wherein the job request includes a single run request or a batch process request ([Col. 11, lines 65-67]: The communication between a client device 102 and host application 114 may include sending various requests; [Col. 9, lines 33-35]: Processing of data (at both systems 122 and 124) may be performed in real time as data is received or in batch mode using stored data).

Regarding Claim 19, Pratt discloses the method of claim 14, wherein the one or more operations include at least one a logical operation, a set operation and a temporal operation ([Col. 40, lines 4-7]: Examples of entity-specific behavioral analysis include hierarchical temporal memory processes that employ modified probabilistic suffix trees (PST), collaborative filtering, content-based recommendation analysis).

Regarding Claim 20, Pratt discloses a computer program product comprising 
a non-transitory computer readable storage medium having program instructions embodied therewith, the program instructions executable by a computer to cause the computer to perform a method for implementing a behavior analysis engine (BAE) to improve computer query processing, the method comprising ([Col. 60, lines 50-56]: Embodiments of the techniques introduced here may be implemented, at least in part, by a computer program product which may include a non-transitory machine-readable medium having stored thereon instructions that may be used to program/configure a computer or other electronic device to perform some or all of the operations described above): 
receiving, at a BAE service via a user interface, a job request to execute an input rule on target log data ([Col. 11, lines 65-67]: The communication between a client device 102 and host application 114 may include sending various requests; [Col. 8, lines 40-42]: As shown in FIG. 1B, at step 166 a user 164 (e.g. a network administrator) provides input that defines a rule for detecting anomalies based on received data (e.g. machine data); [Col. 3, lines 41-42]: Machine-generated data can include system logs); 
executing, by the BAE service, the job request to generate a result, including obtaining the input rule from a rule-base (Fig. 1B; [Col. 8, lines 54-56]: A rules-based network security system 124 can process received data with the user-specified rule to detect anomalous activity and output anomaly data based on that activity), 
parsing the input rule to create a data structure (Fig. 3, step 306; [Col. 5, lines 17-20]: The system divides this raw data into blocks (e.g., buckets of data, each associated with a specific time frame, etc.), and parses the raw data to produce timestamped events. The system stores the timestamped events in a data store [A timestamped event corresponds to a data structure]), 
optimizing the data structure (Fig. 3, step 310; [Col. 17, lines 36-41]: In one embodiment, the stored events are organized into “buckets,” where each bucket stores events associated with a specific time range based on the timestamps associated with each event. This may not only improve time-based searching, but also allows for events with recent timestamps, which may have a higher likelihood of being accessed, to be stored in a faster memory to facilitate faster retrieval), and 
executing one or more operations using the optimized data structure (Fig. 3, step 312; [Col. 17, lines 41-43]: By storing events in buckets for specific time ranges, an indexer may further optimize data retrieval process by searching buckets corresponding to time ranges that are relevant to a query); and 
storing, by the BAE service, the result in a result database (Fig. 3, [Col. 17, lines 22-23]: At block 318, the indexer stores the events with an associated timestamp in a data store 208).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective 

Claims 7 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Pratt et al. (US Patent No. US 10673880 B1, hereinafter Pratt) in further view of Reid et al. (US 20170024258 A1, hereinafter Reid).

Regarding Claim 7, Pratt discloses the system of claim 1.
However, Pratt does not explicitly teach “wherein the data structure includes a tree of execution order, and optimizing the data structure includes optimizing the tree of execution order to reduce a number of future executions.”
On the other hand, in the same field of endeavor, Reid teaches wherein the data structure includes a tree of execution order ([Abstract]: The viewing application receives a query result from the scheduling server and depicts, on an electronic display, a dependency tree that includes one or more precedent batch jobs and the target batch job; [0047]: A dependency tree 98 is a data structure and/or visual depiction of the subset of financial batch jobs 12, within a batch stream, returned by the scheduling server 14 query), and 
optimizing the data structure includes optimizing the tree of execution order to reduce a number of future executions ([0005]: The viewing application may provide optimization tools that allow the user to make one or more optimizations to the execution order of the plurality of batch jobs. The one or more optimizations may optimize the execution order such that a total execution runtime of the one or more critical jobs is decreased such that the target batch job finishes executing earlier than the target batch job would have finished executing without the one or more optimizations).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the system of Pratt with the teachings of Reid to include “wherein the data structure includes a tree of execution order, and optimizing the data structure includes optimizing the tree of execution order to reduce a number of future executions.”
The motivation for combining would be to optimize dependencies of batch jobs, as recognized by Reid ([0005] of Reid: In one embodiment, provided is a computer system for optimizing dependencies of batch jobs).
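To make concrete the parse / optimize / execute / store sequence recited in Claim 1, the logical, set and temporal operations of Claim 12, and the tree of execution order optimized to reduce future executions at issue in Claim 7, the following is an added example written for this page. It is not code from Pratt, Reid or the application under examination. The rule grammar (clauses joined by "and", with "not", comparison and "in" operations), the 1000-second bucket width, the pass-probability figures used to reorder predicates, and the log events are all assumptions constructed for the illustration.

```python
"""Added example, not code from Pratt, Reid or the examined application: a toy
behaviour-analysis rule engine that parses a rule into a tree, optimizes the
tree, executes it over time-bucketed log events and stores the result. The
grammar, bucket width, selectivity figures and sample logs are assumptions."""
import operator
from collections import defaultdict

BUCKET_SECONDS = 1000  # assumed bucket width
OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
       "<": operator.lt, ">=": operator.ge, "<=": operator.le}
# Assumed chance that a leaf predicate passes; used only to order execution.
PASS_PROB = {"==": 0.1, "in": 0.2, ">": 0.5, "<": 0.5, ">=": 0.5, "<=": 0.5, "!=": 0.9}
# Constructed sample events (not real data): timestamp, event type, user.
SAMPLE_LOGS = [{"ts": t, "event": ev, "user": u} for t, ev, u in [
    (100, "login_failed", "alice"), (130, "login_failed", "alice"),
    (150, "login_failed", "mallory"), (900, "login_ok", "alice"),
    (1500, "login_failed", "bob"), (2600, "login_ok", "alice"),
    (3700, "login_failed", "alice")]]
# Logical (and/not), set (in) and temporal (bounds on ts) operations in one rule.
RULE = "ts >= 0 and ts < 2000 and event == login_failed and not user in mallory,eve"

def literal(text):
    return int(text) if text.lstrip("-").isdigit() else text

def parse(rule_text):
    """Clauses joined by ' and ' become ("and", [leaf, ...]); a leaf is
    ("cmp", op, field, value), ("in", field, frozenset) or ("not", leaf)."""
    leaves = []
    for clause in rule_text.split(" and "):
        words = clause.split()
        negate = words[0] == "not"
        field, op, value = words[negate:]  # raises ValueError on a malformed clause
        if op == "in":
            leaf = ("in", field, frozenset(literal(v) for v in value.split(",")))
        elif op in OPS:
            leaf = ("cmp", op, field, literal(value))
        else:
            raise ValueError(f"unknown operator {op!r} in {clause!r}")
        leaves.append(("not", leaf) if negate else leaf)
    return ("and", leaves)

def pass_prob(leaf):
    """Assumed probability that a leaf is true (lower = better to run first)."""
    if leaf[0] == "not":
        return 1 - pass_prob(leaf[1])
    return PASS_PROB["in" if leaf[0] == "in" else leaf[1]]

def optimize(tree):
    """Rewrite the execution-order tree: cancel double negation and run the leaves
    most likely to be false first so the conjunction short-circuits sooner (sound
    only because leaves are pure). Also returns the [lo, hi) bounds on ts implied
    by top-level clauses, so whole buckets can be skipped without executing anything."""
    leaves = [leaf[1][1] if leaf[0] == "not" and leaf[1][0] == "not" else leaf
              for leaf in tree[1]]
    lo, hi = float("-inf"), float("inf")
    for leaf in leaves:
        if leaf[0] == "cmp" and leaf[2] == "ts":
            if leaf[1] in (">=", ">"):
                lo = max(lo, leaf[3] + (leaf[1] == ">"))
            elif leaf[1] in ("<", "<="):
                hi = min(hi, leaf[3] + (leaf[1] == "<="))
    return ("and", sorted(leaves, key=pass_prob)), lo, hi

def evaluate(tree, event, counter):
    """Short-circuit conjunction; counter[0] counts leaf predicates executed."""
    def leaf_true(leaf):
        if leaf[0] == "not":
            return not leaf_true(leaf[1])
        counter[0] += 1
        if leaf[0] == "in":
            return event.get(leaf[1]) in leaf[2]
        _, op, field, value = leaf
        return field in event and OPS[op](event[field], value)
    return all(leaf_true(leaf) for leaf in tree[1])

def bucketize(events):
    """Group events into fixed-width time buckets keyed by ts // BUCKET_SECONDS."""
    buckets = defaultdict(list)
    for e in events:
        buckets[e["ts"] // BUCKET_SECONDS].append(e)
    return buckets

def scan(buckets, lo=float("-inf"), hi=float("inf")):
    """Yield events only from buckets that overlap [lo, hi)."""
    for key in sorted(buckets):
        start = key * BUCKET_SECONDS
        if start + BUCKET_SECONDS > lo and start < hi:
            yield from buckets[key]

RESULT_DB = {}  # stand-in for the result database, keyed by job id

def run_job(job_id, rule_text, buckets, optimized=True):
    """Parse -> optimize -> execute over the store -> store the result."""
    tree, lo, hi = parse(rule_text), float("-inf"), float("inf")
    if optimized:
        tree, lo, hi = optimize(tree)
    counter = [0]
    hits = [e for e in scan(buckets, lo, hi) if evaluate(tree, e, counter)]
    RESULT_DB[job_id] = {"rule": rule_text, "tree": tree, "hits": hits,
                         "predicates_executed": counter[0]}
    return RESULT_DB[job_id]
```

On the constructed sample, `run_job("naive", RULE, bucketize(SAMPLE_LOGS), optimized=False)` executes 23 leaf predicates and the optimized job 17, and both return the same three hits (timestamps 100, 130 and 1500). That equality is the check a practitioner should keep: an optimizer that prunes buckets or reorders predicates but changes the hit set is a silent detection gap, not a visible failure. Predicate reordering is sound here only because the leaves are pure, and bucket pruning is sound only because the timestamp bounds are taken from top-level clauses of a conjunction; bounds lifted from under a "not" would skip events that should match.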

Regarding Claim 16, Pratt discloses the method of claim 14.
However, Pratt does not explicitly teach “wherein the data structure includes a tree of execution order, and optimizing the data structure includes optimizing the tree of execution order to reduce a number of future executions.”
On the other hand, in the same field of endeavor, Reid teaches wherein the data structure includes a tree of execution order ([Abstract]: The viewing application receives a query result from the scheduling server and depicts, on an electronic display, a dependency tree that includes one or more precedent batch jobs and the target batch job; [0047]: A dependency tree 98 is a data structure and/or visual depiction of the subset of financial batch jobs 12, within a batch stream, returned by the scheduling server 14 query), and 
optimizing the data structure includes optimizing the tree of execution order to reduce a number of future executions ([0005]: The viewing application may provide optimization tools that allow the user to make one or more optimizations to the execution order of the plurality of batch jobs. The one or more optimizations may optimize the execution order such that a total execution runtime of the one or more critical jobs is decreased such that the target batch job finishes executing earlier than the target batch job would have finished executing without the one or more optimizations).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the method of Pratt with the teachings of Reid to include “wherein the data structure includes a tree of execution order, and optimizing the data structure includes optimizing the tree of execution order to reduce a number of future executions.”
The motivation for combining would be to optimize dependencies of batch jobs, as recognized by Reid ([0005] of Reid: In one embodiment, provided is a computer system for optimizing dependencies of batch jobs).

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Pratt et al. (US Patent No. US 10673880 B1, hereinafter Pratt) in further view of White et al. (US 20140358923 A1, hereinafter White).

Regarding Claim 10, Pratt discloses the system of claim 8.
However, Pratt does not explicitly teach “wherein the BAE service further includes program code to export rules.”
On the other hand, in the same field of endeavor, White teaches wherein the BAE service further includes program code to export rules ([Col. 13, lines 6-13]: Analysis rules can be shared across multiple compliance system servers. There are a number of ways to export rules from one compliance system instance and import them into another… A similar mechanism is typically needed to import/export rule configuration settings, i.e. which rules should be used).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the system of Pratt with the teachings of White to include “wherein the BAE service further includes program code to export rules.”
The motivation for combining would be to allow one system to extract rules directly from another, as recognized by White ([Col. 13, lines 9-11] of White: This can be accomplished by storing rules on disk in an XML or binary format or by wiring up plumbing to allow one compliance system to extract rules directly from another).

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Pratt et al. (US Patent No. US 10673880 B1, hereinafter Pratt) in further view of Yamanishi et al. (US 20030004902 A1, hereinafter Yamanishi).

Regarding Claim 13, Pratt discloses the system of claim 1.
However, Pratt does not explicitly teach “a machine learning component including program code to generate new rules associated with system behavior by learning abnormal system behavior from training data, and converting the learned abnormal system behavior into the new rules.”
On the other hand, in the same field of endeavor, Yamanishi teaches a machine learning component including program code to generate new rules associated with system behavior by learning abnormal system behavior from training data, and converting the learned abnormal system behavior into the new rules ([Abstract]: The outlier detection device for detecting abnormal data in a data set includes… a supervised learning unit for generating a new rule characterizing abnormal data by supervised learning based on a set of the respective data to which the label is applied and adding the new rule to the set of rules held in the outlier rule preservation unit to update the rules).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the system of Pratt with the teachings of Yamanishi to include “a machine learning component including program code to generate new rules associated with system behavior by learning abnormal system behavior from training data, and converting the learned abnormal system behavior into the new rules.”
The motivation for combining would be to detect abnormal data in a data set, as recognized by Yamanishi ([Abstract] of Yamanishi: The outlier detection device for detecting abnormal data in a data set includes an outlier rule preservation unit for holding a set of rules characterizing abnormal data).




Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHIRLEY D. HICKS whose telephone number is (571)272-3304.  The examiner can normally be reached on Mon - Fri 7:30 - 4:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/S.D.H./Examiner, Art Unit 2168      

/IRETE F EHICHIOYA/Supervisory Patent Examiner, Art Unit 2168