DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions.

Response to Amendment
In response to the amendment filed on September 9, 2021:
The abstract is amended.
Claims 1-30 are amended.
Claims 1-30 are pending.

Response to Arguments
In response to the remarks filed on September 9, 2021:
a.	Objection to the abstract is withdrawn in view of Applicant’s amendment.
b.	The double patenting rejections of the pending claims are maintained since Applicant’s amendment does not distinguish the pending claims from the claims of Pat. No. US 10,521,331 as presented in the comparison table below.
c.	35 U.S.C. 101 rejections of the pending claims are withdrawn in view of Applicant’s amendment and remarks.
d.	Applicant’s remarks regarding the 35 U.S.C. 103 rejections of the pending claims have been fully considered but are moot in view of the new grounds of rejection presented herein.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/forms/. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1-30 are rejected on the ground of nonstatutory double patenting over claims 1-33 of Pat. No. US 10521331.
The subject matter claimed in the instant application is fully disclosed in the patent and is covered by the patent since the patent and the instant application are claiming common subject matter of evaluation and detection of patterns based on happened-before relationships.
	Claims 1-30 of the instant application recite limitations similar to those of claims 1-33 of ‘331, as compared in the table below. For illustration purposes, only claims 1-10 of the instant application are compared to the conflicting claims of ‘331 (underlining is used to highlight the conflict). Claims 11-30 are identical in scope to claims 1-10, so they are not compared here.

| Instant Application | Pat. No. US 10,521,331 |
| --- | --- |
| Claim 1: A method, comprising: receiving one or more messages communicated between components of a distributed computing system, wherein the distributed computing system comprises a plurality of components, wherein each component implements a portion of a functionality of a software program running on the distributed computing system; receiving one or more watch points, wherein the one or more watch points are specified in a domain-specific language; converting the one or more watch points into one or more regular expressions; determining a presence of one or more patterns within the received one or more messages based on the one or more regular expressions; and generating one or more alerts if it is determined that one or more patterns are present within the received one or more messages. | Claim 1: A method, comprising: at an electronic device with a display and an interface configured to accept one or more inputs from a user of the electronic device: receiving one or more log files, wherein the one or more log files are based on a plurality of messages generated by a plurality of components in a distributed computing system during an execution of a distributed software program implemented on the plurality of components, and wherein each log file of the one or more log files includes a time stamp; and wherein in response to a user providing one or more watchpoints in a domain-specific language via the interface, the electronic device is caused to: determine if the one or more user provided watchpoint declarations include one or more errors; convert the one or more user provided watchpoint declarations into one or more regular expressions; determine the presence of one or patterns within the one or more log files based on the one or more regular expressions; and generate one or more visual indications on the visual progress bar, wherein the one or more visual indications on the visual progress bar are based on the one or more log files in which the presence of the one or more patterns is determined. |
| Claim 2: The method of claim 1, wherein determining the presence of one or more patterns within the received one or more messages based on the one or more regular expressions includes determining if the received one or more messages partially matches a pattern identified by the one or more regular expressions. | Claim 1: …determine the presence of one or patterns within the one or more log files based on the one or more regular expressions… |
| Claim 3: The method of claim 2, wherein determining if the one or more messages partially matches a pattern identified by the one or more regular expressions includes determining if the received one or more messages continues a partially matched pattern found in a previously received message. | See mapping of Watanabe (Pub. No. US 2017/0270297) below. |
| Claim 4: The method of claim 1, wherein determining the presence of one or more patterns within the received one or more messages based on the one or more regular expressions includes determining if the one or more messages completely matches a pattern identified by the one or more regular expressions. | See mapping of Watanabe (Pub. No. US 2017/0270297) below. |
| Claim 5: The method of claim 1, wherein the method further comprises adding the received one or more messages to one or more previously received messages to generate a window of messages, wherein the number of messages contained within a window is based on a predefined threshold. | See mapping of Bhattacharjee (Pub. No. US 2019/0095494) below. |
| Claim 6: The method of claim 5, wherein the method further comprises converting the messages contained within a window into an intermediate log file format. | Claim 3: …converting the one or more log files into one or more intermediate log format files and determining the presence of the one or more patterns within the one or more intermediate log format files. |
| Claim 7: The method of claim 6, wherein determining the presence of one or more patterns within the received one or more messages based on the one or more regular expressions includes determining the presence of the one or more patterns within the intermediate log file based on the one or more regular expressions. | Claim 3: …converting the one or more log files into one or more intermediate log format files and determining the presence of the one or more patterns within the one or more intermediate log format files. |
| Claim 8: The method of claim 1, wherein receiving one or more messages communicated between components of a distributed computing system includes receiving the one or more messages at a detection engine implemented on a device or plurality of devices in a distributed computing system. | See mapping of Bhattacharjee (Pub. No. US 2019/0095494) below. |
| Claim 9: The method of claim 1, wherein generating one or more alerts if it is determined that one or more patterns are present within the received one or more messages includes displaying a visual representation of the alert on a display of an electronic device. | Claim 1: …generate one or more visual indications on the visual progress bar, wherein the one or more visual indications on the visual progress bar are based on the one or more log files in which the presence of the one or more patterns is determined. |
| Claim 10: The method of claim 1, wherein determining the presence of one or more patterns within the received one or more messages based on the one or more regular expressions includes discarding the one or more messages from a memory of a device if it is determined that the one or more messages does not match the one or more patterns based on the one or more regular expressions. | See mapping of Klissner (Pub. No. US 2010/0100893) below. |

Although the conflicting claims are not identical, they are not patentably distinct from each other because they are substantially similar in scope and they use similar limitations to produce the same end result of detecting event patterns based on happened-before relationships.
	It would have been obvious to a person of ordinary skill in the art at the time the invention was effectively filed to modify or to omit the additional elements of claims 1-33 of ‘331 in view of at least one of the disclosures of Bhattacharjee, Watanabe, or Klissner to arrive at claims 1-30 of the instant application for the purpose of using a graph database to analyze and monitor a status of an enterprise computer network that can allow a network analyst to analyze the real-time status of a computer network based on user-provided criteria.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 5-9, 11, 15-19, 21, and 25-29 are rejected under 35 U.S.C. 103 as being unpatentable over Bhattacharjee et al. (Pub. No. US 2019/0095494, published on March 28, 2019; hereinafter Bhattacharjee) in view of Noel et al. (Pub. No. US 2017/0289187, published on October 5, 2017; hereinafter Noel) and further in view of Damodaran et al. (Pub. No. US 2019/0243746, published on August 8, 2019; hereinafter Damodaran, see further MPEP 715.01(a) for using a published application naming a different inventive entity).

Regarding claims 1, 11, and 21, Bhattacharjee clearly shows and discloses a method (Abstract); a computing system, comprising: a memory; one or more processors; and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs when executed by the one or more processors cause the processor to implement the method; and a computer readable storage medium storing one or more programs, the one or more programs comprising instructions, which, when executed by an electronic device with a display and a user input interface, cause the device to implement the method (Figure 24); wherein the method comprises:
receiving one or more messages between a plurality of devices in a distributed computing system (the enterprise security application system stores large volumes of minimally-processed security-related data at ingestion time for later retrieval and analysis at search time when a live security threat is being investigated, [0366]. The security-related information can originate from various sources within a data center, such as hosts, virtual machines, storage devices and sensors. The security-related information can also originate from various sources in a network, such as routers, switches, email servers, proxy servers, gateways, firewalls and intrusion-detection systems, [0367]); 
receiving one or more watch points (a user can define a "correlation search" specifying criteria for a notable event, and every time one or more events satisfy the criteria, the application can indicate that the one or more events correspond to a notable event; and the like, [0368]. While a query can be formulated in many ways, a query can start with a search command and one or more corresponding search terms at the beginning of the pipeline. Such search terms can include any combination of keywords, phrases, times, dates, Boolean expressions, fieldname-field value pairs, etc. that specify which results should be obtained from an index, [0268]); 
converting the one or more watch points into one or more regular expressions (In response to receiving the search query, search head 210 uses extraction rules to extract values for the fields associated with a field or fields in the event data being searched. The search head 210 obtains extraction rules that specify how to extract a value for certain fields from an event. Extraction rules can comprise regex rules that specify how to extract values for the relevant fields, [0290], [0297], [0336]); 
determining a presence of one or more patterns within the received one or more messages based on the one or more regular expressions (the enterprise security application facilitates detecting "notable events" that are likely to indicate a security threat. A notable event represents one or more anomalous incidents, the occurrence of which can be identified based on one or more events (e.g., time stamped portions of raw machine data) fulfilling pre-specified and/or dynamically-determined (e.g., based on machine-learning) criteria defined for that notable event, [0366]-[0368]); and 
generating one or more alerts if it is determined that one or more patterns are present within the received one or more messages (A user can alternatively select a pre-defined correlation search provided by the application. Note that correlation searches can be run continuously or at regular intervals (e.g., every hour) to search for notable events. Upon detection, notable events can be stored in a dedicated "notable events index," which can be subsequently accessed to generate various visualizations containing security-related information. Also, alerts can be generated to notify system operators when important notable events are discovered, [0366]-[0368]).  
Noel then discloses the one or more watch points are specified in a domain-specific language (A domain-specific query language may be helpful in creating a user-friendly syntax that allows a user to query the graph database explained with respect to FIG. 2, [0036]. Once a user has input a query into the domain-specific language, it can then be converted into the native graph database query language used by the graph database platform employed by the analysis system 100 of FIG. 1, [0038]).

It would have been obvious to a person of ordinary skill in the art at the time the invention was effectively filed to incorporate the teachings of Noel with the teachings of Bhattacharjee for the purpose of using a graph database to analyze and monitor a status of an enterprise computer network that can allow a network analyst to analyze the real-time status of a computer network based on a domain-specific query language.
Damodaran then discloses the received one or more messages are communicated between components of a distributed computing system wherein the distributed computing system comprises a plurality of components, wherein each component implements a portion of a functionality of a software program running on the distributed computing system, receiving one or more messages communicated between components of a distributed computing system wherein the distributed computing system comprises a plurality of components, wherein each component implements a portion of a functionality of a software program running on the distributed computing system (the variables section 514 can be used to detect the presence of malicious users or activity during the operation of the distributed software program under inspection. As an example, if an unexplained change in the variable occurs as indicated by the variables section 514, then the software developer can be alerted to the possibility that the variable change was caused by an unauthorized and/or malicious user who is manipulating the messages between the individual components of the distributed computing system that is executing the distributed software program under inspection. In this way, while the visualization section 512 allows a user to see the activity occurring between components, the variables section can allow the user of the replay debugger to visualize the substantive changes to variables occurring during the visualized activity, [0061]).
It would have been obvious to a person of ordinary skill in the art at the time the invention was effectively filed to incorporate the teachings of Damodaran with the teachings of Bhattacharjee, as modified by Noel, for the purpose of analyzing communications between components of a distributed program to enable users to visualize variables that are contained within the communication.
Regarding claims 5, 15, and 25, Bhattacharjee further discloses adding the received one or more messages to one or more previously received messages to generate a window of messages, wherein the number of messages contained within a window is based on a predefined threshold (During each scheduled report update, the query engine determines whether intermediate summaries have been generated covering portions of the time period covered by the report update. If so, then the report is generated based on the information contained in the summaries. Also, if additional event data has been received and has not yet been summarized, and is required to generate the complete report, the query can be run on these additional events, [0362]).  
Regarding claims 6, 16, and 26, Bhattacharjee further discloses converting the messages contained within a window into an intermediate log file format (a summarization engine automatically examines the query to determine whether generation of updated reports can be accelerated by creating intermediate summaries. If reports can be accelerated, the summarization engine periodically generates a summary covering data obtained during a latest non-overlapping time period. For example, where the query seeks events meeting a specified criteria, a summary for the time period includes only events within the time period that meet the specified criteria, [0361]-[0362]).  
Regarding claims 7, 17, and 27, Bhattacharjee further discloses determining the presence of one or more patterns within the received one or more messages based on the one or more regular expressions includes determining the presence of the one or more patterns within the intermediate log file based on the one or more regular expressions (a summarization engine automatically examines the query to determine whether generation of updated reports can be accelerated by creating intermediate summaries. If reports can be accelerated, the summarization engine periodically generates a summary covering data obtained during a latest non-overlapping time period. For example, where the query seeks events meeting a specified criteria, a summary for the time period includes only events within the time period that meet the specified criteria, [0361]-[0362]).
Regarding claims 8, 18, and 28, Bhattacharjee further discloses receiving one or more messages communicated between components of a distributed computing system includes receiving the one or more messages at a detection engine implemented on a device or plurality of devices in a distributed computing system (The enterprise security application provides the security practitioner with visibility into security-relevant threats found in the enterprise infrastructure by capturing, monitoring, and reporting on data from enterprise security devices, systems, and applications. Through the use of the data intake and query system searching and reporting capabilities, the enterprise security application provides a top-down and bottom-up view of an organization's security posture, [0363]-[0372]. Enabling application of a query across distributed data systems, which may also be referred to as dataset sources, including internal data stores coupled to indexers (illustrated in FIG. 10), external data stores coupled to the data intake and query system over a network (illustrated in FIGS. 10, 17, 18), common storage (illustrated in FIGS. 17, 18), query acceleration data stores (e.g., query acceleration data store 1008 illustrated in FIGS. 10, 17, 18), ingested data buffers (illustrated in FIG. 18) that include ingested streaming data, [0373]-[0377]).  
Regarding claims 9, 19, and 29, Bhattacharjee further discloses generating one or more alerts if it is determined that one or more patterns are present within the received one or more messages includes displaying a visual representation of the alert on a display of an electronic device (After the search is executed, the search screen 800 in FIG. 8A can display the results through search results tabs 804, wherein search results tabs 804 includes: an "events tab" that displays various information about events returned by the search; a "statistics tab" that displays statistics about the search results; and a "visualization tab" that displays various visualizations of the search results. The events tab illustrated in FIG. 8A displays a timeline graph 805 that graphically illustrates the number of events that occurred in one-hour intervals over the selected time range. The events tab also displays an events list 808 that enables a user to view the machine data in each of the returned events, [0305]).  



Claims 2-4, 12-14, and 22-24 are rejected under 35 U.S.C. 103 as being unpatentable over Bhattacharjee in view of Noel in view of Damodaran and further in view of Watanabe et al. (Pub. No. US 2017/0270297, published on September 21, 2017; hereinafter Watanabe).

Regarding claims 2, 12, and 22, Watanabe then discloses determining the presence of one or more patterns within the received one or more messages based on the one or more regular expressions includes determining if the received one or more messages partially matches a pattern identified by the one or more regular expressions (in some cases, the behavior is partially matched with the behavior pattern in other cases. Therefore, the analysis device 100 in the present example embodiment uses an extent of matching between behavior to be an estimation object of a purpose and previously identified behavior of malware as a matching degree of behavior and estimates the purpose of the behavior, [0082]).  
It would have been obvious to a person of ordinary skill in the art at the time the invention was effectively filed to incorporate the teachings of Watanabe with the teachings of Bhattacharjee, as modified by Noel and Damodaran, for the purpose of finding information relating to the intention and purpose of an attacker based on predetermined behavior in the computer and knowledge information that includes the relation between the behavior and the purpose of executing the behavior.


Regarding claims 3, 13, and 23, Watanabe further discloses determining if the one or more messages partially matches a pattern identified by the one or more regular expressions includes determining if the received one or more messages continues a partially matched pattern found in a previously received message (in some cases, the behavior is partially matched with the behavior pattern in other cases. Therefore, the analysis device 100 in the present example embodiment uses an extent of matching between behavior to be an estimation object of a purpose and previously identified behavior of malware as a matching degree of behavior and estimates the purpose of the behavior, [0082]).  
Regarding claims 4, 14, and 24, Watanabe further discloses determining the presence of one or more patterns within the received one or more messages based on the one or more regular expressions includes determining if the one or more messages completely matches a pattern identified by the one or more regular expressions (In the configuration illustrated in FIG. 1, for example, the behavior of malware detected by the detection device 150 is completely matched with a behavior pattern of malware held on the detection device 150, [0082]).  
Claims 10, 20, and 30 are rejected under 35 U.S.C. 103 as being unpatentable over Bhattacharjee in view of Noel in view of Damodaran and further in view of Klissner et al. (Pub. No. US 2010/0100893, published on April 22, 2010; hereinafter Klissner).

Regarding claims 10, 20, and 30, Klissner then discloses determining the presence of one or more patterns within the received one or more messages based on the one or more regular expressions includes discarding the one or more messages from a memory of a device if it is determined that the one or more messages does not match the one or more patterns based on the one or more regular expressions (The regular expression may determine which IFDs 14 from among a list of available IFDs 14 will be matched and selected for further processing. (The unmatched IFD names in the list may be discarded), [0029]).
It would have been obvious to a person of ordinary skill in the art at the time the invention was effectively filed to incorporate the teachings of Klissner with the teachings of Bhattacharjee, as modified by Noel and Damodaran, for the purpose of providing a concise and flexible means for identifying strings of text of interest, using regular expressions to examine text and identify parts that match a provided specification.
Claims 1, 11, and 21 are alternatively rejected under 35 U.S.C. 103 as being unpatentable over Bhattacharjee in view of Noel and further in view of Buskens et al. (Pub. No. US 2005/0278699, published on December 15, 2005; hereinafter Buskens). The remaining claims are rejected by the references cited above in view of Buskens.

Regarding claims 1, 11, and 21, Bhattacharjee clearly shows and discloses a method (Abstract); a computing system, comprising: a memory; one or more processors; and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs when executed by the one or more processors cause the processor to implement the method; and a computer readable storage medium storing one or more programs, the one or more programs comprising instructions, which, when executed by an electronic device with a display and a user input interface, cause the device to implement the method (Figure 24); wherein the method comprises:
receiving one or more messages between a plurality of devices in a distributed computing system (the enterprise security application system stores large volumes of minimally-processed security-related data at ingestion time for later retrieval and analysis at search time when a live security threat is being investigated, [0366]. The security-related information can originate from various sources within a data center, such as hosts, virtual machines, storage devices and sensors. The security-related information can also originate from various sources in a network, such as routers, switches, email servers, proxy servers, gateways, firewalls and intrusion-detection systems, [0367]); 
receiving one or more watch points (a user can define a "correlation search" specifying criteria for a notable event, and every time one or more events satisfy the criteria, the application can indicate that the one or more events correspond to a notable event; and the like, [0368]. While a query can be formulated in many ways, a query can start with a search command and one or more corresponding search terms at the beginning of the pipeline. Such search terms can include any combination of keywords, phrases, times, dates, Boolean expressions, fieldname-field value pairs, etc. that specify which results should be obtained from an index, [0268]); 
converting the one or more watch points into one or more regular expressions (In response to receiving the search query, search head 210 uses extraction rules to extract values for the fields associated with a field or fields in the event data being searched. The search head 210 obtains extraction rules that specify how to extract a value for certain fields from an event. Extraction rules can comprise regex rules that specify how to extract values for the relevant fields, [0290], [0297], [0336]); 
determining a presence of one or more patterns within the received one or more messages based on the one or more regular expressions (the enterprise security application facilitates detecting "notable events" that are likely to indicate a security threat. A notable event represents one or more anomalous incidents, the occurrence of which can be identified based on one or more events (e.g., time stamped portions of raw machine data) fulfilling pre-specified and/or dynamically-determined (e.g., based on machine-learning) criteria defined for that notable event, [0366]-[0368]); and 
generating one or more alerts if it is determined that one or more patterns are present within the received one or more messages (A user can alternatively select a pre-defined correlation search provided by the application. Note that correlation searches can be run continuously or at regular intervals (e.g., every hour) to search for notable events. Upon detection, notable events can be stored in a dedicated "notable events index," which can be subsequently accessed to generate various visualizations containing security-related information. Also, alerts can be generated to notify system operators when important notable events are discovered, [0366]-[0368]).  
Noel then discloses the one or more watch points are specified in a domain-specific language (A domain-specific query language may be helpful in creating a user-friendly syntax that allows a user to query the graph database explained with respect to FIG. 2, [0036]. Once a user has input a query into the domain-specific language, it can then be converted into the native graph database query language used by the graph database platform employed by the analysis system 100 of FIG. 1, [0038]).
It would have been obvious to a person of ordinary skill in the art at the time the invention was effectively filed to incorporate the teachings of Noel with the teachings of Bhattacharjee for the purpose of using a graph database to analyze and monitor a status of an enterprise computer network that can allow a network analyst to analyze the real-time status of a computer network based on a domain-specific query language.
Buskens then discloses the received one or more messages are communicated between components of a distributed computing system wherein the distributed computing system comprises a plurality of components, wherein each component implements a portion of a functionality of a software program running on the distributed computing system (The distributed software application 102 comprises a plurality of software components, for example, the software components 124, 126, 128, 178, 180, 182 and 184. The software components 124, 126, 128, 178, 180, 182 and 184 represent software sub-entities of the executables 106, 108, 172, 174 and 176. The executable managers 114 and 116 monitor executables and/or software components of the distributed software application 102 that run on the processors 110 and 112, such as the executables 106, 108, 172, 174 and 176 and the software components 124, 126, 128, 178, 180, 182 and/or 184, [0021]-[0028]), receiving one or more messages communicated between components of a distributed computing system wherein the distributed computing system comprises a plurality of components, wherein each component implements a portion of a functionality of a software program running on the distributed computing system (Upon receipt of the state information, the management support software 132 of the software component 124 in one example sends the checkpoint to the software component 128. For example, the management support software 132 sends one or more messages that comprise the checkpoint over the communication channel 152 to the software component 128. In one example, the management support software 132 of the software component 128 receives the checkpoint. The management support software 132 passes the checkpoint to the application software 130 of the software component 128 through employment of the application programming interface 136, [0041]).
It would have been obvious to an ordinary person skilled in the art at the time the invention was effectively filed to incorporate the teachings of Buskens with the teachings of Bhattacharjee, as modified by Noel, for the purpose of monitoring messages exchanged between components of a distributed software application based on checkpoints to determine validity of the message and a service status of a corresponding component.

Summary of Related Prior Art
The related prior art is summarized as follows:
Giffard (Pub. No. US 2019/0319978) teaches that aspects of an exploit prevention software may be distributed across one or more client devices. The exploit prevention software may be configured to provide multi-vector protection and threat intelligence services for endpoints and networks by detecting, monitoring, preventing, and/or mitigating malware attacks and suspected threats. In examples, the exploit prevention software may identify, or facilitate the identification of, a list of processes executing on a computing device. Processes may be identified and/or recorded using any known process identifying or process management techniques.
Biever et al. (Pub. No. US 2020/0287929) teaches a threat analyzer that is configured to receive cybersecurity threat data, perform an analysis of the cybersecurity threat data, and determine an action to be performed by response software on response computers in response to a cybersecurity threat. The threat analyzer is also configured to add the cybersecurity threat data to a private threat repository on a private database.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 




Contact Information
Any inquiry concerning this communication or earlier communications from the Examiner should be directed to Son Hoang whose telephone number is (571) 270-1752. The Examiner can normally be reached on Monday – Friday (7:00 AM – 4:00 PM).
If attempts to reach the Examiner by telephone are unsuccessful, the Examiner’s supervisor, Usmaan Saeed, can be reached on (571) 272-4046. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SON T HOANG/
Primary Examiner, Art Unit 2169
September 20, 2021