DETAILED CORRESPONDENCE

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on June 2, 2021 has been entered.
 
Acknowledgment and Response to Applicant’s Remarks
This action is in response to the request for continued examination and amendment filed on June 2, 2021.
Claims 1-6 are currently pending and have been fully examined. Claims 7-20 have been cancelled by Applicant.
With respect to the 101 rejection, Applicant is of the opinion that the claims are not solely directed to a commercial interaction. The examiner respectfully notes that the claims are directed to the abstract idea of calculating transaction fee which is a 
With respect to the 112(a) rejections, Applicant’s amendments raise new issues. For example, amended claim 1 recites "...the security platform receiving information from a plurality of data sources, the plurality of data sources comprising at least two of a security device data source, a server data source, a network and virtual activity data source, a data activity data source, an application activity data source, a configuration information data source, a vulnerabilities and threats information data source and a users and identities data source,” However, the Specification is silent to “at least two data sources” being used, and therefore, the new language constitutes new matter.
 With respect to the 112(b) rejections, the current claim amendments raise new issues. For example, with respect to claim 1, the scope of the claim is rendered indefinite as the claim is directed to a computer-implemented method of a security platform. However, the claim as amended recites: "...the security platform comprising a correlation module...an activity baselining and anomaly detection module...an offense identification module...and a license give back module ..." This makes the scope of the claim unclear because it is not clear whether the claim is directed to the method performed by the security platform or to the structure of the security platform. 
With respect to the 103 rejections, Applicant’s amendments and remarks were fully considered but are not persuasive. Applicant is of the opinion that the prior art fails to teach “executing a plurality of events on a security platform based upon a rate-based license” and  “analyzing the plurality of events to identify any of the plurality of the events not covered by license terms” The examiner respectfully disagrees and notes 
In addition, Applicant is of the opinion that the prior art does not teach giving back internally generated events. The examiner respectfully disagrees and notes that Burchfield at least in [0039]-[0049] teaches adjusting the benchmark services and charges on contracts which are internally generated events.
Moreover, Applicant is of the opinion that the prior art does not teach receiving information from a plurality of data sources. The examiner respectfully disagrees and notes that Zimmerman at least in ([0097]-[0102], [0115]) teaches a plurality of data sources.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.



Claims 1-6 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. 
Claims 1-6 are directed to a method (process). Therefore, these claims fall within the four statutory categories of invention.
Claims 1-6 are directed to the abstract idea of calculating transaction fee, as explained in detail below. The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. 
Analysis
The claims are directed to calculating transaction fee. Specifically, the claims are directed to executing a plurality of events based on a rate-based license, identifying any of the events not covered by the license, perform a giveback operation to credit for events not covered by the license, which is a commercial or legal interaction grouped within the “certain methods of organizing human activity” grouping of abstract ideas in prong one of step 2A of the Alice/Mayo test (See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 52, 54 (January 7, 2019)) because the claims involve a series of steps for calculating a transaction fee. Accordingly, the claims recite an abstract idea (See pages 7, 10, Alice Corporation Pty. Ltd. v. CLS Bank International, et al., US Supreme Court, No. 13-298, June 19, 2014; 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 53-54 (January 7, 2019)).
This judicial exception is not integrated into a practical application because, when analyzed under prong two of step 2A of the Alice/Mayo test (See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 54-55 (January 7, 2019)), the additional element(s) of a security platform, merely use(s) a computer as a tool to perform the abstract idea. Specifically, executing a plurality of events based on a rate-based license, identifying any of the events not covered by the license, perform a 
The claims do not include additional elements that are sufficient to amount to significantly more than the abstract idea. The claims 1-6 only involve the use of computers as tools to automate and/or implement the abstract idea.
 Taking the claim elements separately, the independent claim 1 involve executing a plurality of events based on a rate-based license, identifying any of the events not covered by the license, perform a giveback operation to credit for events not covered by 
Viewed as a whole, the combination of elements recited in the claims simply recite the concept of calculating transaction fee, including executing a plurality of events based on a rate-based license, identifying any of the events not covered by the license, perform a giveback operation to credit for events not covered by the license. The claims do not, for example, purport to improve the functioning of the computer itself. Nor do they effect an improvement in any other technology or technical field.
The use of a security platform as a tool to implement the abstract idea does not render the claim patent eligible because it does not provide meaningful limitations beyond generally linking the use of an abstract idea to a particular technological environment and requires no more than a computer performing functions that correspond to acts required to carry out the abstract idea.
Conclusion
The claims as a whole do not amount to significantly more than the abstract idea itself. This is because the claims do not effect an improvement to another technology or technical field; the claims do not amount to an improvement to the functioning of a computer system itself; and the claims do not move beyond a general link of the use of an abstract idea to a particular technological environment.
Accordingly, there are no meaningful limitations in the claims that transform the judicial exception into a patent eligible application such that the claims amount to significantly more than the judicial exception itself.
Further support for the rationale discussed above can be found at: 
http://www.uspto.gov/patent/laws-and-regulations/examination-policy/subject-matter-eligibility


Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.


Claims 1-6 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement.  The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for pre-AIA  the inventor(s), at the time the application was filed, had possession of the claimed invention.
With respect to claim 1, the amended claim recites, "...the security platform receiving information from a plurality of data sources, the plurality of data sources comprising at least two of a security device data source, a server data source, a network and virtual activity data source, a data activity data source, an application activity data source, a configuration information data source, a vulnerabilities and threats information data source and a users and identities data source,”
However, the Specification is silent to at least two data sources.
According to the Specification (PGPub [0025])
…the security intelligence platform 210 receives information from one or more of a plurality of data sources 220 and performs one or more of correlation operations, activity baselining and anomaly detection operations, offense identification operations to provide an identification of a true offense 222 as well as identification of suspected intendents 224 as well as a license give back operation. In certain embodiments, the security intelligence platform 210 includes one or more of an integrated family of modules that can help detect threats that otherwise would be missed…
  
Therefore, the new claim language constitutes new matter. 
For the purpose of examination, the claim language is interpreted as follows:
the security platform receiving information from one or more 
data sources, the one or more data sources comprising at least one of a security device data source, a server data source, a network and virtual activity data 
With respect to claim 1, the claim recites: “executing a plurality of events…”, “providing a security information and event management (SIEM) function, log management function, anomaly detection function, vulnerability management function, risk management function, and incident forensics function”, “analyzing the plurality of events…”, and “performing a license giveback operation…”, without clearly defining how the “executing…”, “providing…”, “analyzing…”, and “performing…” are performed. An algorithm or steps/procedure taken to perform the functions “executing…”, “providing…”, “analyzing…”, and “performing…” must be described with sufficient detail so that one of ordinary skill in the art would understand how the inventor intended the function to be performed. See MPEP §§2163.02 and 2181, subsection IV.” (MPEP 2161.01 I)
With respect to claim 2, the claim recites: “reviewing the…detected events”, without clearly defining how the “reviewing…”, is performed. An algorithm or steps/procedure taken to perform the function “reviewing…” must be described with sufficient detail so that one of ordinary skill in the art would understand how the inventor intended the function to be performed. See MPEP §§2163.02 and 2181, subsection IV.” (MPEP 2161.01 I)
With respect to claim 4, the amended claim recites: “…the rate-based license includes a time-based license…” However, the Specification is silent to this claim recitation. 

… in certain embodiments, the security intelligence platform uses a license which is time-based and the security intelligence platform includes an ability of measuring events included within the amount of time defined by the time-based license. For instance, certain time-based licensing is based on events per second….

Therefore, the specification is silent to a rate-based license that includes a time-based license and the new language constitutes new matter. 
With respect to claim 4, the claim recites: “…the analyzing then being extrapolated”, without clearly defining how the “being extrapolated”, is performed. An algorithm or steps/procedure taken to perform the function “extrapolated” must be described with sufficient detail so that one of ordinary skill in the art would understand how the inventor intended the function to be performed. See MPEP §§2163.02 and 2181, subsection IV.” (MPEP 2161.01 I)
With respect to claim 5, the claim recites: “…where credited events decay”, “…the decay function preventing…”, “…the decay function protecting…”, without clearly defining how the “decay”, “preventing” and “protecting” are performed. An algorithm or steps/procedure taken to perform the function “decay”, “preventing” and “protecting” must be described with sufficient detail so that one of ordinary skill in the art would understand how the inventor intended the function to be performed. See MPEP §§2163.02 and 2181, subsection IV.” (MPEP 2161.01 I)
Dependent claims 2-6 are also rejected for being directed to the limitations of the rejected claim 1.

The following is a quotation of 35 U.S.C. 112(b):



The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.



Claims 1-6 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Unclear Scope
With respect to claim 1, the scope of the claim is rendered indefinite as the claim is directed to a computer-implemented method of a security platform. However, the claim as amended recites: "...the security platform comprising a correlation module...an activity baselining and anomaly detection module...an offense identification module...and a license give back module ..." This makes the scope of the claim unclear because it is not clear whether the claim is directed to the method performed by the security platform or to the structure of the security platform. Specifically because the claim includes no correlation between the components of the platform ( e.g., correlation module, offense identification module,...) and the method steps (e.g., executing a plurality of events..., providing a security information and event management (SIEM) function, a log management function..., analyzing the plurality of events..." Therefore, the scope of the claims is unclear and one of ordinary skill in the art would not be reasonably appraised of the scope of the claim. (In re Zletz, 13 USPQ2d 1320 (Fed. Cir. 1989)). 
With respect to claim 1, the scope of the claim is rendered indefinite as the claim is directed to a computer-implemented method of a security platform. However, the claim also recites “…the configurable percentage being determined by the security platform provider…” It is unclear whether the claim is directed to actions of the security platform, or a combination of the security platform, the security platform provider, and the licensee. Therefore, the scope of the claims is unclear and one of ordinary skill in the art would not be reasonably appraised of the scope of the claim. (In re Zletz, 13 USPQ2d 1320 (Fed. Cir. 1989)).
With respect to claim 1, the scope of the claim is rendered indefinite as the claim recites “executing… on a security platform, the security platform receiving…”
The scope of the claim is unclear because it is not clear whether “receiving” is part of the “executing” or it is a separate claim step. Therefore, the scope of the claims is unclear and one of ordinary skill in the art would not be reasonably appraised of the scope of the claim. (In re Zletz, 13 USPQ2d 1320 (Fed. Cir. 1989)).
With respect to claim 4, the scope of the claim is rendered indefinite as the claim is directed to a computer-implemented method of a security platform. However, the claim also recites “…an amount of time defined by the time-based license…” It is unclear whether the claim is directed to actions of the security platform, or a combination of the security platform, and the time-based license. Therefore, the scope of the claims is unclear and one of ordinary skill in the art would not be reasonably appraised of the scope of the claim. (In re Zletz, 13 USPQ2d 1320 (Fed. Cir. 1989)).
Dependent claims 2-6 are also rejected for being directed to the limitations of the rejected claim 1.
Indefinite Language
With respect to claim 1, the term “given back at a configurable percentage” is a relative term which renders the claim indefinite.  The term is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. 
With respect to claim 3, the term “absolute maximum percentage of detected events” is relative terms which renders the claim indefinite.  The term is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. 
Dependent claims 2-6 are also rejected for being directed to the limitations of the rejected claim 1.
Lack of Antecedent Basis
With respect to claim 3, the claim recites “the customer.”  There is insufficient antecedent basis for this limitation in the claim.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


Claims 1-3, and 5-6 are rejected under 35 U.S.C. 103 as being unpatentable over Burchfield et al. (US Patent Publication No. 2005/0102176), in view of Zimmermann et al. (US Patent Publication No. 2018/0027006) further in view of Harris et al. (US Patent Publication No. 2012/0271660).
With respect to claim 1, Burchfield et al. teach:
executing a plurality of events on a security platform…the executing being based upon a rate-based license between a licensee and a security platform provider; (Abstract, [0011]-[0026]) 
analyzing the plurality of events, the analyzing identifying any of the plurality of the events not covered by license terms of the rate-based license, the events not 
performing the license giveback operation, the license giveback operation providing the licensee with an event credit for events not covered by the license terms, the performing being performed by the security platform…([0018], [0022]-[0024], [0039]-[0049])
Burchfield et al. do not explicitly teach:
the security platform receiving information from one or more data sources, the one or more data sources comprising at least one of a security device data source, a server data source, a network and virtual activity data source, a data activity data source, an application activity data source, a configuration information data source, a vulnerabilities and threats information data source and a users and identities data source, 
the security platform comprising a correlation module for performing correlation operations, an activity baselining and anomaly detection module for performing an activity baselining and anomaly detection operation, an offence identification module for performing an offence identification operation and a license give back module for performing a license give back operation, the license give back module executing on a hardware processor of a computer, 
the security platform providing a security information and event management (SIEM) function, a log management function, an anomaly detection function, a vulnerability management function, a risk management function and an incident 
internally generated events are given back at a predetermined ratio and events chosen by the user as not important are given back at a configurable percentage, the configurable percentage being determined by the security platform provider.
However,  Zimmermann et al. teach:
the security platform receiving information from one or more data sources, the one or more data sources comprising at least one of a security device data source, a server data source, a network and virtual activity data source, a data activity data source, an application activity data source, a configuration information data source, a vulnerabilities and threats information data source and a users and identities data source, ([0097]-[0102], [0115])  
the security platform comprising …one or more modules … for performing correlation operations…for performing an activity baselining and anomaly detection operation, …for performing an offence identification operation … for performing a license give back operation, … executing on a hardware processor of a computer, (([0102]-[0137], [0201], [0201], [0324]-[0333], [0350]-[0360]) 
the security platform providing a security information and event management (SIEM) function, a log management function, an anomaly detection function, a vulnerability management function, a risk management function and an incident forensics function, the executing being based upon a rate-based license between a licensee and a security platform provider; ([0102]-[0137], [0201])

Burchfield et al. and Zimmermann et al. do not explicitly teach:
the security platform comprising a correlation module … an activity baselining and anomaly detection module …an offence identification module …and a license give back module …
internally generated events are given back at a predetermined ratio and events chosen by the user as not important are given back at a configurable percentage, the configurable percentage being determined by the security platform provider.
However, Harris et al. teach:
internally generated events are given back at a predetermined ratio and events chosen by the user as not important are given back at a configurable percentage, the configurable percentage being determined by the security platform provider. (FIGS. 7-11, [0061]-[0072]) 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the refund calculation as taught by Harris et al., into the license management system of Burchfield et al., and Zimmermann et al. in order to determine the refund amount based on various events. (Harris et al.: Abstract, [0042])
Burchfield et al., Zimmermann et al., and Harris et al. do not explicitly teach:

However, the claim recitation indicates non-functional descriptive material and does not further limit the scope of the claim. (See MPEP2103 I C and 2111.04)
With respect to claim 2, Burchfield et al., Zimmermann et al. and Harris et al. teach the limitations of claim 1.
Moreover, Burchfield et al. teach:
the analyzing the plurality of events further comprises reviewing predetermined sets of detected events. ([0010]-[0018])
With respect to claim 3, Burchfield et al., Zimmermann et al. and Harris et al.  teach the limitations of claim 2.
Moreover, Burchfield et al. teach:
the predetermine sets of detected events are identified by applying a statistical analysis operation, the applying the statistical analysis identifying any events which should not be charged against the rate-based license. ([0021]-[0022])
the statistical analysis corresponding to a determination of a percentage of events that the customer chooses to be undesired and an absolute maximum percentage of detected events. ([0010]-[0022], [0039]-[0049])
With respect to claim 5, Burchfield et al., Zimmermann et al. and Harris et al.  teach the limitations of claim 1.
Moreover, Harris et al. teach:

the decay function preventing credited events from accumulating indefinitely, the decay function protecting an information pipeline… ([0062], [0063], [0078])
Burchfield et al., Zimmermann et al. and Harris et al. do not explicitly teach:
…to ensure that events are not lost due to exhaustion of resources.
However, the claim recitation “…to ensure that events are not lost due to exhaustion of resources.” Indicates intended use of a decay function and therefore does not further limit the scope of the claim.
With respect to claim 6, Burchfield et al., Zimmermann et al. and Harris et al.  teach the limitations of claim 1.
Moreover, Harris et al. teach:
the license giveback operation comprises a configurable decay percentage per a configurable license interval. ([0062])

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Burchfield et al., in view of Zimmermann et al., and Harris et al., further in view of Hoffberg (US Patent No. 6,850,252)
With respect to claim 4, Burchfield et al., Zimmermann et al. and Harris et al. teach the limitations of claim 1.
Moreover, Harris et al. teach:
the rate-based license includes a time-based license; ([0062], [0063], [0078])
Burchfield et al., Zimmermann et al. and Harris et al. do not explicitly teach:

the analyzing the plurality of events occurs over a certain amount of time, the analyzing then being extrapolated.
However, Hoffberg et al. teach:
the security platform measures events included within an amount of time defined by the time-based license; (Col. 162 ll. 9-56, Col. 209 ll. 6-19, Col. 209 ll. 26-52)
the analyzing the plurality of events occurs over a certain amount of time, the analyzing then being extrapolated. (Col. 162 ll. 9-56, Col. 209 ll. 6-19, Col. 209 ll. 26-52)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the data analysis and extrapolation as taught by Hoffberg et al., into the license management system of Burchfield et al., Zimmermann et al. and Harris et al., in order to use data patterns to predict events. (Hoffberg et al.: Abstract, Col. 23 ll. 19-29)

Conclusion
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to SIMA ASGARI whose telephone number is (571)272-2037.  The examiner can normally be reached on M-F 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SIMA ASGARI/Examiner, Art Unit 3699                                                                                                                                                                                                                                                                                                               /Mohammad A. Nilforoush/Primary Examiner, Art Unit 3685