Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

1.	This action is responsive to: an original application filed on 31 January 2021.
2.	Claims 1-20 are currently pending and claims 1, 8 and 15 are independent claims.

Information Disclosure Statement

3.	The information disclosure statement (IDS) submitted on are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
   
Drawings

4.	The drawings filed on 31 January 2021 are accepted by the examiner. 

Abstract

5.	Applicant is reminded of the proper content of an abstract of the disclosure.
A patent abstract is a concise statement of the technical disclosure of the patent and should include that which is new in the art to which the invention pertains. The abstract should not refer to purported merits or speculative applications of the invention and should not compare the invention with the prior art.

Where applicable, the abstract should include the following: (1) if a machine or apparatus, its organization and operation; (2) if an article, its method of making; (3) if a chemical compound, its identity and use; (4) if a mixture, its ingredients; (5) if a process, the steps.
Extensive mechanical and design details of an apparatus should not be included in the abstract. The abstract should be in narrative form and generally limited to a single paragraph within the range of 50 to 150 words in length.
See MPEP § 608.01(b) for guidelines for the preparation of patent abstracts.

Claim Rejections - 35 USC § 103
	
6.	The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1.	Determining the scope and contents of the prior art.
2.	Ascertaining the differences between the prior art and the claims at issue.
3.	Resolving the level of ordinary skill in the pertinent art.


Claims 1-20 are rejected under 35 U.S.C. § 103(a) as being unpatentable over Applicant’s admitted prior art, Weaver et al. (US Patent No. 10055582), hereinafter Weaver, and in view of Rajasekharan et al. (US Publication No. 20190042744), hereinafter Rajasekharan.

In regard to claim 1: 
accessing audit events in a file system during a time interval, the audit events including unique and duplicative file operations within the time interval (Weaver, col 15, lines 16-26, col 11, lines 30-39, col 17, lines 35-39).
de-duplicating the audit events to remove selected duplicative file operations (Weaver, col 9, lines 1-34). 
Weaver does not explicitly suggest, and generate time series data comprising unique file operations devoid of duplicative file operations; however in a same field of endeavor Rajasekharan discloses this limitation (Rajasekharan, ¶41, 24).
Weaver does not explicitly suggest, analyzing the time series data to determine whether a subset of the unique file operations includes file-read instructions to copy files corresponding to the subset of unique file operations; however in a same field of endeavor Rajasekharan discloses this limitation (Rajasekharan, ¶28, 19).
Weaver does not explicitly suggest, determining that the file-read instructions in the subset of unique file operations are abnormal in the time interval based on determining a pattern or number of the file-read instructions in the time interval; however in a same field of endeavor Rajasekharan discloses this limitation (Rajasekharan, ¶30-31).

Weaver does not explicitly suggest, responsive to determining that the file-read instructions in the subset of unique file operations are abnormal, determining that the file system is subject to a system threat; however in a same field of endeavor Rajasekharan discloses this limitation (Rajasekharan, ¶22-23).
and generating an alert (Weaver, col 12, lines 33-44).
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to include the de-duplication method of Weaver with the time-series data analysis disclosed in Rajasekharan in order to generate a machine learning model, as stated by Rajasekharan at para. 24.

In regard to claim 2: 
wherein the audit events include information comprising, for each audit event, a user id, a file name, a type of access, and a timestamp (Weaver, col 8, lines 66-67, col 9, lines 1-34).

In regard to claim 3:
wherein the selection of duplicative file operations for removal in the de-duplication of the audit events is based at least in part on an identification of successive file operations that do not lead to a change in a file state (Weaver, col 11, lines 41-54).

In regard to claim 4:


In regard to claim 5:
wherein determining whether the file-read instructions in the subset of the file operations files are abnormal comprises applying a set of machine learning models to the audit events, the set of machine learning models trained to determine the pattern or number of the file operations and to compare the pattern or number of the file operations to the normal pattern or number based on features representing a normal or expected behavior of the file system (Weaver, col 5, lines 52-62, col 9, line 30).

In regard to claim 6:
wherein de-duplicating the audit events includes maintaining a file system state based on the finite state machine (Weaver, Fig.2, step 204).

In regard to claim 7:
wherein determining that the file-read instructions in the subset of the file operations are abnormal comprises applying Seasonal-Trend Decomposition Procedure Based on Loess (STL) decomposition to file delete audit events to remove seasonal and trend components and using a residue of the decomposition to generate the time series data, and performing an Exploratory Data Analysis (ESD) test on the time series data (Weaver, col 15, lines 16-26).

In regard to claim 8:
at least one processor for executing machine-readable instructions and a memory storing instructions configured to cause the at least one processor to perform operations comprising (Weaver, col 17, lines 20-24) at least: accessing audit events in a file system during a time interval, the audit events including unique and duplicative file operations within the time interval (Weaver, col 15, lines 16-26, col 11, lines 30-39, col 17, lines 35-39).
de-duplicating the audit events to remove selected duplicative file operations and (Weaver, col 9, lines 1-34). 
Weaver does not explicitly suggest, generate time series data comprising unique file operations devoid of duplicative file operations; however in a same field of endeavor Rajasekharan discloses this limitation (Rajasekharan, ¶41, 24).
Weaver does not explicitly suggest, analyzing the time series data to determine whether a subset of the unique file operations includes file-read instructions to copy files corresponding to the subset of unique file operations; however in a same field of endeavor Rajasekharan discloses this limitation (Rajasekharan, ¶28, 19).
Weaver does not explicitly suggest, determining that the file-read instructions in the subset of unique file operations are abnormal in the time interval based on determining a pattern or number of the file-read instructions in the time interval; however in a same field of endeavor Rajasekharan discloses this limitation (Rajasekharan, ¶30-31).
Weaver does not explicitly suggest, and comparing the pattern or number of the file-read instructions to a normal pattern or number of file-read instructions; however in a same field of endeavor Rajasekharan discloses this limitation (Rajasekharan, ¶25-26, 30).

and generating an alert (Weaver, col 12, lines 33-44).
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to include the de-duplication method of Weaver with the time-series data analysis disclosed in Rajasekharan in order to generate a machine learning model, as stated by Rajasekharan at para. 24.

In regard to claim 9:
wherein the audit events include information comprising, for each audit event, a user id, a file name, a type of access, and a timestamp (Weaver, col 8, lines 66-67, col 9, lines 1-34).

In regard to claim 10:
wherein the selection of duplicative file operations for removal in the de-duplication of the audit events is based at least in part on an identification of successive file operations that do not lead to a change in a file state (Weaver, col 11, lines 41-54).
 
In regard to claim 11:
wherein the operations further comprise: generating a finite state machine including one or more file states, the file states including a file open state, a file read state, a file write state, a file read/write state, and a file close state; and storing the file states in 

In regard to claim 12:
wherein determining whether the file-read instructions in the subset of the file operations files are abnormal comprises applying a set of machine learning models to the audit events, the set of machine learning models trained to determine the pattern or number of the file operations and to compare the pattern or number of the file operations to the normal pattern or number based on features representing a normal or expected behavior of the file system (Weaver, col 5, lines 52-62, col 9, line 30).
 
In regard to claim 13: 
wherein de-duplicating the audit events includes maintaining a file system state based on the finite state machine (Weaver, Fig.2, step 204).

In regard to claim 14:
wherein determining that the file-read instructions in the subset of the file operations are abnormal comprises applying Seasonal-Trend Decomposition Procedure Based on Loess (STL) decomposition to file delete audit events to remove seasonal and trend components and using a residue of the decomposition to generate the time series data, and performing an Exploratory Data Analysis (ESD) test on the time series data (Weaver, col 15, lines 16-26).
 
In regard to claim 15:

de-duplicating the audit events to remove selected duplicative file operations (Weaver, col 9, lines 1-34). 
Weaver does not explicitly suggest, and generate time series data comprising unique file operations devoid of duplicative file operations; however in a same field of endeavor Rajasekharan discloses this limitation (Rajasekharan, ¶41, 24).
Weaver does not explicitly suggest, analyzing the time series data to determine whether a subset of the unique file operations includes file-read instructions to copy files corresponding to the subset of unique file operations; however in a same field of endeavor Rajasekharan discloses this limitation (Rajasekharan, ¶28, 19).
Weaver does not explicitly suggest, determining that the file-read instructions in the subset of unique file operations are abnormal in the time interval based on determining a pattern or number of the file-read instructions in the time interval; however in a same field of endeavor Rajasekharan discloses this limitation (Rajasekharan, ¶30-31).
Weaver does not explicitly suggest, and comparing the pattern or number of the file-read instructions to a normal pattern or number of file-read instructions; however in a same field of endeavor Rajasekharan discloses this limitation (Rajasekharan, ¶25-26, 30).
Weaver does not explicitly suggest, responsive to determining that the file-read instructions in the subset of unique file operations are abnormal, determining that the file system is subject to a system threat; however in a same field of endeavor Rajasekharan discloses this limitation (Rajasekharan, ¶22-23).
and generating an alert (Weaver, col 12, lines 33-44).


In regard to claim 16:
wherein the audit events include information comprising, for each audit event, a user id, a file name, a type of access, and a timestamp (Weaver, col 8, lines 66-67, col 9, lines 1-34).

In regard to claim 17:
wherein the selection of duplicative file operations for removal in the de-duplication of the audit events is based at least in part on an identification of successive file operations that do not lead to a change in a file state (Weaver, col 11, lines 41-54).
 
In regard to claim 18:
wherein the operations further comprise: generating a finite state machine including one or more file states, the file states including a file open state, a file read state, a file write state, a file read/write state, and a file close state; and storing the file states in the finite state machine in a key-value object store (Weaver, col 11, lines 4-29, col 4, lines 1-12).  

In regard to claim 19:

 
In regard to claim 20: 
wherein de-duplicating the audit events includes maintaining a file system state based on the finite state machine (Weaver, Fig.2, step 204).

Conclusion

7.	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Monjur Rahim whose telephone number is (571)270-3890.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay, can be reached on 571-272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/Monjur Rahim/
Patent Examiner
United States Patent and Trademark Office
Art Unit: 2436; Phone: 571.270.3890
E-mail: monjur.rahim@uspto.gov
Fax: 571.270.4890