DETAILED ACTION

Notice of Pre-AIA  or AIA  Status

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement

2.	The information disclosure statement (IDS) submitted on 8/22/2019, 11/06/2019, 12/06/2019, 1/09/2020, 8/05/2020, 9/18/2020, 11/20/2020, 6/15/2021, 6/30/2021, 8/03/2021, 8/25/2021, 9/17/2021, 10/21/2021, 11/01/2021 was filed.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.


Allowable Subject Matter

3.	Claim 2 has been objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. 
Claim 9 has been objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Claim 16 has been objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


4.	Claims 1, 3-8, 10-15 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Patent No.: US 9,246,941 B1 to Gibson et al (hereafter referenced as Gibson) in view of Patent No.: 8,490,163 B1 to Harsell et al (hereafter referenced as Harsell), in further view of Patent No.: US 9,419,928 B2 to Miner
Regarding claim 1, Gibson discloses “a computer-implemented method for constructing a distribution of event  features for identifying security risk factors”(system with modules to identify security risk factors [Fig.1]) , “comprising:  receiving a stream of events”(module 104 may receive request [stream of events] of information about how the security policy may impact users [col.7/lines 24-26]) , “the stream of events comprising a plurality of events”(plurality of information/events comprising identifying module 104 may receive a request from an administrator of end-user computing systems for information about how activating security policy 220 may impact users of end-user computing systems [Col.7/lines 26-30]) ;  “extracting a categorical feature from the plurality of events”(module 104 may receive a request/extract[stream of events] of information about how the security policy may impact users from a plurality of data events [Col.7/lines 24-26]).
Gibson does not explicitly disclose “wherein the categorical feature includes a set of categorical feature members, constructing a distribution for the categorical feature based on categorical feature members extracted from the plurality of events; and, analyzing the distribution of the categorical feature to identify one or more security risk factors.”
However, Harsell in an analogous discloses “wherein the categorical  feature includes a set of categorical feature members”(define a policy based on extracted categorical events Harsell[Fig.4/item 412]), “constructing a distribution for the categorical feature based on categorical feature  members extracted from the plurality of events”(define a policy based on extracted events Harsell [Fig.4/item 412]) ; “and, analyzing the distribution of the categorical feature to identify one or more security risk factors.”(analysis risk module 314 is configured to analyze the integrity of the universal security policy Harsell [Col.6/lines 59-60]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Gibson’s method for identifying risk factors 
Neither Gibson nor Harsell explicitly disclose “wherein the set of categorical feature members are generated on the fly from string values included in the extracted categorical feature”
However, Miner in an analogous art teaches “wherein the set of categorical feature members are generated on the fly from string values included in the extracted categorical feature” (bin collection category is maintained via a processing/generating feature which includes identifying the user and a bin collection of the user based on the specific routing character string (Miner [Col.5 Lines 19-24]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Gibson’s method for identifying risk factors and Harsell’s security process comprising categorical features to identify security factors, with Miners message collection system comprising a router character string in order to provide data integrity. One of ordinary skill in the art would have been motivated to combine because Gibson discloses a method for identifying risk factors, Harsell teaches a security process which identifies features from an event of security purposes, Miner discloses a collection system that utilizes character strings 
Regarding claim 3 in view of claim 1, the references combined disclose “wherein the set of categorical feature members include one or more string values corresponding to chronological dates and/or times.” (the server 200 may be provided to generate and output relevant information to the user, such as a listing of bins, listing of string commands, metrics relating to bin content, date information, or other information Miner[Col.9/lines 33-37]).
Regarding claim 4 in view of claim 3, the references combined disclose “wherein the chronological dates and/or times correspond to times of occurrence of the  one or more of the plurality of events”(time information corresponds to listing of Bin information and metrics Miner[Col.9/lines 31-34]).
Regarding claim 5 in view of claim 3, the references combined “wherein the set of categorical feature members include one or more string values corresponding to IP addresses.” (character string corresponds to BIN content of IP content of server Miner [Fig.18]).
Regarding claim 6 in view of claim 1, the references combined disclose “wherein the set of categorical feature members include one or more string values corresponding to web browser types occurring in the plurality of events.”(i.e. plurality of string values extracted from events from behavior information module Gibson [Fig.1/item 126] and categorical prediction information module Gibson [Fig.1/item 126]).
 	Regarding claim 7 in view of claim 1, the references combined disclose “further comprising: converting the string values of the categorical feature to one-hot vectors for (the server 200 may be provided to generate and output relevant information to the user, such as a listing of bins, listing of commands, metrics relating to bin content, date information, or other information Miner[Col.9/lines 33-37]).
Regarding claim 8, Gibson discloses “a  system comprising: a processor;  a data bus coupled to the processor” (system 100 [Fig.1]) ; “and  a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus”(512 includes, without limitation, a communication bus [Col.12/lines 29-33]) , “the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor  and configured for: receiving a stream of events” (module 104 may receive request [stream of events] of information about how the security policy may impact users [col.7/lines 24-26]) , “the stream of events comprising a plurality of  events” (information comprising identifying module 104 may receive a request from an administrator of end-user computing systems for information about how activating security policy 220 may impact users of end-user computing systems [Col.7/lines 26-30]); “extracting a categorical feature from the plurality of events” (module 104 may receive a request/extract[stream of events] of information about how the security policy may impact users from a plurality of data events [Col.7/lines 24-26]).
Gibson does not explicitly disclose “wherein the categorical feature includes a set of categorical feature members, constructing a distribution for the categorical feature based on categorical feature members extracted from the plurality of events; and, 
However, Harsell in an analogous discloses “wherein the categorical  feature includes a set of categorical feature members”(define a policy based on extracted events Harsell[Fig.4/item 412]), “constructing a distribution for the categorical feature based on categorical feature  members extracted from the plurality of events”(define a policy based on extracted events Harsell [Fig.4/item 412]) ; “and, analyzing the distribution of the categorical feature to identify one or more security risk factors.”(analysis risk module 314 is configured to analyze the integrity of the universal security policy Harsell [Col.6/lines 59-60]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Gibson’s method for identifying risk factors with Harsell’s security process comprising categorical features in order to identify security factors and to provide additional security as suggested by Harsell. One of ordinary skill in the art would have been motivated to combine because Gibson discloses a method for identifying risk factors, Harsell teaches a security process which identifies features from an event of security purposes and both are from the same field of endeavor.
Neither Gibson nor Harsell explicitly disclose “wherein the set of categorical feature members are generated on the fly from string values included in the extracted categorical feature”
However, Miner in an analogous art teaches “wherein the set of categorical feature members are generated on the fly from string values included in the extracted (bin collection category is maintained via a processing/generating feature which includes identifying the user and a bin collection of the user based on the specific routing character string (Miner [Col.5 Lines 19-24]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Gibson’s method for identifying risk factors and Harsell’s security process comprising categorical features to identify security factors, with Miners message collection system comprising a router character string in order to provide data integrity. One of ordinary skill in the art would have been motivated to combine because Gibson discloses a method for identifying risk factors, Harsell teaches a security process which identifies features from an event of security purposes, Miner discloses a collection system that utilizes character strings for which are utilized for categorical methods and all are from the same field of endeavor.
Regarding claim 10 in view of claim 8, the references combined disclose “wherein the set of categorical feature members include one or more string values 3 corresponding to chronological dates and/or times. (the server 200 may be provided to generate and output relevant information to the user, such as a listing of bins, listing of commands, metrics relating to bin content, date information, or other information Miner[Col.9/lines 33-37]).
Regarding claim 11 in view of claim 10, the references combined disclose “wherein the chronological dates and/or times correspond to times of occurrence of the  (time information corresponds to listing of Bin information and metrics Miner[Col.9/lines 31-34]).
Regarding claim 12 in view of claim 8, the references combined disclose “wherein the set of categorical feature members include one or more string values  corresponding to IP addresses” (character string corresponds to BIN content of IP content of server Miner[Fig.18]).
Regarding claim 13 in view of claim 8, the references combined disclose “wherein the set of categorical feature members include one or more string values corresponding to web browser types occurring in the plurality of events” (i.e. plurality of string values extracted from events from behavior information module Gibson [Fig.1/item 126] and categorical prediction information module Gibson [Fig.1/item 126]).
Regarding claim 14 in view of claim 8, the references combined disclose “wherein the instructions are further configured for: converting the string values of the categorical feature to one-hot vectors for analyzing the distribution of the categorical feature.” (the server 200 may be provided to generate and output relevant information to the user, such as a listing of bins, listing of commands, metrics relating to bin content, date information, or other information Miner[Col.9/lines 33-37]).
Regarding claim 15, Gibson discloses “a non-transitory, computer-readable storage medium embodying computer program code” (system 100 containing modules for storing medium [Fig.1]), “the computer program code comprising computer executable instructions configured for:  receiving a stream of events” (module 104 may receive request [stream of events] of information about how the security policy may impact users [col.7/lines 24-26]), “the stream of events comprising a plurality of events” (information comprising identifying module 104 may receive a request from an administrator of end-user computing systems for information about how activating security policy 220 may impact users of end-user computing systems [Col.7/lines 26-30]); “extracting a categorical feature from the plurality of events” (module 104 may receive a request/extract[stream of events] of information about how the security policy may impact users from a plurality of data events [Col.7/lines 24-26]).
Gibson does not explicitly disclose “wherein the categorical feature includes a set of categorical feature members, constructing a distribution for the categorical feature based on categorical feature members extracted from the plurality of events; and, analyzing the distribution of the categorical feature to identify one or more security risk factors. 
However, Harsell in an analogous discloses “wherein the categorical  feature includes a set of categorical feature members”(define a policy based on extracted events Harsell[Fig.4/item 412]), “constructing a distribution for the categorical feature based on categorical feature  members extracted from the plurality of events”(define a policy based on extracted events Harsell [Fig.4/item 412]) ; “and, analyzing the distribution of the categorical feature to identify one or more security risk factors.”(analysis risk module 314 is configured to analyze the integrity of the universal security policy Harsell [Col.6/lines 59-60]).

Neither Gibson nor Harsell explicitly disclose “wherein the set of categorical feature members are generated on the fly from string values included in the extracted categorical feature”
However, Miner in an analogous art teaches “wherein the set of categorical feature members are generated on the fly from string values included in the extracted categorical feature” (bin collection category is maintained via a processing/generating feature which includes identifying the user and a bin collection of the user based on the specific routing character string (Miner [Col.5 Lines 19-24]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Gibson’s method for identifying risk factors and Harsell’s security process comprising categorical features to identify security factors, with Miners message collection system comprising a router character string in order to provide data integrity. One of ordinary skill in the art would have been motivated to combine because Gibson discloses a method for identifying risk 
Regarding claim 17 in view of claim 15, the references combined disclose “wherein  the set of categorical feature members include one or more string values corresponding to chronological dates and/or times” (the server 200 may be provided to generate and output relevant information to the user, such as a listing of bins, listing of commands, metrics relating to bin content, date information, or other information Miner[Col.9/lines 33-37]). 
Regarding claim 18 in view of claim 15, the references combined disclose “wherein 2 the set of categorical feature members include one or more string values 3 corresponding to IP addresses” (character string corresponds to BIN content of IP content of server Miner[Fig.18]).
Regarding claim 19 in view of claim 15, the references combined disclose “wherein the set of categorical feature members include one or more string values corresponding to web browser types occurring in the plurality of events” (i.e. plurality of string values extracted from events from behavior information module Gibson [Fig.1/item 126] and categorical prediction information module Gibson [Fig.1/item 126]).
Regarding claim 20 in view of claim 15, the references combined disclose “wherein the instructions are further configured for: converting the string values of the categorical feature to one-hot vectors for analyzing the distribution of the categorical  (the server 200 may be provided to generate and output relevant information to the user, such as a listing of bins, listing of commands, metrics relating to bin content, date information, or other information Miner [Col.9/lines 33-37]).
Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL D ANDERSON whose telephone number is (571)270-5159. The examiner can normally be reached Mon-Fri 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571)272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 





/MICHAEL D ANDERSON/Examiner, Art Unit 2433                                                                                                                                                                                                        /William J. Goodchild/Primary Examiner, Art Unit 2433