DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This communication is in response to the application filed 12/02/2021.
Claims 1-20 are pending and are rejected.
Claims 1, 7, and 13 have been amended.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 12/02/2021 were filed.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Response to Arguments
Applicant’s arguments with respect to claims 1, 7, and 13 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:



Claims 1-2, 5, 7-8, 11, 13-14, 17, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu (US 20170063888 A1) in view of Lin (US 9038178 B1).
As to claim 1, Muddu teaches a computer-implementable method for performing a feature generation operation, comprising:
receiving a stream of data via a protected endpoint, the stream of data representing electronically-observable by a user, the protected endpoint identifying a plurality of events from the interactions by the user ([0274] the ML-based CEP engine (protected endpoint) is implemented as, or within, analysis module and couples to a data intake and preparation stage that receives raw event data from a target-side computer system.  The data intake and preparation stage creates an event feature set from raw event data pertaining to a single machine-observed event (stream of data representing electronically-observable); [0156] Apache Storm.TM. is a distributed real-time computation engine that processes data stream record-by-record. Apache Spark.TM. is a large-scale data processing engine that collects events together for processing in batches (stream of events comprising a plurality of events); [0183] the security platform can generate a baseline profile for access activities of user, based on event data indicative of network activities of user (events from the interactions by the user));
applying labels to applicable events from the plurality of events, the applying labels providing a labeled event ([0274] the event feature set can include labels for portions of the raw event data; [0292] The event feature sets from the unbounded stream 1502 can be labeled with event view labels corresponding to the event views);

processing the labeled event to extract a feature from the labeled event, the processing  providing a feature associated with an event, the feature referring to a property, characteristic or attribute of the event;
analyzing the feature associated with the event;
generating a risk score for the user based on the analyzing; and,
performing a risk assessment operation via a security analytics system based on the feature associated with the event and the risk score. 
Lin teaches
processing the labeled event to extract a feature from the labeled event, the processing  providing a feature associated with an event, the feature referring to a property, characteristic or attribute of the event (col. 12, lines 6-9, fig. 6, column 612 (labeled event) includes the number of communication events associated with the most probable interTime for the conversation; col. 7, line 33-36, the corresponding values of the set of determined features are extracted for each conversation; col. 7, lines 20-21, a feature is a variable that is used to represent a characteristic of the input information (a property, characteristic or attribute of the event));
analyzing the feature associated with the event (col. 7, lines 45-48, the set of extracted feature values that represent the conversation is then processed (analyzing) by one or more statistical models associated with the set of features to determine whether the conversation is anomalous);
generating a risk score for the user based on the analyzing (col .9, lines 63-67, detection engine 312 is configured to determine a score for each anomalous conversation that indicates the degree of risk (e.g., risk score) associated with the conversation based on the attributes and/or features associated with the anomalous conversation); and,
(col. 12, lines 13-17, anomalous conversations are listed by their final risk scores because anomalous conversations associated with higher final risk scores are to be analyzed first for any remedial action that may need to be taken (performing a risk assessment operation) as a result of the presence of the conversation).
It would have been obvious to one of ordinary skill in the art at the time the invention was made to include in the Muddu disclosure, the risk score, as taught by Lin.  One would be motivated to do so to intelligence generation and activity discovery from events in a distributed data processing system.	

As to claim 2, Muddu and Lin teach the method of claim 1, wherein Lin further teaches:
the applying labels to the applicable events from the plurality of events classifies the applicable events from the plurality of events with associated metadata (col. 7, lines 18-19, the input information can be accurately recognized or classified based on the reduced representation of features (associated metadata)).
It would have been obvious to one of ordinary skill in the art at the time the invention was made to include in the Muddu disclosure, the classified features associated with the events, as taught by Lin.  One would be motivated to do so to intelligence generation and activity discovery from events in a distributed data processing system.	

As to claim 5, Muddu and Link teach the method of claim 1, wherein Muddu teaches:
the feature associated with the event comprises at least one of a number of bytes uploaded, a time of day, a presence of certain terms in unstructured content, respective domains associated with senders and recipients of information, and a Uniform Resource Locator (URL) classification of a web page visit ([0966] Events can be derived from "time series data," wherein time series data comprises a sequence of data points that are associated with successive points in time (time of day) and are typically spaced at uniform time intervals. Events can also be derived from "structured" or "unstructured" data).

As to claim 7, Muddu teaches a system comprising:
a processor;
a data bus coupled to the processor ([0165] Processor(s) 8510 and adapters 8540); and
a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions  executable by the processor and configured for:
receiving a stream of data via a protected endpoint, the stream of data representing electronically-observable by a user, the protected endpoint identifying a plurality of events from the interactions by the user ([0274] the ML-based CEP engine (protected endpoint) is implemented as, or within, analysis module and couples to a data intake and preparation stage that receives raw event data from a target-side computer system.  The data intake and preparation stage creates an event feature set from raw event data pertaining to a single machine-observed event (stream of data representing electronically-observable); [0156] Apache Storm.TM. is a distributed real-time computation engine that processes data stream record-by-record. Apache Spark.TM. is a large-scale data processing engine that collects events together for processing in batches (stream of events comprising a plurality of events); [0183] the security platform can generate a baseline profile for access activities of user, based on event data indicative of network activities of user (events from the interactions by the user)),
([0274] The event feature set can include labels for portions of the raw event data; [0292] The event feature sets from the unbounded stream 1502 can be labeled with event view labels corresponding to the event views); 
Muddu does not explicitly teach
processing the labeled event to extract a feature from the labeled event, the processing  providing a feature associated with an event, the feature referring to a property, characteristic or attribute of the event;
analyzing the feature associated with the event;
generating a risk score for the user based on the analyzing; and,
performing a risk assessment operation via a security analytics system based on the feature associated with the event and the risk score.
Lin teaches
processing the labeled event to extract a feature from the labeled event, the processing  providing a feature associated with an event, the feature referring to a property, characteristic or attribute of the event (col. 12, lines 6-9, fig. 6, column 612 (labeled event) includes the number of communication events associated with the most probable interTime for the conversation; col. 7, line 33-36, the corresponding values of the set of determined features are extracted for each conversation; col. 7, lines 20-21, a feature is a variable that is used to represent a characteristic of the input information (a property, characteristic or attribute of the event));
analyzing the feature associated with the event (col. 7, lines 45-48, the set of extracted feature values that represent the conversation is then processed (analyzing) by one or more statistical models associated with the set of features to determine whether the conversation is anomalous);
(col .9, lines 63-67, detection engine 312 is configured to determine a score for each anomalous conversation that indicates the degree of risk (e.g., risk score) associated with the conversation based on the attributes and/or features associated with the anomalous conversation); and,
performing a risk assessment operation via a security analytics system based on the feature associated with the event and the risk score (col. 12, lines 13-17, anomalous conversations are listed by their final risk scores because anomalous conversations associated with higher final risk scores are to be analyzed first for any remedial action that may need to be taken (performing a risk assessment operation) as a result of the presence of the conversation).
It would have been obvious to one of ordinary skill in the art at the time the invention was made to include in the Muddu disclosure, the risk score, as taught by Lin.  One would be motivated to do so to intelligence generation and activity discovery from events in a distributed data processing system.

As to claim 8, Muddu and Lin teach the system of claim 7, wherein Lin further teaches:
the applying labels to the applicable events from the plurality of events classifies the applicable events from the plurality of events with associated metadata (col. 7, lines 18-19, the input information can be accurately recognized or classified based on the reduced representation of features (associated metadata)).
It would have been obvious to one of ordinary skill in the art at the time the invention was made to include in the Muddu disclosure, the classified features associated with the events, as taught by Lin.  One would be motivated to do so to intelligence generation and activity discovery from events in a distributed data processing system.

As to claim 11, Muddu and Lin teach the system of claim 7, wherein Muddu further teaches:
([0966] Events can be derived from "time series data," wherein time series data comprises a sequence of data points that are associated with successive points in time (time of day) and are typically spaced at uniform time intervals. Events can also be derived from "structured" or "unstructured" data).

As to claim 13, Muddu teaches a non-transitory, computer-readable storage medium embodying computer program code, the computer program code comprising computer executable instructions configured for:
receiving a stream of data via a protected endpoint, the stream of data representing electronically-observable by a user, the protected endpoint identifying a plurality of events from the interactions by the user ([0274] the ML-based CEP engine (protected endpoint) is implemented as, or within, analysis module and couples to a data intake and preparation stage that receives raw event data from a target-side computer system.  The data intake and preparation stage creates an event feature set from raw event data pertaining to a single machine-observed event (stream of data representing electronically-observable); [0156] Apache Storm.TM. is a distributed real-time computation engine that processes data stream record-by-record. Apache Spark.TM. is a large-scale data processing engine that collects events together for processing in batches (stream of events comprising a plurality of events); [0183] the security platform can generate a baseline profile for access activities of user, based on event data indicative of network activities of user (events from the interactions by the user));
([0274] The event feature set can include labels for portions of the raw event data; [0292] The event feature sets from the unbounded stream 1502 can be labeled with event view labels corresponding to the event views);
Muddu does not explicitly teach
processing the labeled event to extract a feature from the labeled event, the processing  providing a feature associated with an event, the feature referring to a property, characteristic or attribute of the event;
analyzing the feature associated with the event;
generating a risk score for the user based on the analyzing; and,
performing a risk assessment operation via a security analytics system based on the feature associated with the event and the risk score.
Lin teaches
processing the labeled event to extract a feature from the labeled event, the processing  providing a feature associated with an event, the feature referring to a property, characteristic or attribute of the event (col. 12, lines 6-9, fig. 6, column 612 (labeled event) includes the number of communication events associated with the most probable interTime for the conversation; col. 7, line 33-36, the corresponding values of the set of determined features are extracted for each conversation; col. 7, lines 20-21, a feature is a variable that is used to represent a characteristic of the input information (a property, characteristic or attribute of the event)).
analyzing the feature associated with the event (col. 7, lines 45-48, the set of extracted feature values that represent the conversation is then processed (analyzing) by one or more statistical models associated with the set of features to determine whether the conversation is anomalous);
(col .9, lines 63-67, detection engine 312 is configured to determine a score for each anomalous conversation that indicates the degree of risk (e.g., risk score) associated with the conversation based on the attributes and/or features associated with the anomalous conversation); and,
performing a risk assessment operation via a security analytics system based on the feature associated with the event and the risk score (col. 12, lines 13-17, anomalous conversations are listed by their final risk scores because anomalous conversations associated with higher final risk scores are to be analyzed first for any remedial action that may need to be taken (performing a risk assessment operation) as a result of the presence of the conversation).
It would have been obvious to one of ordinary skill in the art at the time the invention was made to include in the Muddu disclosure, the risk score, as taught by Lin.  One would be motivated to do so to intelligence generation and activity discovery from events in a distributed data processing system.

As to claim 14, Muddu and Lin teach the non-transitory, computer-readable storage medium of claim 13, wherein Lin further teaches:
the applying labels to applicable events from the plurality of events classifies the applicable events from the plurality of events with associated metadata (col. 7, lines 18-19, the input information can be accurately recognized or classified based on the reduced representation of features (associated metadata)).
It would have been obvious to one of ordinary skill in the art at the time the invention was made to include in the Muddu disclosure, the classified features associated with the events, as taught by Lin.  One would be motivated to do so to intelligence generation and activity discovery from events in a distributed data processing system.

As to claim 17, Muddu and Lin teach the non-transitory, computer-readable storage medium of claim 13, wherein Muddu further teaches:
the feature associated with the event comprises at least one of a number of bytes 3 uploaded, a time of day, a presence of certain terms in unstructured content, respective domains associated with senders and recipients of information, and a Uniform Resource Locator (URL) classification of a web page visit ([0966] Events can be derived from "time series data," wherein time series data comprises a sequence of data points that are associated with successive points in time (time of day) and are typically spaced at uniform time intervals. Events can also be derived from "structured" or "unstructured" data).

As to claim 19, Muddu and Lin the non-transitory, computer-readable storage medium of claim 13, wherein Muddu further teaches
the computer executable instructions are deployable to a client system from a server system at a remote location ([0144] the consumer controls software deployment and configuration settings and the provider provides the networks, servers, storage devices and other services to host the consumer's application).

As to claim 20, Muddu and Lin the non-transitory, computer-readable storage medium of claim 13, wherein the computer executable instructions are provided by a service provider to user on an on-demand basis ([0369] it is therefore possible to access additional external public information (e.g. a WHOIS lookup) that will provide additional information about the domain, for example, who registered the domain name and how long ago (on-demand basis)).

Claims 3-4, 9-10, and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu (US 20170063888 A1) in view of Lin (US 9038178 B1) and further in view of Eden (US 20150356488A1).
As to claim 3, Muddu and Lin teach the method of claim 1, Muddu does not explicitly teach wherein:
extracting features comprises performing transformation operations on certain features associated with an event to generate a smaller set of derived features.
Eden teaches
extracting features comprises performing transformation operations on certain features associated with an event to generate a smaller set of derived features ([0117] the feature extraction system 116 generates a subset of task-focused features (smaller set of derived features), each of which characterizes at least one task performed in the crowdsourcing environment).
It would have been obvious to one of ordinary skill in the art at the time the invention was made to include in the Muddu disclosure, the subset of task-focused features is generated, as taught by Eden.  One would be motivated to do so to characterize a susceptibility of the identified task to spam-related activity and may characterize an assessed difficulty level of the identified task.	

As to claim 4, Muddu and Lin teach the method of claim 3, Muddu does not explicitly teach wherein:
the smaller set of derived features facilitates determination of a distribution of associated features corresponding to a particular event.
Eden teaches
the smaller set of derived features facilitates determination of a distribution of associated features corresponding to a particular event ([0117] One class of meta-level features characterizes a task under consideration, e.g., by describing the structure of the task under consideration, the distribution of responses associated with the task).
It would have been obvious to one of ordinary skill in the art at the time the invention was made to include in the Muddu disclosure, the subset of task-focused features is generated, as taught by Eden.  One would be motivated to do so to characterize a susceptibility of the identified task to spam-related activity and may characterize an assessed difficulty level of the identified task.	

As to claim 9, Muddu and Lin teach the system of claim 7, Muddu does not explicitly teach wherein:
extracting features comprises performing transformation operations on certain features associated with an event to generate a smaller set of derived features.
Eden teaches
extracting features comprises performing transformation operations on certain features associated with an event to generate a smaller set of derived features ([0117] the feature extraction system 116 generates a subset of task-focused features (smaller set of derived features), each of which characterizes at least one task performed in the crowdsourcing environment).
It would have been obvious to one of ordinary skill in the art at the time the invention was made to include in the Muddu disclosure, the subset of task-focused features is generated, as taught by Eden.  One would be motivated to do so to characterize a susceptibility of the identified task to spam-related activity and may characterize an assessed difficulty level of the identified task.

As to claim 10, Muddu and Lin teach the system of claim 9, Muddu does not explicitly teach wherein:

Eden teaches
the smaller set of derived features facilitates determination of a distribution of associated features corresponding to a particular event ([0117] One class of meta-level features characterizes a task under consideration, e.g., by describing the structure of the task under consideration, the distribution of responses associated with the task).
It would have been obvious to one of ordinary skill in the art at the time the invention was made to include in the Muddu disclosure, the subset of task-focused features is generated, as taught by Eden.  One would be motivated to do so to characterize a susceptibility of the identified task to spam-related activity and may characterize an assessed difficulty level of the identified task.

As to claim 15, Muddu and Lin teach the non-transitory, computer-readable storage medium of claim 13, Muddu does not explicitly teach wherein:
extracting features comprises performing transformation operations on certain features associated with an event to generate a smaller set of derived features.
Eden teaches
extracting features comprises performing transformation operations on certain features associated with an event to generate a smaller set of derived features ([0117] the feature extraction system 116 generates a subset of task-focused features (smaller set of derived features), each of which characterizes at least one task performed in the crowdsourcing environment).
It would have been obvious to one of ordinary skill in the art at the time the invention was made to include in the Muddu disclosure, the subset of task-focused features is generated, as taught by Eden.  

As to claim 16, Muddu and Lin teach the non-transitory, computer-readable storage medium of claim 15, Muddu does not explicitly teach wherein:
the smaller set of derived features facilitates determination of a distribution of associated features corresponding to a particular event.
Eden teaches
the smaller set of derived features facilitates determination of a distribution of associated features corresponding to a particular event ([0117] One class of meta-level features characterizes a task under consideration, e.g., by describing the structure of the task under consideration, the distribution of responses associated with the task).
It would have been obvious to one of ordinary skill in the art at the time the invention was made to include in the Muddu disclosure, the subset of task-focused features is generated, as taught by Eden.  One would be motivated to do so to characterize a susceptibility of the identified task to spam-related activity and may characterize an assessed difficulty level of the identified task.

Claims 6, 12, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu (US 20170063888 A1) in view of Lin (US 9038178 B1) and further in view of Koh (US 20170171609 A1).
As to claim 6, Muddu and Lin teach the method of claim 1, Muddu does not explicitly teach wherein:
extracting features performs at least one of an exact feature extract operation and a multi match feature extract operation.
Koh teaches
([0135] as a result of determination, when only one matching information is received, for example, when multi-matching does not occur, the content processing a 100 executes a service based on the received matching information. However, as a result of determination, when a plurality of matching information are received, for example, when multi-matching occurs, the content processing a 100 performs matching with second characteristic information extracted).
It would have been obvious to one of ordinary skill in the art at the time the invention was made to include in the Muddu disclosure, the exact match and the multimatch information, as taught by Koh.  One would be motivated to do so that a content recognition speed may be improved.

As to claim 12, Muddu and Lin teach the system of claim 7, Muddu does not explicitly teach wherein:
extracting features performs at least one of an exact feature extract operation and a multimatch feature extract operation.
Koh teaches extracting features performs at least one of an exact feature extract operation and a multimatch feature extract operation ([0135] as a result of determination, when only one matching information is received, for example, when multi-matching does not occur, the content processing a 100 executes a service based on the received matching information. However, as a result of determination, when a plurality of matching information are received, for example, when multi-matching occurs, the content processing a 100 performs matching with second characteristic information extracted).


As to claim 18, Muddu and Lin teach the non-transitory, computer-readable storage medium of claim 13, Muddu does not explicitly teach wherein:
extracting features performs at least one of an exact feature extract operation and a multi match feature extract operation.
Koh teaches
extracting features performs at least one of an exact feature extract operation and a multi match feature extract operation ([0135] as a result of determination, when only one matching information is received, for example, when multi-matching does not occur, the content processing a 100 executes a service based on the received matching information. However, as a result of determination, when a plurality of matching information are received, for example, when multi-matching occurs, the content processing a 100 performs matching with second characteristic information extracted).
It would have been obvious to one of ordinary skill in the art at the time the invention was made to include in the Muddu disclosure, the exact match and the multimatch information, as taught by Koh.  One would be motivated to do so that a content recognition speed may be improved.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  







/ANH NGUYEN/Examiner, Art Unit 2454