DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions.
	
Response to Amendment
In response to the amendment filed on October 21, 2021:
	Claims 1-19 are amended.
	Claims 1-19 are pending.	

Response to Arguments
In response to the remarks filed on October 21, 2021:
a.	Objections to claims 17-18 are withdrawn in view of Applicant’s amendment.
b.	35 U.S.C. 101 rejection of claim 19 is maintained since there is no amendment or response addressing the pending rejection.
c.	Applicant’s remarks regarding the 35 U.S.C. 103 rejections of the pending claims have been fully considered but are moot in view of the new grounds of rejection presented herein.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claim 19 is rejected under 35 U.S.C. 101 because the claimed invention is directed to nonstatutory subject matters.

In claim 19, “a tangible computer readable storage medium” is recited for summing query results based on a plurality of non-overlapping queries generated from a query requesting a count of unique data values for a specific attribute. However, since Applicant’s disclosure does not appear to provide any evidence that the claimed medium excludes a signal per se (e.g., a carrier wave and/or a propagating medium), the claimed medium is interpreted to include a transitory medium such as a communication medium that conveys information, including computer-executable instructions, in a modulated data signal. As such, the claim is drawn to a form of energy and is not statutory.
Applicant is advised to amend the above language to “…a non-transitory computer readable storage medium…” to overcome the raised issue.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4-5, 10-11, 13-14, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Rahut (Pat. No. US 9047246, published on June 2, 2015) in view of Nisbet et al. (Pub. No. US 2019/0268355, filed on August 23, 2018; hereinafter Nisbet).
Regarding claims 1, 10, and 19, Rahut clearly shows and discloses a system, comprising: a processor and a memory configured to implement the method; and a computer program product embodied in a tangible computer readable storage medium and comprising computer instructions for implementing the method (Figure 11), wherein the method comprises:
receiving a query (a search head receives a search query from a client at block 601. Next, at block 602, the search head analyzes the search query to determine what portions can be delegated to indexers and what portions need to be executed locally by the search head, [Column 16, Lines 23-34]); 
using the received query to generate and transmit to a data store a plurality of non-overlapping queries (At block 603, the search head distributes the determined portions of the query to the indexers, [Column 16, Lines 35-47]); 

receiving a plurality of responses from the data store (To determine which events are responsive to the query, the indexer searches for events that match the criteria specified in the query. This criteria can include matching keywords or specific values for certain fields, [Column 16, Lines 35-47]); 
summing results from the plurality of responses (Finally, at block 605, the search head combines the partial results and/or events received from the indexers to produce a final result for the query, [Column 16, Lines 48-56]); and 
Attorney Docket No. PALOP22736 PATENT
returning the sum (Waiting to report results to the client until a complete set of results is ready to return to the client, [Column 16, Lines 57-67]).
Nisbet then discloses the received query being a cardinality query associated with at least one of a session dimension or a device attribute identifiable from the cardinality query requesting a count of unique data values for a specific attribute for a defined time interval (Activity pattern cardinality query module 224 may be implemented, for example, as an API, and may include any number of queries that are each executable to identify a plurality of detected activity patterns that may, when considered as a group, indicate suspicious or malicious activity. Activity pattern cardinality query module 224 may include queries having a default cardinality (e.g., defined to identify three or more detected activity patterns) and a default time period (e.g., defined to query against defined activity patterns detected within the past two hours). A first activity pattern cardinality query may be executed automatically to identify any monitored computing system 202 on which three or more distinct defined activity patterns have been detected within the past two hours, [0035]-[0041]. See further Figure 4 and accompanying text).
It would have been obvious to a person of ordinary skill in the art at the time the invention was effectively filed to incorporate the teachings of Nisbet with the teachings of Rahut for the purpose of aiding in discovering security threats based on attribute statistics, which enables a user to view security metrics of interest, such as counts of different types of notable events.
Regarding claims 2 and 11, Rahut further discloses the specific attribute is a destination IP (searching data to determine a number of unique IP addresses that have accessed a particular resource each day, [Column 11, Lines 11-14]).
Regarding claims 4 and 13, Rahut further discloses the specific attribute is a maliciousness flag (providing various visualizations to aid in discovering security threats, such as a "key indicators view" that enables a user to view security metrics of interest, such as counts of different types of notable events, [Column 22, Line 29 – Column 23, Line 3]).
Regarding claims 5 and 14, Nisbet further discloses the cardinality query is received from a configured dashboard (Figure 4 and accompanying text).
Claims 3, 6-7, 12, and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Rahut in view of Nisbet and further in view of Tsironis (Pub. No. 2018/0316727, published on November 1, 2018).
Regarding claims 3 and 12, Tsironis then discloses the specific attribute is a country (The UI user can select one or more filters and define one or more criteria for each selected filter. The second screen 1500 includes a list of "User Filters" including Anomalies Count, City, Country, HR record, OU, Specific Users, State, Threat Counts, User Status, and User Watchlists. As shown, the UI user selected the Anomalies Count filter. The UI user can then set criteria for the Anomalies Count, including selecting a threshold 1504 equal to greater, less, equal, or combinations thereof and inputting a value in a value field 1506. For example, the UI user can input ">=" a threshold 1504 and 25 in the value field 1506 to define the criteria for the Anomalies Count filter, [0186]).
It would have been obvious to a person of ordinary skill in the art at the time the invention was effectively filed to incorporate the teachings of Tsironis with the teachings of Rahut, as modified by Nisbet, for the purpose of monitoring traffic over a computer network to perform malware detection, intrusion detection, and detection of atypical or unusual behavior, and alerting a user when such activities are detected.
Regarding claims 6 and 15, Nisbet and Tsironis further disclose the cardinality query is received from a configured alert (In the illustrated example, query area 404 indicates the time period and cardinality that was used in the query, [0058] of Nisbet. Figure 13 of Tsironis shows a user interface for an admin to define query rules to search for threats).
Regarding claims 7 and 16, Nisbet and Tsironis further disclose the cardinality query is received from an administrator in real time (activity pattern detection is performed in near real-time as data is received from monitored computing systems 202, [0037] of Nisbet. Figure 13 of Tsironis shows a user interface for an admin to define query rules to search for threats).
Claims 8-9, and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Rahut in view of Nisbet and further in view of Bush (Pub. No. US 2007/0280233, published on December 6, 2007).
Regarding claims 8 and 17, Bush then discloses performing horizontal data compression on a set of session records (Data may be compressed, for example, horizontally (e.g. two layers in different sessions from two or more multicast senders), [0041]).
It would have been obvious to a person of ordinary skill in the art at the time the invention was effectively filed to incorporate the teachings of Bush with the teachings of Rahut, as modified by Nisbet, for the purpose of encoding data packets for efficient transmission and packet analysis based on a respective network coding.
Regarding claims 9 and 18, Bush further discloses performing vertical data compression on a set of session records (Data may be compressed, for example, vertically (e.g. within a single session) using data coding, [0041]).
Claims 1, 5, 10, 14, and 19 are alternatively rejected under 35 U.S.C. 103 as being unpatentable over Rahut in view of Jin et al. (Pat. No. US 11055405, filed on April 30, 2019; hereinafter Jin).
Regarding claims 1, 10, and 19, Rahut clearly shows and discloses a system, comprising: a processor and a memory configured to implement the method; and a computer program product embodied in a tangible computer readable storage medium and comprising computer instructions for implementing the method (Figure 11), wherein the method comprises:
receiving a query (a search head receives a search query from a client at block 601. Next, at block 602, the search head analyzes the search query to determine what portions can be delegated to indexers and what portions need to be executed locally by the search head, [Column 16, Lines 23-34]); 
using the received query to generate and transmit to a data store a plurality of non-overlapping queries (At block 603, the search head distributes the determined portions of the query to the indexers, [Column 16, Lines 35-47]); 
receiving a plurality of responses from the data store (To determine which events are responsive to the query, the indexer searches for events that match the criteria specified in the query. This criteria can include matching keywords or specific values for certain fields, [Column 16, Lines 35-47]); 
summing results from the plurality of responses (Finally, at block 605, the search head combines the partial results and/or events received from the indexers to produce a final result for the query, [Column 16, Lines 48-56]); and 
returning the sum (Waiting to report results to the client until a complete set of results is ready to return to the client, [Column 16, Lines 57-67]).
Jin then discloses the received query being a cardinality query associated with at least one of a session dimension or a device attribute identifiable from the cardinality query (During operation, the SPLUNK® APP FOR ENTERPRISE SECURITY facilitates detecting “notable events” that are likely to indicate a security threat. These notable events can be detected in a number of ways: (2) a user can define a “correlation search” specifying criteria for a notable event. A user can alternatively select a pre-defined correlation search provided by the application. Note that correlation searches can be run continuously or at regular intervals (e.g., every hour) to search for notable events, [Column 21, Lines 5-24]. Assume event E={a, b, c, d, e}, where a, b, c, d, and e are features. For example, event E={Network, KerberosProcess, isDeviceWithADDomain, msspinfoapp, 168.136.162.24}. Further, assume frequent patterns FP1={x, y, z}, FP2={a}, FP3={a, b}, and FP4={a, b, c} are all frequent patterns in a single granularity level for the activity type to which event E belongs. Accordingly, in this example, the frequent patterns FP2, FP3, and FP4 are identified in the event, [Column 40, Lines 4-49]) requesting a count of unique data values for a specific attribute for a defined time interval (In Block 1608, a count for each of the identified frequent patterns is identified. The count is the number of times the identified frequent pattern appears in events belonging to the same activity type, [Column 40, Lines 4-49]. The anomaly detector 910 may reduce the aggregate score for an event (indicating less concern, but still classified as anomaly) when one or more conditions are satisfied (e.g., this event contains features that occurred with low frequency among certain users in the past few days). Further still, the anomaly detector 910 may issue custom reports reporting events that occur with a specific count within a time window, [Column 32, Line 38 – Column 33, Line 3]).
It would have been obvious to a person of ordinary skill in the art at the time the invention was effectively filed to incorporate the teachings of Jin with the teachings of Rahut for the purpose of aiding in discovering security threats based on attribute statistics, which enables a user to view security metrics of interest, such as counts of different types of notable events.
Regarding claims 5 and 14, Jin further discloses the cardinality query is received from a configured dashboard (Figure 6 and accompanying text).
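The claim elements mapped above (claims 1, 10 and 19: receiving a cardinality query, generating a plurality of non-overlapping queries to a data store, receiving the responses, summing the results and returning the sum) describe a scatter-gather count-distinct. The following is an added illustration written for this page; it is not code from the application, from Rahut, Nisbet or Jin, or from any product named in those references. The session records, attribute names and the hash-bucket partitioning scheme are hypothetical. It also shows the check a practitioner would want: summing per-partition unique counts is exact only when the partitions are non-overlapping in the counted attribute's value space, and over-counts when the split is made on time instead.

```python
"""Added example (not part of the office action or any cited reference):
decomposing a cardinality query into non-overlapping sub-queries whose
unique-value counts can be summed exactly.

Assumptions (hypothetical, for illustration): session records are dicts,
the 'data store' is an in-memory list, and sub-queries partition the
attribute's value space by hash bucket so that no value can appear in
two partitions.
"""
from hashlib import sha256
from datetime import datetime

# Constructed sample session records (not taken from any cited reference).
SESSIONS = [
    {"ts": "2022-01-24T08:00:00", "dst_ip": "10.0.0.5",     "country": "US", "malicious": False},
    {"ts": "2022-01-24T08:30:00", "dst_ip": "10.0.0.5",     "country": "US", "malicious": False},
    {"ts": "2022-01-24T09:15:00", "dst_ip": "10.0.0.7",     "country": "DE", "malicious": True},
    {"ts": "2022-01-24T10:05:00", "dst_ip": "10.0.0.5",     "country": "US", "malicious": True},
    {"ts": "2022-01-24T10:45:00", "dst_ip": "192.0.2.9",    "country": "BR", "malicious": True},
    {"ts": "2022-01-24T11:10:00", "dst_ip": "10.0.0.7",     "country": "DE", "malicious": False},
    {"ts": "2022-01-24T13:00:00", "dst_ip": "198.51.100.3", "country": "US", "malicious": False},
]


def _bucket(value: str, n_parts: int) -> int:
    # Stable hash: Python's built-in hash() for str is salted per process,
    # so a cryptographic digest is used to keep partitions reproducible.
    return int(sha256(value.encode()).hexdigest(), 16) % n_parts


def split_cardinality_query(attribute, start, end, n_parts):
    """Turn one cardinality query into n_parts non-overlapping sub-queries.
    Each sub-query covers the full time interval but only one hash bucket of
    the attribute's value space, so a given value is counted by exactly one
    sub-query."""
    return [{"attribute": attribute, "start": start, "end": end,
             "bucket": b, "n_parts": n_parts} for b in range(n_parts)]


def run_subquery(store, q):
    """Stand-in for the data store: returns the number of distinct values of
    q['attribute'] within the interval and within this sub-query's bucket."""
    seen = set()
    for rec in store:
        if not (q["start"] <= rec["ts"] < q["end"]):
            continue
        value = rec[q["attribute"]]
        if _bucket(str(value), q["n_parts"]) == q["bucket"]:
            seen.add(value)
    return len(seen)


def count_unique(store, attribute, start, end, n_parts=4):
    """Sum the partial results of the non-overlapping sub-queries (exact)."""
    return sum(run_subquery(store, q)
               for q in split_cardinality_query(attribute, start, end, n_parts))


def count_unique_time_split(store, attribute, start, end, n_parts=4):
    """Counter-example: sub-intervals are also 'non-overlapping', but the same
    value can occur in several of them, so summing per-interval distinct
    counts over-counts. Included to show why the partition key matters."""
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    step = (t1 - t0) / n_parts
    total = 0
    for i in range(n_parts):
        lo = (t0 + i * step).isoformat()
        hi = (t0 + (i + 1) * step).isoformat()
        total += len({r[attribute] for r in store if lo <= r["ts"] < hi})
    return total


def exact_count(store, attribute, start, end):
    """Reference answer computed in one pass, for comparison."""
    return len({r[attribute] for r in store if start <= r["ts"] < end})


if __name__ == "__main__":
    s, e = "2022-01-24T08:00:00", "2022-01-24T12:00:00"
    print("exact:", exact_count(SESSIONS, "dst_ip", s, e))
    print("hash-partitioned sum:", count_unique(SESSIONS, "dst_ip", s, e))
    print("time-partitioned sum (over-counts):",
          count_unique_time_split(SESSIONS, "dst_ip", s, e))
```

On the constructed records, three distinct destination IPs fall in the 08:00-12:00 interval; the hash-partitioned sum returns 3 for any number of partitions, while the time-partitioned sum returns 5 because 10.0.0.5 and 10.0.0.7 each appear in two sub-intervals.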
Relevant Prior Art
The following references are considered relevant to the claims:
Foo et al. (Pub. No. US 2020/0042712) teaches an agent which interacts with the vulnerability database can perform a scan of a software project to identify open-source components used in the project and submit queries to the vulnerability database to identify vulnerabilities which may affect the open-source components in the project. Results of the scan are presented to a user in the form of a vulnerability report which indicates vulnerabilities that have been discovered and which open-source components the vulnerabilities affect.
Lalrson et al. (Pub. No. US 2008/0306903) teaches facilitating and effectuating estimating the result of performing a data analysis operation on a set of data. Employing an approximation of the data analysis operation on a statistically valid random sample view of the data allows for a statistically accurate estimate of the result to be obtained. Sequential sampling in the view enables the approximated operation to evaluate accuracy conditions at intervals during the scan of the sample view and obtain the estimated result without having to scan the entire sample view.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
 
Contact Information
Any inquiry concerning this communication or earlier communications from the Examiner should be directed to Son T. Hoang whose telephone number is (571) 270-1752. The Examiner can normally be reached on Monday – Friday (7:00 AM – 4:00 PM).
If attempts to reach the Examiner by telephone are unsuccessful, the Examiner’s supervisor, Usmaan Saeed can be reached on (571) 272-4046. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SON T HOANG/
Primary Examiner, Art Unit 2169
January 24, 2022