DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This is a reply to the application filed on 01/24/2020, in which claims 1-21 are pending. Claims 1, 8 and 15 are independent.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 01/24/2020, has been reviewed. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the examiner is considering the information disclosure statement.

Drawings
The drawings filed on 01/24/2020 are accepted by The Examiner.

Claim Objections
Claims 1, 8 and 15 are objected to because of the following informalities:  
Claim 1 (Line 17), claim 8 (Line 17), and claim 15 (Line 16) recite “later execute the query on new event data”. It is not clear how late it is to execute the query.
Appropriate correction is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:

Claims 1-7 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. Claim 1 recites “A system” in the preamble and “a plurality of network sensors”, “one or more decorator pipelines” and “a security frontend” in the claim body. As recited in the body of the claim, the claimed system lacks a structural component because the sensors, pipelines and frontend could be implemented as software only. As the body of the claim does not positively recite any hardware embodiment, the claim is directed to non-statutory subject matter. Therefore, Claim 1 is directed to non-statutory subject matter for lack of a hardware component. The Examiner respectfully suggests that the claim be further amended to positively recite at least one hardware element within the body of the claim, such as “a hardware processor” or “a hardware memory”, to make the claim statutory subject matter under 35 U.S.C. 101.
Claims 2-7 do not cure the deficiency of claim 1 and are rejected under 35 U.S.C. 101 for their dependency upon claim 1.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 8-9, and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Vashisht et al. (US 2019/0207966 A1) in view of Weimin Liu (US 2010/0011410 A1).
Regarding Claims 1, 8, and 15, Vashisht discloses
a plurality of network sensors configured to:  
sense the operations of the data network; responsive to sensing the operations of the data network, generate event data objects that record the operations of the data network ([0012], “the cybersecurity sensor collectively operating with an auxiliary network device”, [0025], “cybersecurity source includes cybersecurity sensors located at a periphery of a network (or subnetwork) and perhaps throughout the network”, [0005], “cybersecurity intelligence in efforts to provide more rapid malicious object (or event) detection”, [0020], “The “cybersecurity intelligence” includes meta-information associated with an “artifact” (i.e., an object, an event, indicator of compromise, or other information that may be subjected to cybersecurity analyses)”); 
one or more decorator pipelines configured to: 
decorate the event data objects with data other than from operations of the data network ([0029], “when the artifact is an object or a process behavior or other event related to an identified object (described below), the distinctive metadata (i.e. the data other than from operations) includes a hash value of the object (object ID)”, [0030], “acquiring additional meta-information regarding the artifact including its characteristics and/or behaviors and its present context (e.g., state information, software profile, timestamp, etc.)”); 
a security frontend configured to: 
provide, responsive to receiving the query, results to the query from historic event data that was decorated before the query was received ([0125], “in response to search parameters associated with a query from a customer via the customer portal 246, generates and delivers a report pertaining to some of the stored content”); 
Vashisht does not explicitly teach but Liu teaches
a security frontend configured to: 
generate a graphical user interface (GUI) configured to provide, to a user, query-authoring tools ([0052], “the user interface 310 is a graphical user interface providing the user with easy access to the various features of the capture system 312”, [0063], “the user interface 310 may provide a query-authoring tool”); 
receive a query in a structured language ([0065], “A user query for a pattern is generally in the form of a regular expression. A regular expression is a string that describes or matches a set of strings, according to certain syntax rules. There are various well-known syntax rules such as the POSIX standard regular expressions and the PERL scripting language regular expressions”);  
receive approval for the query; and later execute the query on new event data that has been decorated after the approval for the query is received ([0064], “periodically executes specific queries” after the approval for the query).  
Vashisht and Liu are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Liu with the disclosure of Vashisht. The motivation/suggestion would have been for data mining and security policy management (Liu, Title).

Regarding Claims 2, 9, and 16, the combined teaching of Vashisht and Liu teaches 
an aggregator datastore configured to store the event data objects after the event data objects have been decorated (Vashisht, [0029], “Given the cybersecurity intelligence hub supports multiple sensors, it is contemplated that meta-information for the same detected artifact (e.g., object) from different sensors may reside within the global data store”, [0030], “acquiring additional meta-information regarding the artifact including its characteristics and/or behaviors and its present context (e.g., state information, software profile, timestamp, etc.) to be subsequently uploaded into the global data store”).

Claims 3-5, 7, 10-12, 14 and 17-19, 21 are rejected under 35 U.S.C. 103 as being unpatentable over Vashisht et al. (US 2019/0207966 A1) in view of Weimin Liu (US 2010/0011410 A1) further in view of Thomas et al. (US 2019/0190936 A1).
Regarding Claims 3, 10, and 17, the combined teaching of Vashisht and Liu teaches 
wherein the aggregator datastore, in order to store the event data objects after the event data objects have been decorated, is configured to store the event data objects after the event data objects have been decorated (Vashisht, [0029], “Given the cybersecurity intelligence hub supports multiple sensors, it is contemplated that meta-information for the same detected artifact (e.g., object) from different sensors may reside within the global data store”, [0030], “acquiring additional meta-information regarding the artifact including its characteristics and/or behaviors and its present context (e.g., state information, software profile, timestamp, etc.) to be subsequently uploaded into the global data store”).
The combined teaching of Vashisht and Liu does not explicitly teach but Thomas teaches
to store in a rolling buffer in which old data is removed to make room for new data ([0177], “a data recorder or the like may record all activity on an endpoint in a rolling buffer that overwrites data that is older than the predetermined time window”).
Vashisht, Liu and Thomas are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Thomas with the combined teaching of Vashisht and Liu. The motivation/suggestion would have been for improved endpoint security (Thomas, [0003]).

Regarding Claims 4, 11, and 18, the combined teaching of Vashisht, Liu and Thomas teaches 
wherein the aggregator datastore is further configured to generate a search index that indexes only a predetermined amount of the newest event data stored in the aggregator datastore (Vashisht, [0029], “a search index for (a predetermined amount of) stored meta-information within the global data store”).

Regarding Claims 5, 12, and 19, the combined teaching of Vashisht, Liu and Thomas teaches 
wherein later executing the query on new event data that has been decorated after the approval for the query is received comprises use of the search index (Vashisht, [0029], “a search index for (a predetermined amount of) stored meta-information within the global data store”).  

Regarding Claims 7, 14, and 21, the combined teaching of Vashisht, Liu and Thomas teaches 
wherein to later execute the query on new event data that has been decorated after the approval for the query is received, the security frontend is further configured to transmit an alert specifying the result of the later execution (Vashisht, [0114], “Responsive to a malicious verdict, the processor(s) 300 processes the notification logic 350, which generates or initiates the generation of an alert”).
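The claim elements discussed above (claims 1, 3, 4, 5 and 7 and their counterparts: a decorator pipeline, an aggregator datastore implemented as a rolling buffer, a search index covering only the newest events, a query answered first from historic data and later re-run on events decorated after approval, and an alert on the later result) can be illustrated as a small working model. The following Python is an added example written for this page; it is not code from the application or from any of the cited references (Vashisht, Liu, Thomas, Shi). The class names, the reputation table used as "data other than from operations of the data network", and the sample sensor events are all constructed assumptions.

```python
"""Illustrative model of the claimed pipeline (added example, not from the application
or the cited references). All names, the reputation table and the events are constructed."""
import re
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Event:
    seq: int                                    # sequence number assigned by the sensor
    src: str
    dst: str
    msg: str
    tags: dict = field(default_factory=dict)    # filled in by the decorator pipeline


class DecoratorPipeline:
    """Adds data that does not come from the network itself (a constructed reputation table)."""

    def __init__(self, reputation):
        self.reputation = reputation

    def decorate(self, ev):
        ev.tags["src_reputation"] = self.reputation.get(ev.src, "unknown")
        return ev


class AggregatorDatastore:
    """Rolling buffer of decorated events; the search index covers only the newest index_size events."""

    def __init__(self, capacity, index_size):
        self.buffer = deque(maxlen=capacity)    # deque evicts the oldest event automatically
        self.index_size = index_size
        self.indexed = deque()                  # seqs currently in the index, oldest first
        self.index = {}                         # token -> set of seqs

    @staticmethod
    def _tokens(ev):
        return set(ev.msg.lower().split()) | {ev.src, ev.dst} | set(ev.tags.values())

    def store(self, ev):
        self.buffer.append(ev)
        for tok in self._tokens(ev):
            self.index.setdefault(tok, set()).add(ev.seq)
        self.indexed.append(ev.seq)
        while len(self.indexed) > self.index_size:   # bound the index to the newest events
            old = self.indexed.popleft()
            for tok in list(self.index):
                self.index[tok].discard(old)
                if not self.index[tok]:
                    del self.index[tok]

    def lookup(self, token):
        """Seqs of indexed events containing token; older buffered events are not visible here."""
        return sorted(self.index.get(token, ()))

    def events_after(self, seq):
        return [ev for ev in self.buffer if ev.seq > seq]


class SecurityFrontend:
    """Holds structured (regex) queries; an approved query is later re-run on newly decorated events."""

    def __init__(self, datastore):
        self.ds = datastore
        self.queries = {}       # name -> compiled regex
        self.approved = {}      # name -> seq watermark recorded at approval time

    def submit(self, name, pattern):
        self.queries[name] = re.compile(pattern)
        # historic results: events decorated before the query was received
        return [ev.seq for ev in self.ds.buffer if self._matches(self.queries[name], ev)]

    def approve(self, name):
        self.approved[name] = self.ds.buffer[-1].seq if self.ds.buffer else 0

    def run_approved(self):
        """Run each approved query only on events newer than its watermark; return alerts."""
        alerts = []
        for name, watermark in self.approved.items():
            new = self.ds.events_after(watermark)
            hits = [ev.seq for ev in new if self._matches(self.queries[name], ev)]
            if hits:
                alerts.append((name, hits))
            if new:
                self.approved[name] = new[-1].seq   # advance so events are not re-alerted
        return alerts

    @staticmethod
    def _matches(rx, ev):
        return rx.search(f"{ev.src} {ev.dst} {ev.msg} " + " ".join(ev.tags.values())) is not None


def demo():
    pipeline = DecoratorPipeline({"10.0.0.5": "malicious"})   # constructed reputation data
    ds = AggregatorDatastore(capacity=5, index_size=3)
    front = SecurityFrontend(ds)
    for seq, s, d, m in [(1, "10.0.0.5", "10.0.0.9", "dns query example.test"),
                         (2, "10.0.0.7", "10.0.0.9", "http get /index"),
                         (3, "10.0.0.8", "10.0.0.9", "tls handshake"),
                         (4, "10.0.0.7", "10.0.0.9", "http post /login")]:
        ds.store(pipeline.decorate(Event(seq, s, d, m)))        # constructed sensor events
    historic = front.submit("bad-src", r"malicious")            # answered from historic data
    front.approve("bad-src")
    for seq, s, d, m in [(5, "10.0.0.5", "10.0.0.9", "smb connect"),
                         (6, "10.0.0.8", "10.0.0.9", "ssh login")]:
        ds.store(pipeline.decorate(Event(seq, s, d, m)))        # decorated after approval
    alerts = front.run_approved()
    return historic, alerts, [ev.seq for ev in ds.buffer], ds.lookup("10.0.0.9")
```

With capacity 5 and an index over the newest 3 events, `demo()` returns the historic hit `[1]`, one alert for the post-approval event 5, a buffer that has evicted event 1, and an index lookup that sees only events 4-6 even though events 2 and 3 are still buffered; a second `run_approved()` call would return nothing because the watermark advanced.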

Claims 6, 13 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Vashisht et al. (US 2019/0207966 A1) in view of Weimin Liu (US 2010/0011410 A1) further in view of Thomas et al. (US 2019/0190936 A1) and further in view of Fleming Shi (US 2019/0036958 A1).
Regarding Claims 6, 13, and 20, the combined teaching of Vashisht, Liu and Thomas does not explicitly teach but Shi teaches
wherein generation of the search index and storage of the event data objects after the event data objects have been decorated occur concurrently and continuously ([0032], “BRTS were collecting more intelligence on the samples collected from the attack and matching samples, hashes, and IoC to multiple external references while continuously updating the index”, i.e., concurrently).
Vashisht, Liu, Thomas and Shi are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Shi with the combined teaching of Vashisht, Liu and Thomas. The motivation/suggestion would have been to prevent a cyber-attack from happening or spreading (Shi, Abstract).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHENG-FENG HUANG whose telephone number is (571)272-6186. The examiner can normally be reached Monday-Friday: 9 am - 5 pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CHENG-FENG HUANG/Primary Examiner, Art Unit 2497