DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The present Office Action is responsive to communications received 9/23/2020. Claims 1-20 are pending.

Priority
The present application is a continuation of US application 15961659, now US 10819714, claiming priority from a provisional application filed on 20170426.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 12/10/2020, 5/6/2021, 6/21/2021, 7/9/2021 and 1/18/2021 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.
Objections to claims
Claim 3 is objected to because claim 3 recites limitations performed at the server side, while claim 1, from which claim 3 depends, recites steps of a method executed in the endpoint computer systems. It is unclear whether the scope of claim 1 is further limited in claim 3. The examiner recommends rewriting the dependent claim from the perspective of the endpoint computer systems.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 6 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention (See MPEP 2173.05(b)).
The terms “relevant” and “irrelevant” in claim 6 are relative terms which render the claim indefinite. The terms “relevant” and “irrelevant” are not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention.
Claim 11 also recites the relative term “broader”, the scope of which cannot be reasonably ascertained.
Claim 9 recites “the responsive data”, which lacks antecedent basis and renders the claim indefinite.


Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of 

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: “determining, via a threat detection module, that a heightened level of alert is necessary” in claim 11. The specification discloses in paragraph [0016] that the threat detection module is a machine learning component.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) 

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-12, 14-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-9, 13-15 of US 10819714 (‘714). Although the claims at issue are not identical, they are not patentably distinct from each other because claims 1-12 and 14-20 are anticipated by claims of ‘714:
Claims 1, 2, 11-12, 17-18 and 20 limitations are taught by claims 1, 5 of ‘714.
Claims 3-10 are anticipated respectively by claims 2-9 of ‘714.
Claims 14-15 are anticipated respectively by claims 14-15 of ‘714.
Claim 16 is anticipated by claim 11 of ‘714.
Claim 13 is rejected as being unpatentable over claim 1 of ‘714, in further view of Holeman (see rejection of claim 13 below, see motivation in claim 11 below).
Claims 1-3, 7, 13-14 and 19-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 5-6, 10, 12, 15, 20-21 of US 10354066 (‘066). Although the claims at issue are not identical, they are not patentably distinct 
Claims 1, 17, 20 limitations are taught by claims 1, 10 of ‘066.
Claims 2-3 limitations are taught by claims 5-6 of ‘066, respectively.
Claim 7 limitations are taught by claim 15 of ‘066.
Claims 13-14 limitations are taught by claims 20-21 of ‘066, respectively.
Claim 19 limitations are taught by claim 12 of ‘066.
Claims 4-5, 8, 10 and 18 are rejected as being unpatentable over claim 1 of ‘066, in further view of Mahaffey (see rejection of claims below, the motivation being to improve monitoring techniques).
Claims 6, 9, 15-16 are rejected as being unpatentable over claim 1 of ‘066, in view of Belakovskiy (see rejection below, the motivation being to improve the maintenance of databases).
Claims 11-12 are rejected as being unpatentable over claim 1 of ‘066, in view of Holeman (see rejection below, the motivation being to add flexibility to the monitoring).
Claims 1, 6, 17 and 20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of US 10354067 (‘067), in further view of Bradford (the motivation being to improve database retrieval methods).
Additionally, claims 8-10 limitations are unpatentable over claims 5-7 of ‘067, respectively.
Additionally, claims 14-16 limitations are unpatentable over claims 12-13 of ‘067, respectively.
Claims 2-5, 7 and 18-19 limitations are unpatentable over claim 1 of ‘067, in view of Bradford and Mahaffey (see below).
Claims 11-13 limitations are unpatentable over claim 1 of ‘067, in view of Holeman (see below).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-5, 7-10, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over US 20150163121 to Mahaffey et al., hereinafter Mahaffey, in view of US 6678679 to Bradford, hereinafter Bradford. Mahaffey is cited in IDS dated 5/6/2021.
Regarding claim 1, Mahaffey discloses:
A computer-implemented method comprising ([0048]: method implemented in a computing device (Fig. 2)): monitoring, by each of a plurality of endpoint computer systems, data relating to a plurality of events occurring within an operating environment of the corresponding endpoint computer system, the monitoring comprising receiving and/or inferring the data using one or more sensors executing on the endpoint computer system (Fig. 4 [0083][0087]: devices monitor events and state of device, using sensors ([0110])); selectively storing, for each endpoint computer system, artifacts used in connection with the events and associated with a software-based attack in a vault maintained on such endpoint computer system ([0116]: Fig. 7, 735: capture, loggings of observations associated with events, stored in database; [0254]: events include attacks that exploit vulnerabilities in application, analyzed at server); receiving, by at least a subset of the plurality of endpoint computer systems from a server, a query ([0298]: database queried by other devices);
However, Mahaffey does not describe the details of responding to a query using a database, which is well-known in the art as evidenced by Bradford. Mahaffey does not teach, but Bradford, in an analogous art, discloses receiving a query from a user, retrieving information from large databases (col. 5, lines 10-27), identifying and retrieving, by the endpoint computer systems receiving the query, artifacts within the corresponding vaults responsive to the query; and providing, by the endpoint computer systems receiving the query to the server, results responsive to the query including or characterizing the identified artifacts (col. 5, lines 55-67, col. 6, lines 1-9: apply Boolean logic and LSI to search and retrieve the requested information, rank and provide to requestor (col. 6, lines 19-25)). It would have been obvious to a skilled artisan before the instant application was filed to retrieve artifacts from the databases using the technique of Bradford, because it would provide “closeness” of retrieved data to the formulated query (col. 4, lines 7-13), for user satisfaction.

Regarding claims 17 and 20, the claims recite substantially the same content as claim 1, and are rejected using the rationales for rejecting claim 1.

Regarding claim 2, Mahaffey in view of Bradford discloses the method of claim 1 further comprising: storing, for each endpoint computer system, the events or data characterizing the events in the vault maintained on such endpoint computer system (Mahaffey [0087][0016]: observations related to network logging, location logging, device’s states stored in database); wherein the identifying and retrieving and providing both further include events or the data characterizing the events within the corresponding vaults responsive to the query (Mahaffey [0298]: communicate data to a server, based on query as taught by Bradford (Fig. 6)).

Regarding claim 3, Mahaffey in view of Bradford discloses the method of claim 1 (any of the preceding claims), wherein the server indexes the received results enabling such results to be re-used for subsequent queries without communicating to some or all of the endpoint computer systems (Bradford col. 7, lines 7-27: results returned to requestor, who provides feedback about relevancy of result, and allow refining of next queries; feedback from the requestor regarding relevancy of results, for use in refined subsequent queries; the refinement narrows the set of selected documents col. 8, lines 11-18).

Regarding claim 4, Mahaffey in view of Bradford discloses the method of claim 1 (any of the preceding claims), wherein the artifacts are a digital item of interest comprising one or more of a file, a program, network connections, registry keys and 

Regarding claim 5, Mahaffey in view of Bradford discloses the method of claim 1 (any of the preceding claims), wherein the monitoring further comprises receiving and/or inferring at least some of the data using additional data generated external to the endpoint computer system and received by the endpoint computer system by way of a communications interface (Mahaffey [0110]: monitoring from storage device, external to the device).  

Regarding claim 7, Mahaffey in view of Bradford discloses the method of claim 1 (any of the preceding claims), wherein the events comprise actions occurring on the endpoint computer systems and involving at least one artifact on the endpoint computer system and/or wherein the event comprises a capture of what occurred at a specific point in time relating to the at least one artifact (Mahaffey [0067]: record new location of the device, associated with the event of moving).  

Regarding claim 8, Mahaffey in view of Bradford discloses the method of claim 1 (any of the preceding claims), wherein the results comprise one or more of one or more times that a particular file was accessed on the corresponding endpoint computer system, how the particular file was used on the corresponding endpoint computer system, when the particular file was first detected on the corresponding endpoint computer system, location of a registry persistence point, and use of a registry by a 

Regarding claim 9, Mahaffey in view of Bradford discloses the method of claim 1 (any of the preceding claims) further comprising:  mitigating an amount of the data returned as part of the responsive data, the mitigating comprising interpreting the query at the endpoint computer system and focusing on specific data of the results that are most likely to be relevant to a subject of the query (Bradford, col. 7, lines 12-21: mark result as relevant, irrelevant ...)  

Regarding claim 10, Mahaffey in view of Bradford discloses the method of claim 1 (any of the preceding claims), wherein the monitoring of data is performed by one or 

Regarding claim 18, Mahaffey in view of Bradford discloses the system of claim 17 wherein there are a plurality of endpoint computer systems each executing the monitoring, selective storing, receiving, identifying and retrieving, and providing, and the server (Mahaffey Fig. 4, server 415 and devices 1-N).
Regarding claim 19, Mahaffey in view of Bradford discloses the system of claim 18, further comprising the server.

Claims 6, 15 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey and Bradford, in view of US 20140114942 to Belakovskiy et al., hereinafter Belakovskiy. Belakovskiy is cited in IDS dated 5/6/2021.
Regarding claim 6, Mahaffey in view of Bradford discloses the method of claim 1 (any of the preceding claims). Mahaffey/Bradford do not disclose but Belakovskiy teaches pruning a database based on search result ([0011]), wherein the storing of the data in the vaults further comprises determining, based on one or more criteria, to retain in each vault a first subset of the data as more likely to be relevant and to exclude from the corresponding vault and a second subset of the data as more likely to be irrelevant 

Regarding claim 15, Mahaffey in view of Bradford discloses the method of claim 1 (any of the preceding claims) but does not teach the method further comprising: pruning, for each endpoint system, data within the vaults meeting pre-determined deletion criteria. In an analogous art, Belakovskiy teaches pruning a database based on search result ([0011], Fig. 2), teaching the limitation. It would have been obvious to a skilled artisan before the instant application was filed to organize the databases in Mahaffey/Bradford with search indexes and prune irrelevant indexes for improving the efficiency of searching the databases.

Regarding claim 16, Mahaffey in view of Bradford and Belakovskiy discloses the method of claim 15, wherein the pre-determined deletion criteria is based on a timestamp or time associated with such data or a size of files or objects within such data (Belakovskiy, [0023][0030]: prune based on time interval).


Claims 11-14 are rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey and Bradford, in view of US 20180191766 to Holeman et al., hereinafter Holeman. Holeman is cited in IDS dated 5/6/2021.
Regarding claim 11, Mahaffey in view of Bradford discloses the method of claim 1 (any of the preceding claims) further comprising: monitoring the data according to a first set of data collection criteria (Mahaffey [0153]: monitor contextual anomalies); 
Additionally, Mahaffey discloses changing the monitoring level ([0103]), raising a heightened level of alert, and changing the level of anomalousness ([0169][0170][0171]). However, Mahaffey combined with Bradford does not explicitly teach: determining, via a threat detection module, that a heightened level of alert is necessary; and in response to the heightened level of alert, monitoring the data according to a second set of data collection criteria that are broader than the first set of data collection criteria.
In an analogous art, Holeman discloses monitoring activities in a computing device (Abstract), determining, via a threat detection module, that a heightened level of alert is necessary ([0080]); and in response to the heightened level of alert, monitoring the data according to a second set of data collection criteria that are broader than the first set of data collection criteria ([0081]: adjust the monitoring frequency, at a higher frequency, and amount of observation data to collect). Therefore it would have been obvious to a skilled artisan before the instant application was filed to increase the monitoring level, for instance to a higher frequency corresponding to more data collected, as taught by Holeman, and thereby teach the claim, because it would add flexibility to the monitoring, which would be tailored to the performance of the system as well as the risks occurring in the system (Holeman [0018]).


Regarding claim 12, Mahaffey in view of Bradford and Holeman discloses the method of claim 11, wherein the threat detection module comprises a machine learning component (Mahaffey [0084]: monitoring includes machine learning-based classifiers).

Regarding claim 13, Mahaffey in view of Bradford and Holeman discloses the method of claim 12, wherein the machine learning component performs at least one operation selected from determining that the heightened level of alert is necessary (machine learning of Mahaffey [0084] used to increase monitoring level as taught by Holeman ([0080])), blocking or terminating execution of a process or thread (Holeman [0082]: suspend process), and determining that the alert level can be lowered back to the first set of data collection criteria (Holeman [0018]: relax the monitoring given a low risk assessment).

Regarding claim 14, Mahaffey in view of Bradford and Holeman discloses the method of claim 13, wherein the machine learning component accomplishes the at least one operation by processing data already in the vault to determine that a potentially undesirable event has occurred and/or by processing the monitored data as it is received to determine that a potentially undesirable event is currently occurring (Mahaffey [0157]: monitor and score the state of the device in real time).  


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Lutas et al., US 10630643, disclose a client detecting an access violation, receiving an analysis request from a remote server, and collecting malware-indicative data, retrieved from a local database and provided to the server.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CATHERINE B THIAW whose telephone number is (571)270-1138. The examiner can normally be reached Monday-Friday 7am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CARL G COLIN can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 



/Catherine Thiaw/ Primary Examiner, Art Unit 2493
2/12/2022