Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is responsive to the Application filed in the U.S. on 4/22/2020. Claims 1-20 are pending in the case. Claims 1, 9, and 18 are written in independent form.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 9-17 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter: the claims refer to a "computer readable medium", which can include both storage media and communication media, including signals. The specification only provides non-limiting examples, specifically when reviewing Paragraphs [00234]-[00235].


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Ranum et al. (U.S. Pre-Grant Publication No. 2014/0013434, hereinafter referred to as Ranum) and further in view of Liang (U.S. Pre-Grant Publication No. 2005/0144162).

Regarding Claim 1:
Ranum teaches a method comprising:
defining a set of context types, where each context type in the set of context types is a class of context representing a particular type of information as described by an event;
Ranum teaches "the log aggregator 290 may identify subsets of the events that relate to particular intrusion events, attacker network addresses, assets having vulnerabilities that the intrusion events and/or the attacker network addresses target, etc." (Para. [0040]) thereby teaching multiple context types representing types of information related to particular event types.
defining a set of source types, each source type in the set of source types comprising one or more context types included in events from data sources having the source type;
Ranum teaches determining a first source type associated with the first subset of events by teaching “the log aggregator 290 may identify subsets of the events that relate to particular intrusion events" (Para. [0040]), thereby teaching a defined set of source types comprising one or more context types.
defining, for each source type of the set of source types, and for each context type of the one or more context types included in the events from data sources having the source type, a context definition comprising a set of fields, in events from the data sources, that are associated with the context type;
Ranum teaches "the log aggregator 290 may identify subsets of the events that relate to particular intrusion events, attacker network addresses, assets having vulnerabilities that the intrusion events and/or the attacker network addresses target, etc." (Para. [0040]), thereby teaching a context definition.
Ranum further teaches "the log aggregator 290 may identify subsets of the events that relate to particular intrusion events, attacker network addresses, assets having vulnerabilities that the intrusion events and/or the attacker network addresses target, etc." (Para. [0040]) thereby teaching multiple subsets of events relating to multiple context types associated with context definitions.
receiving a query, the query comprising a first field value and a time period;
Ranum teaches "the log aggregator 290 may filter events contained in the logs, the information describing the observed network traffic, and/or the information describing the snapshot of the network to limit the information that the log aggregator 290 normalizes, analyzes, and correlates to information relevant to a certain security posture” (Para. [0040]) thereby teaching receiving a query describing events of interest contained in the logs using information describing the observed network traffic at a point in time of a particular snapshot of the network.
retrieving a plurality of events that include the first field value and have the time period;
Ranum teaches performing a first search of a data store by teaching "the active scanners 210 may generally interrogate any suitable device 230 in the network to obtain information describing a snapshot of the network at any particular point in time" (Para. [0041]).  Ranum further teaches using the first field value to identify a plurality of events having the time period and at least one field that comprises the first field value by teaching "the log aggregator 290 may identify subsets of the events that relate to particular intrusion events, attacker network addresses, assets having vulnerabilities that the intrusion events and/or the attacker network addresses target, etc." where “the log aggregator 290 may filter events contained in the logs, the information describing the observed network traffic and/or the information describing the snapshot of the network to limit the information that the log aggregator 290 normalizes, analyzes, and correlates to information relevant to a certain security posture” (Para. [0040]).
for each retrieved event, and for each context definition defined for a source type and a context type of a data source from which the retrieved event originated, determining field values and field names of fields in the set of fields of the context definition;
Ranum teaches a context definition defined for a source type by teaching "the log aggregator 290 may identify subsets of the events that relate to particular intrusion events, attacker network addresses, assets having vulnerabilities that the intrusion events and/or the attacker network addresses target, etc." (Para. [0040]) and “only normalizing, analyzing, and correlating the events in a subset of the logs that relate to a certain security posture” (Para. [0040]). Ranum therefore teaches each event in the identified subset(s) having a field value for one or more fields related to “particular intrusion events, attacker network addresses, assets having vulnerabilities that the intrusion events and/or the attacker network addresses target, etc.”, thus determining field values and field names of fields in the set of fields of the context definition for the corresponding source type.

Ranum teaches all of the limitations as stated above except:
aggregating, for each context type, determined field values and field names from the events associated with that context type; and
generating an output comprising a result of the aggregating.

However, in the related field of endeavor of searching, Liang teaches:
aggregating, for each context type, determined field values and field names from the events associated with that context type; and
Liang teaches “one or more files matching the first search criterion are organized into a first set of categories that is a collection of the categories into which the one or more files that match the first search criterion are classified” (Para. [0066]).  Liang further teaches displaying results grouped by categories and subcategories, thereby teaching subsets of the search results of different subcategories sharing the same category being aggregated together under the shared category (Fig. 3 & Para. [0063]).
generating an output comprising a result of the aggregating.
Liang teaches generating a response to the query comprising the results aggregated into sections using categories and subcategories (Fig. 3 & Para. [0063]).

Thus it would have been obvious to one of ordinary skill in the art, having the teachings of Liang and Ranum at the time that the claimed invention was filed, to have combined the user options on what types of search results to search for, as taught by Liang, with the system and method for anti-malware monitoring taught by Ranum.
One would have been motivated to make such combination because Liang teaches using “generated criteria…to improve a match of results of the search to the user’s intention” (Para. [0086]).

Regarding Claim 2:
Ranum and Liang further teach:
generating a list of contexts organized by context type, wherein each context comprises the determined field values and the associated field names from an event, and wherein the output comprises the list of contexts.
Liang teaches “one or more files matching the first search criterion are organized into a first set of categories that is a collection of the categories into which the one or more files that match the first search criterion are classified” (Para. [0066]).  Liang further teaches displaying results grouped by categories and subcategories, thereby teaching subsets of the search results of different subcategories sharing the same category being aggregated together under the shared category (Fig. 3 & Para. [0063]).

Regarding Claim 3:
Ranum and Liang further teach:
wherein a plurality of events comprise matching contexts;
Ranum teaches performing a first search of a data store by teaching "the active scanners 210 may generally interrogate any suitable device 230 in the network to obtain information describing a snapshot of the network at any particular point in time" (Para. [0041]).  Ranum further teaches using the first field value to identify a plurality of events having the time period and at least one field that comprises the first field value by teaching "the log aggregator 290 may identify subsets of the events that relate to particular intrusion events, attacker network addresses, assets having vulnerabilities that the intrusion events and/or the attacker network addresses target, etc." where “the log aggregator 290 may filter events contained in the logs, the information describing the observed network traffic and/or the information describing the snapshot of the network to limit the information that the log aggregator 290 normalizes, analyzes, and correlates to information relevant to a certain security posture” (Para. [0040]).
the method further comprising:
determining a count of instances of each context, wherein the output comprises, for each context, the count of instances of the context.
Liang teaches “the matched pages in a category or subcategory with the highest number of pages…may be displayed as a default” (Para. [0063]) thereby teaching counting the number of matching pages within each category or subcategory and outputting the count for each category or subcategory to affect the display of the matching pages.

Regarding Claim 4:
Ranum and Liang further teach:
generating a dictionary of contexts keyed by context type.
Ranum teaches logs describing connections observed in the network that are associated with potential botnet activity may be collected “wherein potential botnet activity may be detected if at least one connection observed in the network has a source or destination IP address or queries a DNS IP address that appears in the database that lists the known botnet IP addresses” (Para. [0023]) thereby teaching key-value pairs between fields such as source and destination IP addresses and values associated with them being the actual IP addresses. Ranum further teaches aggregating “all known virus or malware signatures that various anti-virus vendors have catalogued to detect malware infections” (Abstract) thereby teaching generating a dictionary of catalogued contexts wherein a cataloging indicates using a key feature to organize or order the collected contexts.
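The steps recited in Claim 1, together with the refinements of Claims 2, 3 and 4 (a list of contexts organized by context type, a count of instances of each context, and a dictionary of contexts keyed by context type), describe an event-contextualization procedure. The following Python program is an added illustration written for this page; it is not code from the application, from Ranum or from Liang, and its context types, source types, field names, time period and sample events are constructed assumptions chosen only to exercise each step.

```python
"""Context aggregation over security events, following the claimed steps:
define context types, define source types and their context definitions,
query by a field value and a time period, retrieve matching events, extract
the fields of each applicable context definition, aggregate per context type
and generate an output.  All data below is constructed sample input."""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Context types: each is a class of context describing one kind of information.
CONTEXT_TYPES = {"network", "endpoint", "threat", "identity"}

# Source types, and for each (source type, context type) pair a context
# definition: the event fields that belong to that context for that source.
# Assumed names; a real deployment would derive these from its log schemas.
CONTEXT_DEFINITIONS = {
    "firewall": {"network": ("src_ip", "dst_ip", "dst_port")},
    "edr": {"endpoint": ("host", "process"),
            "threat": ("signature", "file_hash"),
            "identity": ("user",)},
    "auth": {"identity": ("user", "result"),
             "network": ("src_ip",)},
}
assert all(ct in CONTEXT_TYPES for d in CONTEXT_DEFINITIONS.values() for ct in d)


def ts(text):
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Constructed events from three source types plus one ("dns") with no
# context definition, which must contribute nothing to the aggregation.
EVENTS = [
    {"source_type": "firewall", "time": ts("2022-02-26T10:00:00"),
     "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7", "dst_port": 443},
    {"source_type": "edr", "time": ts("2022-02-26T10:01:00"), "host": "ws-17",
     "process": "svchost.exe", "signature": "TEST-SIG-001",
     "file_hash": "placeholder-hash", "user": "alice", "src_ip": "10.0.0.5"},
    {"source_type": "auth", "time": ts("2022-02-26T10:02:00"),
     "user": "alice", "result": "failure", "src_ip": "10.0.0.5"},
    {"source_type": "auth", "time": ts("2022-02-26T10:02:30"),
     "user": "alice", "result": "failure", "src_ip": "10.0.0.5"},
    {"source_type": "dns", "time": ts("2022-02-26T10:02:45"),
     "src_ip": "10.0.0.5", "qname": "example.invalid"},
    # Outside the queried period: must not be retrieved.
    {"source_type": "firewall", "time": ts("2022-02-25T09:00:00"),
     "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7", "dst_port": 80},
    # Inside the period but without the queried field value: must not match.
    {"source_type": "auth", "time": ts("2022-02-26T10:03:00"),
     "user": "bob", "result": "success", "src_ip": "10.0.0.9"},
]

QUERY_START = ts("2022-02-26T00:00:00")
QUERY_END = ts("2022-02-26T23:59:59")


def retrieve_events(events, field_value, start, end):
    """Events within [start, end] having at least one field equal to field_value."""
    return [e for e in events if start <= e["time"] <= end
            and any(v == field_value for k, v in e.items()
                    if k not in ("source_type", "time"))]


def extract_contexts(event):
    """For each context definition of the event's source type, the field names
    and values present in the event.  Unknown source types yield nothing."""
    contexts = []
    for ctx_type, fields in CONTEXT_DEFINITIONS.get(event["source_type"], {}).items():
        ctx = {f: event[f] for f in fields if f in event}
        if ctx:
            contexts.append((ctx_type, ctx))
    return contexts


def aggregate(events, field_value, start, end):
    """Dictionary keyed by context type -> list of contexts from matching events."""
    by_type = defaultdict(list)
    for event in retrieve_events(events, field_value, start, end):
        for ctx_type, ctx in extract_contexts(event):
            by_type[ctx_type].append(ctx)
    return dict(by_type)


def count_contexts(by_type):
    """Per context type, each distinct context with its number of instances,
    most frequent first (ties keep first-seen order)."""
    counts = {}
    for ctx_type, ctxs in by_type.items():
        tally = Counter(tuple(sorted(c.items())) for c in ctxs)
        counts[ctx_type] = [(dict(k), n) for k, n in tally.most_common()]
    return counts


def render(counts):
    """Generate the output: one section per context type, one line per context."""
    lines = []
    for ctx_type in sorted(counts):
        lines.append(f"[{ctx_type}]")
        for ctx, n in counts[ctx_type]:
            lines.append(f"  x{n}  " + ", ".join(f"{k}={v}" for k, v in ctx.items()))
    return "\n".join(lines)


if __name__ == "__main__":
    result = aggregate(EVENTS, "10.0.0.5", QUERY_START, QUERY_END)
    print(render(count_contexts(result)))
```

Running the module queries the constructed events for the address 10.0.0.5 on 2022-02-26: five events are retrieved, the "dns" event is dropped at the context-extraction step because no context definition exists for its source type, and the two identical failed-logon identity contexts collapse into a single entry with a count of 2.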

Regarding Claim 5:
Ranum and Liang further teach:
wherein the first field value is one of an internet protocol address, a host name, a file hash, a media access control address, an account name, a file path, or a universal resource locator.
Ranum teaches using the first field value to identify a plurality of events having the time period and at least one field that comprises the first field value by teaching "the log aggregator 290 may identify subsets of the events that relate to particular intrusion events, attacker network addresses, assets having vulnerabilities that the intrusion events and/or the attacker network addresses target, etc." where “the log aggregator 290 may filter events contained in the logs, the information describing the observed network traffic and/or the information describing the snapshot of the network to limit the information that the log aggregator 290 normalizes, analyzes, and correlates to information relevant to a certain security posture” (Para. [0040]). Ranum further teaches using hashes or other signatures for searching for and detecting malware infections (Abstract) and identifying indexed data using additional field values by teaching “in one implementation, the tables or manifests that list the file hashes, file names, and paths associated with the trusted file systems indexed in operation 310 may therefore describe a directory or folder structure that represent ‘ideal’ or master sets that can be used to baseline subsequent comparisons used to detect whether viruses or other malware have infected the network” (Para. [0046]).

Regarding Claim 6:
Ranum and Liang further teach:
wherein the set of context types includes at least one of:
a network context type associated with traffic across networks,
Ranum teaches "the log aggregator 290 may identify subsets of the events that relate to particular intrusion events, attacker network addresses, assets having vulnerabilities that the intrusion events and/or the attacker network addresses target, etc." (Para. [0040]) thereby teaching multiple context types representing types of information related to particular event types.
an endpoint context type associated with devices on networks,
a threat context type associated with detected threats,
an identity context type associated with at least one of users or accounts,
an application context type associated with at least one of service requests or service responses, or
a data context type associated with content of network traffic.

Regarding Claim 7:
Ranum and Liang further teach:
wherein at least one event of the plurality of events is associated with a plurality of context types.
Liang teaches “the categorization hierarchy can be deeper than two levels with sub-categories, and so on, and a subcategory can belong to more than one upper-level categories” (Para. [0055]), thereby teaching that an event can be associated with a plurality of categories and subcategories.

Regarding Claim 8:
Ranum and Liang further teach:
wherein one or more of the events comprise log entries.
Ranum teaches receiving and normalizing “events contained in various logs received from the sources distributed across the network and aggregate the normalized events” (Para. [0015]) thereby teaching the plurality of events comprising log entries having an original log entry format generated from a source that needs to be normalized before being aggregated.

Regarding Claim 9:
Some of the limitations herein are similar to some or all of the limitations of Claim 1.

Ranum and Liang further teach:
a computer readable medium comprising instructions that, when executed by a processing device, cause the processing device to perform operations (Ranum – Para. [0082]).

Regarding Claim 10:
All of the limitations herein are similar to some or all of the limitations of Claim 2.

Regarding Claim 11:
All of the limitations herein are similar to some or all of the limitations of Claim 3.

Regarding Claim 12:
All of the limitations herein are similar to some or all of the limitations of Claim 4.

Regarding Claim 13:
All of the limitations herein are similar to some or all of the limitations of Claim 5.

Regarding Claim 14:
All of the limitations herein are similar to some or all of the limitations of Claim 6.

Regarding Claim 15:
All of the limitations herein are similar to some or all of the limitations of Claim 7.

Regarding Claim 16:
All of the limitations herein are similar to some or all of the limitations of Claim 1.

Regarding Claim 17:
All of the limitations herein are similar to some or all of the limitations of Claim 8.

Regarding Claim 18:
Some of the limitations herein are similar to some or all of the limitations of Claim 1.

Ranum and Liang further teach a system comprising:
a memory to store instructions (Ranum – Para. [0082]); and
a processing device operatively coupled to the memory, the processing device to execute the instructions (Ranum – Para. [0082]).

Regarding Claim 19:
All of the limitations herein are similar to some or all of the limitations of Claims 2, 3, and 4.

Regarding Claim 20:
All of the limitations herein are similar to some or all of the limitations of Claims 1 and 16.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Bingham et al. (U.S. Pre-Grant Publication No. 2014/0324862, hereinafter referred to as Bingham) teaches describing the context of events using fields (Para. [0075]) thereby teaching a context definition comprising a plurality of fields that describe the context of the event, and teaches details of tracked events as field values and/or time stamps that describe a first context of events (Para. [0130]).

Saurabh et al. (U.S. Patent No. 8,930,380, hereinafter referred to as Saurabh) teaches messages received at a receiver of platform 102 from a collector (Fig. 9) where the “messages comprise key-value pairs” that can be “enriched through the addition of other keys” (Col. 9 lines 30-41) and “context data can be mapped to portions of the data received via the message piles” where “such context information is an example of data that can be used to augment messages” (Col. 9 lines 8-18). Saurabh further teaches the messages being received by platform 102 as being log information (Col. 2 lines 48-63) and, in one particular example, “a payload is a log from a software application indicating that a particular event took place at a particular time” (Col. 5 lines 56-67). Saurabh also teaches “context data can be mapped to portions of the data received via the message piles” where “such context information is an example of data that can be used to augment messages” (Col. 9 lines 8-18) and “one benefit of enriching a message is that when the message is indexed, the result will be more useful when performing searches (e.g., by allowing the data to be partitioned in more ways)” (Col. 9 lines 30-41).
Makanju et al. (Non-Patent Literature "LogView: Visualizing Event Log Clusters", October 1-3, 2008, IEEE) teaches event clustering algorithms for clustering events of log files and utilizing treemaps to visualize the hierarchical structure of the clusters.
Seitz et al. (U.S. Pre-Grant Publication No. 2005/0154722) teaches a database to be queried where “the database 840 also includes one or more divisions in the form of categories provided in category tables 850” where “the category table 850 describes multiple, hierarchical category data structures, and include multiple category records, each of which describes the context of a particular category within the multiple hierarchical category structures” (Para. [00243]).
Cao et al. (U.S. Pre-Grant Publication No. 2016/0004733) teaches an event log system for receiving and storing event log records from a plurality of log sources, parsing the event log records into key-value pairs to be stored based on a time range unit.
Levi et al. (U.S. Pre-Grant Publication No. 2016/0164893) teaches an event management system that determines context for received events and associates the determined context with the event.
Neels et al. (U.S. Pre-Grant Publication No. 2015/0026167) teaches identifying data in response to a search query, discovering fields of the data, selecting a field and one or more criteria for the selected field, and filtering the identified data based on the one or more criteria of the selected field.
Xiong (U.S. Pre-Grant Publication No. 2008/0294596) teaches an abstract query received for querying data sources for a combined hierarchical dimension having at least one hierarchy, the abstract query is mapped into data source specific queries by generating context expressions according to the at least one hierarchy.
Sakamura (U.S. Patent No. 5,182,811) teaches reading internal state variables simultaneously with reading the head address of an EIT process handler from an external memory when an EIT process is started so that it enables the internal state to be set on the basis of the information of the variable when the EIT process handler starts where when a plurality of EIT process requests are generated, the process order is decided based on the priority from the content of the request.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT F MAY whose telephone number is (571)272-3195. The examiner can normally be reached Monday-Friday 9:30am to 6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hosain Alam can be reached on 571-272-3978. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ROBERT F MAY/Examiner, Art Unit 2154    2/26/2022

/HOSAIN T ALAM/Supervisory Patent Examiner, Art Unit 2154