Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Office Action is in response to the reply filed on 1/28/2022. Claims 1-18 are pending. This Office Action is Final.


Response to Arguments
	A) Applicant’s arguments with respect to claim(s) 1, 7 and 13 have been considered but are moot because the new ground of rejection does not rely on the same exact combination of references applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having 

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
	
Claims 1, 2, 7, 8, 13, 14 and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Studnitzer et al. (US 2018/0276541) in view of Turgeman et al. (US 2018/0103047).

	As per claim 1, Studnitzer teaches a computer-implementable method for identifying probability distributions, comprising: receiving a stream of events, the stream of events comprising a plurality of events; extracting features from the plurality of events, at least some extracted features corresponding to interrelated events; identifying items of interest based upon the interrelated events (Studnitzer, Paragraph 0099 recites “ A LSTM network may analyze streams of interrelated events and identify patterns between the events that are similar and have a high probability of recurrence based on historical trends. A LSTM based network may be used to identify similarities in vectors representing partially deconstructed data and produce as output the complete data or identify similarities between data by isolating and analyzing the objects within the data.”). 
	But fails to teach each of the plurality of events referring to an occurrence of an action performed by an entity; generating a distribution value based upon the items of interest; and performing a security analytics operation, the security analytics operation using the distribution value to identify anomalous, abnormal, unexpected or malicious behavior associated with the entity.
	However, in an analogous art Turgeman teaches generating a distribution value based upon the items of interest each of the plurality of events referring to an occurrence of an action performed by an entity; generating a distribution value based upon the items of interest; and performing a security analytics operation, the security analytics operation using the distribution value to identify anomalous, abnormal, unexpected or malicious behavior associated with the entity (Turgeman, Paragraph 0072 recites “Optionally, the Bot/Malware/Script determination module 174 may comprise, or may utilize or may be associated with, a Statistical Analysis Unit which may perform statistical analysis of data of input-unit(s) interactions; for example, calculating average, mean, standard deviation, variance, distribution, distribution pattern(s), and/or other statistical properties of the registered or reported input-unit(s) events or gestures or data; and then, comparing them or matching them to general-population statistical properties of human-users utilization of such input-units, in order to find a mismatch or a significant deviation from human-characterizing statistical properties of human behavior.” The user input interactions would read on events performed by an entity.  And Malware determination would read on malicious behavior).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Turgeman’s detection of computerized bots and automated cyber-attack modules With Studnitzer’s deep learning for credit controls because the use of a malware detection module would help by using statistics to determine abnormal patterns. 
 
	As per claim 2, Studnitzer in combination with Turgeman teaches the method of claim 1, Studnitzer further teaches wherein: each of the plurality of events correspond to a respective time window, the items of interest are associated with events from a sequence of respective time windows (Studnitzer, Paragraph 0152 recites “At act A340, the activity module 142 calculates, using the one or more patterns, an abnormality score that represents a level of deviation between the current transaction data and the historic participant transaction data. The new transaction data is encoded. The encoded value is compared against historic encoded data for the same instrument within a search time window. The nearest matches are returned. If the average of the difference between best matches and the target data set is outside an acceptable value, then an alert may be generated. The extent of the deviation from the acceptable value may be used to direct actions varying from warnings to interruption of trading.”).




Regarding claims 7 and 13, claims 7 and 13 are directed to a system and a non-transitory readable medium associated with the method of claim 1. Claims 7 and 13 are of similar scope to claim 1, and are therefore rejected under similar rationale.

Regarding claims 8 and 14, claims 8 and 14 are directed to a system and a non-transitory readable medium associated with the method of claim 2. Claims 8 and 14 are of similar scope to claim 2, and are therefore rejected under similar rationale.

	As per claim 19, Studnitzer in combination with Turgeman teaches the non-transitory, computer-readable storage medium of claim 13, Studnitzer further teaches wherein the computer executable instructions are deployable to a client system from a server system at a remote location (Studnitzer, Paragraph 0081 recites “ The computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. A system may depend on certain rules, logic, and inter-related objects and data. In technical and computing environments, a system may calculate values for multiple objects subject to rules, e.g., business or environment logic, associated with the objects. Certain object types may also depend on other object types.”).

Claims 3, 4, 9, 10, 15  and 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Studnitzer et al. (US 2018/0276541) and Turgeman et al. (US 2018/0103047) and in further view of Vizer et al. (US 2018/0107528).

	As per claim 3, Studnitzer in combination with Turgeman teaches the method of claim 2, but fails to teach wherein: the distribution value of individual features associated with interrelated events corresponding to a sequence of time windows are combined to provide a staggered time window distribution.
	However, in an analogous art wherein: the distribution value of individual features associated with interrelated events corresponding to a sequence of time windows are combined to provide a staggered time window distribution (Vizer, Paragraph 0064 recites “Referring to FIG. 5, once a specific event is identified (e.g., as one of the identified events 124) at 500, a user may view the context of similar or time correlated events at 502. For example, a list of events of the specific identified event 500 may be displayed at 502. At 504, the complete text of the identified event may be displayed with parameters highlighted, for example, by an underline. As described herein, the parameters may be identified by the events collection module 108. At 506, a chart, such as a pie chart, may be provided to illustrate a distribution of unique values of the parameter in focus over all instances of the event in a current time window.” The sequence windows would be an obvious variation of observance when using time windows to monitor for events).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Vizer’s aggregation based event identification


	As per claim 4, Studnitzer in combination with Turgeman teaches the method of claim 2, but fails to teach wherein: the respective time windows correspond to discrete periods of time; and, a distribution is generated for each of discrete period of time, the distribution comprising a distribution value based upon events corresponding to the discrete periods of time, each distribution value being iteratively aggregated.
	However, in an analogous art Vizer teaches wherein: the respective time windows correspond to discrete periods of time; and, a distribution is generated for each of discrete period of time, the distribution comprising a distribution value based upon events corresponding to the discrete periods of time, each distribution value being iteratively aggregated (Vizer, Paragraph 0064 recites “Referring to FIG. 5, once a specific event is identified (e.g., as one of the identified events 124) at 500, a user may view the context of similar or time correlated events at 502. For example, a list of events of the specific identified event 500 may be displayed at 502. At 504, the complete text of the identified event may be displayed with parameters highlighted, for example, by an underline. As described herein, the parameters may be identified by the events collection module 108. At 506, a chart, such as a pie chart, may be provided to illustrate a distribution of unique values of the parameter in focus over all instances of the event in a current time window.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Vizer’s aggregation based event identification
With Studnitzer’s deep learning for credit controls because the use of time windows has the advantage of establishing a period in which to observe events. 

Regarding claims 9 and 15, claims 9 and 15 are directed to a system and a non-transitory readable medium associated with the method of claim 3. Claims 9 and 15 are of similar scope to claim 3, and are therefore rejected under similar rationale.

Regarding claims 10 and 16, claims 10 and 16 are directed to a system and a non-transitory readable medium associated with the method of claim 4. Claims 10 and 16 are of similar scope to claim 4, and are therefore rejected under similar rationale.

Claims 5, 6, 11, 12, 17 and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Studnitzer et al. (US 2018/0276541) and Turgeman et al. (US 2018/0103047) and in further view of Harutyunyan et al. (US 2018/0349221).

	As per claim 5, Studnitzer in combination with Turgeman teaches the method of claim 2, but fails to teach wherein: the respective time windows comprise a series of sequentially generated time windows, the series of sequentially generated time windows being generated from overlapping periods of time 
	However, in an analogous art Harutyuyan wherein: the respective time windows comprise a series of sequentially generated time windows, the series of sequentially generated time windows being generated from overlapping periods of time (Harutyunyan, Paragraph 0004 recites “In one aspect, event messages generated by an event source of the distributed computing system are ingested over time. A divergence value is computed from the distribution of different types of event messages generated in each overlapping time interval of a sliding time window.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Harutyunyan’s methods and systems to detect and classify changes in a distributed computing system with Studnitzer’s deep learning for credit controls because the use of overlappin time windows has the advantage of establishing a period in which to observe events but not having to stick to a rigid sequence.  

	As per claim 6, Studnitzer in combination with Turgeman and Harutyunyan teaches the method of claim 5, Studnitzer further teaches wherein: the generating the distribution value comprises performing a continuous processing operation, the continuous processing operation continuously processing events from the sequentially generated time windows (Studnitzer, Paragraph 0049 recites “ The activity module 142 may be configured to continuously generate a model for each of a customer, firm, or market. The activity module 142 may be configured to generate an alert to the Exchange or market participant when the activity module 142 detects activity exceeding an abnormality threshold level as established by the neural network through prior training under various market conditions.”).

Regarding claims 11 and 17, claims 11 and 17 are directed to a system and a non-transitory readable medium associated with the method of claim 5. Claims 11 and 17 are of similar scope to claim 5, and are therefore rejected under similar rationale.

Regarding claims 12 and 18, claims 12 and 18 are directed to a system and a non-transitory readable medium associated with the method of claim 6. Claims 12 and 18 are of similar scope to claim 6, and are therefore rejected under similar rationale.

Claim 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Studnitzer et al. (US 2018/0276541) and Turgeman et al. (US 2018/0103047) and in further view of Fiske et al. (US 2013/0290598).

	As per claim 20, Studnitzer in combination with Turgeman teaches the non-transitory, computer-readable storage medium of claim 13, but fails to teach wherein the computer executable instructions are provided by a service provider to a user on an on-demand basis.
	However, in an analogous art Fiske teaches (Fiske, Paragraph 0152 recites “Cloud computing is a model of service delivery for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, network bandwidth, servers, processing, memory, storage, applications, virtual machines, and services) that can be rapidly provisioned and released with minimal management effort or interaction with a provider of the service. This cloud model may include at least five characteristics, at least three service models, and at least four deployment models.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Fiske’s Reducing Power Consumption by Migration of Data .

	Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661. The examiner can normally be reached Mon- Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

RODERICK . TOLENTINO
Examiner
Art Unit 2439



/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439