DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendments
The action is responsive to the Applicant’s Amendment filed on 11/19/2021. Claims 1, 3, and 5-22 are pending in the application. Claims 1, 12, 14, and 20 are amended, claims 2 and 4 are canceled, and claims 21 and 22 are new.
Applicant’s amendments to the claims have overcome each and every objection previously set forth in the Non-Final Office Action mailed 08/19/2021.

Response to Arguments
Applicant’s arguments with respect to the rejections of claims 1-20 have been fully considered. In view of the claim amendment filed, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made. 
Further, regarding the new limitations recited in claims 1, 14, and 20-22, it is submitted that they are properly addressed by the new ground of rejection.
Furthermore, it is also submitted that all limitations in pending claims, including those not specifically argued, are properly addressed. The reason is set forth in the rejections. See claim analysis below for detail.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3, 5-6, 8-9, 11-12, 14-15, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Pratt et al.  (US Patent No. 10673880 B1, hereinafter Pratt) in view of Orsi et al. (WO 2014093198 A1, hereinafter Orsi).

Regarding Claim 1, Pratt discloses a system for implementing a behavior analysis engine (BAE) to improve computer query processing (Fig. 2A, rules-based network security system 124), comprising: 
at least one processor operatively coupled to a memory (Fig. 34, computer system 3600 includes one or more processor(s) 3610, memory 3620) and configured to implement: 
a system architecture for the system ([Col. 8, lines 35-36]: Fig. 1B is an architecture flow diagram that illustrates, at a high level, the process 160) comprising a system layer (Fig. 1B Machine-Learning Based Network Security System 122), a data layer (Data Intake & Query System 108), and a local rule base (Rules-Based Network Security System 124);
a user interface displayed on a device and configured to manage and visualize rules associated with system behavior, the user interface including an interface for user composition of a rule (Fig. 1, [Col. 57, lines 42-45]: For example, user input specifying an anomaly detection rule may be input via graphical user interface (GUI) 162 associated with a rules-based network security system 124), the rule including a header section, a state section, a behavior section, and a model section, the header section specifying a namespace, a name of a rule file associated with the rule, and rule inheritance, the state section specifying state information to read data from a database, the behavior section defining an execution between one or more of the states using supported operations, and the model section specifies a format of an output (([Col 59, lines 10-34]: FIG. 33 shows an example interactive view 3500 through which a user can specify a rule for anomaly detection… For example, the rule can be defined as one or more conditional statements in any of a number of programming languages... In some embodiments, option 3506 may include template rules with one or more editable parameters…  In some embodiments, parameters may be set by selecting from a list of available values for each parameter [The sections correspond to fields in a template with editable parameters]); and 
a BAE service including program code ([Col. 9, lines 10-12]: Similarly, the respective functionalities of systems 108, 122, 124, may be implemented as one or more services by one or more service providers. These services may be accessible to end-users via any of client applications 110 or host applications 114) to: 
receive, via the user interface, a job request to execute an input rule on target log data ([Col. 11, lines 65-67]: The communication between a client device 102 and host application 114 may include sending various requests; [Col. 8, lines 40-42]: As shown in FIG. 1B, at step 166 a user 164 (e.g. a network administrator) provides input that defines a rule for detecting anomalies based on received data (e.g. machine data); [Col. 3, lines 41-42]: Machine-generated data can include system logs);
execute the job request to generate a result by obtaining the input rule from a rule-base (Fig. 1B; [Col. 8, lines 54-56]: A rules-based network security system 124 can process received data with the user-specified rule to detect anomalous activity and output anomaly data based on that activity),
optimizing the data structure using temporal order optimization including query optimization by query processing ordering, and executing one or more operations using the optimized data structure ([Col. 17, lines 41-43]: By storing events in buckets for specific time ranges, an indexer may further optimize data retrieval process by searching buckets corresponding to time ranges that are relevant to a query [Time ranges that are relevant to a query correspond to query processing ordering]; [Col. 16, lines 38-42]: The properties may, for example, instruct an indexer to… to interpolate time values based on timestamps associated with temporally proximate events [temporal order optimization]); and 
store the result in a result database (Fig. 3, [Col. 17, lines 22-23]: At block 318, the indexer stores the events with an associated timestamp in a data store 208).
However, Pratt does not explicitly teach “parsing the input rule to create a data structure”.
On the other hand, in the same field of endeavor, Orsi teaches parsing the input rule to create a data structure (Fig. 9; [0189]: Rules and facts are input to the rule engine 632 and routed to either rule parser 902, for the rules, and fact loader 904, for the facts. Parsed rules are then stored in the fact term storage 706 for use by the forward- chaining executor 708 or the backward-chaining executor 710… As rules and facts are executed by the backward-chaining executor 710, proofs or suspended proofs are stored in the proof tree 716 and proof tree splitter 720 [proof tree 716 corresponds to a data structure]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the method of Pratt with the teachings of Orsi to include “parsing the input rule to create a data structure.”
The motivation for doing so would be to allow rules to be implemented by the rule engine, as recognized by Orsi ([0186]: The database 634 includes a number of separate sections of data, including rule storage 810 for the rules to be implemented by the rule engine).

Regarding Claim 3, the combined teachings of Pratt and Orsi disclose the system of claim 1, wherein the user interface permits user verification of a new rule generated by the machine learning component ([Col. 9, lines 58-65]: As in the real-time data path, anomalies, threat indicators and threats discovered by the batch analyzer may be actionable automatically or may be presented to a human operator for decision on whether to take action. The action taken by the operator to validate or invalidate the conclusions reached by the batch analyzer may serve as a source of feedback to the security platform to improve its evaluation of subsequently processed data; [Col. 22, lines 55-57]: These anomalies, threat indicators and threats may be provided to a user interface (UI) system 850 for review by a human operator 852).


Regarding Claim 5, the combined teachings of Pratt and Orsi disclose the system of claim 1, wherein the BAE service provides one or more application programming interfaces ([Col. 21, lines 27-30]: The data sources 802 provide data to data receivers 810, which implement various APIs and connectors to receive (or retrieve, depending on the mechanism) the data for the security platform 800).

Regarding Claim 6, the combined teachings of Pratt and Orsi disclose the system of claim 5, wherein the one or more APIs include one or more RESTful APIs ([Col. 21, lines 35-40]: Technologies employed to implement the data receiver 810 may include Flume™ and REST™. Flume™ is an open-source distributed service for collecting, aggregating, and moving large amounts of log data. REST™ is an interface for accessing large databases).

Regarding Claim 8, the combined teachings of Pratt and Orsi disclose the system of claim 1, wherein the BAE service further includes program code to validate or compose a rule ([Col. 59, lines 10-15]: FIG. 33 shows an example interactive view 3500 through which a user can specify a rule for anomaly detection. In the example embodiment, view 3500 includes an option 3502 to input a title for the rule, an option 3504 to set a category for anomaly detected according to the rule, and an option 3506 to specify the rule), and
store the validated or composed rule in one or more types of rule bases (Fig. 5; [Col. 19, lines 48-50]: Also, in some embodiments users may provide input via applications in the applications layer to specify rules in the rules layer 612).

Regarding Claim 9, the combined teachings of Pratt and Orsi disclose the system of claim 8, wherein the one or more types of rule-bases include a local rule-base and a global rule-base ([Col. 2, lines 55-56]: FIG. 25 illustrates an example use case for identifying threat indicators based on local and global rarity analysis; [Col. 54, lines 30-36]:As shown in Fig. 25… The events 2280 can also be processed according to a user specified anomaly detection rules that are associated with a particular entity (e.g. local rule associated with entity 1. For example a network administrator may specify a rule to output an anomaly if a particular user has more than 3 failed login attempts. The detected anomalies 1 through M are then analyzed according to a global rarity analysis model to identify a threat indicator).

Regarding Claim 11, the combined teachings of Pratt and Orsi disclose the system of claim 1, wherein the job request includes a single run request or a batch process request ([Col. 11, lines 65-67]: The communication between a client device 102 and host application 114 may include sending various requests; [Col. 9, lines 33-35]: Processing of data (at both systems 122 and 124) may be performed in real time as data is received or in batch mode using stored data.

Regarding Claim 12, the combined teachings of Pratt and Orsi disclose the system of claim 1, wherein the one or more operations include at least one of a logical operation, a set operation and a temporal operation ([Col. 40, lines 4-7]: Examples of entity-specific behavioral analysis include hierarchical temporal memory processes that employ modified probabilistic suffix trees (PST), collaborative filtering, content-based recommendation analysis).

Regarding Claim 14, Pratt discloses a computer-implemented method for implementing a behavior analysis engine (BAE) to improve computer query processing for a computing system, comprising: 
receiving, at a BAE service via a user interface of the computing system, a job request to execute an input rule on target log data ([Col. 11, lines 65-67]: The communication between a client device 102 and host application 114 may include sending various requests; [Col. 8, lines 40-42]: As shown in FIG. 1B, at step 166 a user 164 (e.g. a network administrator) provides input that defines a rule for detecting anomalies based on received data (e.g. machine data); [Col. 3, lines 41-42]: Machine-generated data can include system logs),
the computing system comprising a system architecture ([Col. 8, lines 35-36]: Fig. 1B is an architecture flow diagram that illustrates, at a high level, the process 160) including a system layer (Fig. 1B Machine-Learning Based Network Security System 122), a data layer (Data Intake & Query System 108), and a local rule base (Rules-Based Network Security System 124); 
managing and visualizing rules associated with system behavior using a user interface, the user interface including an interface for user composition of a rule (Fig. 1, [Col. 57, lines 42-45]: For example, user input specifying an anomaly detection rule may be input via graphical user interface (GUI) 162 associated with a rules-based network security system 124), the rule including a header section, a state section, a behavior section, and a model section, the header section specifying a namespace, a name of a rule file associated with the rule, and rule inheritance, the state section specifying state information to read data from a database, the behavior section defining an execution between one or more of the states using supported operations. and the model section specifies a format of an output ([Col 59, lines 10-34]: FIG. 33 shows an example interactive view 3500 through which a user can specify a rule for anomaly detection… For example, the rule can be defined as one or more conditional statements in any of a number of programming languages... In some embodiments, option 3506 may include template rules with one or more editable parameters…  In some embodiments, parameters may be set by selecting from a list of available values for each parameter [The sections correspond to fields in a template with editable parameters]); 
(Fig. 1B; [Col. 8, lines 54-56]: A rules-based network security system 124 can process received data with the user-specified rule to detect anomalous activity and output anomaly data based on that activity), 
optimizing the data structure using temporal order optimization including query optimization by query processing ordering, and executing one or more operations using the optimized data structure ([Col. 17, lines 41-43]: By storing events in buckets for specific time ranges, an indexer may further optimize data retrieval process by searching buckets corresponding to time ranges that are relevant to a query [Time ranges that are relevant to a query correspond to query processing ordering]; [Col. 16, lines 38-42]: The properties may, for example, instruct an indexer to… to interpolate time values based on timestamps associated with temporally proximate events [temporal order optimization]); and
storing, by the BAE service, the result in a result database (Fig. 3, [Col. 17, lines 22-23]: At block 318, the indexer stores the events with an associated timestamp in a data store 208); wherein the BAE service is implemented by at least one processor operatively coupled to a memory (Fig. 34, computer system 3600 includes one or more processor(s) 3610, memory 3620).
However, Pratt does not explicitly teach “parsing the input rule to create a data structure”.
On the other hand, in the same field of endeavor, Orsi teaches parsing the input rule to create a data structure (Fig. 9; [0189]: Rules and facts are input to the rule engine 632 and routed to either rule parser 902, for the rules, and fact loader 904, for the facts. Parsed rules are then stored in the fact term storage 706 for use by the forward- chaining executor 708 or the backward-chaining executor 710… As rules and facts are executed by the backward-chaining executor 710, proofs or suspended proofs are stored in the proof tree 716 and proof tree splitter 720 [proof tree 716 corresponds to a data structure]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the method of Pratt with the teachings of Orsi to include “parsing the input rule to create a data structure.”
The motivation for doing so would be to allow rules to be implemented by the rule engine, as recognized by Orsi ([0186]: The database 634 includes a number of separate sections of data, including rule storage 810 for the rules to be implemented by the rule engine).

Regarding Claim 15, the combined teachings of Pratt and Orsi disclose the method of claim 14, further comprising providing, by the BAE service, one or more application programming interfaces (APIs) for accessing the BAE service ([Col. 21, lines 27-30]: The data sources 802 provide data to data receivers 810, which implement various APIs and connectors to receive (or retrieve, depending on the mechanism) the data for the security platform 800).

Regarding Claim 17, the combined teachings of Pratt and Orsi disclose the method of claim 14, further comprising the BAE service validating or composing a rule ([Col. 59, lines 10-15]: FIG. 33 shows an example interactive view 3500 through which a user can specify a rule for anomaly detection. In the example embodiment, view 3500 includes an option 3502 to input a title for the rule, an option 3504 to set a category for anomaly detected according to the rule, and an option 3506 to specify the rule), and
(Fig. 5; [Col. 19, lines 48-50]: Also, in some embodiments users may provide input via applications in the applications layer to specify rules in the rules layer 612),
wherein the one or more types of rule-bases include a local rule-base and a global rule-base ([Col. 2, lines 55-56]: FIG. 25 illustrates an example use case for identifying threat indicators based on local and global rarity analysis; [Col. 54, lines 30-36]: As shown in Fig. 25… The events 2280 can also be processed according to a user specified anomaly detection rules that are associated with a particular entity (e.g. local rule associated with entity 1. For example a network administrator may specify a rule to output an anomaly if a particular user has more than 3 failed login attempts. The detected anomalies 1 through M are then analyzed according to a global rarity analysis model to identify a threat indicator).

Regarding Claim 18, the combined teachings of Pratt and Orsi disclose the method of claim 14, wherein the job request includes a single run request or a batch process request ([Col. 11, lines 65-67]: The communication between a client device 102 and host application 114 may include sending various requests; [Col. 9, lines 33-35]: Processing of data (at both systems 122 and 124) may be performed in real time as data is received or in batch mode using stored data).

Regarding Claim19, the combined teachings of Pratt and Orsi disclose the method of claim 14, wherein the one or more operations include at least one a logical operation, a set operation and a temporal operation ([Col. 40, lines 4-7]: Examples of entity-specific behavioral analysis include hierarchical temporal memory processes that employ modified probabilistic suffix trees (PST), collaborative filtering, content-based recommendation analysis).

Regarding Claim 20, Pratt discloses a computer program product comprising 
a non-transitory computer readable storage medium having program instructions embodied therewith, the program instructions executable by a computer to cause the computer to perform a method for implementing a behavior analysis engine (BAE) to improve computer query processing, the method comprising ([Col. 60, lines 50-56]: Embodiments of the techniques introduced here may be implemented, at least in part, by a computer program product which may include a non-transitory machine-readable medium having stored thereon instructions that may be used to program/configure a computer or other electronic device to perform some or all of the operations described above): 
receiving, at a BAE service via a user interface of the computer system, a job request to execute an input rule on target log data ([Col. 11, lines 65-67]: The communication between a client device 102 and host application 114 may include sending various requests; [Col. 8, lines 40-42]: As shown in FIG. 1B, at step 166 a user 164 (e.g. a network administrator) provides input that defines a rule for detecting anomalies based on received data (e.g. machine data); [Col. 3, lines 41-42]: Machine-generated data can include system logs),
the computer comprising a system architecture ([Col. 8, lines 35-36]: Fig. 1B is an architecture flow diagram that illustrates, at a high level, the process 160) including a system layer (Fig. 1B Machine-Learning Based Network Security System 122), a data layer (Data Intake & Query System 108), and a local rule base (Rules-Based Network Security System 124); 
managing and visualizing rules associated with system behavior using a user interface, the user interface including an interface for user composition of a rule (Fig. 1, [Col. 57, lines 42-45]: For example, user input specifying an anomaly detection rule may be input via graphical user interface (GUI) 162 associated with a rules-based network security system 124), the rule including a header section, a state section, a behavior section, and a model section, the header section specifying a namespace, a name of a rule file associated with the rule, and rule inheritance, the state section specifying state information to read data from a database, the behavior section defining an execution between one or more of the states using supported operations, and the model section specifies a format of an output ([Col 59, lines 10-34]: FIG. 33 shows an example interactive view 3500 through which a user can specify a rule for anomaly detection… For example, the rule can be defined as one or more conditional statements in any of a number of programming languages... In some embodiments, option 3506 may include template rules with one or more editable parameters…  In some embodiments, parameters may be set by selecting from a list of available values for each parameter [The sections correspond to fields in a template with editable parameters]); 
executing, by the BAE service, the job request to generate a result, including obtaining the input rule from a rule-base (Fig. 1B; [Col. 8, lines 54-56]: A rules-based network security system 124 can process received data with the user-specified rule to detect anomalous activity and output anomaly data based on that activity), 
optimizing the data structure using temporal order optimization including query optimization by query processing ordering, and executing one or more operations using the optimized data structure ([Col. 17, lines 41-43]: By storing events in buckets for specific time ranges, an indexer may further optimize data retrieval process by searching buckets corresponding to time ranges that are relevant to a query [Time ranges that are relevant to a query correspond to query processing ordering]; [Col. 16, lines 38-42]: The properties may, for example, instruct an indexer to… to interpolate time values based on timestamps associated with temporally proximate events [temporal order optimization]); and 
storing, by the BAE service, the result in a result database (Fig. 3, [Col. 17, lines 22-23]: At block 318, the indexer stores the events with an associated timestamp in a data store 208).

Claims 7 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Pratt et al.  (US Patent No. 10673880 B1, hereinafter Pratt) in view of Orsi et al. (WO 2014093198 A1, hereinafter Orsi) and in further view of Reid et al. (US 20170024258 A1, hereinafter Reid).

Regarding Claim 7, the combined teachings of Pratt and Orsi disclose the system of claim 1.
However, the combined teachings of Pratt and Orsi do not explicitly teach “wherein the data structure includes a tree of execution order, and optimizing the data structure includes optimizing the tree of execution order to reduce a number of future executions.”
On the other hand, in the same field of endeavor, Reid teaches wherein the data structure includes a tree of execution order ([Abstract]: The viewing application receives a query result from the scheduling server and depicts, on an electronic display, a dependency tree that includes one or more precedent batch jobs and the target batch job; [0047]: A dependency tree 98 is a data structure and/or visual depiction of the subset of financial batch jobs 12, within a batch stream, returned by the scheduling server 14 query), and 
optimizing the data structure includes optimizing the tree of execution order to reduce a number of future execution ([0005]: The viewing application may provide optimization tools that allow the user to make one or more optimizations to the execution order of the plurality of batch jobs. The one or more optimizations may optimize the execution order such that a total execution runtime of the one or more critical jobs is decreased such that the target batch job finishes executing earlier than the target batch job would have finished executing without the one or more optimizations).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the system of Pratt and Orsi with the teachings of Reid to include “wherein the data structure includes a tree of execution order, and optimizing the data structure includes optimizing the tree of execution order to reduce a number of future executions.”
The motivation for combining would be to optimize dependencies of batch jobs, as recognized by Reid ([0005] of Reid: In one embodiment, provided is a computer system for optimizing dependencies of batch jobs).

Regarding Claim 16, the combined teachings of Pratt and Orsi disclose the method of claim 14.
However, the combined teachings of Pratt and Orsi do not explicitly teach “wherein the data structure includes a tree of execution order, and optimizing the data structure includes optimizing the tree of execution order to reduce a number of future executions.”
On the other hand, in the same field of endeavor, Reid teaches wherein the data structure includes a tree of execution order ([Abstract]: The viewing application receives a query result from the scheduling server and depicts, on an electronic display, a dependency tree that includes one or more precedent batch jobs and the target batch job; [0047]: A dependency tree 98 is a data structure and/or visual depiction of the subset of financial batch jobs 12, within a batch stream, returned by the scheduling server 14 query), and 
optimizing the data structure includes optimizing the tree of execution order to reduce a number of future execution ([0005]: The viewing application may provide optimization tools that allow the user to make one or more optimizations to the execution order of the plurality of batch jobs. The one or more optimizations may optimize the execution order such that a total execution runtime of the one or more critical jobs is decreased such that the target batch job finishes executing earlier than the target batch job would have finished executing without the one or more optimizations).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the method of Pratt and Orsi with the teachings of Reid to include “wherein the data structure includes a tree of execution order, and optimizing the data structure includes optimizing the tree of execution order to reduce a number of future executions.”
The motivation for combining would be to optimize dependencies of batch jobs, as recognized by Reid ([0005] of Reid: In one embodiment, provided is a computer system for optimizing dependencies of batch jobs).

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Pratt et al.  (US Patent No. 10673880 B1, hereinafter Pratt) in view of Orsi et al. (WO 2014093198 A1, hereinafter Orsi) and in further view of White et al. (US 20140358923 A1, hereinafter White).

Regarding Claim 10, the combined teachings of Pratt and Orsi disclose the system of claim 8.
However, the combined teachings of Pratt and Orsi do not explicitly teach “wherein the BAE service further includes program code to export rules.”
On the other hand, in the same field of endeavor, White teaches wherein the BAE service further includes program code to export rules ([Col. 13, lines 6-13]: Analysis rules can be shared across multiple compliance system servers. There are a number of ways to export rules from one compliance system instance and import them into another… A similar mechanism is typically needed to import/export rule configuration settings, i.e. which rules should be used).
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the system of Pratt and Orsi with the teachings of White to include “wherein the BAE service further includes program code to export rules.”
The motivation for combining would be to allow one system to extract rules directly from another, as recognized by White ([Col. 13, lines 9-11] of White: This can be accomplished by storing rules on disk in an XML or binary format or by wiring up plumbing to allow one compliance system to extract rules directly from another).

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Pratt et al.  (US Patent No. US 10673880 B1, hereinafter Pratt) in view of Orsi et al. (WO 2014093198 A1, hereinafter Orsi) and in further view of Yamanishi et al. (US 20030004902 A1, hereinafter Yamanishi).

Regarding Claim 13, the combined teachings of Pratt and Orsi disclose the system of claim 1.
However, the combined teachings of Pratt and Orsi do not explicitly teach “a machine learning component including program code to generate new rules associated with system behavior by learning abnormal system behavior from training data, and converting the learned abnormal system behavior into the new rules.”
On the other hand, in the same field of endeavor, Yamanishi teaches a machine learning component including program code to generate new rules associated with system behavior by learning abnormal system behavior from training data, and converting the learned abnormal system behavior into the new rules ([Abstract]: The outlier detection device for detecting abnormal data in a data set includes… a supervised learning unit for generating a new rule characterizing abnormal data by supervised learning based on a set of the respective data to which the label is applied and adding the new rule to the set of rules held in the outlier rule preservation unit to update the rules).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the system of Pratt and Orsi with the teachings of Yamanishi to include “a machine learning component including program code to generate new rules associated with system behavior by learning abnormal system behavior from training data, and converting the learned abnormal system behavior into the new rules.”
The motivation for combining would be to detect abnormal data in a data set, as recognized by Yamanishi ([Abstract] of Yamanishi: The outlier detection device for detecting abnormal data in a data set includes an outlier rule preservation unit for holding a set of rules characterizing abnormal data).




Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Pratt et al.  (US Patent No. US 10673880 B1, hereinafter Pratt) in view of Orsi et al. (WO 2014093198 A1, hereinafter Orsi) and in further view of Cossock (US Patent No. 6427148).

Regarding Claim 21, the combined teachings of Pratt and Orsi disclose the system of claim 1.
However, the combined teachings of Pratt and Orsi do not explicitly teach “wherein the processor is further configured to extract two different types of keys, the two different types of keys being a partition key including attributes from each of one or more datasets connected by an equality operator in normal constraints and a sorting key extracted from temporal constraints.”
On the other hand, in the same field of endeavor, Cossock teaches  wherein the processor is further configured to extract two different types of keys, the two different types of keys being a partition key including attributes from each of one or more datasets connected by an equality operator in normal constraints and a sorting key extracted from temporal constraints ([Abstract]: An embodiment of the present invention provides a method and apparatus for sorting very large data sets using a parallel merge sort. Given sorted work files S1, . . . , Sp, produced by P processes, the described embodiment of the method effectively implements a parallel merge onto respective output partitions O1, . . . , Op of the processes P. Because each of these output partitions O has a finite size, the invention must quickly determine “splitting keys” for each output partition O in such a way that the data in the work files will be split between the multiple output partitions O without overrunning the size of any of the partitions O. Once the splitting keys for each partition are determined, the processes exchange data so that the output partitions of each process contains data between the splitting keys associated with that output partition).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have combined the system of Pratt and Orsi with the teachings of Cossock to include “wherein the processor is further configured to extract two different types of keys, the two different types of keys being a partition key including attributes from each of one or more datasets connected by an equality operator in normal constraints and a sorting key extracted from temporal constraints.”
The motivation for combining would be to partition data in conjunction with a parallel sorting method, as recognized by Cossock ([Abstract] of Cossock: This invention relates generally to data processing and, specifically, to a method and apparatus that partitions data in conjunction with, for example, a parallel sorting method).

Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over Pratt et al.  (US Patent No. US 10673880 B1, hereinafter Pratt) in view of Orsi et al. (WO 2014093198 A1, hereinafter Orsi) and in further view of Cossock (US Patent No. 6427148) and Leida et al. (US 20130262443-A1, hereinafter Leida).

Regarding Claim 22, the combined teachings of Pratt and Orsi disclose the system of claim 1, 
However, the combined teachings of Pratt and Orsi do not explicitly teach “wherein the processor is further configured for extracting two types of keys, the two types of keys being a partition key including attributes from each of one or more datasets connected by an equality 
On the other hand, in the same field of endeavor, Cossock teaches
 wherein the processor is further configured for extracting two types of keys, the two types of keys being a partition key including attributes from each of one or more datasets connected by an equality operator in normal constraints and a sorting key ([Abstract]: An embodiment of the present invention provides a method and apparatus for sorting very large data sets using a parallel merge sort. Given sorted work files S1, . . . , Sp, produced by P processes, the described embodiment of the method effectively implements a parallel merge onto respective output partitions O1, . . . , Op of the processes P. Because each of these output partitions O has a finite size, the invention must quickly determine “splitting keys” for each output partition O in such a way that the data in the work files will be split between the multiple output partitions O without overrunning the size of any of the partitions O. Once the splitting keys for each partition are determined, the processes exchange data so that the output partitions of each process contains data between the splitting keys associated with that output partition).
	Additionally, Leida teaches wherein sorting keys for each of the states correspond to a begin time for StartWith implementations and correspond to an end time for EndWith implementations (Fig. 2; [0141]-[0142]: FIG. 2 illustrates the data model that is used by the CEP and Dynamic Visualization components… The two components need to have some “entry point” in the data graph in order to start the analysis. This entry point is made by the concepts “Process” and “Tasks” from FIG. 2, together with the relations “hastasks”, “startWith”, “endWith”, “followedBy” and “BelongsToProject”).

The motivation for combining would be to partition data in conjunction with a parallel sorting method, as recognized by Cossock ([Abstract] of Cossock: This invention relates generally to data processing and, specifically, to a method and apparatus that partitions data in conjunction with, for example, a parallel sorting method), and to provide a high performance within the data model, with optimized query execution, as recognized by Leida ([Abstract] of Leida: The invention relates to a method and system that provide a high performance and extremely scalable triple store within the Resource Description Framework (or alternative data models), with optimized query execution).



Examiner Note
Examiner has cited particular columns/paragraph and line numbers in the references applied to the claims above for the convenience of the applicant. Although the specified citations are representative of the teachings of the art and are applied to specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested from the applicant in preparing responses, to fully consider the references in entirety as potentially 
In the case of amending the Claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention. This will assist in expediting compact prosecution. MPEP 714.02 recites: "Applicant should also specifically point out the support for any amendments made to the disclosure. See MPEP § 163.06. An amendment which does not comply with the provisions of 37 CFR 1.12l(b), (c),  (d), and (h) may be held not fully responsive. See MPEP § 714." Amendments not pointing to
specific support in the disclosure may be deemed as not complying with provisions of 37 C.F.R. 1.131(b), (c), (d), and (h) and therefore held not fully responsive. Generic statements such as "Applicants believe no new matter has been introduced" may be deemed insufficient.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHIRLEY D. HICKS whose telephone number is (571)272-3304.  The examiner can normally be reached on Mon - Fri 7:30 - 4:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Fred Ehichioya can be reached on (571) 272-4034.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/IRETE F EHICHIOYA/Supervisory Patent Examiner, Art Unit 2168