DETAILED ACTION

Information Disclosure Statement

1.	The information disclosure statement (IDS) submitted on 3/22/2022 was filed.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.


2.    Pending claims for reconsideration are claims 1, 3-10, 12-20. Claims 1, 10, and 19 have been amended. Claims 2 and 11 have been cancelled.


Response to Arguments

3.	Applicant's arguments filed 3/22/2022 have been fully considered but they are not persuasive. 

In the remarks, applicant argues in substance:

a.	That- Harsell does not disclose or suggest extracting a categorical feature from the plurality of events where some of the plurality of events comprise multiple feature types, the multiple feature types comprising non-categorical features and categorical features, as required by claims 1, 10 and 19. This deficiency of Harsell is not cured by Gibson.
In response to applicant’s argument-  It is the combination of Gibson, Harsell, and Whitney that teaches the claimed language, neither Gibson, Harsell, nor Whitney alone.  As stated in the below 112 rejection, Claim one discloses the amended claim limitation “some of the plurality of events comprising multiple feature types, the multiple feature types comprising non-categorical features and categorical features.” It is unclear as to what the applicant regards as ‘non-categorical’ within the claim language. Gibson in its broadest most reasonable interpretation in light of applicant’s specification also teaches that the module 104 may receive a request/extract (stream of events) of information about how the security policy may impact users from a plurality of data events in Col.7/lines 24-26.

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.



4.	Claim 1 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. Claim one discloses the claim limitation “some of the plurality of events comprising multiple feature types, the multiple feature types comprising non-categorical features and categorical features.” It is unclear as to what the applicant regards as ‘non-categorical’ within the claim language.  
5.	Claim 10 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. Claim one discloses the claim limitation “some of the plurality of events comprising multiple feature types, the multiple feature types comprising non-categorical features and categorical features.” It is unclear as to what the applicant regards as ‘non-categorical’ within the claim language.  
6.	Claim 19 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. Claim one discloses the claim limitation “some of the plurality of events comprising multiple feature types, the multiple feature types comprising non-categorical features and categorical features.” It is unclear as to what the applicant regards as ‘non-categorical’ within the claim language.  

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


7.	Claims 1, 3-10, and 12-20 are rejected under 35 U.S.C. 103 as being unpatentable over Patent No.: US 9,246,941 B1 to Gibson et al (hereafter referenced as Gibson) in view of Patent No.: 8,490,163 B1 to Harsell et al (hereafter referenced as Harsell), in further view of Pub.No.: US 2002/123865 A1 to Whitney et al (hereafter referenced as Whitney).
Regarding claim 1, Gibson discloses “a computer-implementable method for constructing a distribution of event features for identifying security risk factors” (system configured with modules to identify security risk factors [Fig.1]), “comprising: receiving a stream of events” (module 104 may receive a request(stream of events) of information about how the security policy may impact users [Col.7/lines 24-26]), “the stream of events comprising a plurality of events” (information comprising identifying module 104 may receive a request from an administrator of end-user computing systems for information about how activating security policy 220 may impact users of end-user computing systems [Col.7/lines 26-30]), “some of the plurality of events comprising multiple feature types, the multiple feature types comprising non-categorical features and categorical features extracting a categorical feature from the plurality of events”, (module 104 may receive a request/extract(stream of events) of information about how the security policy may impact users from a plurality of data events [Col.7/lines 24-26]).
Gibson does not explicitly disclose “wherein the categorical feature includes a set of categorical feature members, and the categorical feature members are strings having one or more common characteristics defined by the categorical feature that are extracted from events of the stream of events; constructing a distribution for the categorical feature based on categorical feature members extracted from the plurality of events, and, analyzing the distribution of the categorical feature to identify one or more security risk factors.”
However, Harsell in an analogous art discloses “wherein the categorical feature includes a set of categorical feature members” (define a policy based on extracted events Harsell [Fig.4/item 412]: “and the categorical feature members are strings having one or more common characteristics defined by the categorical feature that are extracted from events of the stream of events(i.e. within control module 310 comprises  definition input mode 312, and analysis module 318 which are utilized to define characteristics and configured to import and/or export the universal security policy from and/or to external sources Harsell [Fig.3]) constructing a distribution for the categorical feature based on categorical feature members extracted from the plurality of events” (define a policy based on extracted events Harsell [Fig.4/item 412]); “and, analyzing the distribution of the categorical feature to identify one or more security risk factors.” (analysis module 314 is configured to analyze the integrity of the universal security policy Harsell [Col.6/lines 59-60]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Gibson’s method for identifying risk factors with Harsell’s security process comprising categorical features to identify security factors in order to provide data integrity. One of ordinary skill in the art would have been motivated to combine because Gibson discloses a method for identifying risk factors and Harsell teaches a security process which identifies features from an event of security purposes and both are from the same field of endeavor.
Neither Gibson nor Harsell explicitly disclose “the distribution representing a discrete probability distribution, the discrete probability distribution describing a possibility that a categorical feature member of the set of categorical feature members will occur in an event.”
However, Whitney in an analogous art discloses “the distribution representing a discrete probability distribution, the discrete probability distribution describing a possibility that a categorical feature member of the set of categorical feature members will occur in an event.”(numerical data can be adapted for the converted categorical data via the representation of categorical data as vectors of discrete probability distributions Whitney [par.0018]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Gibson’s method for identifying risk factors and Harsell’s security process comprising categorical features with Whitney’s method for generating an analysis of categorical data in which numerical data can be adapted for the converted categorical data via the representation of categorical data as vectors of discrete probability distributions in order to provide additional security. One of ordinary skill in the art would have been motivated to combine because Gibson discloses a method for identifying risk factors, Harsell teaches a security process which identifies features from an event of security purposes, Whitney teaches an analysis of categorical data via a discrete probability and they are from the same field of endeavor.
Regarding claim 3 in view of claim 1, the references combined disclose “wherein the set of categorical feature members comprises a fixed set of categorical feature members” (behavior information module monitors fixed events of the user on the end-user computing system Gibson [Fig.3/item 304]).
Regarding claim 4 in view of claim 1, the references combined disclose “wherein the set of categorical feature members comprises a variable set of categorical feature members that are generated on the fly from string values included in the extracted categorical feature” (i.e. string values extracted from events from the behavior information module Gibson [Fig.1/item 126] and categorical prediction information module Gibson [Fig.1/item 126]).
Regarding claim 5 in view of claim 1, the references combined disclose “wherein construction of the distribution comprises: constructing a categorical distribution for the categorical feature using occurrences of the categorical feature members of the categorical feature extracted from the plurality of events” (identifying module creates a categorical description Gibson[Fig.1/item 104]).
Regarding claim 6 in view of claim 1, the references combined disclose “wherein all constructing the distribution for occurrences of the members of the categorical feature set comprises: grouping the members of the categorical feature into a plurality of mutually exclusive subsets” (notifying module notifies administrator how to group members into a plurality categorical behavior features Gibson[Col.9/lines 49-59]); “and the distribution using bins respectively associated with the plurality of mutually exclusive subsets” (i.e. string values extracted from events from the behavior information module Gibson[Fig.1/item 126] and categorical prediction information module Gibson [Fig.1/item 126]).
Regarding claim 7 in view of claim 1, the references combined disclose “wherein construction of the distribution  comprises: assigning a probability that a given member of the categorical feature set will occur based on a likelihood that a member of the categorical feature set, other than the given member, will occur.” (prediction module assigns probability based on predicted data analysis [Fig.1/item 106]).
Regarding claim 8 in view of claim 1, neither Gibson nor Harsell explicitly discloses “further comprising: mapping the string values to respective one-hot encoded values” (values are mapped/defined using security inform/string values Harsell [Fig.4/item 412]).
Regarding claim 9 in view of claim 1, the references combined disclose “wherein the characteristic feature comprises one or more of: a temporal characteristic feature of an event; and a communication protocol characteristic of an event” (behavior information module discloses information on characteristics of how the security policies impact user behavior of a communication/data event Gibson [Fig.1/item 126]).
Regarding claim 10, Gibson discloses “a system comprising: a processor; a data bus coupled to the processor; and a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus” (medium coupled to bus of computer system [Fig.5]), “the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor and configured for: receiving a stream of events, the stream of events comprising a plurality of events, some of the plurality of events comprising multiple feature types, the multiple feature types comprising non-categorical features and categorical features extracting a categorical feature from the plurality of events” (module 104 may receive a request/extract(stream of events) of information about how the security policy may impact users [Col.7/lines 24-26]).
Gibson does not explicitly disclose “wherein the categorical feature includes a set of categorical feature members; and the categorical feature members are strings having one or more common characteristics defined by the categorical feature that are extracted from events of the stream of events; constructing a distribution for the categorical feature based on categorical feature members extracted from the plurality of events  and, analyzing the distribution of the categorical feature to identify one or more security risk factors”
However, Harsell in an analogous art discloses “wherein the categorical feature includes a set of categorical feature members and the categorical feature members are strings having one or more common characteristics defined by the categorical feature that are extracted from events of the stream of events(i.e. within control module 310 comprises  definition input mode 312, and analysis module 318 which are utilized to define characteristics and configured to import and/or export the universal security policy from and/or to external sources Harsell [Fig.3]); constructing a distribution for the categorical feature based on categorical feature members extracted from the plurality of events” (define a policy based on extracted events Harsell [Fig.4/item 412]); and, analyzing the distribution of the categorical feature to identify one or more security risk factors” (analysis module 314 is configured to analyze the integrity of the universal security policy Harsell [Col.6/lines 59-60]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Gibson’s method for identifying risk factors with Harsell’s security process comprising categorical features to identify security factors in order to provide data integrity. One of ordinary skill in the art would have been motivated to combine because Gibson discloses a method for identifying risk factors and Harsell teaches a security process which identifies features from an event of security purposes and both are from the same field of endeavor.
Neither Gibson nor Harsell explicitly disclose “the distribution representing a discrete probability distribution, the discrete probability distribution describing a possibility that a categorical feature member of the set of categorical feature members will occur in an event.”
However, Whitney in an analogous art discloses “the distribution representing a discrete probability distribution, the discrete probability distribution describing a possibility that a categorical feature member of the set of categorical feature members will occur in an event.”(numerical data can be adapted for the converted categorical data via the representation of categorical data as vectors of discrete probability distributions Whitney [par.0018]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Gibson’s method for identifying risk factors and Harsell’s security process comprising categorical features with Whitney’s method for generating an analysis of categorical data in which numerical data can be adapted for the converted categorical data via the representation of categorical data as vectors of discrete probability distributions in order to provide additional security. One of ordinary skill in the art would have been motivated to combine because Gibson discloses a method for identifying risk factors, Harsell teaches a security process which identifies features from an event of security purposes, Whitney teaches an analysis of categorical data via a discrete probability and they are from the same field of endeavor.

Regarding claim 12 in view of claim 10, the references combined disclose “wherein the set of categorical feature members comprises a fixed set of categorical feature members” (behavior information module monitors fixed events of the user on the end-user computing system Gibson [Fig.3/item 304]).
Regarding claim 13 in view of claim 10, the references combined disclose “wherein the set of categorical feature members comprises a variable set of categorical feature members that are generated on the fly from string values included in the extracted categorical feature.” (i.e. string values extracted from events from the behavior information module Gibson [Fig.1/item 126] and categorical prediction information module Gibson [Fig.1/item 126]).
Regarding claim 14 in view of claim 10, the references combined disclose  “wherein construction of the distribution comprises: constructing a categorical distribution for the categorical feature using occurrences of the categorical feature members of the categorical feature extracted from the plurality of events” (identifying module creates a categorical description Gibson[Fig.1/item 104]).
Regarding claim 15 in view of claim 10, the references combined disclose  “wherein all constructing the distribution for occurrences of the members of the categorical feature set comprises: grouping the members of the categorical feature into a plurality of mutually exclusive subsets” (notifying module notifies administrator how to group members into a plurality categorical behavior features Gibson[Col.9/lines 49-59]); “and constructing the distribution using bins respectively associated with the plurality of mutually exclusive subsets.” (i.e. string values extracted from events from the behavior information module Gibson [Fig.1/item 126] and categorical prediction information module Gibson [Fig.1/item 126]).
Regarding claim 16 in view of claim 10, the references combined disclose “wherein construction of the distribution comprises: assigning a probability that a given member of the categorical feature set will occur based on a likelihood that a member of the categorical feature set, other than the given member, will occur” (prediction module assigns probability based on predicted data analysis [Fig.1/item 106]).
Regarding claim 17 in view of claim 10, the references combined disclose “further comprising: mapping the string values to respective one-hot encoded values” (values are mapped/defined using security inform/string values Harsell [Fig.4/item 412]).
Regarding claim 18 in view of claim 10, the references combined disclose “wherein the characteristic feature comprises one or more of: a temporal characteristic feature of an event; and a communication protocol characteristic of an event” (behavior information module discloses information on characteristics of how the security policies impact user behavior of a communication/data event Gibson [Fig.1/item 126]).
Regarding claim 19, Gibson discloses “a non-transitory, computer-readable storage medium embodying computer program code, the computer program code comprising computer executable instructions configured for: receiving a stream of events, the stream of events comprising a plurality of events” (module 104 may receive a request(stream of events) of information about how the security policy may impact users [Col.7/lines 24-26]); “some of the plurality of events comprising multiple feature types, the multiple feature types comprising non-categorical features and categorical features: extracting a categorical feature from the plurality of events” (receiving data and extracting categorical information regarding that may be potentially regulated using a security policy [Fig.3/item 302]).
Gibson does not explicitly disclose “wherein the categorical feature includes a set of categorical feature members, and the categorical feature members are strings having one or more common characteristics defined by the categorical feature that are extracted from events of the stream of events constructing a distribution for the categorical feature based on categorical feature members extracted from the plurality of events; and, analyzing the distribution of the categorical feature to identify one or more security risk factors.”
However, Harsell in an analogous art discloses “wherein the categorical feature includes a set of categorical feature members, and the categorical feature members are strings having one or more common characteristics defined by the categorical feature that are extracted from events of the stream of events(i.e. within control module 310 comprises  definition input mode 312, and analysis module 318 which are utilized to define characteristics and configured to import and/or export the universal security policy from and/or to external sources Harsell [Fig.3]), constructing a distribution for the categorical feature based on categorical feature members extracted from the plurality of events” (define a policy based on extracted events Harsell [Fig.4/item 412]); “and, analyzing the distribution of the categorical feature to identify one or more security risk factors.” (analysis module 314 is configured to analyze the integrity of the universal security policy Harsell [Col.6/lines 59-60]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Gibson’s method for identifying risk factors with Harsell’s security process comprising categorical features to identify security factors in order to provide data integrity. One of ordinary skill in the art would have been motivated to combine because Gibson discloses a method for identifying risk factors and Harsell teaches a security process which identifies features from an event of security purposes and both are from the same field of endeavor.
Neither Gibson nor Harsell explicitly disclose “the distribution representing a discrete probability distribution, the discrete probability distribution describing a possibility that a categorical feature member of the set of categorical feature members will occur in an event.”
However, Whitney in an analogous art discloses “the distribution representing a discrete probability distribution, the discrete probability distribution describing a possibility that a categorical feature member of the set of categorical feature members will occur in an event.”(numerical data can be adapted for the converted categorical data via the representation of categorical data as vectors of discrete probability distributions Whitney [par.0018]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Gibson’s method for identifying risk factors and Harsell’s security process comprising categorical features with Whitney’s method for generating an analysis of categorical data in which numerical data can be adapted for the converted categorical data via the representation of categorical data as vectors of discrete probability distributions in order to provide additional security. One of ordinary skill in the art would have been motivated to combine because Gibson discloses a method for identifying risk factors, Harsell teaches a security process which identifies features from an event of security purposes, Whitney teaches an analysis of categorical data via a discrete probability and they are from the same field of endeavor.
Regarding claim 20 in view of claim 19, the references combined disclose “wherein the categorical feature members include one or more string values” (i.e. categorical feature members are string values extracted from events, see categorical behavior information module Gibson [Fig.1/item 126] also see categorical prediction information module Gibson [Fig.1/item 126]).

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL D ANDERSON whose telephone number is (571)270-5159. The examiner can normally be reached Mon-Fri 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571)272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MICHAEL D ANDERSON/Examiner, Art Unit 2433           

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433