DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 5/16/2022 has been entered.
 

Status of Claims
	Claims 1-20 are pending of which claims 1, 7 and 13 are in independent form.
Claims 1-20 are rejected under 35 U.S.C. 103.

Response to Arguments
Applicant's arguments filed 5/16/2022 have been fully considered but they are not persuasive.

Applicant’s Argument:
Applicant argues, on page 6 of the "Remarks”, that “When discussing the element of generating a query relating to the plurality of events, the query comprising condition information, the condition information defining a subset of query relevant events, the examiner cites to Swafford. Specifically, the examiner cites to a portion of Swafford which discloses that a policy query may include data, metadata or a combination thereof (See e.g., Swafford, Paragraph [0086]). However, it is respectfully submitted that generating a query relating to the plurality of events as disclosed and claimed is patentably distinct from the policy query disclosed by Swafford. Specifically, Swafford does not disclose or suggest the query comprising condition information, the condition information defining a subset of query relevant events, much less a query relevant event comprising an event whose associated event information is relevant to certain conditions contained in the query, as required by claims 1, 7 and 13. Additionally, neither Swafford nor Das, alone or in combination, disclose or suggest the analyzing the distribution of features from the plurality of events identifying a subset of conditions that are of analytic utility based upon features extracted from query, the analyzing computing a conditional probability, the conditional probability providing a measure of a probability of an event occurring given that another event has occurred, as required by claims 1, 7 and 13”. 

	Examiner's Response:
Examiner respectfully disagrees; the combination of Swafford and Das clearly teaches, the analyzing the distribution of features from the plurality of events identifying a subset of conditions that are of analytic utility based upon features extracted from query, the analyzing computing a conditional probability, the conditional probability providing a measure of a probability of an event occurring given that another event has occurred (Swafford: In certain embodiments, events are not inspected prior to initializing scoring containers. In certain embodiments, a repository of persistent event data 670 may be queried for a random sampling of events containing the configured features 620. In certain embodiments, the resulting random sampling of events may be used during various scoring container initialization 702 operations to generate an initial probability distribution of their associated features. In certain embodiments, the initial probability distribution of associated features may likewise be stored in the repository of persistent event data 670 for re-use ¶ [0112] and [0166]. In certain embodiments, the event queue analytics 404 operations may be implemented to determine whether or not a feature associated with a particular document matches one or more policy queries 610. In certain embodiments, the policy query 610 may include data, metadata, or a combination thereof, related to an event ¶ [0086], [0099]-[0103], [0106]).
Regarding “query comprising condition information”, examiner specifies that queries are considered conditional statements (information); the condition therefore has to be met for the query to result in connection with the events.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-4, 7-10, 13-16, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Swafford; Brandon L. et al. (US 20190036969 A1) [Swafford] in view of Das; Dipock et al. (US 20190034813 A1) [Das].

	Regarding claims 1, 7 and 13, Swafford discloses, a computer-implementable method for constructing a distribution of interrelated event features, comprising: receiving a stream of events via a protected endpoint the protected endpoint comprising an endpoint device and an endpoint agent (FIG. 3 is a simplified block diagram of an endpoint agent implemented in accordance with an embodiment of the invention. As used herein, an endpoint agent 306 broadly refers to a software agent used in combination with an endpoint device 304 to establish a protected endpoint 302 ¶ [0034], [0036], [0043]), the stream of events comprising a plurality of events (In certain embodiments, an event stream collector 402 may be implemented to collect event and related contextual information, described in greater detail herein, associated with various user behaviors. In these embodiments, the method by which the event and contextual information is selected to be collected by the event stream collector 402 is a matter of design choice. In certain embodiments, the event and contextual information collected by the event stream collector 402 may be processed by an enrichment module 406 to generate enriched user behavior information ¶ [0047], [0048], [0088], [0090]-[0092]); 
generating a query relating to the plurality of events, the query comprising condition information, the condition information defining a subset of query relevant events (In certain embodiments, the event queue analytics 404 operations may be implemented to determine whether or not a feature associated with a particular document matches one or more policy queries 610. In certain embodiments, the policy query 610 may include data, metadata, or a combination thereof, related to an event ¶ [0086], [0099]-[0103], [0106], [0112]), a query relevant event comprising an event whose associated event information is relevant to certain conditions contained in the query (In certain embodiments, a repository of persistent event data 670 may be queried for a random sampling of events containing the configured features 620. In certain embodiments, the resulting random sampling of events may be used during various scoring container initialization 702 operations to generate an initial probability distribution of their associated features. In certain embodiments, the initial probability distribution of associated features may likewise be stored in the repository of persistent event data 670 for re-use ¶ [0112] and [0166]. In certain embodiments, the event queue analytics 404 operations may be implemented to determine whether or not a feature associated with a particular document matches one or more policy queries 610. In certain embodiments, the policy query 610 may include data, metadata, or a combination thereof, related to an event ¶ [0086], [0099]-[0103], [0106]. Regarding, “query comprising condition information”, examiner specifies that queries are considered conditional information, the condition therefore have to be met for the query to result in connection with the events); 
constructing a distribution of the features from the plurality of events based upon the query (In certain embodiments, a repository of persistent event data 670 may be queried for a random sampling of events containing the configured features 620. In certain embodiments, the resulting random sampling of events may be used during various scoring container initialization 702 operations to generate an initial probability distribution of their associated features. In certain embodiments, the initial probability distribution of associated features may likewise be stored in the repository of persistent event data 670 for re-use ¶ [0112], [0166]);
the analyzing the distribution of features from the plurality of events identifying a subset of conditions that are of analytic utility based upon features extracted from query, the analyzing computing a conditional probability, the conditional probability providing a measure of a probability of an event occurring given that another event has occurred (Swafford: In certain embodiments, events are not inspected prior to initializing scoring containers. In certain embodiments, a repository of persistent event data 670 may be queried for a random sampling of events containing the configured features 620. In certain embodiments, the resulting random sampling of events may be used during various scoring container initialization 702 operations to generate an initial probability distribution of their associated features. In certain embodiments, the initial probability distribution of associated features may likewise be stored in the repository of persistent event data 670 for re-use ¶ [0112] and [0166]. In certain embodiments, the event queue analytics 404 operations may be implemented to determine whether or not a feature associated with a particular document matches one or more policy queries 610. In certain embodiments, the policy query 610 may include data, metadata, or a combination thereof, related to an event ¶ [0086], [0099]-[0103], [0106]).
However Swafford does not explicitly facilitate processing the query relating to the plurality of events, extracting features from the plurality of events based upon the query; analyzing the distribution of the features from the plurality of events based upon the query.
Das discloses, processing the query relating to the plurality of events, extracting features from the plurality of events based upon the query (The data intake and query system uses a flexible schema to specify how to extract information from events. A flexible schema may be developed and redefined as needed. Note that a flexible schema may be applied to events "on the fly," when it is needed (e.g., at search time, index time, ingestion time, etc.). When the schema is not applied to events until search time, the schema may be referred to as a "late-binding schema." ¶ [0044]-[0048], [0181], [0184]);
analyzing the distribution of the features from the plurality of events based upon the query (Each indexer 206 may be responsible for storing and searching a subset of the events contained in a corresponding data store 208. By distributing events among the indexers and data stores, the indexers can analyze events for a query in parallel. For example, using map-reduce techniques, each indexer returns partial responses for a subset of events to a search head that combines the results to produce an answer for the query. By storing events in buckets for specific time ranges, an indexer may further optimize the data retrieval process by searching buckets corresponding to time ranges that are relevant to a query ¶ [0120], [0180]).
It would have been obvious to one of ordinary skill in the art at the time of filing of the present invention to combine the teachings of the cited references because Das’ system would have allowed Swafford to facilitate processing the query relating to the plurality of events, extracting features from the plurality of events based upon the query; analyzing the distribution of the features from the plurality of events based upon the query. The motivation to combine is apparent in the Swafford reference, because there is a need for more effective techniques for interfacing with various underlying data sources via natural language applications.

Regarding claims 2, 8 and 14, the combination of Swafford and Das discloses, the query comprises a domain specific language (DSL) query (Swafford: a Domain Specific Language (DSL) broadly refers to a computer language specialized to a particular application domain ¶ [0087]).

Regarding claims 3, 9 and 15, the combination of Swafford and Das discloses, the DSL query comprises a plurality of Boolean predicates (Swafford: In certain embodiments, the rule may include one or more parameters, factors, limits, restrictions, constraints, numeric values, numeric operators, Boolean operators, or a combination thereof ¶ [0070]).

Regarding claims 4, 10 and 16, the combination of Swafford and Das discloses, the plurality of Boolean predicates comprise a matching query predicate and a conditioning query predicate (Swafford: In certain embodiments, the rule may include one or more parameters, factors, limits, restrictions, constraints, numeric values, numeric operators, Boolean operators, or a combination thereof ¶ [0070]. Examiner specifies that Boolean operators are conditioning queries).

Regarding claim 19, the combination of Swafford and Das discloses, wherein the computer executable instructions are deployable to a client system from a server system at a remote location (Swafford: The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider) ¶ [0210] and claim 19).

Regarding claim 20, the combination of Swafford and Das discloses, wherein the computer executable instructions are provided by a service provider to a user on an on-demand basis (Swafford: In certain embodiments, the security analytics system 118 may be implemented to provide log storage, reporting, and analytics capable of performing streaming 408 and on-demand 410 analytics operations ¶ [0044]. Also see ¶ [0048]-[0050]).


Claims 5, 6, 11, 12, 17 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Swafford in view of Das in view of Ford; Richard A. et al. (US 20190034625 A1) [Ford].

Regarding claims 5, 11 and 17, the combination of Swafford and Das teaches all the elements of claims 4 and 10.
However neither Swafford nor Das explicitly facilitate the analyzing the distribution of features is performed by a DSL query processing module.
Ford discloses, the analyzing the distribution of features is performed by a DSL query processing module (Referring now to FIG. 7, enriched events 610 resulting from performance of the event enrichment operations 600 described in the text associated with FIG. 6 may be provided in certain embodiments to a DSL query processing 702 module. In certain embodiments, the DSL query processing 702 module may be implemented to provide a streaming query framework. In certain embodiments, the streaming query framework may be implemented to extract features, as described in greater detail herein, and construct probability distributions in real-time, in batch mode, or on-demand. In certain embodiments, the DSL query processing 702 module may be implemented to receive certain DSL queries 704 that include terms, features, tags, or other items of interest that may be associated with certain interrelated events ¶ [0096]-[0100]).

Regarding claims 6, 12 and 18, the combination of Swafford, Das and Ford discloses, the conditioning query is implemented to cause the DSL query processing module to identify a subset of conditions of analytic utility (Ford: Referring now to FIG. 7, enriched events 610 resulting from performance of the event enrichment operations 600 described in the text associated with FIG. 6 may be provided in certain embodiments to a DSL query processing 702 module. In certain embodiments, the DSL query processing 702 module may be implemented to provide a streaming query framework. In certain embodiments, the streaming query framework may be implemented to extract features, as described in greater detail herein, and construct probability distributions in real-time, in batch mode, or on-demand. In certain embodiments, the DSL query processing 702 module may be implemented to receive certain DSL queries 704 that include terms, features, tags, or other items of interest that may be associated with certain interrelated events ¶ [0096]-[0100]).

Conclusion
The examiner requests, in response to this Office action, support be shown for language added to any original claims on amendment and any new claims. That is, indicate support for newly added claim language by specifically pointing to page(s) and line no(s) in the specification and/or drawing figure(s). This will assist the examiner in prosecuting the application.
When responding to this office action, Applicant is advised to clearly point out the patentable novelty which he or she thinks the claims present, in view of the state of the art disclosed by the references cited or the objections made. He or she must also show how the amendments avoid such references or objections. See 37 CFR 1.111(c).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMAD S ROSTAMI whose telephone number is (571)270-1980. The examiner can normally be reached Mon-Fri from 9 a.m. to 5 p.m.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hosain T Alam can be reached on (571)272-3978. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





6/17/2022
/MOHAMMAD S ROSTAMI/Primary Examiner, Art Unit 2154