Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “a normalizer configured to receive…, a profile builder that builds…, at least one primitive creator configured to generate…, a compromise detector that receives” in claim 1.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claim 1 limitation “a normalizer configured to receive…, a profile builder that builds…, at least one primitive creator configured to generate…, a compromise detector that receives” invokes 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph.
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.
Claim 12 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being incomplete for omitting essential elements, such omission amounting to a gap between the elements.  See MPEP § 2172.01.  The omitted element is in the final step, which is presumed to read: “and creating a corresponding primitive for each extracted feature corresponding to a staged primitive that meets a prescribed client frequency threshold in comparison to the historical information in the corresponding created primitive”, if this is what applicant intends; otherwise, applicant must indicate the intended element.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-17 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al. (US 20170063905), hereafter Mud, in view of Jones et al. (US 20200314122), hereafter Jon.
Claim 1: Mud teaches a system for identifying attack patterns or suspicious activity in computer networks relating to a plurality of clients, comprising: a normalizer configured to receive raw data from the computer networks and normalize the raw data into one or more structured data sets; ([0274] complex event processing (CEP) engine receives the event feature set that includes at least a subset of the raw event data... transformed, summarized, and/or normalized representation of portions of the raw event data);
a profile builder that builds one or more baseline activity profiles for each client of the plurality of clients or entities associated therewith using the one or more structured data sets; ([0182-183, Fig. 6] the security platform determines behavior baselines of various entities that are part of, or that interact with, a network, such as users and devices, the security platform generates a baseline profile for access activities of user, based on event data indicative of network activities of user);
at least one primitive creator configured to generate primitives that are possibly indicative or suggestive of attack patterns or suspicious activity in the computer networks, ([0205] the format detector performs pattern matching for all known formats to determine the most likely format of a particular event data, embeds regular expression rules and/or statistical rules (i.e., primitives) in performing the format detection and employs a number of heuristics that uses a hierarchical way to perform pattern matching on complex data format);
and a compromise detector that receives primitives from the at least one primitive creator, wherein the compromise detector organizes the received primitives into groups according to prescribed grouping information and identifies combinations or sequences of primitives in the groups, and for each identified combination or sequence of primitives that meets one or more selected criteria, the compromise detector generates a compromise event to be provided to affected clients. ([0663]  two different groups can be of different classes of traffic. The traffic classification module forms the group based on various criteria. The traffic classification module forms a group by grouping the connection requests in the outgoing traffic log that are closer to each other in time. [0673-678] a beacon type includes a group or a number of similar groups that are identified as likely to be anomalous. A beacon type stores beacon parameters such as destination IP address(es) of connection requests in a group, destination port(s), the type of connection request; In determining whether the group to which the beacon data corresponds is anomalous, the anomaly detection module compares the beacon data with the beacon types to determine if the beacon data matches with any of the beacon types. If the beacon data matches with any of the beacon types, e.g., beacon type C, the anomaly detection module adds the beacon data to the beacon type C. The anomaly detection module determines if the group represents an anomaly as a function of a frequency of the occurrence of the groups in the beacon type C and [0544] the security platform provides for the administrator to receive alert).
Mud is silent on wherein the at least one primitive creator extracts features from the one or more data sets, and creates primitives for each extracted feature that are found to occur below a selected frequency threshold based on information in the one or more baseline activity profiles;
But analogous art Jon teaches wherein the at least one primitive creator extracts features from the one or more data sets, and creates primitives for each extracted feature that are found to occur below a selected frequency threshold based on information in the one or more baseline activity profiles; ([032] this classifier analyzes a character string of a URL and/or features extracted from the character string to classify the URL as either likely legitimate or possibly malicious, and [054] if the URL classification platform identifies that the URL has a low popularity score (below a predetermined threshold), then the URL is classified as malicious and/or the feature is indicative of the URL being malicious, the popularity score(s) is/are an indication of whether the URL corresponds to a malicious site or a legitimate site and a feature used by a classifier in determining whether the URL corresponds to a malicious site or a legitimate site in combination with one or more other features).
Therefore, it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Mud to include the feature extraction and primitive creation taught by Jon, so that the URL classification platform captures common redirects, and thus the redirection chain of the one or more URLs, more quickly and/or more efficiently than substitute methods (057).
Claim 2: the combination of Mud and Jon teaches the system of claim 1, wherein the profile builder populates entity profiles for each entity associated with the clients with historical information related to the extracted features, and the profile builder populates the client profiles for each of the clients with historical information related to the extracted features. (Mud: [0150-153] historical and third party data are used as inputs, but the majority of the data used for evaluation in the real-time processing path still pertains to contemporaneous incoming event data, to uncover more subtle anomalies and threats than the real-time processing path can uncover because of the real-time processing path's response time constraints; [0526] a profiling window of successive predictions can be used to build the baseline prediction profile for a specific entity, to learn how many unusual events per window for the specific entity is considered normal).
Claim 3: the combination of Mud and Jon teaches the system of claim 2, wherein the at least one primitive creator compares the extracted features to the historical information in a corresponding entity profile, and if the extracted features in comparison to the historical information in the entity profile meet a prescribed entity frequency threshold, the at least one primitive creator establishes a staged primitive to be investigated further for each identified primitive feature meeting the prescribed entity frequency threshold, and wherein the at least one primitive creator further compares the extracted features corresponding to each staged primitive to the historical information in a corresponding client profile, and if the identified primitives features corresponding to a staged primitive in comparison to the historical information in the client profile meet a prescribed client frequency threshold, the at least one primitive creator creates a corresponding primitive to be provided to the compromise detector. (Mud: [0176, 182] analysis module takes into account the historical event data stored in databases and then compares activities of those entities to their behavior baselines to determine whether the activities are anomalous, or even rise to the level of threat. The behavior baselines can be adaptively varied by the platform as new data are received; [0186] anomalies and threats are detected by comparing incoming event data against the baseline profile for an entity to which the event data relates; if the variation is more than insignificant, the threshold for which may be dynamically or statically defined, an anomaly may be considered to be detected; [0204] output of the job processing cluster is received back into the security platform for further analysis; [0673-678] a beacon type includes a group or a number of similar groups that are identified as likely to be anomalous. A beacon type stores beacon parameters such as destination IP address(es) of connection requests in a group, destination port(s), the type of connection request; In determining whether the group to which the beacon data corresponds is anomalous, the anomaly detection module compares the beacon data with the beacon types to determine if the beacon data matches with any of the beacon types. If the beacon data matches with any of the beacon types, e.g., beacon type C, the anomaly detection module adds the beacon data to the beacon type C. The anomaly detection module determines if the group represents an anomaly as a function of a frequency of the occurrence of the groups in the beacon type C; and [0544] the security platform provides for the administrator to receive alerts).
Claim 4: the combination of Mud and Jon teaches the system of claim 1, further comprising at least one additional primitive creator that creates primitives independent of historical client or entity information. (Mud: [0205] the format detector performs pattern matching for all known formats to determine the most likely format of a particular event data, embeds regular expression rules and/or statistical rules (i.e., primitives) in performing the format detection and employs a number of heuristics that uses a hierarchical way to perform pattern matching on complex data format).
Claim 5: the combination of Mud and Jon teaches the system of claim 4, wherein the at least one additional primitive creator includes an indicator of compromise primitive creator, a business email compromise primitive creator, a cloud account hijacking primitive creator, or combinations thereof. (Mud: [0443] network activities include log-ins, email traffic, internet browsing, or file transfers on a network operated by a corporation, university, household, or other organization. Event data comprises timestamped machine data related to network activity by various entities, including users, devices, and applications).
Claim 6: the combination of Mud and Jon teaches the system of claim 1, wherein the compromise detector groups the primitives received from the at least one primitive creator in session windows that are open for a prescribed time period. (Mud: [0259] sessionization is created by using the same or similar data structure as that used for correlating users with devices in identity resolution... With the identity resolution and the device resolution techniques, all data events resolved to the user within the time window of an active session are associated with the session).
Claim 7: the combination of Mud and Jon teaches the system of claim 1, wherein if the primitives received from the at least one primitive creator include a number of primitives that exceeds a prescribed number, match a specific combination or sequence of primitives that relate to known attack patterns or suspicious activities, are likely to correspond to one or more attack patterns or suspicious activities according to a prescribed probability, or combinations thereof, the compromise detector generates the event. (Mud: [0673-678] a beacon type includes a group or a number of similar groups that are identified as likely to be anomalous. In determining whether the group to which the beacon data corresponds is anomalous, the anomaly detection module compares the beacon data with the beacon types to determine if the beacon data matches with any of the beacon types. If the frequency of the groups satisfies a periodicity criterion, if an average timing between the occurrences of the groups satisfies a specified timing threshold, and the groups occur at least a first threshold number of times, the anomaly detection module determines the group to which the beacon data corresponds and the other groups of the beacon type with which the beacon data matches as anomalous; [0701] after determining the probability of the particular value relative to the other values, the technique may compute a confidence interval of that probability to obtain the rarity score).
Claim 8: the combination of Mud and Jon teaches the system of claim 1, further comprising a client value machine learning system that receives client feedback information as one or more inputs, and generates one or more outputs that are provided to the compromise detector to facilitate suppression of events below a certain probability threshold. (Mud: [0319] the model deliberation process thread generates a user interface element to accept feedback from a user to confirm or reject the security-related conclusion. The model execution engine provides the feedback to a model training process thread to update the model state used to configure the model deliberation process thread; [0151] the decisions by the user (that the anomalies and threats are correctly diagnosed, or that the discovered anomalies and threats are false positives) are then provided as feedback data in order to update and improve the models).
Claim 9: the combination of Mud and Jon teaches the system of claim 1, wherein the raw data includes unstructured logs aggregated from the computer networks and wherein the normalizer normalizes the unstructured logs into the structured data sets, each having a prescribed schema. (Mud: [0248] binding is a process in which unstructured data is processed and transformed into structured data and [0274] the event feature set includes at least a subset of the raw event data... transformed, summarized, and/or normalized representation of portions of the raw event data).
Claim 10: Mud teaches a method for identifying attack patterns or suspicious activity in computer networks relating to a plurality of clients, comprising: receiving data from the computer networks; building one or more baseline activity profiles for each client of the plurality of clients or entities associated therewith; organizing the primitives into groups according to prescribed grouping information, identifying combinations or sequences of primitives in the groups; generating an event for each identified combination or sequence of primitives that meets one or more selected threshold criteria; and notifying affected clients of each generated event to indicate an identified attack pattern or suspicious activity and facilitate investigation or remediation thereof. ([0274] complex event processing (CEP) engine receives the event feature set that includes at least a subset of the raw event data... transformed, summarized, and/or normalized representation of portions of the raw event data; [0182-183, Fig. 6] the security platform determines behavior baselines of various entities that are part of, or that interact with, a network, such as users and devices, the security platform generates a baseline profile for access activities of user, based on event data indicative of network activities of user; [0205] the format detector performs pattern matching for all known formats to determine the most likely format of a particular event data, embeds regular expression rules and/or statistical rules (i.e., primitives) in performing the format detection and employs a number of heuristics that uses a hierarchical way to perform pattern matching on complex data format; [0663] two different groups can be of different classes of traffic. The traffic classification module forms the group based on various criteria. The traffic classification module forms a group by grouping the connection requests in the outgoing traffic log that are closer to each other in time. [0673-678] a beacon type includes a group or a number of similar groups that are identified as likely to be anomalous. A beacon type stores beacon parameters such as destination IP address(es) of connection requests in a group, destination port(s), the type of connection request; In determining whether the group to which the beacon data corresponds is anomalous, the anomaly detection module compares the beacon data with the beacon types to determine if the beacon data matches with any of the beacon types. If the beacon data matches with any of the beacon types, e.g., beacon type C, the anomaly detection module adds the beacon data to the beacon type C. The anomaly detection module determines if the group represents an anomaly as a function of a frequency of the occurrence of the groups in the beacon type C; and [0544] the security platform provides for the administrator to receive alerts).
Mud is silent on extracting features from the received data for comparison with information in the one or more baseline activity profiles, creating primitives that are possibly indicative or suggestive of attack patterns or suspicious activity in the computer networks for features that occur below a selected frequency threshold based on information in the one or more baseline activity profiles;
But analogous art Jon teaches extracting features from the received data for comparison with information in the one or more baseline activity profiles, creating primitives that are possibly indicative or suggestive of attack patterns or suspicious activity in the computer networks for features that occur below a selected frequency threshold based on information in the one or more baseline activity profiles;  ([032] this classifier analyzes a character string of a URL and/or features extracted from the character string to classify the URL as either likely legitimate or possibly malicious, and [054] if the URL classification platform identifies that the URL has a low popularity score (below a predetermined threshold), then the URL is classified as malicious and/or the feature is indicative of the URL being malicious, the popularity score(s) is/are an indication of whether the URL corresponds to a malicious site or a legitimate site and a feature used by a classifier in determining whether the URL corresponds to a malicious site or a legitimate site in combination with one or more other features).
Therefore, it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Mud to include the feature extraction and primitive creation taught by Jon, so that the URL classification platform captures common redirects, and thus the redirection chain of the one or more URLs, more quickly and/or more efficiently than substitute methods (057).
Claim 11: the combination of Mud and Jon teaches the method of claim 10, further comprising: populating entity profiles for each entity associated with the clients with information related to the extracted features, and populating client profiles for each of the clients with information related to the extracted features. (Mud: [0150-153] historical and third party data are used as inputs, but the majority of the data used for evaluation in the real-time processing path still pertains to contemporaneous incoming event data, to uncover more subtle anomalies and threats than the real-time processing path can uncover because of the real-time processing path's response time constraints; [0526] a profiling window of successive predictions can be used to build the baseline prediction profile for a specific entity, to learn how many unusual events per window for the specific entity is considered normal).
Claim 12: the combination of Mud and Jon teaches the method of claim 11, further comprising: comparing the extracted features to the historical information in a corresponding entity profile; establishing a staged primitive to be investigated further for each extracted feature meeting a prescribed entity frequency threshold in comparison to the historical information in the entity profile; comparing the extracted features corresponding to each staged primitive to the historical information in a corresponding client profile; and creating a corresponding primitive for each extracted feature corresponding to a staged primitive that meets a prescribed client frequency threshold in comparison to the historical information in the corresponding. (Mud: [0176, 182] analysis module takes into account the historical event data stored in databases and then comparing activities of those entities to their behavior baselines to determine whether the activities are anomalous, or even rise to the level of threat. The behavior baselines can be adaptively varied by the platform as new data are received, [0186] anomalies and threats are detected by comparing incoming event data against the baseline profile for an entity to which the event data relates, if the variation is more than insignificant, the threshold for which may be dynamically or statically defined, an anomaly may be considered to be detected, [0204] output of the job processing cluster is received back into the security platform for further analysis; [0673-678] a beacon type includes a group or a number of similar groups that are identified as likely to be anomalous. 
A beacon type stores beacon parameters such as the destination IP address(es) of the connection requests in a group, destination port(s), and the type of connection request. In determining whether the group to which the beacon data corresponds is anomalous, the anomaly detection module compares the beacon data with the beacon types to determine if the beacon data matches any of the beacon types. If the beacon data matches any of the beacon types, e.g., beacon type C, the anomaly detection module adds the beacon data to beacon type C. The anomaly detection module determines if the group represents an anomaly as a function of the frequency of occurrence of the groups in beacon type C; and [0544] the security platform provides for the administrator to receive alerts).
Claim 13: the combination of Mud and Jon teaches the method of claim 11, further comprising creating additional primitives independent of historical client or entity information. (Mud: [0205] the format detector performs pattern matching for all known formats to determine the most likely format of a particular event data, embeds regular expression rules and/or statistical rules (i.e., primitives) in performing the format detection and employs a number of heuristics that uses a hierarchical way to perform pattern matching on complex data format).
Claim 14: the combination of Mud and Jon teaches the method of claim 11, further comprising grouping the received primitives into session windows. (Mud: [0259] sessionization is created by using the same or similar data structure as that used for correlating users with devices in identity resolution... With the identity resolution and the device resolution techniques, all data events resolved to the user within the time window of an active session are associated with the session).
Claim 15: the combination of Mud and Jon teaches the method of claim 11, further comprising generating events if the received primitives in the session windows include a number of primitives that exceed a prescribed number, match a specific combination or sequence of primitives that relate to known attack patterns or suspicious activities, or are likely to correspond to one or more attack patterns or suspicious activities according to a prescribed probability. (Mud: [0673-678] a beacon type includes a group or a number of similar groups that are identified as likely to be anomalous. In determining whether the group to which the beacon data corresponds is anomalous, the anomaly detection module compares the beacon data with the beacon types to determine if the beacon data matches any of the beacon types. If the frequency of the groups satisfies a periodicity criterion, if the average timing between the occurrences of the groups satisfies a specified timing threshold, and if the groups occur at least a first threshold number of times, the anomaly detection module determines the group to which the beacon data corresponds and the other groups of the beacon type with which the beacon data matches as anomalous; [0701] after determining the probability of the particular value relative to the other values, the technique may compute a confidence interval of that probability to obtain the rarity score).
Claim 16: the combination of Mud and Jon teaches the method of claim 11, further comprising: aggregating unstructured logs from networks managed by the plurality of clients, and normalizing the unstructured logs into normalized logs having a prescribed schema. (Mud: [0248] binding is a process in which unstructured data is processed and transformed into structured data and [0274] the event feature set includes at least a subset of the raw event data... transformed, summarized, and/or normalized representation of portions of the raw event data).
Claim 17: Mud teaches a system for identifying attack patterns or suspicious activity on computer networks related to a plurality of clients, comprising: one or more processors and at least one memory having stored therein instructions that when executed by the one or more processors, cause the system to: receive data from the computer networks; build one or more baseline activity profiles for each client of the plurality of clients or entities associated therewith; organize the primitives into groups according to prescribed grouping information, identifying combinations or sequences of primitives in the groups; generate an event for each identified combination or sequence of primitives that meets one or more selected threshold criteria; and notify affected clients of each generated event to indicate an identified attack pattern or suspicious activity and facilitate investigation or remediation thereof. ([0274] the complex event processing (CEP) engine receives the event feature set, which includes at least a subset of the raw event data... transformed, summarized, and/or normalized representation of portions of the raw event data; [0182-183, Fig. 6] the security platform determines behavior baselines of various entities that are part of, or that interact with, a network, such as users and devices; the security platform generates a baseline profile for the access activities of a user based on event data indicative of the network activities of the user; [0205] the format detector performs pattern matching for all known formats to determine the most likely format of a particular event data, embeds regular expression rules and/or statistical rules (i.e., primitives) in performing the format detection, and employs a number of heuristics that use a hierarchical way to perform pattern matching on complex data formats; [0663] two different groups can be of different classes of traffic. The traffic classification module forms the group based on various criteria.
The traffic classification module forms a group by grouping the connection requests in the outgoing traffic log that are closer to each other in time. [0673-678] a beacon type includes a group or a number of similar groups that are identified as likely to be anomalous. A beacon type stores beacon parameters such as the destination IP address(es) of the connection requests in a group, destination port(s), and the type of connection request. In determining whether the group to which the beacon data corresponds is anomalous, the anomaly detection module compares the beacon data with the beacon types to determine if the beacon data matches any of the beacon types. If the beacon data matches any of the beacon types, e.g., beacon type C, the anomaly detection module adds the beacon data to beacon type C. The anomaly detection module determines if the group represents an anomaly as a function of the frequency of occurrence of the groups in beacon type C; and [0544] the security platform provides for the administrator to receive alerts).
Mud is silent on the limitations: extract features from the one or more data sets for comparison with information in the one or more baseline activity profiles; create primitives that are possibly indicative or suggestive of attack patterns or suspicious activity in the computer networks for features that occur below a selected frequency threshold based on information in the one or more baseline activity profiles.
But the analogous art Jon teaches these limitations: extract features from the one or more data sets for comparison with information in the one or more baseline activity profiles; create primitives that are possibly indicative or suggestive of attack patterns or suspicious activity in the computer networks for features that occur below a selected frequency threshold based on information in the one or more baseline activity profiles. ([032] this classifier analyzes a character string of a URL and/or features extracted from the character string to classify the URL as either likely legitimate or possibly malicious; and [054] if the URL classification platform identifies that the URL has a low popularity score (below a predetermined threshold), then the URL is classified as malicious and/or the feature is indicative of the URL being malicious; the popularity score(s) is/are an indication of whether the URL corresponds to a malicious site or a legitimate site, and a feature used by a classifier in determining whether the URL corresponds to a malicious site or a legitimate site in combination with one or more other features).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Mud to include the idea of feature extraction and primitive creation as taught by Jon, so that the URL classification platform captures common redirects and thus captures the redirection chain of the one or more URLs corresponding to the redirection chain relatively more quickly and/or more efficiently than other substitute methods ([057]).
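The beacon-type anomaly logic cited from Mud above (Claims 12, 15 and 17: group outgoing connection requests that are close in time, collect groups sharing destination IP/port into a beacon type, and flag the type when the groups recur periodically, at a short enough average interval, and at least a threshold number of times) can be illustrated in code. The example below is added for this action and is not code from Mud, Jon or the applicant; the log format, the field names, the gap and threshold values, and the sample log lines are all constructed assumptions.

```python
"""Beacon-type periodicity check over a constructed outgoing-traffic log.

Added illustration only: not Mud's, Jon's or the applicant's code. The
log layout (timestamp, source host, destination IP, destination port),
the thresholds and the sample lines are assumptions made for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. host-a contacts 203.0.113.10:443 about once a
# minute (beacon-like); host-b contacts 198.51.100.7:443 in short bursts
# at irregular, human-driven times.
SAMPLE_LOG = """\
2024-01-01T10:00:00 host-a 203.0.113.10 443
2024-01-01T10:01:01 host-a 203.0.113.10 443
2024-01-01T10:02:00 host-a 203.0.113.10 443
2024-01-01T10:03:02 host-a 203.0.113.10 443
2024-01-01T10:03:59 host-a 203.0.113.10 443
2024-01-01T10:05:00 host-a 203.0.113.10 443
2024-01-01T10:00:12 host-b 198.51.100.7 443
2024-01-01T10:00:13 host-b 198.51.100.7 443
2024-01-01T10:00:15 host-b 198.51.100.7 443
2024-01-01T10:07:15 host-b 198.51.100.7 443
2024-01-01T10:07:16 host-b 198.51.100.7 443
2024-01-01T10:21:03 host-b 198.51.100.7 443
2024-01-01T10:22:30 host-b 198.51.100.7 443
2024-01-01T10:55:00 host-b 198.51.100.7 443
2024-01-01T10:55:02 host-b 198.51.100.7 443
"""


def parse_log(text):
    """Yield (epoch_seconds, src, dst_ip, dst_port) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_ip, dst_port = line.split()
        yield datetime.fromisoformat(ts).timestamp(), src, dst_ip, int(dst_port)


def form_groups(records, max_gap=5.0):
    """Cluster requests with the same beacon parameters (src, dst_ip, dst_port)
    into groups of requests that are close in time; return the start time of
    each group per beacon type."""
    by_type = defaultdict(list)
    for ts, src, dst_ip, dst_port in records:
        by_type[(src, dst_ip, dst_port)].append(ts)
    group_starts = {}
    for key, stamps in by_type.items():
        stamps.sort()
        starts, start, last = [], stamps[0], stamps[0]
        for ts in stamps[1:]:
            if ts - last > max_gap:      # gap too large: a new group begins
                starts.append(start)
                start = ts
            last = ts
        starts.append(start)
        group_starts[key] = starts
    return group_starts


def evaluate_beacon_type(starts, min_occurrences=5, max_mean_interval=300.0, max_cv=0.2):
    """Apply the three criteria: enough groups, short enough average spacing,
    and regular spacing (coefficient of variation of the intervals)."""
    intervals = [b - a for a, b in zip(starts, starts[1:])]
    result = {"occurrences": len(starts), "anomalous": False}
    if len(starts) < min_occurrences or not intervals:
        return result
    avg = mean(intervals)
    cv = pstdev(intervals) / avg if avg > 0 else float("inf")
    result.update(mean_interval=round(avg, 1), cv=round(cv, 3))
    result["anomalous"] = avg <= max_mean_interval and cv <= max_cv
    return result


def detect_beacons(log_text, **thresholds):
    """Return {beacon_type_key: metrics} for every beacon type in the log."""
    groups = form_groups(parse_log(log_text))
    return {key: evaluate_beacon_type(starts, **thresholds) for key, starts in groups.items()}


if __name__ == "__main__":
    for key, metrics in detect_beacons(SAMPLE_LOG).items():
        flag = "ALERT" if metrics["anomalous"] else "ok   "
        print(flag, key, metrics)
```

In the constructed sample the host-a type yields six single-request groups spaced about 60 s apart with a low coefficient of variation, so it is flagged; the host-b type also reaches the occurrence threshold (five groups, because the burst requests collapse into one group each), but its group spacing is irregular and long, so it is not. Tuning the gap and the three thresholds to the environment is what separates real beaconing from chatty but benign clients.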

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri Champakesan whose telephone number is (571) 270-3867. The examiner can normally be reached M-F: 8:30am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jorge L. Ortiz-Criado, can be reached at 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BADRINARAYANAN/ Primary Examiner, Art Unit 2496