DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status
Claims 1-7, 10-16, and 19 are allowed in this Office action.

Examiner’s Amendment
An Examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to the Applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this instant Examiner’s amendment was given in a telephonic communication (see attached Interview Summary) from Applicant’s representative Ms. Robyn Wagner on July 14, 2022.
The claims are amended as presented below and will replace all previous version(s):
Claim 1. (Currently Amended) A system, comprising: 
a hardware processor configured to: 
receive, from a client device, a cardinality query associated with at least one of a session dimension or a device attribute identifiable from the cardinality query requesting a count of unique data values for a specific attribute for a defined time interval; 
use the received query to generate and transmit to a data store a plurality of non-overlapping queries, wherein irrelevant time attributes and a horizontal data compression engine removing one or more irrelevant non-time attributes; 
receive a plurality of responses from the data store based on the compressed session records; 
aggregate results from the plurality of responses; and 
return the aggregated results to the client device; and 
a memory coupled to the hardware processor and configured to provide the processor with instructions.  
Claim 2. (Previously Presented) The system of claim 1, wherein the specific attribute is destination IP.  
Claim 3. (Previously Presented) The system of claim 1, wherein the specific attribute is a country.  
Claim 4. (Previously Presented) The system of claim 1, wherein the specific attribute is a maliciousness flag.  
Claim 5. (Currently Amended) The system of claim 1, wherein the cardinality query is received from a configured dashboard associated with the client device.  
Claim 6. (Currently Amended) The system of claim 1, wherein the cardinality query is received from a configured alert associated with the client device.
Claim 7. (Currently Amended) The system of claim 1, wherein the cardinality query is received from an administrator associated with the client device in real time.
Claims 8-9. (Canceled)
Claim 10. (Currently Amended) A method, comprising: 
receiving, from a client device, a cardinality query associated with at least one of a session dimension or a device attribute identifiable from the cardinality query requesting a count of unique data values for a specific attribute for a defined time interval; 
using the received query to generate and transmit to a data store a plurality of non-overlapping queries, wherein irrelevant time attributes and a horizontal data compression engine removing one or more irrelevant non-time attributes; 
receiving a plurality of responses from the data store based on the compressed session records; 
aggregating results from the plurality of responses; and 
returning the aggregated results to the client device.  
Claim 11. (Previously Presented) The method of claim 10, wherein the specific attribute is destination IP.  
Claim 12. (Previously Presented) The method of claim 10, wherein the specific attribute is a country.  
Claim 13. (Previously Presented) The method of claim 10, wherein the specific attribute is a maliciousness flag.  
Claim 14. (Currently Amended) The method of claim 10, wherein the cardinality query is received from a configured dashboard associated with the client device.  
Claim 15. (Currently Amended) The method of claim 10, wherein the cardinality query is received from a configured alert associated with the client device.
Claim 16. (Currently Amended) The method of claim 10, wherein the cardinality query is received from an administrator associated with the client device in real time.  
Claims 17-18. (Canceled)  
Claim 19. (Currently Amended) A computer program product embodied in a non-transitory computer readable storage medium and comprising computer instructions for: 
receiving, from a client device, a cardinality query associated with at least one of a session dimension or a device attribute identifiable from the cardinality query requesting a count of unique data values for a specific attribute for a defined time interval; 
using the received query to generate and transmit to a data store a plurality of non-overlapping queries, wherein irrelevant time attributes and a horizontal data compression engine removing one or more irrelevant non-time attributes;
receiving a plurality of responses from the data store based on the compressed session records; 
aggregating results from the plurality of responses; and 
returning the aggregated results to the client device.  
Summary of Related Prior Arts
The following prior art references are deemed relevant to the claims:
Rahut et al. (Pat. No. US 9,047,246) teaches a high availability scheduler of tasks in a cluster of server devices. A server device of the cluster of server devices enters a leader state based upon the results of a consensus election process in which the server device participates with others of the cluster of server devices. Upon entering the leader state, the server device schedules one or more tasks by assigning each of the one or more tasks to a server device in the cluster.
Nisbet et al. (Pub. No. US 2019/0268355) teaches cardinality-based activity pattern detection. Events on a computing system are monitored to detect patterns matching defined activity patterns. A cardinality-based activity pattern query is executed over data representing detected activity patterns to identify multiple, distinct defined activity patterns that have occurred during a particular time period.
Tsironis (Pub. No. US 2018/0316727) teaches receiving first user input defining a filter of an anomaly action rule, the filter defining at least one of an attribute of an anomaly or an attribute of a computer network entity; and receiving second user input defining an action of the anomaly action rule. The anomaly action rule is generated based on the first user input and the second user input, wherein the anomaly action rule causes performance of the action upon detecting an anomaly on the computer network that satisfies the anomaly action rule.
Bush (Pub. No. US 2007/0280233) teaches sending a message through a network of nodes comprising network coding the message using encoding vectors to generate network coded packets; compressing the encoding vectors used for the network coding; including the compressed encoding vectors within the network coded packets; and sending the network coded packets from a sender through the network of nodes.
Jin et al. (Pat. No. US 11,055,405) teaches receiving, at a computing device, an event log including a plurality of events, where the plurality of events are derived from machine data generated by components of an information technology environment; determining a first score associated with a first granularity level by comparing a first event from the event log with a first plurality of frequent patterns generated for the first granularity level; determining an aggregate score for the first event based on the first score and the second score; comparing the aggregate score for the first event with an anomaly score threshold; and issuing an alert identifying the first event as an anomaly based on the aggregate score exceeding the anomaly score threshold.
Foo et al. (Pub. No. US 2020/0042712) teaches an agent which interacts with the vulnerability database can perform a scan of a software project to identify open-source components used in the project and submit queries to the vulnerability database to identify vulnerabilities which may affect the open-source components in the project. Results of the scan are presented to a user in the form of a vulnerability report which indicates vulnerabilities that have been discovered and which open-source components the vulnerabilities affect.
Larson et al. (Pub. No. US 2008/0306903) teaches facilitating and effectuating estimating the result of performing a data analysis operation on a set of data. Employing an approximation of the data analysis operation on a statistically valid random sample view of the data allows for a statistically accurate estimate of the result to be obtained. Sequential sampling in the view enables the approximated operation to evaluate accuracy conditions at intervals during the scan of the sample view and obtain the estimated result without having to scan the entire sample view.

Reasons for Allowance
The following is an examiner's statement of reasons for allowance of Claims 1-7, 10-16, and 19:
In interpreting the claims filed on 28 March 2022, in view of the updated search / examination, in light of the interview dated 14 July 2022, and the available prior art, the Examiner finds the claimed invention to be patentably distinct from the prior art of records. Specifically, the prior art of records, individually or in combination, fail to explicitly teach, suggest or render obvious the claimed invention as recited in independent claims 1, 10, and 19.
Other dependent claims are also allowed based on their dependencies on claims 1, 10, and 19.
Any comments considered necessary by the Applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”




Contact Information
Any inquiry concerning this communication or earlier communications from the Examiner should be directed to Son Hoang whose telephone number is (571) 270-1752. The Examiner can normally be reached on Monday – Friday (7:00 AM – 4:00 PM).
If attempts to reach the Examiner by telephone are unsuccessful, the Examiner’s supervisor, Usmaan Saeed can be reached on (571) 272-4046. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SON T HOANG/
Primary Examiner, Art Unit 2169
July 14, 2022