DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

This communication is in response to Application filed on February 2, 2021. Claims 1-20 are pending. 

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 4/1/2021 is being considered by the examiner.

Claim Objections
Claim 5 is objected to because of the following informalities:  a typo error in the term ‘keystoke logging component’ which should read ‘keystroke logging component’.  Appropriate correction is required.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: intrusion detection component, audit component, system log component, logging component, secure login component, keystroke component, kernel security component, in claims 1, 4, 5, 6, 7, 8, and 10.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. 	
Claim 1 recites an intrusion detection component configured to monitor and detect attempted circumvention of security protocols associated with the security control server; an audit component configured to: generate one or more system calls responsive to user interaction with the security control server; and generate one or more action logs indicative of the user interaction responsive to generation of the one or more system calls; a system log component configured to generate one or more system logs indicative of system-level activity associated with the security control server; and a logging component configured to receive and store the one or more action logs and the one or more system logs, wherein the logging component prohibits modification of the stored logs.
The limitations of an intrusion detection component that monitors and detects attempted circumvention of security protocols, an audit component that generates one or more system calls responsive to user interaction with the security control server and generates one or more action logs indicative of the user interaction responsive to generation of the one or more system calls, a system log component that generates one or more system logs indicative of system-level activity, as drafted, are processes that, under their broadest reasonable interpretation, covers performance of the limitations in the mind but for the recitation of generic computer components. That is, other than reciting a “security control server”, nothing in the claim limitations precludes the steps from practically being performed in the mind. Furthermore, the recitation of 'an intrusion detection component', ‘an audit component’, and ‘a system log component’ as performing these steps are interpreted under 35 USC 112(f) and their structure is described in the instant specification as ' intrusion detection component 512' [para 71], ‘audit component 516’ and ‘system log component 514’ [para 72, Fig 5], which are software programs stored on computer readable medium and configured for execution on computing devices [para 91, computer system 600, Fig 6] by processor 604 [Fig 6]. Similarly, the recitation of software functions being realized by a computer processor is merely recitation of generic computer components. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claims recite an abstract idea. 
This judicial exception is not integrated into a practical application. In particular, the claim recites the additional elements of using ‘a logging component’ to receive and store the one or more action logs and the one or more system logs, wherein the logging component prohibits modifications of the stored logs. 
The receiving and storing step is recited at a high level of generality (i.e. as a general means of receiving and storing log information) and amounts to mere data gathering, which is a form of insignificant extra-solution activity. Furthermore, the receiving and storing step is recited as being performed by 'a logging component' and is interpreted under 35 USC 112(f) and its structure is described in the instant specification as 'tamper-proof database 404' [para 69] which is data storage structure [para 114] and is merely recitation of generic computer components. 
The combination of this additional element is no more than mere instructions to apply the exception using a generic computer component (i.e. the ‘logging component’). Accordingly, even in combination, this additional element does not integrate the abstract idea into a practical application because it does not impose meaningful limits on practicing the abstract idea.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the ‘logging component’ interpreted as 'tamper-proof database 404' are described in the specification as nothing but a generic data storage structure which performs the receiving and storing step. Furthermore, this function is similar to those found by the courts to be well‐understood, routine, and conventional when they are claimed in a merely generic manner (e.g., at a high level of generality) or as insignificant extra- solution activity, namely Versata Dev. Group, Inc. v. SAP Am. (storing and retrieving information in memory). As such, the receiving and storing step is well understood, routine and conventional activity performed by generic computer components. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The claim is not patent eligible.

Claim 2 depends from claim 1 and thus includes all the limitations of claim 1, therefore claim 2 recites the same abstract idea of "mental process". Claim 2 furthermore recites that the logging component is an immutable datastore that stores data according to an append-only protocol, which is considered insignificant extra solution activity similar to Versata Dev. Group, Inc. v. SAP Am. (storing and retrieving information in memory). It therefore does not amount to significantly more than the judicial exception. Claim 2 is therefore not patent eligible.
Claim 3 depends from claim 1 and thus includes all the limitations of claim 1, therefore claim 3 recites the same abstract idea of "mental process". Claim 3 furthermore recites that the one or more action logs and the one or more system logs are redundantly stored at a log server that is distinct from the logging component, which is considered insignificant extra solution activity similar to Versata Dev. Group, Inc. v. SAP Am. (storing and retrieving information in memory). It therefore does not amount to significantly more than the judicial exception. Claim 3 is therefore not patent eligible.

Claim 4 depends from claim 1 and thus includes all the limitations of claim 1, therefore claim 4 recites the same abstract idea of "mental process". Claim 4 furthermore recites that the audit component is configured to generate the one or more system calls responsive to accessing a kernel of an application being hosted on the security control server., which is a mental step that can also be performed in the human mind and is considered insignificant extra solution activity. It therefore does not amount to significantly more than the judicial exception. Claim 4 is therefore not patent eligible.

Claim 5 depends from claim 1 and thus includes all the limitations of claim 1,
therefore claim 5 recites the same abstract idea of "mental process". Claim 5
furthermore recites that a front-end security component comprising: a secure login component configured to generate a first one or more front-end logs of activity relating to authenticating a user; and a keystroke logging component configured to generate a second one or more front-end logs indicative of keystrokes inputted by the user, which are mental step that can be performed in the human mind and is considered insignificant extra solution activity. The function of the ‘front-end security component ’, ‘secure login component', and ‘keystroke logging component’ interpreted under 35 USC 112(f) are described in the instant specification as being performed by ‘front-end security component  304‘, secure login component 304a', and ‘keystroke logging component 304c’ [para 67 of specification] and is merely recitation of generic computer components that perform the judicial exception. They therefore do not amount to significantly more than the judicial exception. Claim 5 is therefore not patent eligible.
Claim 6 depends from claim 5 and thus includes all the limitations of claim 5, therefore claim 6 recites the same abstract idea of "mental process". Claim 6 furthermore recites that the logging component is further configured to receive and store the first one or more front-end logs and the second one or more front-end logs, which is considered insignificant extra solution activity similar to Versata Dev. Group, Inc. v. SAP Am. (storing and retrieving information in memory). It therefore does not amount to significantly more than the judicial exception. Claim 6 is therefore not patent eligible.

Claim 7 depends from claim 1 and thus includes all the limitations of claim 1,
therefore claim 7 recites the same abstract idea of "mental process". Claim 7
furthermore recites a kernel security component configured to generate one or more logs indicative of potential conflicts relating to access restriction, which is a mental step that can be performed in the human mind and is considered insignificant extra solution activity. The function of the ‘a kernel security component ’ interpreted under 35 USC 112(f) is described in the instant specification as being performed by ‘a kernel security component  518‘ [para 73 of specification] and is merely recitation of generic computer components that perform the judicial exception. It therefore does not amount to significantly more than the judicial exception. Claim 7 is therefore not patent eligible.
Claim 8 depends from claim 1 and thus includes all the limitations of claim 1, therefore claim 8 recites the same abstract idea of "mental process". Claim 8 furthermore recites that the logging component is further configured to receive data chunks representative of at least one log;  and store the compressed data chunks in association with the one or more hash codes, which is considered insignificant extra solution activity similar to Versata Dev. Group, Inc. v. SAP Am. (storing and retrieving information in memory). Furthermore, the compressing of the data chunks and generation of one or more hash codes are mathematical calculations performed on the data and as such fall under ‘Mathematical concepts’ abstract grouping. It therefore does not amount to significantly more than the judicial exception. Claim 8 is therefore not patent eligible.

Claim 9 depends from claim 8 and thus includes all the limitations of claim 8, therefore claim 9 recites the same abstract idea of "mental process" and “mathematical concept”. Claim 9 furthermore recites that the logging component is a datastore, and wherein the one or more hash codes comprises one or more block addresses by which the stored compressed data chunks can be accessed in the datastore, which is considered insignificant extra solution activity similar to Versata Dev. Group, Inc. v. SAP Am. (storing and retrieving information in memory). It therefore does not amount to significantly more than the judicial exception. Claim 9 is therefore not patent eligible.
Claim 10 depends from claim 8 and thus includes all the limitations of claim 8, therefore claim 10 recites the same abstract idea of "mental process" and “mathematical concept”. Claim 10 furthermore recites that the system log component is configured to re-store the one or more hash codes, which is considered insignificant extra solution activity similar to Versata Dev. Group, Inc. v. SAP Am. (storing and retrieving information in memory). It therefore does not amount to significantly more than the judicial exception. Claim 10 is therefore not patent eligible.

Claim 11 recites monitoring for attempted circumvention of security protocols associated with a system; generating one or more system calls responsive to user interaction with the system; generating one or more action logs indicative of the user interaction responsive to generation of the one or more system calls; generating one or more system logs indicative of system-level activity associated with the system; receiving and storing the one or more action logs and the one or more system logs in a datastore that prohibits modification of the stored logs.
The limitations of monitoring for attempted circumvention of security protocols associated with a system; generating one or more system calls responsive to user interaction with the system; generating one or more action logs indicative of the user interaction responsive to generation of the one or more system calls; and generating one or more system logs indicative of system-level activity associated with the system, as drafted, are processes that, under their broadest reasonable interpretation, covers performance of the limitations in the mind but for the recitation of generic computer components. That is, other than reciting “system”, nothing in the claim limitations preclude the steps from practically being performed in the mind. For example, but for the “system” language, monitoring for attempted circumvention of security protocols, generating one or more system calls responsive to user interaction, generating one or more action logs indicative of the user interaction responsive to generation of the one or more system calls; and generating one or more system logs indicative of system-level activity, in the context of these claims encompasses the user visually monitoring for attempted security threats and mentally making note or writing down system call procedures or logs of events that are problematic. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claims recite an abstract idea. 
This judicial exception is not integrated into a practical application. In particular, the claims recite the additional step of receiving and storing the one or more action logs and the one or more system logs in a datastore that prohibits modifications of the stored logs. 
The receiving and storing step is recited at a high-level of generality (i.e., as a general means of receiving and storing log information) and amounts to mere data gathering, which is a form of insignificant extra-solution activity. Furthermore, this function is similar to those found by the courts to be well‐understood, routine, and conventional when they are claimed in a merely generic manner (e.g., at a high level of generality) or as insignificant extra- solution activity, namely Versata Dev. Group, Inc. v. SAP Am. (storing and retrieving information in memory). As such, the receiving and storing steps are well understood, routine and conventional activity performed by generic computer components. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The claim is not patent eligible.

Claim 12 depends from claim 11 and thus includes all the limitations of claim 11, therefore claim 12 recites the same abstract idea of "mental process". Claim 12 furthermore recites that the datastore is an immutable datastore that stores data according to an append-only protocol, which is considered insignificant extra solution activity similar to Versata Dev. Group, Inc. v. SAP Am. (storing and retrieving information in memory). It therefore does not amount to significantly more than the judicial exception. Claim 12 is therefore not patent eligible.
Claim 13 depends from claim 11 and thus includes all the limitations of claim 11, therefore claim 13 recites the same abstract idea of "mental process". Claim 13 furthermore recites that the one or more action logs and the one or more system logs are redundantly stored at a log server that is distinct from the datastore, which is considered insignificant extra solution activity similar to Versata Dev. Group, Inc. v. SAP Am. (storing and retrieving information in memory). It therefore does not amount to significantly more than the judicial exception. Claim 13 is therefore not patent eligible.

Claim 14 depends from claim 11 and thus includes all the limitations of claim 11, therefore claim 14 recites the same abstract idea of "mental process". Claim 14 furthermore recites detecting access of a kernel of an application being hosted , wherein the one or more system logs are generated responsive to the detection, which is a mental step that can also be performed in the human mind and is considered insignificant extra solution activity. It therefore does not amount to significantly more than the judicial exception. Claim 14 is therefore not patent eligible.

Claim 15 depends from claim 11 and thus includes all the limitations of claim 11,
therefore claim 15 recites the same abstract idea of "mental process". Claim 15
furthermore recites generating a first one or more front-end logs of activity relating to authenticating a user; and generating a second one or more front-end logs indicative of keystrokes inputted by the user, which are mental steps that can be performed in the human mind and is considered insignificant extra solution activity. They therefore do not amount to significantly more than the judicial exception. Claim 15 is therefore not patent eligible.
Claim 16 depends from claim 15 and thus includes all the limitations of claim 15, therefore claim 16 recites the same abstract idea of "mental process". Claim 16 furthermore recites receiving and storing the first one or more front-end logs and the second one or more front-end logs on the data store, which is considered insignificant extra solution activity similar to Versata Dev. Group, Inc. v. SAP Am. (storing and retrieving information in memory). It therefore does not amount to significantly more than the judicial exception. Claim 16 is therefore not patent eligible.

Claim 17 depends from claim 11 and thus includes all the limitations of claim 11,
therefore claim 17 recites the same abstract idea of "mental process". Claim 17
furthermore recites generating one or more logs indicative of potential conflicts relating to access restriction, which is a mental step that can be performed in the human mind and is considered insignificant extra solution activity. It therefore does not amount to significantly more than the judicial exception. Claim 17 is therefore not patent eligible.
Claim 18 depends from claim 11 and thus includes all the limitations of claim 11, therefore claim 18 recites the same abstract idea of "mental process". Claim 18 furthermore recites receiving data chunks representative of at least one log;  and storing the compressed data chunks in association with the one or more hash codes, which is considered insignificant extra solution activity similar to Versata Dev. Group, Inc. v. SAP Am. (storing and retrieving information in memory). Furthermore, the compressing of the data chunks and generation of one or more hash codes are mathematical calculations performed on the data and as such fall under ‘Mathematical concepts’ abstract grouping. It therefore does not amount to significantly more than the judicial exception. Claim 18 is therefore not patent eligible.
Claim 19 depends from claim 18 and thus includes all the limitations of claim 18, therefore claim 19 recites the same abstract idea of "mental process" and “mathematical concept”. Claim 19 furthermore recites that the one or more hash codes comprises one or more block addresses by which the stored compressed data chunks can be accessed in the datastore, which is considered insignificant extra solution activity similar to Versata Dev. Group, Inc. v. SAP Am. (storing and retrieving information in memory). It therefore does not amount to significantly more than the judicial exception. Claim 19 is therefore not patent eligible.
Claim 20 depends from claim 18 and thus includes all the limitations of claim 18, therefore claim 20 recites the same abstract idea of "mental process" and “mathematical concept”. Claim 20 furthermore recites re-storing the one or more hash codes in a non-immutable datastore, which is considered insignificant extra solution activity similar to Versata Dev. Group, Inc. v. SAP Am. (storing and retrieving information in memory). It therefore does not amount to significantly more than the judicial exception. Claim 20 is therefore not patent eligible.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1, 2, 4, 7-12 14, 17-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by US 2017/0249461 by Permeh et al (hereafter Permeh), as disclosed by Applicant in IDS dated 4/1/21.

Referring to claim 11, Permeh discloses a method [Abstract] comprising:
monitoring for attempted circumvention of security protocols associated with a system [monitoring forensic data events related to security of data and cyber threats in operating environment of endpoint computer system, para 24-25, para 3-5; harvested/forensic data, para 29]; 
generating one or more system calls responsive to user interaction with the system [initiating a query based on malware detection, para 11]; 
generating one or more action logs indicative of the user interaction responsive to generation of the one or more system calls [data characterizing events stored in audit log, para 7,38, Fig 2; malware or viruses, para 3; suspicious event such as malware detection or user authentication verification process, para 12]; 
generating one or more system logs indicative of system-level activity associated with the system [forensic data retained includes malicious code e.g. threads, executable files that perform damaging operations to the computer/network, para 5]; 
receiving and storing the one or more action logs and the one or more system logs in a datastore that prohibits modification of the stored logs [forensic data is written to container in audit log in append-only manner, para 14].

Referring to claim 1, the limitations of the claim are similar to those of claim 11 in the form of a security control server [server, para 3], comprising: components [para 15] to perform the instructions addressed in the method steps. As such, claim 1 is rejected for the same reasons as claim 11. 
Referring to claims 2 and 12, Permeh discloses that the data store is an immutable datastore that stores data according to an append-only protocol [forensic data is written to container in audit log in append-only manner, para 14].
Referring to claims 3 and 13, Permeh discloses that the one or more action logs and the one or more system logs are redundantly stored at a log server that is distinct from the logging component [local cache 220 separate from audit log stores rolling snapshot of forensic data in audit log over time, para 40].
Referring to claims 4 and 14, Permeh discloses detecting access of a kernel of an application being hosted on the system, wherein the one or more system logs are generated responsive to detecting access of the kernel [kernel enforced access control, para 56].
Referring to claims 7 and 17, Permeh generating one or more logs indicative of potential conflicts relating to access restriction [conflicts with restriction of access rights, para 3; authentication reverification, para 26].

Referring to claims 8 and 18, Permeh discloses receiving data chunks representative of at least one log; compressing the received data chunks [wherein the audit log is stored in series of compressed data containers, para 49; chunked approach, para 33]; generating one or more hash codes; and storing the compressed data chunks in association with the one or more hash codes [tamper resistant feature-cryptographic fingerprint/hash, para 14,31,33; chunked approach, para 33].
Referring to claims 9 and 19, Permeh discloses that the one or more hash codes comprises one or more block addresses by which the stored compressed data chunks can be accessed in the datastore [cryptographic fingerprint of each container references cryptographic fingerprint of at least one preceding container in series (i.e. addresses blocks of other containers in series, para 32].
Referring to claims 10 and 20, Permeh discloses that the system log component is configured to re-store the one or more hash codes [audit log is a series of linked data containers secured by cryptographic fingerprint, para 31-33].

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 5, 6, 15 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Permeh as applied to claims 1 and 11 above, and further in view of US 8646080 issued to Williamson et al (hereafter Williamson), as disclosed by Applicant in IDS dated 4/1/21.
Referring to claims 5 and 15, Permeh discloses generating a first one or more front-end logs of activity including relating to authenticating a user [restriction of access rights, para 3; authentication reverification, para 26 ], however remains silent as to including keystrokes inputted by the user within the log as forensic data.  
Williamson teaches the installation of a keylogger to capture keystrokes as a way to log suspicious data [col. 13, lines 40-59]. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the harvesting process of data to include in the audit log of Permeh to include forensic data including the keystrokes captured by the keylogger of Williamson.
The ordinary skilled artisan would have been motivated to modify the harvesting of forensic data to store in the audit log of Permeh by incorporating the functionality of  the keylogger of Williamson because it would enable the system to recognize suspicious data in the system [Williamson, col. 13, lines 40-59]. This modification would be possible because Permeh is already directed to recording of forensic events [Permeh, para 5]- Williamson further narrows these forensic events to suspicious keylogging events.

Referring to claims 6 and 16, Permeh/Williamson discloses that the logging component is further configured to receive and store the first one or more front-end logs and the second one or more front-end logs [Permeh, see generating logs limitations in claim 1; Williamson, keylogger, col. 13, lines 40-59].

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHERYL M SHECHTMAN whose telephone number is (571)272-4018.  The examiner can normally be reached on Mon-Fri: 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Robert Beausoliel can be reached on 571-272-3645.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

CHERYL M SHECHTMANPatent Examiner
Art Unit 2167                                                                                                                                                                                                        

/C.M.S/
/ROBERT W BEAUSOLIEL JR/Supervisory Patent Examiner, Art Unit 2167