DETAILED ACTION

Notice of AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

The present office action is responsive to communications received on 6/26/2022. Claims 1-20 are pending.

Response to Arguments
The arguments/remarks filed by the applicant on 6/26/2022 have been fully considered and are responded in the following.

Applicant's amendments to claims have overcome the Claim Objections and Claim Rejections - 35 USC § 112(b) previously set forth in the Non-Final Office Action mailed 4/14/2022. All previous objections and 35 USC § 112(b) rejections have been withdrawn. However, a new grounds of 35 USC § 112(d) rejections – as necessitated by amendment – is made in this Office action.

Applicant’s arguments, ‘the proposal for amendment is not disclosed by Qi and Enoki. Further, the proposal for amendment is included herein. Accordingly, in light of this amendment, Applicant respectfully requests withdrawal of the rejection and the allowance of claims 1 and 9, see p.9, last paragraph - p.10, ¶1, filed 6/26/2022, with respect to the amended claims overcoming the cited prior art references of the rejection of claims 1 and 9 under 35 USC § 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn; however, upon further search and consideration, a new grounds of rejection – as necessitated by amendment – is made in view of previous cited prior art Jas. Please refer to "Claim Rejections - 35 USC § 103" section below for detail analysis.

Claim Rejections - 35 USC § 112(d)
The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA  35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA  35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claim 20 is rejected under 35 U.S.C. 112(d) or pre-AIA  35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends. This claim does not further limit the subject matter of the claim upon which it depends. Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 1, 9 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Qi (US 20180121326 A1) in view of Enoki (US 20160179981 A1) and Jas (US 20190207974 A1).

Regarding claim 1, Qi teaches a computer-implemented method for identifying database transactions, comprising:
generating a token marker sequence of the database transaction (query), wherein the token marker sequence comprises a plurality of token markers (a symbol or group of symbols in the query), and wherein one of the plurality of token markers comprises: ([0006] When a request to execute a query is received, the query is scanned to determine position of a symbol or group of symbols in the query. The determined position is included in a parse tree that is generated based on the query.)
a token of the database transaction; and ([0006, 0024] the query is scanned to determine position of a symbol or group of symbols in the query. A query may include one or more tokens. A token is a symbol or a group of symbols of query 105 that is recognized as a single unit by parser 120. A token may be a letter, a keyword, an identifier, or a special character including but not limited to the special characters described above.)
a position corresponding to the token of the database transaction; ([0006] the query is scanned to determine position of a symbol or group of symbols in the query.)

Qi teaches generating a token marker sequence of a database transaction, but does not explicitly teach sorting the plurality of token markers based on a probability of each token occurring in a stream of database transactions comprising the database transaction; and reducing a size of the token marker sequence based on a first predetermined threshold. This aspect of the claim is identified as a difference.
However, Enoki in an analogous art explicitly teaches
sorting the plurality of token markers based on a probability of each token occurring in a stream of database transactions comprising the database transaction; and ([0006] attributes are sequentially selected in descending order of their frequency of appearance in the whole of the collection of target data items.)
reducing a size of the token marker sequence based on a first predetermined threshold (top k words). ([0006] top k attributes that are included in more target data items meeting the search condition are selected in descending order of the number of the target data items. The selected attributes then become the result of aggregation. [0043] The aggregation processing unit 130 identifies and aggregates words that frequently appear in the documents designated as a target of the aggregation processing among documents stored in the document DB 200. Specifically, the aggregation processing unit 130 aggregates the top k words in terms of their frequency of appearance, wherein k is preliminarily determined.) Indeed, it would be obvious to change the size of the sequence if it is desired; See MPEP 2144.04(IV)(A).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “parse tree with positions of symbols” concept of Qi, and the “sorting in descending order of frequencies” approach of Enoki. One of ordinary skill in the art would have been motivated to perform such a modification to reduce required memory area/storage capacity and save time/effort needed when number of types of attributes/target data items is large and processing is lengthy (Enoki [0006-0007, 0010]).

Qi in view of Enoki teaches generating token marker sequence of database transaction and reducing size of the token marker sequence, but does not explicitly teach generating a unique identifier for a database transaction, wherein the unique identifier for the database transaction comprises the token marker sequence having the reduced size. This aspect of the claim is identified as a difference.
However, Jas in an analogous art explicitly teaches
generating a unique identifier for a database transaction, wherein the unique identifier for the database transaction comprises the token marker sequence having the reduced size. ([0011] As shown by reference number 130, analysis device 110 may receive a query from a client device. As shown by reference number 140, analysis device 110 may generate an abstract syntax tree. As shown by reference number 150, analysis device 110 may compare the abstract syntax tree to a whitelist. For example, the whitelist may identify abstract syntax trees for queries that are deemed to be permissible for processing by a storage device. [0035] Generating an abstract syntax tree may be beneficial for analysis device 220 for a variety of reasons. For example, and as described above, analysis device 220 may be efficient at generating an abstract syntax tree since analysis device 220 may already use abstract syntax trees when processing queries. Abstract syntax trees allow for analysis device 220 to make threshold-based comparisons between queries, so that queries having a threshold similarity to whitelisted queries can be easily identified.) It is clear that unique identifier for a database transaction is for trees that do not match the whitelist.
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “parse tree with positions of symbols” concept of Qi, and the “abstract syntax trees” approach of Jas. One of ordinary skill in the art would have been motivated to perform such a modification to detect anomalous queries, which may be more flexible and computationally efficient than other approaches for detecting anomalous queries, such as statistical approaches. Furthermore, abstract syntax trees enable the usage of threshold-based similarity comparisons between queries and whitelist entries, weighted comparisons between queries and whitelist entries, thereby increasing versatility and effectiveness of implementations and reducing false positives based on inexact matches with the whitelist (Jas [0013]).

Regarding claims 9 and 17, the scope of the claims are similar to that of claim 1, respectively. Accordingly, the claims are rejected using a similar rationale.

Claim 2-4, 10-12 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Qi (US 20180121326 A1) in view of Enoki (US 20160179981 A1), Jas (US 20190207974 A1) and Busch (US 20150227624 A1).

Regarding claim 2, Qi in view of Enoki and Jas teaches all the features with respect to claim 1, as outlined above. The combination further teaches
performing, based on the determination, a security validation on an abstract syntax tree (AST) for the previous database transaction; and ([Jas 0011] FIG. 1: As shown by reference number 130, analysis device 110 may receive a query from a client device. For example, the query may include a SQL query, although the query may include any query. As shown by reference number 140, analysis device 110 may generate an abstract syntax tree. As shown by reference number 150, analysis device 110 may compare the abstract syntax tree to a whitelist.)
determining whether the database transaction represents a security threat based on the security validation. ([Jas 0012-0013] As shown by reference number 160, analysis device 110 may determine that the abstract syntax tree does not match the whitelist. As shown by reference number 170, based on the abstract syntax tree not matching the whitelist, analysis device 110 may perform one or more actions. For example, analysis device 110 may notify an administrator associated with security server 120. As another example, analysis device 110 may block a source of the query. In this way, analysis device 110 uses abstract syntax trees to detect anomalous queries.)
But the combination does not teach generating a hash of a portion of the database transaction; retrieving a plurality of token marker sequences associated with the hash; determining whether the database transaction is a duplicate of a previous database transaction based on the retrieved token marker sequences. This aspect of the claim is identified as a difference.
However, Busch in an analogous art explicitly teaches 
generating a hash of a portion of the database transaction; ([0132] the dictionary is implemented as a hash table such that each entry in the dictionary is a hash bucket. Terms can then be hashed, using a predefined hash function, to a bucket in the dictionary.)
retrieving a plurality of token marker sequences associated with the hash; determining whether the database transaction is a duplicate of a previous database transaction based on the retrieved token marker sequences; ([0133] the text reference array can be used to resolve hash collisions. For example, if the two terms “text” and “foo” hash to the same dictionary entry, the second term “foo” can be rehashed to a different entry when writing to the dictionary. Upon receiving a request to read the term “foo”, the real-time search engine can first hash the term to the first dictionary entry. In this example, the real-time search engine reads identifies a portion of a byte array corresponding to that entry and reads the term “text” from the byte array. The real-time search engine determines that a hash collision has occurred (based on the byte array not containing the requested term, “foo”) and then rehashes the term to the second dictionary entry.) Here Busch discloses hash collision (when two pieces of data in a hash table share the same hash value), and determining duplication based on certain criteria (byte array), which can be the tokens and positions (claim limitation “token marker sequences”) disclosed by Qi. Therefore the combination discloses the entire limitation.
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “parse tree with positions of symbols” concept of Qi, and the “hash function” approach of Busch. One of ordinary skill in the art would have been motivated to perform such a modification to provide an efficient mechanism to identify representation/duplication and handle/resolve hash collisions (Busch [0133]).

Regarding claim 3, Qi in view of Enoki, Jas and Busch teaches all the features with respect to claim 2, as outlined above. The combination further teaches wherein the plurality of token marker sequences comprise a subset of tokens of the database transaction, wherein the subset of tokens comprises a plurality of encountered tokens of the database transaction in the stream of database transactions, wherein a frequency of the plurality of encountered tokens is less than a second predetermined threshold. ([Enoki 0006] top k attributes that are included in more target data items meeting the search condition are selected in descending order of the number of the target data items. The selected attributes then become the result of aggregation. [0043] The aggregation processing unit 130 identifies and aggregates words that frequently appear in the documents designated as a target of the aggregation processing among documents stored in the document DB 200. Specifically, the aggregation processing unit 130 aggregates the top k words in terms of their frequency of appearance, wherein k is preliminarily determined.) Indeed, it would be obvious to rearrange the data using ascending order if it is desired; See MPEP 2144.04(VI)(C).

Regarding claim 4, Qi in view of Enoki, Jas and Busch teaches all the features with respect to claim 3, as outlined above. The combination further teaches wherein the portion of the database transaction comprises a predetermined number of characters starting at a first character of the database transaction. ([Qi 0020, 0024] query 105 represents a string of symbols including, but not limited to, upper and/or lower case Latin letters (A-Z), digits (0-9), and special characters such as space character, left and right parenthesis, single and/or double quote mark, percent sign, ampersand, multiplication sign, division sign, plus sign, minus sign (e.g., dash), comma, period, colon, semicolon, etc. A query may include one or more tokens. A token is a symbol or a group of symbols of query 105 that is recognized as a single unit by parser 120. A token may be a letter, a keyword, an identifier, or a special character.) Here Qi discloses that query (analogous to claim limitation “database transaction”) represents a group of characters with certain length (number of characters). Indeed, it would be obvious to change the size/proportion of the query if it is desired; See MPEP 2144.04(IV)(A).

Regarding claims 10-12 and 18-20, the scope of the claims are similar to that of claims 2-4, respectively. Accordingly, the claims are rejected using a similar rationale.

Allowable Subject Matter
Claims 5-8 and 13-16 are objected to over prior art as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims and further amended to overcome claim objections and rejections set forth in this office action. The reasons for allowance remains the same as the Non-Final Rejection mailed 4/14/2022.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20210224281 A1, "Unique sql query transfer for anomaly detection", by Lee, teaches receiving a set of structured query language (SQL) queries from one or more software applications, generating a set of SQL syntax trees that correspond to the set of SQL queries, identifying a unique subset of SQL syntax trees among the generated set of SQL syntax trees based on previously obtained SQL syntax trees, and transmitting the unique subset of SQL syntax trees to a computing system.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAN YANG whose telephone number is (408)918-7638.  The examiner can normally be reached on Monday to Friday, 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/H.Y./Examiner, Art Unit 2493

/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493