DETAILED ACTION
This action is in response to amendments filed 5/16/2022. Claims 1-20 are pending with claims 1 and 13 having been amended.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 7/19/2022, 6/23/2022 and 5/16/2022 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Response to Arguments
Applicant’s arguments filed 5/16/2022, with respect to the rejection(s) of claim(s) 1 and 13 under 103, have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made over Avidan et al (US 10,382,454) in view of Diehl et al (US 2017/0109530) and Carpenter et al (US 2007/0192080).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-10 and 12-20 are rejected under 35 U.S.C. 103 as being unpatentable over Avidan et al (US 10,382,454) in view of Diehl et al (US 2017/0109530) and Carpenter et al (US 2007/0192080).
With respect to claim 1 Avidan teaches a method, comprising: 
receiving, by a storage engine of a security network, event data associated with occurrences of events on one or more client devices (see Avidan figure 5 step 510 and column 7 lines 48-55 i.e. In block 510, the detection engine 109 detects events. As explained above, these events may include any type of event that may have a security impact, such as downloads, logins and login attempts, commands, remote connections, account creation and manipulation, and beaconing activity. These event types are illustrative and by way of example only, and other types of security events may be provided);
processing, by the storage engine, the event data in a topic associated with the one or more client devices, using a storage processor associated with the topic (see Avidan column 7 line 60 – column 8 line 31 i.e. In block 610 the advanced correlation engine 112 compares events in the event repository 111 with locally stored ontology models 108. As stated above, the advanced correlation engine 112 may determine and model an actual endpoint ontology using an HMM technique or any other desired technique. In one embodiment, a categorical sequence-labeling algorithm is used to determine a correlation between the event-determined ontology model and the stored ontology model(s) 108, identifying a targeted attack pattern in the actual event sequences. By generating a sequence of events, such as the events illustrated in Table 2, a correlation fit can be determined between the event-determined ontology model and the stored ontology model(s). If the event sequence does not correlate (block 620) to any stored ontology model 108, then the technique may try another sequence of events, returning to block 610. If multiple event sequences fit one or more ontology models, a best fit is determined in block 630. If the event-determined ontology model is a best fit with a stored ontology model 108 meets a predetermined correlation threshold, as determined in block 640, then in block 650 the advanced correlation engine 112 may generate a security alert or cause some other module to do so); 
providing, by the storage engine, the event data from the storage processor associated with the topic to a compute engine associated with the topic (see Avidan column 7 line 60 – column 8 line 31 i.e. In block 610 the advanced correlation engine 112 compares events in the event repository 111 with locally stored ontology models 108. As stated above, the advanced correlation engine 112 may determine and model an actual endpoint ontology using an HMM technique or any other desired technique. In one embodiment, a categorical sequence-labeling algorithm is used to determine a correlation between the event-determined ontology model and the stored ontology model(s) 108, identifying a targeted attack pattern in the actual event sequences. By generating a sequence of events, such as the events illustrated in Table 2, a correlation fit can be determined between the event-determined ontology model and the stored ontology model(s). If the event sequence does not correlate (block 620) to any stored ontology model 108, then the technique may try another sequence of events, returning to block 610. If multiple event sequences fit one or more ontology models, a best fit is determined in block 630. If the event-determined ontology model is a best fit with a stored ontology model 108 meets a predetermined correlation threshold, as determined in block 640, then in block 650 the advanced correlation engine 112 may generate a security alert or cause some other module to do so); 
storing, by the storage engine, the event data in storage (see Avidan figure 5 step 520 and column 7 lines 55-59 i.e. The detection engine 109 detects the events and then in block 520, the data extraction agent 113 may be employed to extract data relevant to the specific event and store the event data, such as in the events repository 111);                                                                                                                                                                                                
Avidan does not teach wherein the storage engine is remote from the one or more client devices; updating, by the storage engine, reference counts associated with the event data based on counts of related pieces of event data stored in the storage; and at least occasionally deleting, by the storage engine, pieces of event data from the storage that have reference counts equal to zero.
Diehl teaches wherein the storage engine is remote from the one or more client devices (see Diehl paragraph 0055 i.e. At 306, the kernel-level security agent may then store the gathered data in a model that tracks actions taken by processes of a system which executed the first action. Alternatively or additionally, at 308, the kernel-level security agent may inform a remote security service of the occurrence of the first action; and paragraph 0030).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Avidan in view of Diehl to have the client kernel-level security agent store the gathered data in a model that tracks actions taken by the client, as well as inform a remote security service of the occurrence of the first action, so that the analysis module of the remote security service can also maintain and utilize one or more models, update these models based on the received notifications, and utilize the models in analyzing the interesting events. Therefore, one would have been motivated to analyze the event data both on the client device and at the remote security service, so that the remote security service can also provide updates responsive to interesting events to the kernel-level security agents in response to notifications from the computing device (see Diehl paragraphs 0030-0032).
Carpenter teaches updating, by the storage engine, reference counts associated with the event data based on counts of related pieces of event data stored in the storage and at least occasionally deleting, by the storage engine, pieces of event data from the storage that have reference counts equal to zero (see Carpenter figure 3 and paragraph 0033 i.e. Referring still to FIG. 3, and in an embodiment, there are shown client tokens 306 having pointers to child objects 304A, parent objects 304B, and grandparent object 304C. Each object 304A, 304B and each token 306 in the structure within data model 302 holds a reference to its parent. This reference, which is also referred to as a pointer, causes retention of the object 304A, 304B, 304C in memory. As each one of the objects 304A, 304B, 304C have a reference from at least one token 306, each one of the objects 304A, 304B, 304C will not be deleted until each one of child objects and tokens referring thereto are deleted).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Avidan in view of Carpenter to have prevented event data from being deleted after a threshold period of time when related event data is still relevant (see Carpenter paragraph 0033). Therefore, one would have been motivated to use reference counts associated with the event data, based on counts of related pieces of event data stored in the storage, and to at least occasionally delete, by the storage engine, pieces of event data from the storage that have reference counts equal to zero.

With respect to claim 2 Avidan teaches the method of claim 1, further comprising receiving, by the storage processor from the compute engine, a claim check for expected event data related to the event data (see column 7 line 60 – column 8 line 31 i.e. In block 610 the advanced correlation engine 112 compares events in the event repository 111 with locally stored ontology models 108. As stated above, the advanced correlation engine 112 may determine and model an actual endpoint ontology using an HMM technique or any other desired technique. In one embodiment, a categorical sequence-labeling algorithm is used to determine a correlation between the event-determined ontology model and the stored ontology model(s) 108, identifying a targeted attack pattern in the actual event sequences. By generating a sequence of events, such as the events illustrated in Table 2, a correlation fit can be determined between the event-determined ontology model and the stored ontology model(s). If the event sequence does not correlate (block 620) to any stored ontology model 108, then the technique may try another sequence of events, returning to block 610. If multiple event sequences fit one or more ontology models, a best fit is determined in block 630. If the event-determined ontology model is a best fit with a stored ontology model 108 meets a predetermined correlation threshold, as determined in block 640, then in block 650 the advanced correlation engine 112 may generate a security alert or cause some other module to do so).

With respect to claim 3 Avidan teaches the method of claim 2, wherein the providing comprises: determining that the claim check is satisfied based on the storage engine having received the event data and the expected event data, and providing the event data and the expected event data to the compute engine in response to determining that the claim check is satisfied (see column 7 line 60 – column 8 line 31 i.e. In block 610 the advanced correlation engine 112 compares events in the event repository 111 with locally stored ontology models 108. As stated above, the advanced correlation engine 112 may determine and model an actual endpoint ontology using an HMM technique or any other desired technique. In one embodiment, a categorical sequence-labeling algorithm is used to determine a correlation between the event-determined ontology model and the stored ontology model(s) 108, identifying a targeted attack pattern in the actual event sequences. By generating a sequence of events, such as the events illustrated in Table 2, a correlation fit can be determined between the event-determined ontology model and the stored ontology model(s). If the event sequence does not correlate (block 620) to any stored ontology model 108, then the technique may try another sequence of events, returning to block 610. If multiple event sequences fit one or more ontology models, a best fit is determined in block 630. If the event-determined ontology model is a best fit with a stored ontology model 108 meets a predetermined correlation threshold, as determined in block 640, then in block 650 the advanced correlation engine 112 may generate a security alert or cause some other module to do so).

With respect to claim 4 Avidan teaches the method of claim 1, wherein the processing comprises at least one of de-duplicating, batching, or sorting the event data in the topic, by the storage processor, prior to providing the event data to the compute engine (see Avidan column 7 line 66 – column 8 line 23 i.e. In one embodiment, a categorical sequence-labeling algorithm is used to determine a correlation between the event-determined ontology model and the stored ontology model(s) 108, identifying a targeted attack pattern in the actual event sequences. By generating a sequence of events, such as the events illustrated in Table 2, a correlation fit can be determined between the event-determined ontology model and the stored ontology model(s). If the event sequence does not correlate (block 620) to any stored ontology model 108, then the technique may try another sequence of events, returning to block 610).

With respect to claim 5 Avidan teaches the method of claim 1, wherein the storage engine includes a plurality of shards, and individual shards are associated with distinct topics, include distinct instances of the storage processor, and are associated with distinct instances of the compute engine (see column 6 line 28-48 i.e. Moreover, the actual processes and ontology (i.e., the aggregate tasks performed by the processes) of an endpoint 103 are not directly observable. Only the output events and process behaviors, such as emitted system calls are observable. Thus, the advanced correlation engine 112 determines and models the endpoint ontology based on those observable events (termed herein “actual events”). This condition is referred to as a hidden Markov model (HMM). The advanced correlation engine 112 applies a categorical sequence-labeling algorithm based on the endpoint ontology to identify a targeted attack pattern in the actual event sequences. The sequence-labeling algorithm is probabilistic, relying on statistical inference to find the best-fit sequence that describes the targeted attack. Each state has a probability distribution over possible output sequences. Using the HMM, the advanced correlation engine 112 generates a sequence of events that provide information of a possible endpoint states, i.e., a sequence of events that best fits a predefined compromised endpoint ontology. Once a best-fit state according to a defined threshold is identified, a security alert is generated, along with actual suspicious state description. HMM statistical treatment is known in the art).

With respect to claim 6 Avidan teaches the method of claim 5, further comprising: receiving, by the storage engine, an event stream comprising the event data associated with the one or more client devices and additional event data associated with one or more additional sets of client devices; and dividing, by the storage engine, the event data and the additional event data from the event stream into the distinct topics associated with different shards of the plurality of shards based on identifiers of security agents executing on individual ones of the one or more client devices and the one or more additional sets of client devices (see column 6 line 28-48 i.e. Moreover, the actual processes and ontology (i.e., the aggregate tasks performed by the processes) of an endpoint 103 are not directly observable. Only the output events and process behaviors, such as emitted system calls are observable. Thus, the advanced correlation engine 112 determines and models the endpoint ontology based on those observable events (termed herein “actual events”). This condition is referred to as a hidden Markov model (HMM). The advanced correlation engine 112 applies a categorical sequence-labeling algorithm based on the endpoint ontology to identify a targeted attack pattern in the actual event sequences. The sequence-labeling algorithm is probabilistic, relying on statistical inference to find the best-fit sequence that describes the targeted attack. Each state has a probability distribution over possible output sequences. Using the HMM, the advanced correlation engine 112 generates a sequence of events that provide information of a possible endpoint states, i.e., a sequence of events that best fits a predefined compromised endpoint ontology. Once a best-fit state according to a defined threshold is identified, a security alert is generated, along with actual suspicious state description. HMM statistical treatment is known in the art).

With respect to claim 7 Avidan teaches the method of claim 6, wherein the event data and the additional event data is unordered in the event stream, and one or more resequencers of the storage engine associated with the plurality of shards order the event data and the additional event data and output the event data and the additional event data into the distinct topics (see column 6 line 28-48 i.e. Moreover, the actual processes and ontology (i.e., the aggregate tasks performed by the processes) of an endpoint 103 are not directly observable. Only the output events and process behaviors, such as emitted system calls are observable. Thus, the advanced correlation engine 112 determines and models the endpoint ontology based on those observable events (termed herein “actual events”). This condition is referred to as a hidden Markov model (HMM). The advanced correlation engine 112 applies a categorical sequence-labeling algorithm based on the endpoint ontology to identify a targeted attack pattern in the actual event sequences. The sequence-labeling algorithm is probabilistic, relying on statistical inference to find the best-fit sequence that describes the targeted attack. Each state has a probability distribution over possible output sequences. Using the HMM, the advanced correlation engine 112 generates a sequence of events that provide information of a possible endpoint states, i.e., a sequence of events that best fits a predefined compromised endpoint ontology. Once a best-fit state according to a defined threshold is identified, a security alert is generated, along with actual suspicious state description. HMM statistical treatment is known in the art).
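As an added illustration (this is not code from the application, the applicant, or any of the cited references), the following Python sketch models the storage-engine behaviour recited in claims 1 through 7 as characterised above: an unordered event stream is divided into topics by security-agent identifier, each topic is de-duplicated and resequenced before its event data reaches the compute engine, a held "claim check" delivers a piece of event data together with the related piece it expects, and reference counts record how many stored pieces depend on each piece so that an occasional pass deletes only zero-count pieces. All class, field and function names, the crc32-based shard choice, the retention window and the sample events are assumptions made for this example.

```python
from __future__ import annotations
import zlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    event_id: str
    agent_id: str                     # identifier of the security agent on the client device
    seq: int                          # agent-local sequence number; arrival order may differ
    ts: int                           # ingest time (seconds), consulted by the deletion pass
    kind: str
    parent_id: Optional[str] = None   # a related piece of event data this one depends on


class StorageEngine:
    """Toy storage engine: topics (shards), storage processor, reference counts."""

    def __init__(self, n_shards: int = 4, ttl: int = 60):
        self.n_shards = n_shards
        self.ttl = ttl                                       # assumed retention window
        self.store: dict[str, Event] = {}                    # event_id -> stored event
        self.refcount: dict[str, int] = defaultdict(int)     # event_id -> dependents stored
        self.claim_checks: dict[str, list[Event]] = defaultdict(list)  # expected_id -> held
        self.delivered: list[list[Event]] = []               # batches handed to compute

    def shard_for(self, agent_id: str) -> int:
        """Topic/shard is chosen from the security-agent identifier (assumed crc32)."""
        return zlib.crc32(agent_id.encode()) % self.n_shards

    def ingest(self, stream: list[Event]) -> dict[int, list[Event]]:
        """Divide an unordered stream into topics, de-duplicate and resequence each."""
        topics: dict[int, dict[str, Event]] = defaultdict(dict)
        for ev in stream:
            topics[self.shard_for(ev.agent_id)].setdefault(ev.event_id, ev)  # drop duplicates
        ordered = {t: sorted(evs.values(), key=lambda e: (e.agent_id, e.seq))
                   for t, evs in topics.items()}
        for t in sorted(ordered):
            for ev in ordered[t]:
                self._process(ev)
        return ordered

    def _process(self, ev: Event) -> None:
        """Storage processor: store, update reference counts, honour claim checks."""
        if ev.event_id in self.store:
            return
        self.store[ev.event_id] = ev
        self.refcount.setdefault(ev.event_id, 0)
        if ev.parent_id is not None:
            self.refcount[ev.parent_id] += 1          # the related piece gains a dependent
            if ev.parent_id not in self.store:
                # compute needs the parent too: hold this piece as a claim check
                self.claim_checks[ev.parent_id].append(ev)
                return
        batch = [ev] + self.claim_checks.pop(ev.event_id, [])  # satisfies waiting pieces
        self.delivered.append(batch)

    def gc(self, now: int) -> list[str]:
        """Occasional pass: delete pieces with reference count zero past the window."""
        doomed = [eid for eid, ev in self.store.items()
                  if self.refcount[eid] == 0 and ev.ts + self.ttl <= now]
        for eid in doomed:
            ev = self.store.pop(eid)
            del self.refcount[eid]
            if ev.parent_id is not None:
                self.refcount[ev.parent_id] -= 1      # parent may reach zero for a later pass
                self.claim_checks[ev.parent_id] = [
                    w for w in self.claim_checks.get(ev.parent_id, []) if w.event_id != eid]
        return doomed


# Constructed sample stream: two agents, out-of-order arrival, one duplicate,
# and a piece (e4) whose related parent (e9) has not arrived yet.
STREAM = [
    Event("e3", "agent-A", seq=3, ts=10, kind="connect", parent_id="e1"),
    Event("e1", "agent-A", seq=1, ts=10, kind="process"),
    Event("e2", "agent-B", seq=1, ts=10, kind="login"),
    Event("e1", "agent-A", seq=1, ts=10, kind="process"),               # duplicate
    Event("e4", "agent-A", seq=2, ts=10, kind="dns", parent_id="e9"),   # parent not yet seen
]


def demo() -> dict:
    engine = StorageEngine(n_shards=4, ttl=60)
    topics = engine.ingest(STREAM)
    agent_a_order = [e.event_id for t in topics.values() for e in t if e.agent_id == "agent-A"]
    first = [[e.event_id for e in b] for b in engine.delivered]
    refcount = dict(engine.refcount)
    engine.ingest([Event("e9", "agent-A", seq=0, ts=11, kind="process")])   # satisfies claim check
    second = [[e.event_id for e in b] for b in engine.delivered[len(first):]]
    gc1 = sorted(engine.gc(now=70))        # leaves e2, e3, e4 are past the window
    gc2 = sorted(engine.gc(now=71))        # e1 and e9 only reach zero after their dependents go
    return {"agent_a_order": agent_a_order, "first": first, "refcount": refcount,
            "second": second, "gc1": gc1, "gc2": gc2, "remaining": sorted(engine.store)}


if __name__ == "__main__":
    print(demo())
```

The deletion pass is deliberately not cascading within a single call: a parent whose last dependent was just removed is collected on a later pass, which is what "at least occasionally deleting" pieces with a zero count looks like in practice, and why e1 and e9 survive the first pass in the sample run.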

With respect to claim 8 Avidan teaches the method of claim 6, further comprising: identifying, by the storage engine, a set of event data from the event stream that matches output event stream criteria; adding, by the storage engine, the set of event data to an output event stream associated with the output event stream criteria; and providing, by the storage engine, the output event stream for consumption by one or more consumers in the security network (see Avidan column 7 line 60 – column 8 line 31 i.e. In block 610 the advanced correlation engine 112 compares events in the event repository 111 with locally stored ontology models 108. As stated above, the advanced correlation engine 112 may determine and model an actual endpoint ontology using an HMM technique or any other desired technique. In one embodiment, a categorical sequence-labeling algorithm is used to determine a correlation between the event-determined ontology model and the stored ontology model(s) 108, identifying a targeted attack pattern in the actual event sequences. By generating a sequence of events, such as the events illustrated in Table 2, a correlation fit can be determined between the event-determined ontology model and the stored ontology model(s). If the event sequence does not correlate (block 620) to any stored ontology model 108, then the technique may try another sequence of events, returning to block 610. If multiple event sequences fit one or more ontology models, a best fit is determined in block 630. If the event-determined ontology model is a best fit with a stored ontology model 108 meets a predetermined correlation threshold, as determined in block 640, then in block 650 the advanced correlation engine 112 may generate a security alert or cause some other module to do so).

With respect to claim 9 Avidan teaches the method of claim 8, wherein the output event stream criteria is associated with an experiment being run via an experimentation engine of the security network (see Avidan column 6 lines 49-53 i.e. The advanced correlation engine 112 applies a sequence-labeling algorithm, as described above, to the attack based on the calculated endpoint ontology. Table 2 outlines an actual event sequence corresponding to a targeted attack).

With respect to claim 10 Avidan teaches the method of claim 1, wherein the event data is formatted according to an ontological definition of a context collection format stored at an ontology service of the security network (see Avidan column 5 line 27 i.e. FIG. 2 illustrates an endpoint ontology 200 calculated by a BDA server 102 based on the sequence outlined in Table 1. Ontology 200 is a graphical representation of the event sequences calculated based on the attack outlined in Table 1. In this example, event E1 occurs in sequence S1, which is followed by event E2 occurring in sequence S2. Multiple sequences S2 may occur, as indicated by the arrow looping back to sequence S2. Following sequence S2, events E3 or E4 may occur, causing sequence S3 or S4. Sequence S4 may be followed by other instances of sequence S4, or by sequence S5 (event E5). Sequence S5 may be followed by sequences S4 and S6. The calculated ontology 200 is periodically pushed to the endpoint 103 so that the advanced correlation engine 112 can use it as a reference).

With respect to claim 12 Avidan teaches the method of claim 1, further comprising routing, by the storage engine, the event data to one or more elements of the security network based on markup added to the event data by bounding managers executing on the one or more client devices that identify one or more reasons why the event data was sent to the security network (see column 4 lines 13-29 i.e. Endpoint 103 stores its personal (or group) endpoint profile 107 and enterprise ontology model 108 within TEE local storage. Endpoint 103 extracts events raised by detection engine 109 using endpoint rules 110 and the endpoint profile 107. Those events are extracted into events repository 111. Events repository 111 is contained within endpoint 103, preferably in protected storage of the TEE 106, however operating system accessible storage may also be used, as illustrated in FIG. 1. Endpoint 103 detects suspicious behavioral patterns by running advanced correlation engine 112 over the events repository 111 and the locally stored ontology models 108. Events generated by advanced correlation engine 112 are sent to the SIEM server 101 and BDA server 102 for further machine learning and further correlation analysis. Data extraction agent 113 facilitates the extraction of events. Data extraction agent 113 and events repository 111 can be components of the endpoint operating system 114).

With respect to claim 13 Avidan teaches one or more computing elements of a security network, comprising: one or more processors; memory storing computer-executable instructions that, when executed by the one or more processors, cause the one or more computing elements to perform operations comprising: 
receiving event data associated with occurrences of events on one or more client devices (see Avidan figure 5 step 510 and column 7 lines 48-55 i.e. In block 510, the detection engine 109 detects events. As explained above, these events may include any type of event that may have a security impact, such as downloads, logins and login attempts, commands, remote connections, account creation and manipulation, and beaconing activity. These event types are illustrative and by way of example only, and other types of security events may be provided); 
processing the event data in a topic associated with the one or more client devices, using a storage processor associated with the topic (see Avidan column 7 line 60 – column 8 line 31 i.e. In block 610 the advanced correlation engine 112 compares events in the event repository 111 with locally stored ontology models 108. As stated above, the advanced correlation engine 112 may determine and model an actual endpoint ontology using an HMM technique or any other desired technique. In one embodiment, a categorical sequence-labeling algorithm is used to determine a correlation between the event-determined ontology model and the stored ontology model(s) 108, identifying a targeted attack pattern in the actual event sequences. By generating a sequence of events, such as the events illustrated in Table 2, a correlation fit can be determined between the event-determined ontology model and the stored ontology model(s). If the event sequence does not correlate (block 620) to any stored ontology model 108, then the technique may try another sequence of events, returning to block 610. If multiple event sequences fit one or more ontology models, a best fit is determined in block 630. If the event-determined ontology model is a best fit with a stored ontology model 108 meets a predetermined correlation threshold, as determined in block 640, then in block 650 the advanced correlation engine 112 may generate a security alert or cause some other module to do so); 
providing the event data from the storage processor associated with the topic to a compute engine associated with the topic (see Avidan column 7 line 60 – column 8 line 31 i.e. In block 610 the advanced correlation engine 112 compares events in the event repository 111 with locally stored ontology models 108. As stated above, the advanced correlation engine 112 may determine and model an actual endpoint ontology using an HMM technique or any other desired technique. In one embodiment, a categorical sequence-labeling algorithm is used to determine a correlation between the event-determined ontology model and the stored ontology model(s) 108, identifying a targeted attack pattern in the actual event sequences. By generating a sequence of events, such as the events illustrated in Table 2, a correlation fit can be determined between the event-determined ontology model and the stored ontology model(s). If the event sequence does not correlate (block 620) to any stored ontology model 108, then the technique may try another sequence of events, returning to block 610. If multiple event sequences fit one or more ontology models, a best fit is determined in block 630. If the event-determined ontology model is a best fit with a stored ontology model 108 meets a predetermined correlation threshold, as determined in block 640, then in block 650 the advanced correlation engine 112 may generate a security alert or cause some other module to do so); 
storing the event data in storage (see Avidan figure 5 step 520 and column 7 lines 55-59 i.e. The detection engine 109 detects the events and then in block 520, the data extraction agent 113 may be employed to extract data relevant to the specific event and store the event data, such as in the events repository 111); 
Avidan does not teach wherein the storage engine is remote from the one or more client devices; updating reference counts associated with the event data based on counts of related pieces of event data stored in the storage; and at least occasionally deleting, by the storage engine, pieces of event data from the storage that have reference counts equal to zero.
Diehl teaches wherein the storage engine is remote from the one or more client devices (see Diehl paragraph 0055 i.e. At 306, the kernel-level security agent may then store the gathered data in a model that tracks actions taken by processes of a system which executed the first action. Alternatively or additionally, at 308, the kernel-level security agent may inform a remote security service of the occurrence of the first action; and paragraph 0030).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Avidan in view of Diehl to have the client kernel-level security agent store the gathered data in a model that tracks actions taken by the client, as well as inform a remote security service of the occurrence of the first action, so that the analysis module of the remote security service can also maintain and utilize one or more models, update these models based on the received notifications, and utilize the models in analyzing the interesting events. Therefore, one would have been motivated to analyze the event data both on the client device and at the remote security service, so that the remote security service can also provide updates responsive to interesting events to the kernel-level security agents in response to notifications from the computing device (see Diehl paragraphs 0030-0032).
Carpenter teaches updating reference counts associated with the event data based on counts of related pieces of event data stored in the storage and at least occasionally deleting, by the storage engine, pieces of event data from the storage that have reference counts equal to zero (see Carpenter figure 3 and paragraph 0033 i.e. Referring still to FIG. 3, and in an embodiment, there are shown client tokens 306 having pointers to child objects 304A, parent objects 304B, and grandparent object 304C. Each object 304A, 304B and each token 306 in the structure within data model 302 holds a reference to its parent. This reference, which is also referred to as a pointer, causes retention of the object 304A, 304B, 304C in memory. As each one of the objects 304A, 304B, 304C have a reference from at least one token 306, each one of the objects 304A, 304B, 304C will not be deleted until each one of child objects and tokens referring thereto are deleted).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Avidan in view of Carpenter to have prevented event data from being deleted after a threshold period of time when related event data is still relevant (see Carpenter paragraph 0033). Therefore, one would have been motivated to use reference counts associated with the event data, based on counts of related pieces of event data stored in the storage, and to at least occasionally delete, by the storage engine, pieces of event data from the storage that have reference counts equal to zero.

With respect to claim 14 Avidan teaches the one or more computing elements of claim 13, wherein the operations further comprise: receiving, by the storage processor from the compute engine, a claim check for expected event data related to the event data; and determining that the claim check is satisfied based on receipt of the event data and the expected event data, wherein the providing comprises providing the event data and the expected event data to the compute engine in response to determining that the claim check is satisfied (see column 7 line 60 – column 8 line 31 i.e. In block 610 the advanced correlation engine 112 compares events in the event repository 111 with locally stored ontology models 108. As stated above, the advanced correlation engine 112 may determine and model an actual endpoint ontology using an HMM technique or any other desired technique. In one embodiment, a categorical sequence-labeling algorithm is used to determine a correlation between the event-determined ontology model and the stored ontology model(s) 108, identifying a targeted attack pattern in the actual event sequences. By generating a sequence of events, such as the events illustrated in Table 2, a correlation fit can be determined between the event-determined ontology model and the stored ontology model(s). If the event sequence does not correlate (block 620) to any stored ontology model 108, then the technique may try another sequence of events, returning to block 610. If multiple event sequences fit one or more ontology models, a best fit is determined in block 630. If the event-determined ontology model is a best fit with a stored ontology model 108 meets a predetermined correlation threshold, as determined in block 640, then in block 650 the advanced correlation engine 112 may generate a security alert or cause some other module to do so).

With respect to claim 15 Avidan teaches the one or more computing elements of claim 13, wherein the operations further comprise: receiving an event stream comprising the event data associated with the one or more client devices and additional event data associated with one or more additional sets of client devices; and dividing the event data and the additional event data from the event stream into the topic and one or more additional topics associated with different shards of a plurality of shards, based on identifiers of security agents executing on individual ones of the one or more client devices and the one or more additional sets of client devices, wherein the different shards are associated with distinct topics, include distinct instances of the storage processor, and are associated with distinct instances of the compute engine (see column 6 line 28-48 i.e. Moreover, the actual processes and ontology (i.e., the aggregate tasks performed by the processes) of an endpoint 103 are not directly observable. Only the output events and process behaviors, such as emitted system calls are observable. Thus, the advanced correlation engine 112 determines and models the endpoint ontology based on those observable events (termed herein “actual events”). This condition is referred to as a hidden Markov model (HMM). The advanced correlation engine 112 applies a categorical sequence-labeling algorithm based on the endpoint ontology to identify a targeted attack pattern in the actual event sequences. The sequence-labeling algorithm is probabilistic, relying on statistical inference to find the best-fit sequence that describes the targeted attack. Each state has a probability distribution over possible output sequences. Using the HMM, the advanced correlation engine 112 generates a sequence of events that provide information of a possible endpoint states, i.e., a sequence of events that best fits a predefined compromised endpoint ontology. 
Once a best-fit state according to a defined threshold is identified, a security alert is generated, along with actual suspicious state description. HMM statistical treatment is known in the art).

With respect to claim 16 Avidan teaches the one or more computing elements of claim 15, wherein the operations further comprise: identifying a set of event data from the event stream that matches output event stream criteria; adding the set of event data to an output event stream associated with the output event stream criteria; and providing the output event stream for consumption by one or more consumers in the security network (see Avidan column 7 line 60 – column 8 line 31 i.e. In block 610 the advanced correlation engine 112 compares events in the event repository 111 with locally stored ontology models 108. As stated above, the advanced correlation engine 112 may determine and model an actual endpoint ontology using an HMM technique or any other desired technique. In one embodiment, a categorical sequence-labeling algorithm is used to determine a correlation between the event-determined ontology model and the stored ontology model(s) 108, identifying a targeted attack pattern in the actual event sequences. By generating a sequence of events, such as the events illustrated in Table 2, a correlation fit can be determined between the event-determined ontology model and the stored ontology model(s). If the event sequence does not correlate (block 620) to any stored ontology model 108, then the technique may try another sequence of events, returning to block 610. If multiple event sequences fit one or more ontology models, a best fit is determined in block 630. If the event-determined ontology model is a best fit with a stored ontology model 108 meets a predetermined correlation threshold, as determined in block 640, then in block 650 the advanced correlation engine 112 may generate a security alert or cause some other module to do so).

With respect to claim 17 Avidan teaches one or more non-transitory computer-readable media storing computer-executable instructions for one or more computing elements of a security network that, when executed by one or more processors of the one or more computing elements, cause the one or more computing elements to perform operations comprising: 
receiving event data associated with occurrences of events on one or more client devices (see Avidan figure 5 step 510 and column 7 lines 48-55 i.e. In block 510, the detection engine 109 detects events. As explained above, these events may include any type of event that may have a security impact, such as downloads, logins and login attempts, commands, remote connections, account creation and manipulation, and beaconing activity. These event types are illustrative and by way of example only, and other types of security events may be provided); 
processing the event data in a topic associated with the one or more client devices, using a storage processor associated with the topic (see Avidan column 7 line 60 – column 8 line 31 i.e. In block 610 the advanced correlation engine 112 compares events in the event repository 111 with locally stored ontology models 108. As stated above, the advanced correlation engine 112 may determine and model an actual endpoint ontology using an HMM technique or any other desired technique. In one embodiment, a categorical sequence-labeling algorithm is used to determine a correlation between the event-determined ontology model and the stored ontology model(s) 108, identifying a targeted attack pattern in the actual event sequences. By generating a sequence of events, such as the events illustrated in Table 2, a correlation fit can be determined between the event-determined ontology model and the stored ontology model(s). If the event sequence does not correlate (block 620) to any stored ontology model 108, then the technique may try another sequence of events, returning to block 610. If multiple event sequences fit one or more ontology models, a best fit is determined in block 630. If the event-determined ontology model is a best fit with a stored ontology model 108 meets a predetermined correlation threshold, as determined in block 640, then in block 650 the advanced correlation engine 112 may generate a security alert or cause some other module to do so); 
providing the event data from the storage processor associated with the topic to a compute engine associated with the topic (see Avidan column 7 line 60 – column 8 line 31 i.e. In block 610 the advanced correlation engine 112 compares events in the event repository 111 with locally stored ontology models 108. As stated above, the advanced correlation engine 112 may determine and model an actual endpoint ontology using an HMM technique or any other desired technique. In one embodiment, a categorical sequence-labeling algorithm is used to determine a correlation between the event-determined ontology model and the stored ontology model(s) 108, identifying a targeted attack pattern in the actual event sequences. By generating a sequence of events, such as the events illustrated in Table 2, a correlation fit can be determined between the event-determined ontology model and the stored ontology model(s). If the event sequence does not correlate (block 620) to any stored ontology model 108, then the technique may try another sequence of events, returning to block 610. If multiple event sequences fit one or more ontology models, a best fit is determined in block 630. If the event-determined ontology model is a best fit with a stored ontology model 108 meets a predetermined correlation threshold, as determined in block 640, then in block 650 the advanced correlation engine 112 may generate a security alert or cause some other module to do so); 
storing the event data in storage (see Avidan figure 5 step 520 and column 7 lines 55-59 i.e. The detection engine 109 detects the events and then in block 520, the data extraction agent 113 may be employed to extract data relevant to the specific event and store the event data, such as in the events repository 111); 
Avidan does not teach updating reference counts associated with the event data based on counts of related pieces of event data stored in the storage and at least occasionally deleting, by the storage engine, pieces of event data from the storage that have reference counts equal to zero. However, Carpenter teaches this (see Carpenter figure 3 and paragraph 0033 i.e. Referring still to FIG. 3, and in an embodiment, there are shown client tokens 306 having pointers to child objects 304A, parent objects 304B, and grandparent object 304C. Each object 304A, 304B and each token 306 in the structure within data model 302 holds a reference to its parent. This reference, which is also referred to as a pointer, causes retention of the object 304A, 304B, 304C in memory. As each one of the objects 304A, 304B, 304C have a reference from at least one token 306, each one of the objects 304A, 304B, 304C will not be deleted until each one of child objects and tokens referring thereto are deleted).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Avidan in view of Carpenter to have prevented event data from being deleted after a threshold period of time when related event data is still relevant (see Carpenter paragraph 0033). Therefore one would have been motivated to have used reference counts associated with the event data based on counts of related pieces of event data stored in the storage and at least occasionally deleting, by the storage engine, pieces of event data from the storage that have reference counts equal to zero.
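As an added illustration, not part of this Office action or of the cited references, of the reference-counted retention recited in claim 17 and attributed above to Carpenter: a storage engine that ages out a piece of event data only once nothing still stored refers to it, so that a parent event outlives its retention period while related child events remain. The class and function names, the retention value and the sample events are constructed for this illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class StoredEvent:
    event_id: str
    agent_id: str        # identifier of the security agent that emitted it
    kind: str
    timestamp: float     # seconds; constructed clock for the sample
    related: tuple       # ids of stored events this event refers to (e.g. parent process)
    refcount: int = 0    # number of stored events that refer to this one


class StorageEngine:
    """Hypothetical storage engine: retention gated on age AND reference count."""

    def __init__(self, retention_seconds: float):
        self.retention = retention_seconds
        self.events: dict[str, StoredEvent] = {}
        # References to event ids not yet received (out-of-order arrival) are
        # remembered here so a late-arriving parent starts with the right count.
        self.pending: defaultdict[str, int] = defaultdict(int)

    def store(self, event: StoredEvent) -> None:
        event.refcount = self.pending.pop(event.event_id, 0)
        self.events[event.event_id] = event
        for rid in event.related:
            parent = self.events.get(rid)
            if parent is not None:
                parent.refcount += 1
            else:
                self.pending[rid] += 1

    def _delete(self, event: StoredEvent) -> None:
        del self.events[event.event_id]
        for rid in event.related:          # release the references this event held
            parent = self.events.get(rid)
            if parent is not None:
                parent.refcount -= 1

    def sweep(self, now: float) -> list[str]:
        """Delete expired, unreferenced events; repeat until the store is stable,
        because removing a child can drop its parent's count to zero."""
        removed: list[str] = []
        changed = True
        while changed:
            changed = False
            for ev in list(self.events.values()):
                if ev.refcount == 0 and now - ev.timestamp >= self.retention:
                    self._delete(ev)
                    removed.append(ev.event_id)
                    changed = True
        return removed


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample: a process chain plus one unrelated login event."""
    engine = StorageEngine(retention_seconds=100)
    engine.store(StoredEvent("A", "agent-1", "process_create", 0.0, ()))
    engine.store(StoredEvent("B", "agent-1", "process_create", 0.0, ("A",)))
    engine.store(StoredEvent("C", "agent-1", "net_connect", 50.0, ("B",)))
    engine.store(StoredEvent("D", "agent-1", "login", 0.0, ()))
    first = engine.sweep(now=120.0)   # only D: old and unreferenced; A and B are kept
    second = engine.sweep(now=200.0)  # C expires, then B and A collapse in order
    return first, second
```

At the first sweep A and B are past their retention period but survive because C still refers to B and B to A; only once C itself expires does the chain release.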

With respect to claim 18 Avidan teaches the one or more non-transitory computer-readable media of claim 17, wherein the operations further comprise: receiving, by the storage processor from the compute engine, a claim check for expected event data related to the event data; and determining that the claim check is satisfied based on receipt of the event data and the expected event data, wherein the providing comprises providing the event data and the expected event data to the compute engine in response to determining that the claim check is satisfied (see column 7 line 60 – column 8 line 31 i.e. In block 610 the advanced correlation engine 112 compares events in the event repository 111 with locally stored ontology models 108. As stated above, the advanced correlation engine 112 may determine and model an actual endpoint ontology using an HMM technique or any other desired technique. In one embodiment, a categorical sequence-labeling algorithm is used to determine a correlation between the event-determined ontology model and the stored ontology model(s) 108, identifying a targeted attack pattern in the actual event sequences. By generating a sequence of events, such as the events illustrated in Table 2, a correlation fit can be determined between the event-determined ontology model and the stored ontology model(s). If the event sequence does not correlate (block 620) to any stored ontology model 108, then the technique may try another sequence of events, returning to block 610. If multiple event sequences fit one or more ontology models, a best fit is determined in block 630. If the event-determined ontology model is a best fit with a stored ontology model 108 meets a predetermined correlation threshold, as determined in block 640, then in block 650 the advanced correlation engine 112 may generate a security alert or cause some other module to do so).

With respect to claim 19 Avidan teaches the one or more non-transitory computer-readable media of claim 17, wherein the operations further comprise: receiving an event stream comprising the event data associated with the one or more client devices and additional event data associated with one or more additional sets of client devices; and dividing the event data and the additional event data from the event stream into the topic and one or more additional topics associated with different shards of a plurality of shards, based on identifiers of security agents executing on individual ones of the one or more client devices and the one or more additional sets of client devices, wherein the different shards are associated with distinct topics, include distinct instances of the storage processor, and are associated with distinct instances of the compute engine (see column 6 line 28-48 i.e. Moreover, the actual processes and ontology (i.e., the aggregate tasks performed by the processes) of an endpoint 103 are not directly observable. Only the output events and process behaviors, such as emitted system calls are observable. Thus, the advanced correlation engine 112 determines and models the endpoint ontology based on those observable events (termed herein “actual events”). This condition is referred to as a hidden Markov model (HMM). The advanced correlation engine 112 applies a categorical sequence-labeling algorithm based on the endpoint ontology to identify a targeted attack pattern in the actual event sequences. The sequence-labeling algorithm is probabilistic, relying on statistical inference to find the best-fit sequence that describes the targeted attack. Each state has a probability distribution over possible output sequences. Using the HMM, the advanced correlation engine 112 generates a sequence of events that provide information of a possible endpoint states, i.e., a sequence of events that best fits a predefined compromised endpoint ontology. 
Once a best-fit state according to a defined threshold is identified, a security alert is generated, along with actual suspicious state description. HMM statistical treatment is known in the art).

With respect to claim 20 Avidan teaches the one or more non-transitory computer-readable media of claim 19, wherein the operations further comprise: identifying a set of event data from the event stream that matches output event stream criteria; adding the set of event data to an output event stream associated with the output event stream criteria; and providing the output event stream for consumption by one or more consumers in the security network (see Avidan column 7 line 60 – column 8 line 31 i.e. In block 610 the advanced correlation engine 112 compares events in the event repository 111 with locally stored ontology models 108. As stated above, the advanced correlation engine 112 may determine and model an actual endpoint ontology using an HMM technique or any other desired technique. In one embodiment, a categorical sequence-labeling algorithm is used to determine a correlation between the event-determined ontology model and the stored ontology model(s) 108, identifying a targeted attack pattern in the actual event sequences. By generating a sequence of events, such as the events illustrated in Table 2, a correlation fit can be determined between the event-determined ontology model and the stored ontology model(s). If the event sequence does not correlate (block 620) to any stored ontology model 108, then the technique may try another sequence of events, returning to block 610. If multiple event sequences fit one or more ontology models, a best fit is determined in block 630. If the event-determined ontology model is a best fit with a stored ontology model 108 meets a predetermined correlation threshold, as determined in block 640, then in block 650 the advanced correlation engine 112 may generate a security alert or cause some other module to do so).

Allowable Subject Matter
Claim 11 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The prior art does not teach with respect to claim 11, wherein the ontological definition provides different authorization levels to different data elements of the event data, and the storage engine provides partial event data to an element of the security network that includes information from a subset of data elements of the event data that have authorization levels corresponding to an authorization level of the element of the security network.

Prior Art not used in Rejection
Coppolino et al, “A framework for mastering heterogeneity in multi-layer security information and event correlation”
Schoning et al (US 2012/0166688) titled “System and Method for Secure Complex Event Processing in Heterogeneous Environments”
Cohen et al (US 9,202,249) titled “Data Item Clustering and Analysis”

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEVIN E ALMEIDA whose telephone number is (571)270-1018.  The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to 5:00 P.M.  The examiner can also be reached on alternate Fridays from 7:30 A.M. to 4:00 P.M. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Saleh Najjar, can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/DEVIN E ALMEIDA/ Examiner, Art Unit 2492


/SALEH NAJJAR/ Supervisory Patent Examiner, Art Unit 2492