DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 have been examined and are pending.
Allowable Subject Matter
Claims 7-8 and 17-18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/30/2021 was filed.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Specification
The use of the term Windows: para 0030, which is a trade name or a mark used in commerce, has been noted in this application. The term should be accompanied by the generic terminology; furthermore the term should be capitalized wherever it appears or, where appropriate, include a proper symbol indicating use in commerce such as ™, SM, or ® following the term.
Although the use of trade names and marks used in commerce (i.e., trademarks, service marks, certification marks, and collective marks) are permissible in patent applications, the proprietary nature of the marks should be respected and every effort made to prevent their use in any manner which might adversely affect their validity as commercial marks.
Claim Objections
Claims 1, 9, 12, and 19 are objected to because of the following informalities:  
Claim 1, lines 5 and 7: use of “if” should be changed; recommend “when” as to positively recite.
Claim 9, line 2: use of “if” should be changed; recommend “when” as to positively recite.
Claim 12, lines 5 and 7: use of “if” should be changed; recommend “when” as to positively recite.
Claim 19, line 3: use of “if” should be changed; recommend “when” as to positively recite.
Appropriate correction is required.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claim 12 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. Claim 12 recites "a computer-readable program product..." presents signal generation which does not bound the claim limitation. The specification does not explicitly limit, exclude and/or define what type of computer readable storage medium is claimed. At most, in paragraph (0061): “...computer-readable medium 1406 may be a non-transitory computer-readable medium. A non-transitory computer-readable medium includes, by way of example, a magnetic storage device (e.g., hard disk, floppy disk, magnetic strip).” As a result, the claimed "computer program product" may include propagate and transmission signals, which are non-eligible subject matter under 35 U.S.C. 101. Therefore, the claims are directed to non-statutory subject matter. The Examiner respectfully suggests that the claims be amended as either "A non-transitory computer program product" to make the claim statutory under 35 USC 101; (emphasis added) (MPEP 2106.03).
Likewise, claims 13-20, which depend on claim 12, fail to resolve the above problems; therefore, claims 13-20 are also rejected under 35 USC 101.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Sengupta et al., hereinafter (“Sengupta”), US PG Publication (20160019279 A1), in view of Prunier, US PG Publication (20210286814 A1).
Regarding claims 1 and 12, Sengupta teaches a method for analyzing events in a host device in a computer network system, the method comprising; and a computer-readable medium storing computer executable code, the code when executed by a processor causes the processor to: [Sengupta, ¶0002: system includes a computer-readable storage medium storing executable instructions including a page update manager that obtain update requests to specify updates for a logical page associated with a key-value store]
determining at least one lookup key in a host device for an event occurring in the host device;  [Sengupta, ¶0210: a data retrieval engine 964 may initiate a lookup of a key in the key-value store, to obtain a representation of at least a portion of the logical page; ¶0049: an insert performs a lookup on the key]
determining whether the at least one lookup key is used in a memory to determine if at least one key-value pair exists for the event;  [Sengupta, ¶0022: In this context, a “key-value store” may generally refer to a form of database management system that may store pairs of respective keys (or terms) and values. ¶0210: a data retrieval engine 964 may initiate a lookup of a key in the key-value store; in a current state of the logical page, via a read operation from storage into memory.]
storing the at least one key-value pair in the memory based on the at least one lookup key including replacing existing keys found for the at least one lookup key. [Sengupta, ¶0025: a generic key-value store environment. Hence, a read I/O is involved to perform a write. ¶0158: an UPSERT operation uses a new record version to replace an existing record if it exists]
While Sengupta teaches appending the event [See Sengupta, ¶0257: an incremental flush engine buffer storage area that is appended to storage using a single write operation]; however, Sengupta fails to explicitly teach but Prunier teaches appending at least one key-value pair to the event if at least one key-value pair is determined to exist for the event;  [Prunier 20210286814 A1, ¶0074: if a factor is violated a new schema version is created by adding respective key of given key-value pair of new data point and corresponding data type].
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of a High throughput data modifications using blind update operations of Sengupta before him or her by including the teachings of a Storage of generic time series data using dynamic schema of Prunier. The motivation/suggestion would have been obvious to try to modify the key-value system of Sengupta by adding the techniques for storing, evaluating, and updating dynamic schema taught by Prunier [Prunier, ¶¶0075-0077].  

Claims 2, 5-6, 13, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Sengupta et al., hereinafter (“Sengupta”), US PG Publication (20160019279 A1), in view of Prunier, US PG Publication (20210286814 A1), in view of Rogers et al, hereinafter (“Rogers”), US PG Publication (20210216536 A1).

Regarding claims 2 and 13, the combination of Sengupta and Prunier teach claim 1 as described above.
Sengupta teaches the at least one lookup key to denote the at least one lookup key when the at least one key-value pair is determined to exist for the event. [Sengupta, ¶0210: a data retrieval engine 964 may initiate a lookup of a key in the key-value store; in a current state of the logical page, via a read operation from storage into memory.]; however, Sengupta fails to explicitly teach but Rogers teaches modifying the at least one lookup key to denote the at least one lookup key is a previous value when the at least one key-value pair is determined to exist for the event.  [Rogers, ¶0063:  At step 312, the event records with the anonymous identifiers are batched for lookup in the identifier resolution database. As the event records still need a known identifier to be attached to them, the event records may be passed through during this flow. Anonymous identifiers may be stored in a buffer for batch processing. As with the key value pairs buffer, the anonymous identifiers buffer may be configured to merge multiple entries with the same anonymous identifiers. Examiner interprets the merging as analogous to modifying of the anonymous identifiers associated with the key value pairs.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Sengupta and Prunier before him or her by including the teachings of a Real Time System for Ingestion, Aggregation, & Identity Association of Data from User Actions Performed on Websites or Applications of Rogers. The motivation/suggestion would have been obvious to try to modify the key-value system of Sengupta by adding the techniques for storing, evaluating, and updating dynamic schema taught by Prunier, with identity resolution of event record where the lookup of identifiers of associated key pairs are processed of Rogers [Rogers, ¶¶0056 and 0063].  

Regarding claim 5, the combination of Sengupta and Prunier teach claim 1 as described above.
Sengupta teaches wherein the at least one lookup key [Sengupta, ¶0210: a data retrieval engine 964 may initiate a lookup of a key]; however, the combination of Sengupta and Prunier fails to explicitly teach but Rogers teaches wherein the at least one lookup key comprises one of a user ID or a session ID.  [Rogers, ¶¶0057-0059: Fig. 3 depicts performing identity resolution for event records, where event data may include an identifier of a cookie and/or identifier of a user.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Sengupta and Prunier before him or her by including the teachings of a Real Time System for Ingestion, Aggregation, & Identity Association of Data from User Actions Performed on Websites or Applications of Rogers. The motivation/suggestion would have been obvious to try to modify the key-value system of Sengupta by adding the techniques for storing, evaluating, and updating dynamic schema taught by Prunier, with corresponding event record to anonymous identifier correlates to event records stored in data repository of Rogers [Rogers, ¶¶0057-0059 and 0066-0067].  
	
Regarding claims 6 and 16, the combination of Sengupta, Prunier, and Rogers teach claim 5 as described above.
However, the combination of Sengupta and Prunier fails to explicitly teach but Rogers teaches determining whether the user ID or session ID is found in available keys in the memory;  [See Rogers, ¶¶0050 and 0057-0059: Fig. 3 depicts performing identity resolution for event records, where event data may include an identifier of a cookie and/or identifier of a user; event records can be written to memory within the interface analysis server computer 130] and 
determining whether user data for a user is stored in the memory.  [Rogers, ¶0059-0060: interface analysis server computer 130 determines event data and entries stored in buffer]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Sengupta and Prunier before him or her by including the teachings of a Real Time System for Ingestion, Aggregation, & Identity Association of Data from User Actions Performed on Websites or Applications of Rogers. The motivation/suggestion would have been obvious to try to modify the key-value system of Sengupta by adding the techniques for storing, evaluating, and updating dynamic schema taught by Prunier, with corresponding event record to anonymous identifier correlates to event records stored in data repository of Rogers [Rogers, ¶¶0057-0059 and 0066-0067].  
Regarding claims 9 and 19, the combination of Sengupta and Prunier teach claim 1 as described above.
However, the combination of Sengupta and Prunier fail to explicitly teach but Rogers teaches purging the memory of at least one key-value pair if the key-value pair has a timestamp older than a predetermined time expiration value.  [Rogers, ¶0066: interface analysis server computer 130 is configured to remove event records which have not been matched after...a particular period of time. ¶¶0077 and 0079: Events are aggregated using composite keys; an interface analysis server computer 130 does not perform aggregations on events with a timestamp older than a particular value, such as a year old. Examiner interprets that the non-performance of aggregated events as analogous to key value pairs that will be removed after a period of time]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Sengupta and Prunier before him or her by including the teachings of a Real Time System for Ingestion, Aggregation, & Identity Association of Data from User Actions Performed on Websites or Applications of Rogers. The motivation/suggestion would have been obvious to try to modify the key-value system of Sengupta by adding the techniques for storing, evaluating, and updating dynamic schema taught by Prunier, with removal of aggregated data of keys over a predetermined period of time of Rogers [Rogers, ¶¶0066, 0077, and 0079].  


Claims 3 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Sengupta et al., hereinafter (“Sengupta”), US PG Publication (20160019279 A1), in view of Prunier, US PG Publication (20210286814 A1), in view of Resch et al, hereinafter (“Resch”), US PG Publication (20190108366 A1).
Regarding claims 3 and 14, the combination of Sengupta and Prunier teach claim 1 as described above.
However, the combination of Sengupta and Prunier fail to explicitly teach but Resch teaches wherein determining the at least one lookup key further comprises deobfuscating the value of the at least one lookup key including parsing the event data, and adding the parsed event data to the event.  [Resch, ¶0128: processing module determines de-selection information at step 240 and continues to step 242 separating randomized encoded data slices. ¶0145: Fig. 9 shows method with step 210-214 to determine an obfuscating method based on a vault lookup; ¶0146: processing module determines de-obfuscating method based on one or more of the ...requester identifier, a vault lookup, a key]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Sengupta and Prunier before him or her by including the teachings of a Secure data transmission utilizing distributed storage of Resch. The motivation/suggestion would have been obvious to try to modify the key-value system of Sengupta by adding the techniques for storing, evaluating, and updating dynamic schema taught by Prunier, with obfuscating/deobfuscating methods performed by the processing module depicted in Figs. 9 and 11 of Resch [Resch, ¶0133].  
Claims 4 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Sengupta et al., hereinafter (“Sengupta”), US PG Publication (20160019279 A1), in view of Prunier, US PG Publication (20210286814 A1), in view of Resch et al, hereinafter (“Resch”), US PG Publication (20190108366 A1), in view of Nsouli, US PG Publication (20190190947 A1).

Regarding claims 4 and 15, the combination of Sengupta, Prunier, and Resch teach claim 3 as described above.
However, the combination of Sengupta, Prunier, and Resch fail to explicitly teach but Nsouli teaches searching for the presence of known malicious characters used for obfuscating data, or measuring a population standard deviation and variance and comparing the measured population standard deviation and variance with at least one predetermined threshold of change.  [Nsouli, ¶0052: examination of program behavior based on deep functional semantics to analyze and flag suspicious and benign behavior of code/characters; use of obfuscatory language of code/characters]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Sengupta and Prunier before him or her by including the teachings of a Secure data transmission utilizing distributed storage of Resch. The motivation/suggestion would have been obvious to try to modify the key-value system of Sengupta by adding the techniques for storing, evaluating, and updating dynamic schema taught by Prunier, with obfuscating/deobfuscating methods performed by the processing module depicted in Figs. 9 and 11 of Resch. Further combining the deep functional semantics analysis [Nsouli, ¶0052].  
	
Claims 10 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Sengupta et al., hereinafter (“Sengupta”), US PG Publication (20160019279 A1), in view of Prunier, US PG Publication (20210286814 A1), in view of Griggs, US PG Publication (20200145439 A1).
Regarding claims 10 and 20, the combination of Sengupta and Prunier teach claim 1 as described above.
Sengupta teaches the at least one key-value pair [Sengupta, ¶0022: In this context, a “key-value store” may generally refer to a form of database management system that may store pairs of respective keys (or terms) and values. ¶0210: a data retrieval engine 964 may initiate a lookup of a key in the key-value store]; however, the combination of Sengupta and Prunier fail to explicitly teach but Griggs teaches determining a session ID and a process ID associated with the event;  [Griggs, ¶0051: FIG. 6 the security event monitoring application may collect information from multiple and disparate sources on the first computing device and cross-reference the information for accuracy; attributes used for cross-referencing may include process id and session id for sources of event data] and 
linking the session ID and the process ID to create a single log output including the at least one key-value pair.  [Griggs, ¶¶0052 and 0098: cross reference data from multiple trust levels may then be combined to create one enriched record for the event; format application output, JSON stanzas may be manually populated in some implementations; JSON stanzas from a single filtered event are combined into a JSON object.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Sengupta and Prunier before him or her by including the teachings of systems and methods for security monitoring processing of Griggs. The motivation/suggestion would have been obvious to try to modify the key-value system of Sengupta by adding the techniques for storing, evaluating, and updating dynamic schema taught by Prunier, with removal of aggregated data of keys over a predetermined period of time of Rogers with cross-referencing implementations that combine attributes of events into JSON objects/stanzas of Griggs [Griggs, ¶¶0066, 0077, and 0079].  

Regarding claim 11, the combination of Sengupta, Prunier, and Griggs teach claim 10 as described above.
However, the combination of Sengupta and Prunier fail to explicitly teach but Griggs teaches wherein the single log output is configured as a structured document in at least one of JSON, XML, CSV, Binary, Proprietary, UTF-8, or ASCII formats.  [Griggs, ¶0068: JSON log file]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Sengupta and Prunier before him or her by including the teachings of systems and methods for security monitoring processing of Griggs. The motivation/suggestion would have been obvious to try to modify the key-value system of Sengupta by adding the techniques for storing, evaluating, and updating dynamic schema taught by Prunier, with removal of aggregated data of keys over a predetermined period of time of Rogers with cross-referencing implementations that combine attributes of events into JSON objects/stanzas of Griggs [Griggs, ¶¶0066, 0077, and 0079].  

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Skelton et al (20130046601 A1) discloses an Enhanced product search system and method.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH W TAYLOR whose telephone number is (571)270-0682. The examiner can normally be reached Monday-Friday, 9:45-5:45.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ELENI SHIFERAW can be reached on 571-272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/Sakinah White Taylor/
Primary Examiner, Art Unit 2497