Notice of Pre-AIA  or AIA  Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

2. 	Claims 1-20 are pending in this office action. This action is responsive to Applicant’s application filed 12/13/2021.
Priority
3.	Applicant’s claim for the benefit of a continuation of 16720836, filed 12/19/2019 ,now U.S. Patent #11204924, ,16720836 Claims Priority from Provisional Application 62783287, filed 12/21/2018 is acknowledged.  
Since the Continuation application relied on part of the priority document (Continuation), the claim of priority will be considered on a claim-by-claim basis. The priority date of the instant application is at least 12/13/2021 (the filing date), but depending upon the specific material claimed, could be as early as 12/21/2018. 

Information Disclosure Statement
4.	The references listed in the IDS filed 01/21/2022, and 08/01/2022 has been considered. A copy of the signed or initialed IDS is hereby attached.

Claim Rejections - 35 USC § 112
The following is a quotation of the second paragraph of 35 U.S.C. 112: 
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

5.	Claims 1-20 rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Regarding independent claims 1, 9, and 16, the claim limitation "maintaining a first timepoint, corresponding to a first point in time, in association with a first content graph set preloaded into a cache” and “accessing the first content graph set to respond to first requests for data received after the first point in time is reached and before the second point in time is reached” render the claim(s) indefinite because the claim(s) include(s) elements not actually disclosed, thereby rendering the scope of the claim(s) unascertainable.  
The claim limitation “maintaining” and “accessing”, both steps do not clear determine/define how to process the data into a cache? How to validation the data for maintaining or accessing the process? The steps "maintain” or “access” the data into a cache do not described any algorithm or criteria for the invention. Possible Applicant has left several steps after or before the “accessing” step.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

6.	Claim(s) 9-11, 13-14, 16, and 17-18 is/are rejected under 35 U.S.C. 102(a1)(a2) as being anticipated by Shu et al. (US Patent Publication No. 2020/0201989 A1, hereinafter “Shu”).
As to Claim 9, Shu teaches the claimed limitations:
 	“A method, comprising:” as an automatic causality tracking method and system that meets real-time analysis needs, such as may be required by a Security Operation Center (SOC) analyst (paragraph 0106).
 	“maintaining, by system comprising a processor, a collection of timepoints, in which respective timepoints in the collection of timepoints are mapped to respective content graph sets maintained in a cache” as the graph database stores both in-memory and on-disk pattern graph portions, and it provides graph query APIs to the interpreter. The main functions of the graph database are to bridge the semantics of the pattern graph and low-level data storage, and to optimize graph retrieval throughput, preferably using multi-layer caches and data arrangement based on PG properties, such as temporal locality of events. To optimize graph queries based on pattern graph properties, a Feature Collection and Correlation Engine (FCCE) schema is used. This schema represents the pattern graph in key-value pairs, and certain values preferably are replicated in one or more schemas for data locality preservation and fast retrieval from different perspectives. Thus, one replica of events may deal with temporal locality, wherein events are indexed by time, and events occurring within a time window are managed on one memory page and stored at consecutive filesystem blocks (paragraph 0103).
  “replacing, by the system, an existing content graph set in the cache with a first new content graph set” as each entity in the endpoint system is associated with a label that describes its category and properties. Labels may be assigned manually or computed via a function. Labels may replace entity names to create behavior patterns for a category of processes. The graph depicts and comprises a set of entities, each of which typically has an associated label (tag) that is defined in an off-line manner (paragraphs 0067, 0074, 0080).
 	“remapping, by the system, an existing timepoint in the collection of timepoints from being mapped to the existing content graph set to being mapped to the first new content graph set” as the ingest function begins by filtering noise, after which events are inserted into an event queue, ordered by time. Then, and to facilities evolving the inter-activity graph, new entities are inserted into an entity-event map, preferably as new keys. As additional events are received, these events are then appended onto the value (list) of associated entities in the entity-event map (paragraphs 0080-0081; see also figure 10). How the aging function is used to evolve an activity graphs, an entity-event map at two distinct times (initially, and then following application of the aging function) (paragraph 0081; see also figures 11-12). 
 	“adding, by the system, a second new content graph set to the cache” as function provides activity graph construction, this processing typically involves ingesting, which extends the graph as new activities occur and are monitored, and aging, whereby vertices/edges of the graph are dropped (pruned) if they are older than a configurable threshold, or if their distance to a newly-extended graph are larger than a configurable threshold. The inter-process activity graph generated by these activity graph construction function is stored in a database (paragraphs 0074, 0080-0081; see also figure 10).
 	“inserting, by the system, a new timepoint into the collection of timepoints, in which the new timepoint is mapped to the second new content graph set” as to facilities evolving the inter-activity graph, new entities are inserted into an entity-event map, preferably as new keys. As additional events are received, these events are then appended onto the value of associated entities in the entity-event map (paragraphs 0080-0081; see also figures 10-12).
 “serving requests for content from an active content graph set in the cache, wherein the active content graph set is selected based on a current time relative to a timepoint mapped to the active content graph set” as an automatic causality tracking system that meets real-time analysis needs. The first sub-task yields the system elements that contribute information to a set of threat indicators backward in time. The second sub-task yields system elements forward in time. Given two sets of threat indicators, the third sub-task yields shortest paths between them. The system enables (e.g., select) efficient multi-point traversal analysis with respect to a set of potential compromise points, and using data from real information flows (paragraph 10). The activity graph typically expresses computations on one or more computing devices (which may include the endpoint) as a temporal graph. An entity is any system element that can either send or receive information. An event is any information/control flow that connects two or more entities. Events typically are information flows between pair of entities at specific times. A timestamp is an integer or real number that records the time of an event (paragraph 0086, 0094).

As to Claim 10, Shu teaches the claimed limitations:
 “wherein the respective timepoints in the collection of timepoints are mapped to the respective content graph sets via respective graph set identifiers” as (paragraph 0081).

As to Claim 11, Shu teaches the claimed limitations:
 	“wherein the replacing the existing content graph set in the cache with the first new content graph set is performed in response to receiving a notification that the existing content graph set is no longer valid” as (paragraphs 0059, 0064, 0067, 0075, 0112, 0117).

As to Claim 13, Shu teaches the claimed limitations:
 	“generating the first new content graph set in response to a change relative to the existing content graph set” as (paragraphs 0074, 0080-0081; see also figure 10).

As to Claim 14, Shu teaches the claimed limitations:
“selecting the first new content graph set as the active content graph set when the current time reaches the existing timepoint, and selecting the second new content graph set as the active content graph set when the current time reaches the new timepoint” as (paragraph 10, 0086, 0094).

As to Claim 16, Shu teaches the claimed limitations:
 	“A machine-readable storage medium, comprising executable instructions that, when executed by a processor, facilitate performance of operations, the operations comprising:” as the instructions are referred to as program code, computer-usable program code, or computer-readable program code that may be read and executed by a processor in processor unit. The program code in the different embodiments may be embodied on different physical or tangible computer-readable media, such as memory or persistent storage (paragraph 0043).
 	“maintaining a collection of timepoints, in which respective timepoints correspond to respective points in time, and in which the respective timepoints are mapped to respective content offering graph sets maintained in a data structure” as the database provides a forensics repository, which distributed and heterogeneous data sets comprising the information collected by the packet capture appliances. The console provides a web- or cloud-accessible user interface that exposes a Forensics dashboard tab to facilitate an incident investigation workflow by an investigator. Using the dashboard, an investigator selects a security incident. The incident forensics module retrieves all the packets for a selected security incident and reconstructs the session for analysis (paragraph 0051). The ingest function begins by filtering noise, after which events are inserted into an event queue, ordered by time. Then, and to facilities evolving the inter-activity graph, new entities are inserted into an entity-event map, preferably as new keys. As additional events are received, these events are then appended onto the value (list) of associated entities in the entity-event map (paragraphs 0080-0081; see also figures 10-12).
 	“serving responses to client requests from a first active content offering graph set maintained in the data structure, in which the first active content offering graph set is selected when current time reaches a first timepoint mapped to the first content offering graph set, and has not reached a later timepoint that is after the first timepoint” as built-in traversal support is provided in the matching processes. Backward and forward traversals are common tasks in threat intelligence for root cause discovery and impact analysis, it is useful to encode traversal semantics as a built-in primitive pattern predicate. A built-in relation reach provides several functionalities: forward traversal, backward traversal and path-finder. In operation, the traversal computes the graph closure over all subgraphs reachable from a provided subgraph or set of entities/events. A touched/untouched variable refers to whether any constraint associated with that variable has been solved in previously iterating constraint-solving steps (paragraph 0107). Dynamic programming refers to bookkeeping results (a set of joinpoints) of all traversal sub-problems solved in previous iterations. A traversal sub-problem is defined by its domain (a connected entity and the query time range) and its codomain (a set of events). Proactive constraint solving is used when a variable in a traversal predicate has other constraints, in which case the additional constraints are proactively and repeatedly solved in each iterating step of the traversal to minimize on-disk data queries, especially for hub entities (0108-0110; see also figures 18-19). A time-series showing an example of running the backward traversal algorithm with respect to a connection graph comprising entities and set of events. One or more entities in this example are a potentially compromised starting point, and a goal of the multi-point causality reasoning is to identify a root cause. As noted, entities are depicted as horizontal lines, and events are depicted as vertical lines (abstract, paragraph 0116; see also figure 20).
  	“serving responses to client requests from a second active content offering graph set maintained in the data structure, in which the second active content offering graph set is selected when the current time reaches a second timepoint mapped to the second content offering graph set, and has not reached a later timepoint that is after the second timepoint” as function block provides activity graph construction. As will be described, this processing typically involves ingesting, which extends the graph as new activities occur and are monitored, and aging, whereby vertices/edges of the graph are dropped (pruned) if they are older than a configurable threshold, or if their distance to a newly-extended graph are larger than a configurable threshold. The inter-process activity graph generated by these activity graph construction function is stored in a database. Typically, the inter-process activity graph evolves as the monitoring, ingesting and aging functions operate, preferably on a continuous basis (paragraph 0074). With respect to a given connection graph, the backward traversal algorithm executes (iterates) until one of three conditions occurs: all stopping points are reached, all maximum traversal steps are reached, or there are no more earlier data points. The algorithm yields the set of events and the set of entities (paragraphs 0114). The technique provides a way to perform multi-point traversal analysis. In effect, the traversal is carried out for a set of points concurrently, in real-time, to enable multi-point causality reasoning that has not heretofore been possible (paragraphs 0115-118; see also figures 19-20).

As to Claim 17, Shu teaches the claimed limitations:
 “wherein the operations further comprise replacing an existing content offering graph set with the second content offering graph set, comprising, before the current time has reached the second timepoint, maintaining the second content offering graph set in the data structure, and remapping the second timepoint from the existing content offering graph set to the second content offering graph set” (paragraphs 0067, 0074, 0080).

As to Claim 18, Shu teaches the claimed limitations:
 	“wherein the operations further comprise receiving a notification that the existing content offering graph is no longer valid, and generating the second content offering graph set in response to the notification” as (paragraphs 0059, 0064, 0075, 0112, 0117).

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

This application currently names joint inventors.  In considering patentability of the claims under 35 U.S.C. 103(a), the examiner presumes that the subject matter of the various claims was commonly owned at the time any inventions covered therein were made absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and invention dates of each claim that was not commonly owned at the time a later invention was made in order for the examiner to consider the applicability of 35 U.S.C. 103(c) and potential 35 U.S.C. 102(e), (f) or (g) prior art under 35 U.S.C. 103(a).
 7.	Claims 1-8, 12, 15, and 19-20 are rejected under 35 U.S.C. 103(a) as being unpatentable over Huang et al. (US Patent Publication No. 2010/0049678 A1, hereinafter “Huang”) in view of Shu et al. (US Patent Publication No. 2020/0201989 A1).
As to Claim 1, Huang teaches the claimed limitations:
“A system, comprising: a processor; and a memory that stores executable instructions that, when executed by the processor, facilitate performance of operations, the operations comprising:” as a general purpose programmable computer or resource having one or more processor cores, or distributed resource of processor cores, connected to storage media storing machine-readable instructions that, when executed by the processor cores, effect a state machine, and/or perform other operations to carry out the function recited for the engine (paragraph 0027). 
 	“maintaining a first timepoint, corresponding to a first point in time, in association with a first content graph set preloaded into a cache” as the web service request prefetching proxy maintains, based on a history of received web service search requests, a likely next web service request prediction rule or process, and applies the rule or process to received web service requests to prefetch web service results from the web service registry, and preloads the web service request caching proxy with the prefetched results, prior to receiving a subsequent request, providing significant cache hit rate and various benefits including one or more of reduced latency, reduced network load, and reduced web service registry load (paragraph 0012). A directed graph representing queries SQ as nodes, with directed edges connecting the nodes, each edge having a weight representing the conditional probability or likelihood of a search request SQ at the destination end of the edge being the next search request given that the node at the start end of the edge is the present search request, with a weight representing the probability or likelihood (paragraphs 0050-0053, 0055-0056; see also figure 3).
 	“maintaining a second timepoint, corresponding to a second point in time, in association with a second content graph set preloaded into a cache, wherein the second point in time is later than the first point in time” as one example test for determining logical dependency between successive search requests is based on the time lapse between the successive search requests. If the time lapse exceeds a given threshold, which is readily determined, the successive search requests are not likely logically related (paragraph 0059; see also figures 4-5). For example, T seconds after receiving the search request represented by node, i.e., find_business (args). The purpose and operation of the time duration T is to identify, with an acceptable accuracy, that the search request SQ.sub.j+1 is logically related to a preceding search request S.sub.j (paragraphs 0062-0064). A graphical representation of example aspects of generating a directed graph rule for a prefetching and cache pre-load according to various embodiment (paragraphs 0018, 0076-0079).
 	Huang does not explicitly teach the claimed limitation “accessing the first content graph set to respond to first requests for data received after the first point in time is reached and before the second point in time is reached; and accessing the second content graph set to respond to second requests for data received after the second point in time is reached”. 
 	Shu teaches an automatic causality tracking system that meets real-time analysis. It solves causality tracking for cybersecurity, preferably as three sub-tasks: backward tracking, forward tracking, and path-finding. Given a set of threat indicators, the first sub-task yields the system elements that contribute information to a set of threat indicators backward in time. The second sub-task yields system elements forward in time (abstract). A time-series showing an example of running the backward traversal algorithm with respect to a connection graph comprising entities and set of events. One or more entities in this example are a potentially compromised starting point, and a goal of the multi-point causality reasoning is to identify a root cause. As noted, entities are depicted as horizontal lines, and events are depicted as vertical lines (paragraph 0116; see also figure 20). Built-in traversal support is provided in the matching processes. Backward and forward traversals are common tasks in threat intelligence for root cause discovery and impact analysis, it is useful to encode traversal semantics as a built-in primitive pattern predicate. A built-in relation reach provides several functionalities: forward traversal, backward traversal and path-finder. In operation, the traversal computes the graph closure over all subgraphs reachable from a provided subgraph or set of entities/events. A touched/untouched variable refers to whether any constraint associated with that variable has been solved in previously iterating constraint-solving steps (paragraphs 0107-0110; see also figures 18-19).
		Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention, having the teachings of Huang and Shu before him/her, to modify Huang accessing the content graph set to respond to requests for data received after the point in time is reached because that would provide an automatic causality tracking system that meets real-time analysis . It solves causality tracking for cybersecurity enable efficient multi-point traversal analysis with respect to a set of potential compromise points as taught by Shu (paragraphs 0010). 

As to Claim 2, Huang teaches the claimed limitations:
“wherein the first timepoint and an identifier of the first content graph set is maintained in a collection of timepoint, content graph set identifier mappings” as (paragraphs 0068-0069).
Shu teaches (paragraph 0081).

As to Claim 3, Huang teaches the claimed limitations:
 	“wherein the operations further comprise expiring the first content graph set after the second point in time is reached” as (paragraphs 0059-0060, 0069).
Shu teaches (abstract, paragraphs 0106-0110).

As to Claim 4, Huang does not explicitly teach the claimed limitation “wherein the operations further comprise removing the first content graph set from the cache after the expiring the first content graph set”.
Shu teaches (paragraphs 0080-0081, 0116).
		Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention, having the teachings of Huang and Shu before him/her, to modify Huang removing the content graph set from the cache because that would provide an automatic causality tracking system that meets real-time analysis . It solves causality tracking for cybersecurity enable efficient multi-point traversal analysis with respect to a set of potential compromise points as taught by Shu (paragraphs 0010). 

As to Claim 5, Huang teaches the claimed limitations:
 	“wherein the operations further comprise preloading a third content graph set into the cache, and maintaining a third timepoint, corresponding to a third point in time, in association with the third content graph set, wherein the third point in time is later than the second point in time” as (paragraphs 0050-0053, 0055-0056, 0059, 0062-0064)

As to Claim 6, Huang teaches the claimed limitations:
 	“wherein the operations further comprise preloading a fourth content graph set into the cache, maintaining the third timepoint in association with the fourth content graph set, and disassociating the third timepoint from the third content graph set” as (paragraphs 0050-0053, 0055-0056, 0059, 0062-0064, 0076-0079)

As to Claim 7, Huang does not explicitly teach the claimed limitation  “wherein the operations further comprise generating the fourth content graph set in response to a notification received prior to the third point in time indicating that the third content graph set is no longer valid”.
Shu teaches (paragraphs 0059, 0064, 0075, 0112, 0117).
		Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention, having the teachings of Huang and Shu before him/her, to modify Huang a notification indicating that the third content graph set is no longer valid because that would provide an automatic causality tracking system that meets real-time analysis . It solves causality tracking for cybersecurity enable efficient multi-point traversal analysis with respect to a set of potential compromise points as taught by Shu (paragraph 0010). 

As to Claim 8, Huang does not explicitly teach the claimed limitation “wherein the operations further comprise removing the third content graph set from the cache”.
Shu teaches (paragraphs 0080-0081, 0116).
		Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention, having the teachings of Huang and Shu before him/her, to modify Huang removing the content graph set from the cache because that would provide an automatic causality tracking system that meets real-time analysis . It solves causality tracking for cybersecurity enable efficient multi-point traversal analysis with respect to a set of potential compromise points as taught by Shu (paragraphs 0010). 

9.	Claims 12, 15, and 19-20 are rejected under 35 U.S.C. 103(a) as being unpatentable over Shu et al. (US Patent Publication No. 2020/0201989 A1) as applied to claims 9, and 16 above, and further in view of Tarditi et al. (US Patent Publication No. 2007/0169030 A1, hereinafter “Tarditi”).
As to Claim 12, Shu does not explicitly teach the claimed limitation “garbage collecting the existing content graph set after the remapping”.
	Tarditi teaches (abstract, paragraphs 0217-0229).
		Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention, having the teachings of Shu and Tarditi before him/her, to modify Shu garbage collecting the existing content graph set because that would provide strong atomicity, removal of unnecessary read-to-update upgrades, and removal of operations for newly-allocated objects as taught by Tarditi (abstract). 

As to Claim 15, Shu does not explicitly teach the claimed limitation
 	“garbage collecting the existing timepoint after selecting the second new content graph set as the active content graph set”
Tarditi teaches (abstract, paragraphs 0217-0229).
		Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention, having the teachings of Shu and Tarditi before him/her, to modify Shu garbage collecting the existing content graph set because that would provide strong atomicity, removal of unnecessary read-to-update upgrades, and removal of operations for newly-allocated objects as taught by Tarditi (abstract). 

As to claims 19-20 are rejected under 35 U.S.C 103(a), the limitations therein have substantially the same scope as claims 12, and 15. In addition, The program code in the different embodiments may be embodied on different physical or tangible computer-readable media, such as memory or persistent storage (paragraph 0043). Therefore these claims are rejected for at least the same reasons as claims 12, and 15. 

Examiner’s Note
Examiner has cited particular columns/paragraph and line numbers in the references applied to the claims above for the convenience of the applicant. Although the specified citations are representative of the teachings of the art and are applied to specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested from the applicant in preparing responses, to fully consider the references in entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the Examiner.
In the case of amending the Claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention. This will assist in expediting compact prosecution.  MPEP 714.02 recites: “Applicant should also specifically point out the support for any amendments made to the disclosure. See MPEP § 2163.06. An amendment which does not comply with the provisions of 37 CFR 1.121(b), (c), (d), and (h) may be held not fully responsive. See MPEP § 714.”  Amendments not pointing to specific support in the disclosure may be deemed as not complying with provisions of 37 C.F.R.  1.131(b), (c), (d), and (h) and therefore held not fully responsive.  Generic statements such as “Applicants believe no new matter has been introduced” may be deemed insufficient.
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to James Hwa whose telephone number is 571-270-1285. The examiner can normally be reached on 9:00 am – 5:30 pm EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Tamara Kyle can be reached on 571-272-4241. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only, for more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the PAIR system contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
11/01/2022											
										
/SHYUE JIUNN HWA/
Primary Examiner, Art Unit 2156