Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
Information Disclosure Statement
	Applicants’ Information Disclosure Statements, filed 11/13/2020, 03/29/2022, have been received, entered into the record, and considered.  See attached form PTO-1449.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. 
Claims 1-21 are rejected under 35 U.S.C. 103 as being unpatentable Panigrahy et al. (US Pub No. 2010/0223499), in view of Kanjirathinkal et al. (US Pub No. 2015/0293920).
	As to claims 1, 8, 15, Panigrahy teaches a system, comprising:
	a processor configured to:
		collect logs from a plurality of applications (i.e. obtaining a log of events which are generated as a program executes, where the log of events includes a registry event about the access (e.g., open, query value, delete, create, modify) of a registry key, [0010]; Event Trie Construction, [0106]);
		tokenize a log into a plurality of tokens (i.e. consider the sequence of events: a, b, c→d. This means event a occurs, followed by event b, followed by event c, followed by event d. We can therefore say that a set or sequence of events {a, b, c} is followed by event d, and thus provides a context for d. In this case, the context is a prefix or predecessor to d. We thus have a rule that d follows {a, b, c}, [0063]);
		based at least in part on tokens in the plurality of tokens, match the log to a pattern in a stored trie, wherein the pattern is associated with a unique pattern identifier (i.e. FIG. 4 a shows the construction of an example trie based on identified recurring event sequences and identifying rule edges of the trie, [0018]; we call the event sequence {a, b, c} the context of event d if and only if {a, b, c} will be always followed by d, [0064]; Block 320 identifies event sequence segments S1={a, b, c, d}, S2={e, f, g} and S3={h, i} which are obtained from the threads, [0096]);
		extract a set of free parameters and a set of metadata from the log (i.e. Regarding step 210 of FIG. 2, the input to this system component can be a sequence of registry key events. A registry contains two basic elements: keys and data values. In an example implementation, each event entry contains the following information: event timestamp, process name, process ID, thread ID, registry key, registry value, registry data field, and the operation type, [0089]; ... maintaining data with a rule identification and a time of last use based on a timestamp, [0116]); and
		store the log as a combination of the unique pattern identifier, the set of free parameters, and the set of metadata (i.e. storing the recurring sequences of events, [0011]; Each rule is in the form of A→b, where A is a sequence of events and b is an individual event ... Compute a hash value to represent each event ... Generate flat (on-hierarchical) recurring event sequences from the hierarchical sequences ... Select all the event sequences whose recurrence is above a pre-defined threshold ... Construct a suffix-merged trie using the above selected rules ... Identify event transition rules from the trie, [0067-0073]; Also, it is possible to expire rules which are no longer used, after a specified period of time ... a timestamp, [0116]); and
	a memory coupled to the processor and configured to provide the processor with instructions (i.e. FIG. 15 depicts memory savings due to rule sharing, [0033]; The administrator laptop 140 may include appropriate software processes and processing and memory resources for performing the tasks herein, in one possible approach ... These recurring sequences of events can be stored in memory for subsequent comparison against other events, [0105]).
	Panigrahy does not seem to explicitly teach "token" limitation.
	Kanjirathinkal teaches this limitation (i.e. receiving a log file comprising a plurality of records; tokenizing at least a portion of the log file to produce tokens; generating a sequence from the tokens, [0006]).
	It would have been obvious to one of ordinary skill of the art having the teaching of Panigrahy, Kanjirathinkal before the effective filing date of the claimed invention to modify the system of Panigrahy to include the limitations as taught by Kanjirathinkal. One of ordinary skill in the art would be motivated to make this combination in order to receive a log file, tokenized at least a portion of the log file in view of Kanjirathinkal ([0006]), as doing so would give the added benefit of efficiently generating a sequence from the tokens as taught by Kanjirathinkal ([0006]).

	As to claims 2, 9, 16, Panigrahy teaches tokenizing the log comprises tokenizing the log into a sequence of tokens (i.e. In FIG. 4 a, the input event stream contains a new recurring event sequence FS4={a, b, c, e}. This sequence is inconsistent with the trie since nodes 416 and 418, and nodes 426 and 428, indicate that event c is followed by event d, not e. As a result, we mark the trie edges by deleting the edges between nodes 416 and 418, and between 426 and 428, as indicated by the “X” marks and changing the edges from solid to dashed lines, in the trie 404, [0115]).

	As to claims 3, 10, 17, Panigrahy teaches the matching comprises matching iteratively, token by token, the sequence of tokens to a sequence of nodes in the stored trie (i.e. Lines 5-7 indicate that if the current event matches a child node, then the child node is added to the queue and an edge from the parent node to the child node is marked, [0119]; FIG. 3 b depicts a process for generating hierarchical grammar rules from an event sequence. The process provides a hierarchical sequence which represents a sequence of the events in a compressed form by symbols, where, typically, some of the symbols represent multiple events and other symbols represent single events, [0101]).

	As to claims 4, 11, 18, Panigrahy teaches the unique pattern identifier comprises an identifier of a pattern represented by the sequence of nodes (i.e. In FIG. 4 a, example recurring event sequences 400 include FS1={a, b, c, d}, FS2={a, b, e, f} and FS3={b, c, d}, are used to build a trie 402, [0113]; FIG. 3 b depicts a process for generating hierarchical grammar rules from an event sequence, [0101]; The final grammar is represented by the sequence S→CAC, where A→bc and C→aAd. S is the highest level of the hierarchy, [0104]).

	As to claims 5, 12, 19, Panigrahy teaches the unique pattern identifier is associated with a last matched node in the sequence of nodes (i.e. In FIG. 4 a, example recurring event sequences 400 include FS1={a, b, c, d}, FS2={a, b, e, f} and FS3={b, c, d}, are used to build a trie 402, [0113]; FIG. 3 b depicts a process for generating hierarchical grammar rules from an event sequence, [0101]; The final grammar is represented by the sequence S→CAC, where A→bc and C→aAd. S is the highest level of the hierarchy, [0104]).

	As to claims 6, 13, 20, Kanjirathinkal teaches the sequence of tokens comprises character strings delimited by spaces (i.e. in the present example tokenizing involved designating all non-alphanumeric characters as delimiters, [0030]).

	As to claims 7, 14, 21, Panigrahy teaches the processor is further configured to perform a query at least in part by:
	tokenizing the query request (i.e. A report can include an identification of an event and an identification of which rule has been violated. We can use the rule as a key into a table which identifies the events which are part of the rule, and so we can see the various events. The output can be similar to results of a database query. We can also identify the time and the process involved in the event, [0039]); and
	matching the tokenized query request to one or more patterns associated with the stored trie (i.e. Every five minutes we might update our rules. Whenever the rules are updated, they are used to detect the subsequent events. When the rules are being matched to the event sequences, we can also learn the rules at the same time because the rules can be updated. Thus, we can be constantly learning and detecting. It is also possible to completely separate the learning and detecting processes, [0076]).
Double Patenting 
	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-21 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-2 of U.S. Patent No. 10,866,972. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims, if allowed, would improperly extend the “right to exclude” already granted in the patent.
The subject matter claimed in the instant application is fully disclosed in the patent and is covered by the patent since the patent and the instant application are claiming common subject matter and they are substantially similar in scope and they use the same limitations, using varying terminology.  They are not patentably distinct from each other because claims 1-14 of U.S. Patent No. 10,866,972 contain every element of claims 1-21 of the instant application.
“A later application claim is not patentably distinct from an earlier claim if the later claim is obvious over, or anticipated by the earlier claim.  In re Longi, 759 F.2d at 896, 225 USPQ at 651”.
Furthermore, there is no apparent reason why applicant was prevented from presenting claims corresponding to those of the instant application during prosecution of the application which matured into a patent. See In re Schneller, 397 F.2d 350, 158 USPQ 210 (CCPA 1968). See also MPEP § 804.
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).


Conclusion
	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.  
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MIRANDA LE whose telephone number is (571)272-4112.  The examiner can normally be reached on M-F 7AM-5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alford W Kindred can be reached on 571-272-4037.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MIRANDA LE/Primary Examiner, Art Unit 2153