Prosecution Insights
Last updated: July 17, 2026
Application No. 19/053,659

EVENT DATA PROCESSING

Final Rejection §101§103
Filed
Feb 14, 2025
Priority
Apr 01, 2022 — continuation of 12/231,511
Examiner
UDDIN, MOHAMMED R
Art Unit
2161
Tech Center
2100 — Computer Architecture & Software
Assignee
BlackBerry Limited
OA Round
2 (Final)
78%
Grant Probability
Favorable
3-4
OA Rounds
1y 8m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 78% — above average
78%
Career Allowance Rate
572 granted / 734 resolved
+22.9% vs TC avg
Strong +30% interview lift
Without
With
+30.3%
Interview Lift
resolved cases with interview
Typical timeline
3y 0m
Avg Prosecution
18 currently pending
Career history
755
Total Applications
across all art units

Statute-Specific Performance

§101
2.5%
-37.5% vs TC avg
§103
89.4%
+49.4% vs TC avg
§102
3.4%
-36.6% vs TC avg
§112
1.1%
-38.9% vs TC avg
Black line = Tech Center average estimate • Based on career data from 734 resolved cases

Office Action

§101 §103
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . This action is in response to the communication filed on April 09, 2026. Response to Amendment Applicant’s amendment filed on April 09, 2026 with respect to claims 2-21 has been received, entered into the record and considered. As a result of the amendment filed on April 09, 2026, claims 2, 8, 12, 18 and 21 has been amended, claim 1 has been previously cancelled. Claims 2-21 remain pending in this office action. Claim Rejections - 35 USC § 101 As a result of the amendment to the claims, examiner withdrawn the pending 101 rejection from the claims. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 2, 4-12, and 14-21 are rejected under 35 U.S.C. 103 as being unpatentable over Chandrasekharan et al (US 11,676,072 B1), in view of Ma et al (US 2020/0206920 A1), and further in view of Liu et al (US 2022/0318381 A1). As per claim 1, Chandrasekharan discloses: - a computer-implemented method of training a machine learning model, wherein the method comprises (Abstract, line 1-5, “Systems and methods are described for training a machine learning (ML) model”, - receiving an event log comprising a plurality of event records, each event record describing one or more events that have occurred on a computer system (receiving machine data (i.e., event data, event log) with plurality of events, column 6, line 45-55, column 8, line 29-50, column 10, line 55-65, Fig. 2, item 202), column 94, line 20-30, Fig. 21C, item 2139 event record describing event have occurred in a computer system - converting the event log into a graph, wherein the converting comprises (parsing events data stream (i.e., converting the event log) to organize in an event node, Fig. 35B, column 63, line 30-40, column 93, line 5-25, in a graph with node, column 144, line 30-40, column 164, line 45-65, column 167 line 50-67), - normalizing the plurality of event records to generate a plurality of normalized event records (normalizing events into a common format, column 56, line 45-55, column 163, line 60-67, column 163, line 1-10), - representing each normalized event record in the plurality of normalized event records as one or more nodes in the graph (normalized event represent as a node in a graph, column 164, line 1-10, Fig. 51, item 5108, Fig. 52), - generating a plurality of event clusters, wherein each event cluster includes an aggregated group of nodes and is generated based on common attributes of and hierarchical relationships between the plurality of normalized event records represented by the nodes in the aggregated group (clustering events according to attribute distance, Fig. 55-56, where each even cluster include node with common attribute, column 130, line 5-20, column 162, line 10-25, presented in parent/child tree structure, column 115, line 5-25, column 143, line 50-60), - generating, based on one or more node sampled from each of one or more of the plurality of event clusters in the graph, labeled training data that comprises a plurality of training inputs, wherein each training input (i) comprises one or more normalized event records represented by one or more sampled nodes and (ii) is associated with a ground truth classification label that specifies whether the one or more normalized event records represent a threat or suspicious activity (column 104, line 5-45, 60-65 column 105, line 25-40, sampling the events based on filter criteria and categorization criteria to a group (i.e., generating event cluster) and Fig. 39 B, column 151, line 55-65, column 161, line 55-67, column 166, line 1-10, labeling each node in the graph of training input, with Para [0163] line 60-67, [0164], line 1-10, and column 127, line 15-20,column 128, line 15-40, column 171, line 5-40), (i) normalizing event by grouping the events into a common or same defined standard, and (ii), normalization techniques used to detect security relevant threat), Chandrasekharan does not explicitly disclose wherein the normalizing comprises anonymizing a unique identifier value in each event record and replacing a variable value in each event record with a predetermined value. However, in the same field of endeavor Ma in an analogous art disclose wherein the normalizing comprises anonymizing a unique identifier value in each event record and replacing a variable value in each event record with a predetermined value (normalization of event with removing and replacing value (i.e., anonymizing unique id) in an event stream, Para [0116] – [0128]), examiner broadest reasonable interpretation: event steam 'res': ['' leftClick: explorer_exe.pane\(\).pane\ (\).button\(Show desktop\)$'], normalized by removing “show desktop” (i.e., event record) by replacing a variable value, r, see Para [0017] – [0121], 'res': [''(.*?)(.*)_CtrlC!_$'],, replace with “copy:{argos()[1]}, see Para [0126] – [0128]). Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the normalization of anonymizing a unique identifier value in each event record and replacing a variable value in each event record with a predetermined value taught by Ma as the means to training a machine learning model with received event to detect threat or abnormal activities by normalizing event in Chandrasekharan, (Chandrasekharan, column 6, line 30-35, column 128, line 14-35, Ma, Para [0126] – [0128]). Chandrasekharan and Ma are analogous prior art since they both deal with analyzing event data received from various machine and normalizing the events into group of similar nodes in a graph. A person of the ordinary skill in the art would have been motivated to make aforementioned modification to efficiently analyzing large group of data. This is because one aspect of Chandrasekharan invention is to reduce the potentially vast amount of data that may be generate and pre-process those data to generate a system for efficient retrieval and analysis, as described at least in column 1, line 25-45. Anonymizing a unique identifier value in each event record and replacing a variable value in each event record with a predetermined value is part of this process. However, Chandrasekharan doesn’t specify any particular manner in which unique identifier is anonymized and replace with a predetermined value. This would have lead one of the ordinary skill in the art to seek and recognize the unique identifier is anonymized and replace with a predetermined value as taught by Ma. Ma describes how their event normalization process merge similar evet node together to improve the efficiency of task performance as described at least in Para [0266], as desired by Chandrasekharan. Combined method of Chandrasekharan and Ma does not explicitly disclose sampling one or more nodes from each of one or more of the plurality of event clusters in the graph; and using the labeled training data to train the machine learning model that is configured to process a new event log, feature information derived from the new event log, or both and to generate a prediction of an existence of any threat or suspicious activity in the new event log using the labeled training data. However, in the same field of endeavor Liu in an analogous art disclose sampling one or more nodes from each of one or more of the plurality of event clusters in the graph (Para [0068], [0094], sampling node in the graph based on shared attributes of an event), and using the labeled training data to train the machine learning model that is configured to process a new event log, feature information derived from the new event log, or both and to generate a prediction of an existence of any threat or suspicious activity in the new event log using the labeled training data (Para [0022], [0025], [0111], training a machine learning model with batches of labeled training data to detect a threat). Therefore, it would have been obvious to a person of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Chandrasekharan, as previously modified with Ma, with the teaching of Liu by modifying Chandrasekharan such that sampling event data and training a machine learning model to detect a threat in a log event. The motivation for doing so would be detecting malicious digital activities over the Internet with accuracy and in real-time to provide an opportunity for an appropriate response by an affected party, (Liu, Para [0005]). As per claim 4, rejection claim 2 is incorporated, and further Chandrasekharan discloses: - wherein the hierarchical relationships comprise a parent- child process relationship between the plurality of normalized event records (tree structure (i.e., hierarchical relationship) with parent-child relationship, column 115, line 1-5). As per claim 5, rejection of claim 2 is incorporated, and further Chandrasekharan discloses: - wherein the hierarchical relationships comprise a file hierarchy relationship between the plurality of normalized event records (tree structure (i.e., hierarchical relationship) with directories of file, Fig. 21B, column 97, line 10-20). As per claim 6, rejection of claim 2 is incorporated, and further Ma discloses: - wherein the nodes in the aggregated group are connected by directed edges to represent the hierarchical relationships (edge represent the sequence and relationship between events in a graph, Para [0169], [0244]). As per clam 7, rejection of claim 2 is incorporated, and further Chandrasekharan discloses: - wherein the common attributes comprise one or more of: process name, command line expression, file path, user name, or event category (command line expression, column 107, line 50-60). As per claim 8, rejection of claim 2 is incorporated, and further Chandrasekharan discloses: - automatically generating the ground truth classification label for each training input in plurality of training inputs in accordance with content of the one or more normalized event records included in the training input (algorithm used for labeling node indication relationship for training dataset, column 166, line 1-15, 40-60). As per claim 9, rejection of claim 2 is incorporated, and further Chandrasekharan discloses: - wherein the machine learning model comprises a neural network model, and wherein training the machine learning model comprises using a gradient- based supervised learning training technique (neural network machine learning model, column 157, line 65-67, column 158, line 10-20), semi-supervised (i.e., supervised) ML model, column 169, line 5-15). As per claim 10, rejection of claim 2 is incorporated, and further Chandrasekharan discloses: - further comprising using the machine learning model to process one or more new event logs, feature information derived from the one or more new event logs, or both in accordance with trained values of parameters of the machine learning model to generate a new prediction of the threat or suspicious activities (machine learning model to predict and detect threat from a stream of event, column 6, line 30-35, column 128, line 14-35, Fig. 48B, item 4880), As per claim 11, rejection of claim 2 is incorporated, and further Chandrasekharan discloses: - further comprising displaying the detected threat or suspicious on an end-user device (application used by a computing device to detect security relevant threat (i.e., suspicious activity or threat), column 127, line 5-15, column 128, line 15-25). As per claims 12 and 14-20, Claims 12 and 14-20 are system claim corresponding to method claim 1, and 4-11 respectively and rejected under the same reason set forth to the rejection of claims 1, and 4-11 above. Claim 3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Chandrasekharan et al (US 11,676,072 B1), in view of Ma et al (US 2020/0206920 A1), and further in view of Liu et al (US 2022/0318381 A1), as applied to claim 2 and 12 and further in view of Fairweather (US 2006/0235811 A1). As per claim 3, rejection of claim 2 is incorporated, Combined method of Chandrasekharan, Ma and Liu does not explicitly discloses wherein generating the plurality of event clusters comprises applying a deterministic finite automaton (DFA) algorithm over the plurality of normalized event records. However, in the same field of endeavor Fairweather in an analogous art disclose wherein generating the plurality of event clusters comprises applying a deterministic finite automaton (DFA) algorithm over the plurality of normalized event records (deterministic Finite Algorithm (DFA) applied to lexical analyzation of a data stream and normalization, Para [0268], [0284]). Therefore, it would have been obvious to a person of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Chandrasekharan, as previously modified with Ma and Liu with the teaching of Fairweather by modifying Chandrasekharan such that sequence of stream are parsed into token and analyzed using DFA. The motivation for doing so would be looking up a given word in a data stream efficiently, (Fairweather, Para [0294]). As per claims 13, Claim 13 is a system claim corresponding to method claim 3 respectively and rejected under the same reason set forth to the rejection of claim 3 above. Response to Arguments Applicant’s arguments with respect to claims 2-21 have been considered but are moot because the new ground of rejection necessitated by the amendment to the claims. In response to applicant’s argument is page 9-10, regarding 101 rejections, and in view of the amendment to claims 2, 12 and 21, examiner withdrawn the pending 101 rejection from the claims. In response to the applicant’s argument in page 12-14, regarding 103 rejections, applicants argued that, Chandrasekharan does not disclose or suggest what to do after generating a plurality of event clusters. Namely, it does not disclose or suggest "sampling one or more nodes from each of one or more of the plurality of event clusters in the graph." Nor does it disclose or suggest "generating, based on the one or more nodes sampled from each of one or more of the plurality of event clusters in the graph, labeled training data that comprises a plurality of training inputs." Examiner respectfully response that, Chandrasekharan teaches sampling event that satisfy the filter criteria and categorization criteria in the event search node which can reduce the amount of data to be analyzed in column 104, line 60-65 and column 105, line 35-40. However, after an updated search examiner found Liu et al. Liu in Para [0068], [0094], teaches sampling one or more nodes from each of one or more of the plurality of event clusters in the graph and Liu in Para [0022], [0025], [0111] teaches, using the labeled training data to train the machine learning model that is configured to process a new event log, feature information derived from the new event log, or both and to generate a prediction of an existence of any threat or suspicious activity in the new event log using the labeled training data, as claimed. Therefore, examiner firmly believe that, Chandrasekharan, Ma and Liu alone or in combination teaches the argued limitation and claim 2, 12 and 21 as claimed. Conclusion THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Contact Information Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMED R UDDIN whose telephone number is (571)270-3138. The examiner can normally be reached M-F: 9:00 AM-5:00 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Beausoliel Robert can be reached at 571-272-3645. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /MOHAMMED R UDDIN/Primary Examiner, Art Unit 2167
Read full office action

Prosecution Timeline

Feb 14, 2025
Application Filed
Jan 05, 2026
Non-Final Rejection mailed — §101, §103
Apr 03, 2026
Applicant Interview (Telephonic)
Apr 03, 2026
Examiner Interview Summary
Apr 09, 2026
Response Filed
May 28, 2026
Final Rejection mailed — §101, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12669979
DATA RECORD MASTERING
1y 7m to grant Granted Jun 30, 2026
Patent 12670214
DETERMINING FAMILY CONNECTIONS OF INDIVIDUALS IN A DATABASE
1y 7m to grant Granted Jun 30, 2026
Patent 12664122
PROCESS MANAGEMENT METHOD AND ELECTRONIC DEVICE
1y 9m to grant Granted Jun 23, 2026
Patent 12651025
CONSTRUCTING A SEARCH INDEX BASED ON AN AUTOMATICALLY-SELECTED SET OF DOCUMENT PROPERTIES
1y 2m to grant Granted Jun 09, 2026
Patent 12639335
TECHNIQUES FOR ASYNCHRONOUSLY PUSHING METADATA IN BULK
1y 6m to grant Granted May 26, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
78%
Grant Probability
99%
With Interview (+30.3%)
3y 0m (~1y 8m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 734 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month