Prosecution Insights
Last updated: April 19, 2026
Application No. 19/265,219

SYSTEMS AND METHODS FOR AUTOMATICALLY CREATING NORMALIZED SECURITY EVENTS IN A CYBERSECURITY THREAT DETECTION AND MITIGATION PLATFORM

Non-Final OA §DP
Filed: Jul 10, 2025
Examiner: REVAK, CHRISTOPHER A
Art Unit: 2407
Tech Center: 2400 — Computer Networks
Assignee: Expel Inc.
OA Round: 1 (Non-Final)
Grant Probability: 89% (Favorable)
OA Rounds: 1-2
To Grant: 2y 9m
With Interview: 98%

Examiner Intelligence

Grants 89% — above average
Career Allow Rate: 89% (987 granted / 1105 resolved), +31.3% vs TC avg
Interview Lift: +8.6% (Moderate +9% lift; resolved cases with interview)
Typical timeline
Avg Prosecution: 2y 9m (17 currently pending)
Career history
Total Applications: 1122 (across all art units)

Statute-Specific Performance

§101: 12.0% (-28.0% vs TC avg)
§103: 20.9% (-19.1% vs TC avg)
§102: 38.0% (-2.0% vs TC avg)
§112: 7.2% (-32.8% vs TC avg)
Based on career data from 1105 resolved cases

Office Action

§DP
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement

The information disclosure statement (IDS) submitted on July 10, 2025 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Interpretation

The following is a quotation of 35 U.S.C. 112(f):

(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:

An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.

As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:

(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.

Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.

Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.

Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.

This application includes one or more claim limitations that use the word “means” or “step” but are nonetheless not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph because the claim limitation(s) recite(s) sufficient structure, materials, or acts to entirely perform the recited function. Such claim limitation(s) is/are: “first automated event ingestion instruction that is configured to translate the raw event data”, “second automated event ingestion instruction that is configured to translate the raw event data”, and “third automated event ingestion instruction that is configured to translate the raw data” in claim 2; “graphical user interface includes a set of user interface buttons, that when operated, is configured to control whether the subject computer-executable detection instruction is used” in claim 3; “automated investigations control button that, when selected, is configured to display a drop-down menu element”, “automated investigations control button is configured to receive a selection”, and “subject computer-executable detection instruction, when executed, is configured to execute a set of automated investigation workflows” in claim 4; “detection instruction simulation container is configured to receive, from the user, input” in claim 5; “condition-setting user interface elements being configured to receive inputs” in claim 6; “set of user interface elements configured to receive user input”, “first user interface input element configured to receive a input”, “second user interface input element configured to receive a input”, and “third user interface input element configured to receive a input” in claim 7; “integration-identifying user interface elements configured to receive one or more strings of text”, “signal-specific data mapping container configured to receive inputs of characters”, and “raw event simulation container configured to receive input of historical raw data/expected technology source-agnostic event signal type” in claim 15; and “source data attribute user interface input element configured to receive an input” in claim 18.

Because this/these claim limitation(s) is/are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are not being interpreted to cover only the corresponding structure, material, or acts described in the specification as performing the claimed function, and equivalents thereof.

If applicant intends to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to remove the structure, materials, or acts that performs the claimed function; or (2) present a sufficient showing that the claim limitation(s) does/do not recite sufficient structure, materials, or acts to perform the claimed function.

Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).

The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.

The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.

Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 12,381,897. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application are anticipated by the earlier filed claims of the ‘897 in that the claims of the ‘897 contain all of the limitations of the instant application.

Claim 1 corresponds to claim 1 of the ‘897 patent; Claim 2 corresponds to claim 2 of the ‘897 patent; Claim 3 corresponds to claim 3 of the ‘897 patent; Claim 4 corresponds to claim 4 of the ‘897 patent; Claim 5 corresponds to claim 5 of the ‘897 patent; Claim 6 corresponds to claim 6 of the ‘897 patent; Claim 7 corresponds to claim 7 of the ‘897 patent; Claim 8 corresponds to claim 15 of the ‘897 patent; Claim 9 corresponds to claim 16 of the ‘897 patent; Claim 10 corresponds to claim 17 of the ‘897 patent; Claim 11 corresponds to claim 18 of the ‘897 patent; Claim 12 corresponds to claim 19 of the ‘897 patent; Claim 13 corresponds to claim 20 of the ‘897 patent; Claim 14 corresponds to claim 1 of the ‘897 patent; Claim 15 corresponds to claims 8 and 12 of the ‘897 patent; Claim 16 corresponds to claim 9 of the ‘897 patent; Claim 17 corresponds to claim 10 of the ‘897 patent; Claim 18 corresponds to claim 11 of the ‘897 patent; Claim 19 corresponds to claim 13 of the ‘897 patent; and Claim 20 corresponds to claim 14 of the ‘897 patent; Claims 1-20 of the instant application therefore are not patentably distinct from the earlier filed ‘897 claims, and as such, is unpatentable for obvious-type double patenting.

Allowable Subject Matter

Claims 1-20 would be allowable upon the submission of a terminal disclaimer.

The following is a statement of reasons for the indication of allowable subject matter: The closest prior art teachings of Devi Redd et al, U.S. Patent 10,305,922 disclose of a data normalization module takes raw data received from the client devices and converts the raw data into structured data. The data fields with important information may be stored separately within the raw data from other related data fields. By converting the raw data to structured data, the security analytics system can store related fields of information together and filter out redundant or unnecessary information, see column 7, lines 33-37 & 43-45. It is further disclosed wherein the data normalization module can filter the raw data based on the relevance of information within the raw data. In some embodiments, the raw data is filtered based on a pre-determined format of the raw data. In some embodiments, the data normalization module ranks the data fields based on the relevance of the data fields to detecting a security threat in the local network. The relevance of a data field may be pre-determined by developers or may be determined by the data normalization module based on threat models. In some embodiments, the data normalization module uses the filtered raw data to generate the structured data, see column 7, lines 46-49 and column 7, line 67 through column 8, line 7. 

Although Devi Redd et al disclose of taking raw data (i.e., pre-normalized data as is claimed in the instant application) and converting it to structured data by normalization to be used with data fields containing important information (i.e., un-normalized as is claimed in the instant application) stored separately within the raw data from other related data fields to be used for detection of security threats, the teachings alone or in combination with the prior art fail to disclose of automatically transforming pre-normalized security event to at least one normalized security event, wherein automatically transforming the pre-normalized security event to the at least one normalized security event includes: converting a set of un-normalized evidence data fields of the pre-normalized security event to a set of normalized evidence data fields using a set of computer-executable data mapping instructions included in a security data integration created for a third-party security device; automatically assessing a corpus of computer-executable detection instructions against the at least one normalized security event; generating a security alert based on the at least one normalized security event satisfying a set of alerting conditions of a subject computer-executable detection instruction of the corpus of computer-executable detection instructions; and executing a threat mitigation response that mitigates a security threat associated with the security alert as is recited in independent claims 1 and 14.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Burns et al, U.S. Patent 12,026,255 is relied upon for disclosing of a customer environment receiving a request consisting of raw data from a requesting user. The raw data can take various forms. For example, the raw data can be text, images, a stream of time series data, tabular data, or other data provided directly from a requester to the customer's environment (which can also take different forms such as text, image, time series, tabular, etc.). Customer transformation engine then transforms the raw data into vectorization data, for example, extracting features from the raw data and populating a vector, see column 8, lines 28-38.

Narechania et al, US 2023/0289696 is relied upon for disclosing of raw data is data that is fed into the lake, such as uploaded datasets, schemas, classes, etc., and data ingestion and monitoring pipeline ingests raw data (e.g., into data lake or landing zone of FIG. 1). Through interactions with the data, in some cases, raw data is used to create or identify specialized datasets (e.g., transformed data), such as profile datasets, dashboard configurations, customer segmentation rules, and/or other types. In some embodiments, various logs are generated, for example, when ingesting or querying. Example logs represent, a temporal record of user events in the system, such as query logs (e.g., users querying the databases), user interface event logs (users interacting with a user interface), and/or other types. In some embodiments, data utility metrics (e.g., revenue generated due to output artifacts or marketing campaigns, visits resulting from marketing campaigns, storage costs of data) are entered or retrieved via some interface, see paragraph 0082.

Shah et al, US 2022/0103577 is relied upon for disclosing of a 3PD ingestor may take raw data (e.g., data from third-party sources, whether formatted or not) and processes the data into a normalized format, and stores the data in a centralized location, such as 3PD to be used by vertex discovery harvester, see paragraph 0023.

Bowditch et al, US 2022/0070182 is relied upon for disclosing of identification of attack patterns or suspicious activities in one or more data sets received from a plurality of clients. Raw data is received from one or more clients, and the raw data is normalized into one or more structured data sets. For example, the raw data can include unstructured logs that are normalized into structured logs having a prescribed schema, see paragraph 0061. Profile building features are identified from the one or more data sets to facilitate building profiles of expected behavior for the one or more clients and/or entities associated with the one or more clients. In particular, an entity profile can be populated with information related to the extracted profile building features, such as feature frequency information for a particular entity or entities, see paragraph 0062.

Taylor et al, US 2019/0391977 is relied upon for disclosing of profile building features are identified from the one or more data sets to facilitate building profiles of expected behavior for the one or more clients and/or entities associated with the one or more clients. In particular, an entity profile can be populated with information related to the extracted profile building features, such as feature frequency information for a particular entity or entities, see paragraph 0053.

Potucek et al, US 2018/0240322 is relied upon for disclosing of control module also monitors, detects, informs, and initiates protective action through a heuristic capability (using one or more algorithms) by accumulating and analyzing raw sensor data and external data to automatically develop ‘normal’ and ‘abnormal’ operating ranges, then taking action or alerting operators when the algorithm detects that operation is out of normal or safe operating range, see paragraph 0331.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER REVAK whose telephone number is (571)272-3794. The examiner can normally be reached 5:30am - 3:00pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Catherine Thiaw can be reached at 571-270-1138. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CHRISTOPHER A REVAK/
Primary Examiner, Art Unit 2407

Prosecution Timeline

Jul 10, 2025: Application Filed
Feb 17, 2026: Non-Final Rejection — §DP (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12602477
DETECTING TARGETED INTRUSION ON MOBILE DEVICES
2y 5m to grant Granted Apr 14, 2026
Patent 12596798
PROBABILISTIC TRACKER MANAGEMENT FOR MEMORY ATTACK MITIGATION
2y 5m to grant Granted Apr 07, 2026
Patent 12591698
SECURE DATA PARSER METHOD AND SYSTEM
2y 5m to grant Granted Mar 31, 2026
Patent 12579251
SYSTEM AND METHOD FOR DETECTING EXCESSIVE PERMISSIONS IN IDENTITY AND ACCESS MANAGEMENT
2y 5m to grant Granted Mar 17, 2026
Patent 12561439
LOCATION-BASED IHS FUNCTIONALITY LIMITING SYSTEM AND METHOD
2y 5m to grant Granted Feb 24, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 89%
With Interview (+8.6%): 98%
Median Time to Grant: 2y 9m
PTA Risk: Low
Based on 1105 resolved cases by this examiner. Grant probability derived from career allow rate.
