DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant’s arguments received 26 February 2026, have been fully considered. Claims 1-20 are pending. Claims 1, 3-4, 6-10, 15-16, 18, and 20 have been amended.
Applicant’s efforts to amend the claims to address the 112(b) rejections are satisfactory, therefore all 112(b) rejections are withdrawn.
Applicant’s efforts to address the claim rejections under 35 U.S.C. 101 have been considered but are not satisfactory.
Applicant argues that the claim limitations cannot be performed in the human mind or using pen and paper to achieve real-time assessment of event log data, therefore the claims are not directed to an abstract idea. Applicant also argues that the claims provide a technological solution to a technological problem by generating summary log entries, thus enabling more efficient analysis of event log data.
Although the claims are directed to a computer system, the examiner considers that the majority of steps can be performed in the human mind with the aid of pen and paper. Because of this the claims amount to applying a computer to an abstract idea. The examiner understands the key idea of the invention to be summarizing a set of event logs taken over a time period by creating a single entry for each identical action in the set. Event log data can be represented as a table where each row represents an event log collected over a specified time period and each column represents a category of information describing the event log. The invention essentially describes reducing the amount of data by counting the number of rows whose information is identical (ignoring the “time” and, in accordance with claim 16, the “action result” columns), and replacing those rows with a single entry containing the same information (without the “time” and “action result” information) and an additional column representing the number of entries represented. This is clearly doable by a human being with pen and paper. Note that the claim language has no indication of the velocity of event log data received, the length of the “predetermined time period,” the size of the dataset, or the number of users. Therefore, arguments against human capability based on the sheer volume of processing required are not supported by the claim language.
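The table reduction described in the preceding paragraph, shown as an added illustration that is not part of this Office action, the application, or the cited references. The script groups rows of a constructed event log table by the columns that identify an action (optionally also user and source, as in claims 10 and 15), ignores the "time" and "result" columns when deciding identity (claim 16), restricts the rows to a predetermined time period, and emits one entry per group carrying the count of collapsed rows and their total byte size (claim 3). Column names, sample rows, and the `bytes` field are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample event log data (hypothetical; not drawn from the
# application or the cited references). One row per event, with a "time"
# column, an action-"result" column, and the columns that identify the action.
SAMPLE_EVENT_LOGS = [
    {"time": "2026-02-26T09:00:01", "user": "alice", "source": "ws-01",
     "action": "login", "result": "success", "bytes": 120},
    {"time": "2026-02-26T09:00:07", "user": "alice", "source": "ws-01",
     "action": "login", "result": "failure", "bytes": 118},
    {"time": "2026-02-26T09:02:30", "user": "alice", "source": "ws-01",
     "action": "open_file", "result": "success", "bytes": 4096},
    {"time": "2026-02-26T09:03:10", "user": "bob", "source": "ws-02",
     "action": "login", "result": "success", "bytes": 121},
    {"time": "2026-02-26T09:04:00", "user": "alice", "source": "ws-01",
     "action": "login", "result": "failure", "bytes": 118},
    # Falls outside the one-hour period used below and must be excluded.
    {"time": "2026-02-26T10:15:00", "user": "alice", "source": "ws-01",
     "action": "login", "result": "success", "bytes": 120},
]

# The "predetermined time period": a start time and a length (assumed values).
PERIOD_START = datetime(2026, 2, 26, 9, 0, 0)
PERIOD_LENGTH = timedelta(hours=1)


def summarize_event_logs(event_logs, period_start, period_length,
                         group_by=("action",), generated_at=None):
    """Collapse event log rows into summary log entries.

    Rows whose "time" lies in [period_start, period_start + period_length)
    and whose values in `group_by` are identical are replaced by a single
    entry carrying those values, the number of rows collapsed, and the total
    byte size of the collapsed rows. "time" and "result" are never part of
    the identity key, so a failed and a successful login of the same user
    count as the same action.
    """
    period_end = period_start + period_length
    counts = defaultdict(int)
    sizes = defaultdict(int)
    for row in event_logs:
        stamp = datetime.fromisoformat(row["time"])
        if not (period_start <= stamp < period_end):
            continue
        key = tuple(row[col] for col in group_by)
        counts[key] += 1
        sizes[key] += row["bytes"]

    stamp = (generated_at or datetime.now()).isoformat(timespec="seconds")
    entries = []
    for key in sorted(counts):
        entry = dict(zip(group_by, key))
        entry.update({
            "count": counts[key],
            "total_bytes": sizes[key],
            "period_start": period_start.isoformat(),
            "period_length_seconds": int(period_length.total_seconds()),
            "generated_at": stamp,
        })
        entries.append(entry)
    return entries


def summarize_by_action():
    """Claim 1 style: one entry per identical action."""
    return summarize_event_logs(SAMPLE_EVENT_LOGS, PERIOD_START, PERIOD_LENGTH)


def summarize_by_user_source_action():
    """Claim 10 / 15 style: one entry per (user, source, action) combination."""
    return summarize_event_logs(SAMPLE_EVENT_LOGS, PERIOD_START, PERIOD_LENGTH,
                                group_by=("user", "source", "action"))


if __name__ == "__main__":
    print(json.dumps(summarize_by_action(), indent=2))
    print(json.dumps(summarize_by_user_source_action(), indent=2))
```

Run stand-alone, the script shows four rows collapsing into a single "login" entry with a count of 4 (two successes and two failures, since the result column is ignored) and the 10:15 row dropped because it lies outside the period; grouping by user and source instead keeps the per-device detail at the cost of more entries, which is the trade-off between memory saved and information preserved that the 103 rationale refers to.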
Additionally, the examiner does not consider the claim language to describe a particular improvement to a technological problem. Summarizing a dataset along a dimension (here, identical action) can be useful, but the idea is very general.
See 101 rejections below.
Applicant’s efforts to address the claim rejections under 35 U.S.C. 103 have been considered but are not satisfactory.
Applicant argues that Chu in view of Gill does not disclose or render obvious the amended claim 1, particularly assessing action parameters to determine event logs having identical actions. Adding the step of identifying action parameters in the set of event log data and assessing them to determine event logs having identical actions does not significantly change the nature of the rejection applied by Chu in view of Gill. If a system accesses a set of event logs and creates summaries of identical actions, this implies a step of identifying which actions are present in the system and must be summarized over. See also Gill, which teaches that event logs include action information (¶92: composite event logs 126 may include attributes of each transaction; an example would be a “type of request that was made,” and another would be a “URL identifier 615”; see also Figs. 6A-6B).
Applicant further argues at claim 16 that Chu in view of Gill does not teach that the event logs summarize identical actions “regardless of a result of the specific same action.” The examiner agrees; nevertheless, the amended claims necessitate new grounds of rejection.
See 103 rejections below.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
At Step 1 of the 101 analysis, all claims are directed to one of the statutory categories of invention.
Claim 1 is rejected in response to the following analysis:
At Step 2A Prong One, the judicial exceptions are bolded in the copy of claim 1 below:
A method, comprising:
accessing, by a computer system, a set of event log data for an entity accumulated over a predetermined time period, wherein the entity includes a collection of users operating software associated with the computer system;
identifying action parameters in the set of event log data, wherein the action parameters include descriptions of actions performed by the users for which event logs are generated by the software;
assessing the action parameters in the set of event log data to determine event logs having identical actions performed by the entity during the predetermined time period; and
generating, for the event logs having identical actions, one or more summary log entries, wherein a summary log entry identifies a specified identical action and a number of the event logs having the specified identical action during the predetermined time period.
Identifying action parameters in a set of data and assessing the action parameters to determine event logs having identical actions both encompass observation.
At Step 2A Prong Two, the additional elements do not integrate the judicial exception into a practical application. Accessing event log data with a computer system describes necessary data gathering. Generating a summary of the event log data identifying a particular action and number of logs associated with that particular action over a predetermined time period merely describes a generic transformation; that is, information is accessed then summarized. Moreover, the limitations do not suggest a particular field of invention beyond software operating on computers. Finally, there is nothing particularly detailed about what information is collected or how it is organized, so there seems to be no inventive concept in the organization of the data or its summary.
At Step 2B, the claim does not amount to significantly more than the judicial exception for the reasons given above.
Claims 2 and 3 recite that the summary log includes a timestamp, an indication of the predetermined time period, and a total memory size of the event logs being summarized. These limitations do not change the fact that the summary of the set of data is a generic transformation, therefore claims 2 and 3 are also rejected.
Claims 4-7 describe that the “entity” of claim 1 is an enterprise system associated with multiple users, that the event log data is generated by a source in response to the “identical action” being performed by a particular user, and that the summary log also indicates the source and user. Again, these limitations do not amount to significantly more than the judicial exception; a user’s actions on an enterprise computer are summarized and a summary log is generated. Claims 4-7 are therefore also rejected.
Claims 8 and 9 recite creating separate summary logs for differing actions, and sending those logs to a security tool to assess anomalies. Creating separate summaries for different actions does not fix the issues raised at the rejection of claim 1. Furthermore, searching for anomalies is recited at a level of generality that does not represent a particular transformation integrating the judicial exceptions into a practical application. Claims 8 and 9 are therefore also rejected.
Claim 10 recites limitations similar to those found in claims 1 and 4-7 and is rejected for the same reasons.
Claim 16 recites limitations similar to those found in claims 1 and 4-7. Note that claim 16 explicitly recites that a summary log entry summarizes same actions regardless of a result of the specified same actions. This does not integrate the summarization procedure into a particular practical application as it generically recites summarizing along the “action” dimension of data without regard to whether the results of the action are different. Claim 16 is therefore also rejected.
Claims 11 and 17 are rejected for the same reasons as claim 2.
Claims 12 and 18 are rejected for the same reasons as claim 3.
Claim 13 states that the source is hardware or software, but this is encompassed by the rationale used for rejecting claim 5, therefore claim 13 is rejected for the same reasons.
Claim 14 describes caching the summary log in a file. Storing information in a file temporarily is general computer activity when a file is to be accessed for processing, and the examiner considers this to be part of applying the judicial exception using a computer. Therefore, the rationale used to reject claim 10 applies to claim 14.
Claim 15 recites a process whereby summaries of particular actions performed by a particular user on a particular source are created, stored in a file, and sent to a security tool to look for anomalies. Creating summaries where possible while preserving information is not a particular transformation, nor is sending a file to a security tool for the reasons given in the rejection of claim 9. Claim 15 is therefore also rejected.
Claim 19 is rejected for the same reasons as claim 6.
Claim 20 is rejected for the same reasons as claim 7.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 3-10, and 12-15 are rejected under 35 U.S.C. 103 as being unpatentable over Chu (US 20100132041 A1) in view of Gill (US 20180309637 A1).
Regarding claim 1, Chu discloses a computer system (at least one of the servers of a security center 12; see Fig. 1 and ¶35, which describes the security center as having multiple servers) and event log data (Abstract: an “interception-based client data network security system” intercepts packet data, forms event logs, and transmits them to a security center for storage and analysis) for an entity, wherein the entity includes a collection of users operating software associated with the computer system (¶30: the security system can be applied to an enterprise used by employees; see also Fig. 2, user end devices 20a-20c; ¶23: “the user end device 10 can be a workstation, a desktop computer, a notebook computer, a personal digital assistant and/or a mobile phone”).
Chu does not explicitly disclose the other limitations of claim 1.
Gill discloses accessing a set of event log data accumulated over a predetermined time period and summarizing it (¶94: a processor generates “a set of time series data 128 from a set of composite event logs 126 by summarizing the set of composite event logs 126 at regularly-spaced time intervals”). Gill discloses assessing the set of event log data (¶94: the “set of composite event logs 126”) to determine event logs having identical actions performed by the entity (¶94: an example is given where a same query is executed five times with the same result; this implies determining event logs having identical actions; see below) during the predetermined time period (the summarization occurs over “regularly-spaced time intervals”); and
generating, for the event logs having identical actions, one or more summary log entries, wherein a summary log entry identifies a specified identical action and a number of the event logs having the specified identical action during the predetermined time period (¶94: "a data point within a set of time series data 128 may summarize a set of composite event logs 126 for a respective time interval as one or more counts, standard deviations, maximum and minimum values, etc. For example, if the same query is executed multiple times and the same result is obtained, execution of the queries is summarized into a single data point associated with a count of five.”).
Gill does not explicitly recite identifying action parameters in the set of event log data, wherein the action parameters include descriptions of actions for which event logs are generated by the software; and assessing the action parameters in the set of event log data to determine event logs having identical actions. However, these limitations are met by a step of identifying which actions are present in the set of event log data and are to be summarized over. Such a step would have been obvious in order to summarize correctly.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate the teachings of Gill with the invention of Chu by saving the event log data into a set in the computer system, then performing a method, comprising:
accessing, by the computer system, the set of event log data for the entity accumulated over a predetermined time period;
identifying action parameters in the set of event log data, wherein the action parameters include descriptions of actions performed by the users for which event logs are generated by the software (in the context of Chu, the actions would be performed by the users);
assessing the action parameters in the set of event log data to determine event logs having identical actions performed by the entity during the predetermined time period; and
generating, for the event logs having identical actions, one or more summary log entries, wherein a summary log entry identifies a specified identical action and a number of the event logs having the specified identical action during the predetermined time period. Doing so would save memory while preserving information content and facilitate more efficient operations on the event log data.
Regarding claim 10, many of the limitations of claim 10 are found in claim 1 and are rejected for the same reasons.
Claim 10 additionally recites a non-transitory computer-readable medium having instructions stored thereon that are capable of causing an enterprise system to implement a set of operations. This would have been obvious inasmuch as a computer would implement the method of claims 1 and 10, and to do so it would be useful to provide storage with instructions to enable the processor to do so. Claim 10 also recites that the event log data is for an enterprise system; this is disclosed by Chu (¶30: the security system can be applied to an enterprise used by employees).
Claim 10 further recites that the event logs identified are “associated with identical enterprise sources performed by identical users.” Noting that Chu discloses a network comprising multiple user end devices (see Fig. 2, elements 20a-c), it would have been obvious to one of ordinary skill in the art practicing the invention of Chu in view of Gill to identify event logs associated with an identical enterprise source performed by an identical user in order to summarize event logs while preserving information about the user and source (i.e. device) associated with events. Finally, for the same reason it would have been obvious to configure the summary log entry to identify the identical enterprise source and identical user along with the other information.
Regarding claim 3, Chu in view of Gill teaches the limitations of claim 1. Furthermore, Gill teaches summarizing memory size (¶94: "Examples of types of information that may be summarized…include…the number of bytes sent on each transaction").
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate the teachings of Gill with the invention of Chu in view of Gill by determining a total memory size of the determined event logs having the specified identical action in the set of event log data; and annotating the summary log entry with an indication of the total memory size. Doing so would be useful in order to preserve metadata in the summaries.
Regarding claim 12, claim 12 is rejected for the same reasons as claim 3.
Regarding claim 4, Chu in view of Gill teaches the limitations of claim 1, and Chu further discloses that the entity is an enterprise system associated with the collection of users (¶30: the security system can be applied to an enterprise used by employees; see rejection of claim 1).
Regarding claim 5, Chu in view of Gill teaches the limitations of claim 4, and further teaches that the event log data is generated by an enterprise source (Abstract: user end device) associated with the enterprise system (Chu, ¶30: the enterprise system includes user end devices).
Regarding claim 6, the limitations of claim 6 describe that the summary log entry summarizes over individual user and identical action; these limitations are therefore rejected for the same reasons as given in the rejection of claim 10.
Regarding claim 7, the limitations of claim 7 describe summarizing by enterprise source as well as individual user and identical action, and providing enterprise source and user as well as the other information on the summary log entry. These limitations are rejected for the same reasons as given in the rejection of claim 10.
Regarding claim 13, Chu in view of Gill teaches the limitations of claim 10, and further teaches that the enterprise source is an enterprise hardware source associated with the enterprise system (¶18: "The user end device 10 is an electronic device").
Regarding claim 14, Chu in view of Gill teaches the limitations of claim 10. Furthermore, it would have been obvious to one of ordinary skill in the art practicing the invention of Chu in view of Gill to cache the summary log entry in a summary log file associated with the enterprise system. Placing data in a file and storing it in cache is a typical operation of a general computer on data that is to be processed. Considering that Chu discloses processing data for security (¶22: "In a preferred embodiment, the security services provided by the security center 12 comprise: virus detection, data exposure detection, content filtering detection, virus infected webpage detection, mail detection and/or intrusion detection”), caching the summary data would facilitate processing by the security center 12.
Regarding claim 8, Chu in view of Gill teaches the limitations of claim 1. Furthermore, Gill teaches generating two summaries for instances of different actions (¶94: "If two different results were obtained for the queries, two different data points are generated, each of which is associated with a count indicating a number of times that a respective result was obtained.").
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate the teachings of Gill with the invention of Chu in view of Gill by causing the step of assessing the action parameters in the set of event log data to determine the event logs having the identical actions performed by the entity during the predetermined time period to include:
assessing the action parameters in the set of event log data to determine the event logs with a first identical action performed by the entity during the predetermined time period; and
assessing the action parameters in the set of event log data to determine the event logs with a second identical action performed by the entity during the predetermined time period, the second identical action being a different action from the first identical action.
This simply describes recognizing two different actions and determining how many event logs to summarize for each action. Doing so would be an important precursor to actually generating two summaries for two different actions. Generating summaries for different types of actions would be useful as argued in claim 1 to save memory while preserving information content and facilitate more efficient operations on the event log data.
Regarding claim 9, Chu in view of Gill teaches the limitations of claim 8.
For the reasons given in the rejection of claim 8, it would have been obvious to one of ordinary skill in the art practicing the invention of Chu in view of Gill to:
generate, for the first identical action, a first summary log entry that identifies the first identical action and a first number of event logs with the first identical action determined for the predetermined time period; and
generate, for the second identical action, a second summary log entry that identifies the second identical action and a second number of event logs with the second identical action determined for the predetermined time period.
This simply describes the step of actually generating two summaries for two different actions.
Regarding the remaining limitations, Chu further discloses sending event log data to a security tool to look for indications of security risks (¶22: "In a preferred embodiment, the security services provided by the security center 12 comprise: virus detection, data exposure detection, content filtering detection, virus infected webpage detection, mail detection and/or intrusion detection.").
Noting that the computer system which generates summary log entries in claim 1 and the security tool to which the summary log entries are transmitted for analysis may represent different portions of a security center, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate the teachings of Chu with the invention of Chu in view of Gill by transmitting the first summary log entry and the second summary log entry to a security tool configured to determine anomalies in the set of event log data. Doing so would enable one to monitor data for security risks, thus protecting the entity.
Regarding claim 15, Chu in view of Gill teaches the limitations of claim 10.
Gill further teaches generating two summaries for instances of different actions (¶94: "If two different results were obtained for the queries, two different data points are generated, each of which is associated with a count indicating a number of times that a respective result was obtained."), and Chu further discloses sending event log data to a security tool to look for indications of security risks (¶22: "In a preferred embodiment, the security services provided by the security center 12 comprise: virus detection, data exposure detection, content filtering detection, virus infected webpage detection, mail detection and/or intrusion detection.").
Additionally, one of ordinary skill in the art practicing the invention of Chu in view of Gill would have found it obvious to generate, for any number of event logs collected over the predetermined time period having a unique combination of identical action, user, and enterprise source, a summary log entry. Doing so would be useful for saving memory while preserving information content. Therefore, similarly to the reasons given in the rejection of claims 8 and 9 (see rejections of claims 8 and 9 describing generating a second summary log entry, and sending the summary log entries to a security tool), it would have been obvious to one of ordinary skill in the art practicing the invention of Chu and Gill to further implement operations comprising:
assessing the set of event log data to determine additional event logs that have an additional identical action associated with an additional identical enterprise source performed by an additional identical user during the predetermined time period;
generating, for each additional identical action associated with the additional identical enterprise source performed by the additional identical user, an additional summary log entry that identifies the additional identical action, the additional identical enterprise source, and the additional identical user along with an additional number of event logs determined for the predetermined time period;
generating an additional summary log file with all the generated additional summary log entries; and
transmitting the additional summary log file to a security tool configured to determine anomalies in the set of event log data.
Claims 2 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Chu (US 20100132041 A1) in view of Gill (US 20180309637 A1), and further in view of Arrowood (US 20020010614 A1).
Regarding claims 2 and 11, Chu in view of Gill teaches the limitations of claims 1 and 10, but does not explicitly teach the limitations of claims 2 and 11.
Arrowood discloses a method, system and process for computer-assisted staffing of employees for a client, including storing timesheet data (Abstract). As part of the invention, Arrowood provides a summary log entry (Fig. 18). The summary log entry includes an indication of a predetermined time period (Fig. 18: see “Quarter Summary”), as well as a date stamp (Fig. 18: see “Quarter 1, 2000”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate the teachings of Arrowood with the invention of Chu in view of Gill by causing the summary log entry to include an indication of the predetermined time period, wherein the indication of the predetermined time period includes a length of the predetermined time period and a time and date stamp for the predetermined time period. Doing so would be useful to preserve temporal information about each summary created.
Claims 16 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Chu (US 20100132041 A1) in view of Gill (US 20180309637 A1), and further in view of Compton (US 10911473 B2).
Regarding claim 16, many of the limitations of claim 16 are found in claim 10 and are rejected for the same reasons. Claim 16 additionally explicitly recites at least one processor, which is encompassed by the computer system of claim 1. Claim 16 further recites that the set of event log data is for a particular enterprise source. This is also considered to have been obvious; claim 10 teaches summarizing a set of event log data for an entire enterprise system, including using enterprise source as a factor by which to organize summary log entries. Therefore one of ordinary skill in the art would also be enabled to summarize a set of event log data for a single enterprise source, and the results would be predictable.
Chu in view of Gill does not explicitly teach that the summary log entry identifies a number of the event logs of the specific same action performed by the specific same user regardless of a result of the specific same action.
Compton discloses a method for detecting a distributed denial-of-service (DDoS) attack (Abstract). In the method, a volume of data packets are received and, when they exceed a threshold, the method obtains an autonomous system number (ASN) representing the source of the data packets, and generates an output indicating a probability that a DDoS attack is occurring (Abstract). Compton teaches that DDoS works by flooding a target such as a server with a stream of bogus traffic which, due to the high volume, can slow the target or even cause it to crash (Column 1, lines 25-42). However, Compton teaches that looking at the volume of traffic alone, without considering the source of the traffic, can result in falsely concluding a system is under attack as opposed to receiving a large amount of traffic from legitimate users (Column 5, lines 7-23: “Currently, detection of DDoS attacks is based on the volume of traffic and not the source…One problem with this volume-based approach is that it often generates false positives, particularly for applications utilizing a high volume of legitimate traffic.” This issue is addressed by using an ASN for identifying a source, as explained in the Abstract.). Thus Compton is interested in counting the number of same types of actions from a same user, but not in the result of those actions.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate the teachings of Compton with the invention of Chu in view of Gill by causing the summary log entry to identify a number of the event logs of the specific same action performed by the specific same user regardless of a result of the specific same action. Doing so would enable the security system to monitor for DDoS attacks from specific sources within the enterprise source and by specific means.
Regarding claim 18, claim 18 is rejected for the same reasons as claim 3.
Regarding claim 19, Chu in view of Gill teaches the limitations of claim 16. Furthermore, Chu discloses that the event log data is generated by the enterprise source (Abstract: data packets from a user end device are formed into event logs) of an enterprise system (¶30: the user end device may be part of an enterprise; see rejection of claim 1). Furthermore, claim 16 recites that the system “[determines] event logs having same actions performed by same users” on an enterprise source. Therefore at least some of the event logs in the set of event log data are generated in response to actions performed by users of the enterprise system.
Chu teaches that one use of its security system is to detect a possible leak from rogue or careless employees (¶31).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the invention of Chu in view of Gill by restricting the set of event log data to be event logs generated in response to actions performed by users of an enterprise system. This would enable one to look for rogue or careless employees by limiting one’s analysis to user activity.
Regarding claim 20, the limitations of claim 20 would have been obvious for the same reasons given in the rejection of claim 10.
Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Chu (US 20100132041 A1) in view of Gill (US 20180309637 A1) and Compton (US 10911473 B2), and further in view of Arrowood (US 20020010614 A1).
Regarding claim 17, claim 17 is rejected for the same reasons as claims 2 and 11.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ETHAN WESLEY EDWARDS whose telephone number is (571)272-0266. The examiner can normally be reached Monday - Friday, 7:30am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Andrew Schechter can be reached at (571) 272-2302. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
ETHAN WESLEY EDWARDS
Examiner
Art Unit 2857
/E.W.E./ Examiner, Art Unit 2857
/ANDREW SCHECHTER/ Supervisory Patent Examiner, Art Unit 2857